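<IfDefine HAVE_SSL>
<IfModule !mod_ssl.c>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>
</IfDefine>

<IfModule mod_ssl.c>

##
## SSL Virtual Host Context
##
## ERB template: <%= domain %> and wildcard_sslcert are substituted when the
## file is rendered; everything else is passed to httpd verbatim.
##

<VirtualHost _default_:443>

    # General setup for the virtual host
    DocumentRoot "/var/www/html"
    #ServerName localhost:443
    ServerAdmin root@<%= domain %>
    ErrorLog logs/ssl_error_log

    <IfModule mod_log_config.c>
        TransferLog logs/ssl_access_log
    </IfModule>

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # SSL Cipher Suite:
    # List the ciphers that the client is permitted to negotiate.
    # Only HIGH-strength suites are offered; anonymous (aNULL), null-encryption
    # (eNULL), MD5-MAC, RC4 and EXPORT suites are excluded.  The previous list
    # (ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW) still admitted RC4,
    # MEDIUM and LOW strength ciphers, which are no longer considered secure.
    # See the mod_ssl documentation for a complete list.
    SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!EXPORT

    # Prefer the server's cipher order over the client's so the strongest
    # mutually supported suite is selected rather than the client's favourite.
    SSLHonorCipherOrder on

    # SSL Protocol support:
    # List the enabled protocol versions with which clients will be able to
    # connect.  SSLv2 and SSLv3 are both disabled.  TLS 1.0/1.1 remain enabled
    # for compatibility; tighten further (e.g. -TLSv1 -TLSv1.1) once the httpd
    # build in use is known to accept those keywords.
    SSLProtocol all -SSLv2 -SSLv3

<%- if wildcard_sslcert == 'true' then -%>
    # Wildcard certificate for <%= domain %>.  Client certificates are not
    # requested (SSLVerifyClient None), so SSLCACertificateFile only takes
    # effect if client verification is enabled later.
    # NOTE(review): no SSLCertificateChainFile is set in this branch; if the
    # wildcard certificate is issued by an intermediate CA, confirm the chain
    # is bundled in the .crt or add SSLCertificateChainFile.
    SSLCertificateFile /etc/ssl/wildcard.<%= domain %>.crt
    SSLCertificateKeyFile /etc/ssl/wildcard.<%= domain %>.key
    SSLCACertificateFile /etc/ssl/wildcard.<%= domain %>.pem
    SSLVerifyClient None
<%- else -%>
    # Fallback certificate.  localhost.pem is used for both the certificate
    # and the private key, so that one file contains the key material and
    # must be readable only by the account that starts httpd.
    SSLCertificateFile /etc/ssl/apache/localhost.pem
    SSLCertificateKeyFile /etc/ssl/apache/localhost.pem
    #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
    #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
<%- end -%>

    # Certificate Revocation Lists (CRL):
    # Set the CA revocation path where to find CA CRLs for client
    # authentication or alternatively one huge file containing all
    # of them (file must be PEM encoded)
    # Note: Inside SSLCARevocationPath you need hash symlinks
    # to point to the certificate files. Use the provided
    # Makefile to update the hash symlinks after changes.
    #SSLCARevocationPath /etc/pki/tls/certs/ssl.crl
    #SSLCARevocationFile /etc/pki/tls/certs/ca-bundle.crl

    # Client Authentication (Type):
    # Client certificate verification type and depth. Types are
    # none, optional, require and optional_no_ca. Depth is a
    # number which specifies how deeply to verify the certificate
    # issuer chain before deciding the certificate is not valid.
    #SSLVerifyClient require
    #SSLVerifyDepth 10

    # Access Control:
    # With SSLRequire you can do per-directory access control based
    # on arbitrary complex boolean expressions containing server
    # variable checks and other lookup directives. The syntax is a
    # mixture between C and Perl. See the mod_ssl documentation
    # for more details.
    #<Location />
    #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
    # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
    # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
    # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    #</Location>

    # SSL Engine Options:
    # Set various options for the SSL engine.
    # o FakeBasicAuth:
    # Translate the client X.509 into a Basic Authorisation. This means that
    # the standard Auth/DBMAuth methods can be used for access control. The
    # user name is the `one line' version of the client's X.509 certificate.
    # Note that no password is obtained from the user. Every entry in the user
    # file needs this password: `xxj31ZMTZzkVA'.
    # o ExportCertData:
    # This exports two additional environment variables: SSL_CLIENT_CERT and
    # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
    # server (always existing) and the client (only existing when client
    # authentication is used). This can be used to import the certificates
    # into CGI scripts.
    # o StdEnvVars:
    # This exports the standard SSL/TLS related `SSL_*' environment variables.
    # By default this export is switched off for performance reasons,
    # because the extraction step is an expensive operation and is usually
    # useless for serving static content. So one usually enables the
    # export for CGI and SSI requests only.
    # o StrictRequire:
    # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
    # under a "Satisfy any" situation, i.e. when it applies access is denied
    # and no other module can change it.
    # o OptRenegotiate:
    # This enables optimized SSL connection renegotiation handling when SSL
    # directives are used in per-directory context.
    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>

    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    # SSL Protocol Adjustments:
    # The safe and default but still SSL/TLS standard compliant shutdown
    # approach is that mod_ssl sends the close notify alert but doesn't wait for
    # the close notify alert from client. When you need a different shutdown
    # approach you can use one of the following variables:
    # o ssl-unclean-shutdown:
    # This forces an unclean shutdown when the connection is closed, i.e. no
    # SSL close notify alert is sent or allowed to be received. This violates
    # the SSL/TLS standard but is needed for some broken browsers. Use
    # this when you receive I/O errors because of the standard approach where
    # mod_ssl sends the close notify alert.
    # o ssl-accurate-shutdown:
    # This forces an accurate shutdown when the connection is closed, i.e. a
    # SSL close notify alert is sent and mod_ssl waits for the close notify
    # alert of the client. This is 100% SSL/TLS standard compliant, but in
    # practice often causes hanging connections with broken browsers. Use
    # this only for browsers where you know that their SSL implementation
    # works correctly.
    # Notice: Most problems of broken clients are also related to the HTTP
    # keep-alive facility, so you usually additionally want to disable
    # keep-alive for those clients, too. Use variable "nokeepalive" for this.
    # Similarly, one has to force some clients to use HTTP/1.0 to workaround
    # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
    # "force-response-1.0" for this.

    <IfModule mod_setenvif.c>
        # Legacy workaround for old MSIE builds; kept as-is.  Note that this
        # pattern matches every MSIE version, not only the broken ones.
        BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
    </IfModule>

    # Per-Server Logging:
    # The home of a custom SSL log file. Use this when you want a
    # compact non-error SSL logfile on a virtual host basis.  Logging the
    # negotiated protocol and cipher per request makes it possible to audit
    # which clients still depend on older TLS versions before tightening
    # SSLProtocol further.

    <IfModule mod_log_config.c>
        CustomLog logs/ssl_request_log \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </IfModule>

    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteOptions inherit
    </IfModule>

</VirtualHost>

</IfModule>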