/[adm]/puppet/modules/apache/templates/01_default_ssl_vhost.conf

Contents of /puppet/modules/apache/templates/01_default_ssl_vhost.conf



Revision 2552 - (show annotations) (download)
Sat Mar 17 01:25:04 2012 UTC (12 years, 6 months ago) by misc
File size: 6682 byte(s)
manage the certificate used for the default connection too, since that is the one that xymon checks for expiry (and that is also what openssl does). Probably an issue with SNI; didn't look into it in more detail tonight.
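# 01_default_ssl_vhost.conf -- Puppet/ERB template for the default SSL
# virtual host (_default_:443).
# Template variables read from the Puppet scope:
#   domain            - used for ServerAdmin and the wildcard certificate paths
#   wildcard_sslcert  - the string 'true' selects the wildcard certificate;
#                       anything else uses /etc/ssl/apache/localhost.pem
<IfDefine HAVE_SSL>
    <IfModule !mod_ssl.c>
        LoadModule ssl_module modules/mod_ssl.so
    </IfModule>
</IfDefine>

<IfModule mod_ssl.c>

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

    # General setup for the virtual host
    DocumentRoot "/var/www/html"
    #ServerName localhost:443
    ServerAdmin root@<%= domain %>
    ErrorLog logs/ssl_error_log

    <IfModule mod_log_config.c>
        TransferLog logs/ssl_access_log
    </IfModule>

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # SSL Cipher Suite:
    # List the ciphers that the client is permitted to negotiate.
    # See the mod_ssl documentation for a complete list.
    # Only HIGH-grade suites are offered; anonymous (aNULL/eNULL), export-grade,
    # RC4 and MD5-based suites are excluded. The former list
    # (ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW) still admitted RC4
    # and the 56-bit LOW suites.
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!MD5
    # Use the server's preference order rather than the client's, so a client
    # cannot steer the negotiation to the weakest suite both sides support.
    SSLHonorCipherOrder on

    # SSL Protocol support:
    # List the enable protocol levels with which clients will be able to
    # connect. SSLv2 and SSLv3 are both disabled; only TLS is accepted.
    SSLProtocol all -SSLv2 -SSLv3

    <%- if wildcard_sslcert == 'true' then -%>
    # Wildcard certificate for the domain; client certificates are not
    # requested in this branch (SSLVerifyClient None).
    SSLCertificateFile /etc/ssl/wildcard.<%= domain %>.crt
    SSLCertificateKeyFile /etc/ssl/wildcard.<%= domain %>.key
    # NOTE(review): SSLCACertificateFile is the CA set used to verify client
    # certificates, which is disabled here. If this .pem actually holds the
    # issuing intermediate chain, SSLCertificateChainFile is the directive
    # for that -- confirm what the file contains.
    SSLCACertificateFile /etc/ssl/wildcard.<%= domain %>.pem
    SSLVerifyClient None
    <%- else -%>
    # Default certificate: one PEM file holding both the certificate and its
    # private key. Because it contains the key it must stay readable by root
    # only (file mode is managed outside this template).
    SSLCertificateFile /etc/ssl/apache/localhost.pem
    SSLCertificateKeyFile /etc/ssl/apache/localhost.pem
    #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
    #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
    <%- end -%>

    # Certificate Revocation Lists (CRL):
    # Set the CA revocation path where to find CA CRLs for client
    # authentication or alternatively one huge file containing all
    # of them (file must be PEM encoded)
    # Note: Inside SSLCARevocationPath you need hash symlinks
    # to point to the certificate files. Use the provided
    # Makefile to update the hash symlinks after changes.
    #SSLCARevocationPath /etc/pki/tls/certs/ssl.crl
    #SSLCARevocationFile /etc/pki/tls/certs/ca-bundle.crl

    # Client Authentication (Type):
    # Client certificate verification type and depth. Types are
    # none, optional, require and optional_no_ca. Depth is a
    # number which specifies how deeply to verify the certificate
    # issuer chain before deciding the certificate is not valid.
    #SSLVerifyClient require
    #SSLVerifyDepth 10

    # Access Control:
    # With SSLRequire you can do per-directory access control based
    # on arbitrary complex boolean expressions containing server
    # variable checks and other lookup directives. The syntax is a
    # mixture between C and Perl. See the mod_ssl documentation
    # for more details.
    #<Location />
    #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
    # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
    # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
    # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    #</Location>

    # SSL Engine Options:
    # Set various options for the SSL engine.
    # o FakeBasicAuth:
    # Translate the client X.509 into a Basic Authorisation. This means that
    # the standard Auth/DBMAuth methods can be used for access control. The
    # user name is the `one line' version of the client's X.509 certificate.
    # Note that no password is obtained from the user. Every entry in the user
    # file needs this password: `xxj31ZMTZzkVA'.
    # o ExportCertData:
    # This exports two additional environment variables: SSL_CLIENT_CERT and
    # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
    # server (always existing) and the client (only existing when client
    # authentication is used). This can be used to import the certificates
    # into CGI scripts.
    # o StdEnvVars:
    # This exports the standard SSL/TLS related `SSL_*' environment variables.
    # Per default this exportation is switched off for performance reasons,
    # because the extraction step is an expensive operation and is usually
    # useless for serving static content. So one usually enables the
    # exportation for CGI and SSI requests only.
    # o StrictRequire:
    # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
    # under a "Satisfy any" situation, i.e. when it applies access is denied
    # and no other module can change it.
    # o OptRenegotiate:
    # This enables optimized SSL connection renegotiation handling when SSL
    # directives are used in per-directory context.
    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

    # Export the SSL_* variables only for dynamic content (see StdEnvVars above).
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>

    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    # SSL Protocol Adjustments:
    # The safe and default but still SSL/TLS standard compliant shutdown
    # approach is that mod_ssl sends the close notify alert but doesn't wait for
    # the close notify alert from client. When you need a different shutdown
    # approach you can use one of the following variables:
    # o ssl-unclean-shutdown:
    # This forces an unclean shutdown when the connection is closed, i.e. no
    # SSL close notify alert is send or allowed to received. This violates
    # the SSL/TLS standard but is needed for some brain-dead browsers. Use
    # this when you receive I/O errors because of the standard approach where
    # mod_ssl sends the close notify alert.
    # o ssl-accurate-shutdown:
    # This forces an accurate shutdown when the connection is closed, i.e. a
    # SSL close notify alert is send and mod_ssl waits for the close notify
    # alert of the client. This is 100% SSL/TLS standard compliant, but in
    # practice often causes hanging connections with brain-dead browsers. Use
    # this only for browsers where you know that their SSL implementation
    # works correctly.
    # Notice: Most problems of broken clients are also related to the HTTP
    # keep-alive facility, so you usually additionally want to disable
    # keep-alive for those clients, too. Use variable "nokeepalive" for this.
    # Similarly, one has to force some clients to use HTTP/1.0 to workaround
    # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
    # "force-response-1.0" for this.

    <IfModule mod_setenvif.c>
        BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
    </IfModule>

    # Per-Server Logging:
    # The home of a custom SSL log file. Use this when you want a
    # compact non-error SSL logfile on a virtual host basis.

    <IfModule mod_log_config.c>
        CustomLog logs/ssl_request_log \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </IfModule>

    # Inherit the rewrite rules defined in the main server context.
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteOptions inherit
    </IfModule>

</VirtualHost>

</IfModule>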
