<IfModule mod_ssl.c>
	# Default HTTPS virtual host (Debian-style default-ssl.conf).
	# Everything inside this block is only loaded when mod_ssl is enabled.
	#
	# NOTE(review): no TLS protocol or cipher policy (SSLProtocol,
	# SSLCipherSuite, SSLHonorCipherOrder) is set in this vhost, so it runs
	# with whatever the global mod_ssl configuration provides -- presumably
	# mods-available/ssl.conf on Debian. Review that policy there; nothing
	# here tightens it.
	<VirtualHost _default_:443>
		# Address shown on server-generated error pages. Placeholder value --
		# point it at a monitored mailbox before the host goes live.
		ServerAdmin webmaster@localhost

		# Content root served over HTTPS.
		DocumentRoot /var/www/html

		# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
		# error, crit, alert, emerg.
		# It is also possible to configure the loglevel for particular
		# modules, e.g.
		#LogLevel info ssl:warn
		# No LogLevel is set here, so the server-wide default applies. Raising
		# the ssl: level helps while debugging handshakes, but the trace
		# levels log handshake internals -- do not leave them on in production.

		ErrorLog ${APACHE_LOG_DIR}/error.log
		CustomLog ${APACHE_LOG_DIR}/access.log combined

		# For most configuration files from conf-available/, which are
		# enabled or disabled at a global level, it is possible to
		# include a line for only one particular virtual host. For example the
		# following line enables the CGI configuration for this host only
		# after it has been globally disabled with "a2disconf".
		#Include conf-available/serve-cgi-bin.conf

		# SSL Engine Switch:
		# Enable/Disable SSL for this virtual host.
		SSLEngine on

		# A self-signed (snakeoil) certificate can be created by installing
		# the ssl-cert package. See
		# /usr/share/doc/apache2/README.Debian.gz for more info.
		# If both key and certificate are stored in the same file, only the
		# SSLCertificateFile directive is needed.
		#
		# SECURITY: the snakeoil pair below is a self-signed placeholder. Any
		# client that validates the chain will reject it, and teaching users
		# to click through the warning defeats the purpose of TLS. Replace
		# both paths with a certificate issued by a CA your clients trust
		# before this host serves anything real, and keep the private key
		# readable by root only -- never by www-data or world.
		SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
		SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

		# Server Certificate Chain:
		# Point SSLCertificateChainFile at a file containing the
		# concatenation of PEM encoded CA certificates which form the
		# certificate chain for the server certificate. Alternatively
		# the referenced file can be the same as SSLCertificateFile
		# when the CA certificates are directly appended to the server
		# certificate for convenience.
		# NOTE(review): a missing intermediate is a common cause of
		# "works in my browser, fails in curl/mobile" -- verify the served
		# chain with an external tool after deploying a real certificate.
		#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

		# Certificate Authority (CA):
		# Set the CA certificate verification path where to find CA
		# certificates for client authentication or alternatively one
		# huge file containing all of them (file must be PEM encoded)
		# Note: Inside SSLCACertificatePath you need hash symlinks
		# to point to the certificate files. Use the provided
		# Makefile to update the hash symlinks after changes.
		#
		# SECURITY: if client authentication is turned on below, do NOT point
		# this at the whole system trust store (/etc/ssl/certs/ as in the
		# commented example): every public CA in that store would then be
		# able to issue a client certificate this host accepts. Use a file
		# holding only the private CA(s) that issue your client certificates.
		#SSLCACertificatePath /etc/ssl/certs/
		#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

		# Certificate Revocation Lists (CRL):
		# Set the CA revocation path where to find CA CRLs for client
		# authentication or alternatively one huge file containing all
		# of them (file must be PEM encoded)
		# Note: Inside SSLCARevocationPath you need hash symlinks
		# to point to the certificate files. Use the provided
		# Makefile to update the hash symlinks after changes.
		# NOTE(review): with no CRL (or OCSP) configured, a revoked client
		# certificate is still accepted until it expires. Enable one of
		# these whenever SSLVerifyClient is enabled, and keep the CRL fresh.
		#SSLCARevocationPath /etc/apache2/ssl.crl/
		#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

		# Client Authentication (Type):
		# Client certificate verification type and depth. Types are
		# none, optional, require and optional_no_ca. Depth is a
		# number which specifies how deeply to verify the certificate
		# issuer chain before deciding the certificate is not valid.
		# NOTE(review): "optional_no_ca" is documented by mod_ssl as accepting
		# certificates that fail CA verification; only use it when the
		# application itself validates the certificate it receives via the
		# exported SSL_* variables. A depth of 10 is generous -- set it to the
		# actual length of your client CA hierarchy.
		#SSLVerifyClient require
		#SSLVerifyDepth 10

		# SSL Engine Options:
		# Set various options for the SSL engine.
		# o FakeBasicAuth:
		# Translate the client X.509 into a Basic Authorisation. This means that
		# the standard Auth/DBMAuth methods can be used for access control. The
		# user name is the `one line' version of the client's X.509 certificate.
		# Note that no password is obtained from the user. Every entry in the user
		# file needs this password: `xxj31ZMTZzkVA'.
		# SECURITY: that password is fixed and public (the mod_ssl docs
		# describe it as the encrypted form of the word "password"). Never
		# reuse a user file written for FakeBasicAuth in a location that
		# accepts ordinary Basic auth, or anyone who knows a certificate's
		# DN string can log in there with "password" and no certificate.
		# o ExportCertData:
		# This exports two additional environment variables: SSL_CLIENT_CERT and
		# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
		# server (always existing) and the client (only existing when client
		# authentication is used). This can be used to import the certificates
		# into CGI scripts.
		# o StdEnvVars:
		# This exports the standard SSL/TLS related `SSL_*' environment variables.
		# Per default this exportation is switched off for performance reasons,
		# because the extraction step is an expensive operation and is usually
		# useless for serving static content. So one usually enables the
		# exportation for CGI and SSI requests only.
		# o OptRenegotiate:
		# This enables optimized SSL connection renegotiation handling when SSL
		# directives are used in per-directory context.
		# o StrictRequire (appears in the commented example below): per the
		# mod_ssl docs, forces denial when an SSLRequire/SSLRequireSSL check
		# fails even if a "Satisfy any" would otherwise grant access.
		#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
		# Export the SSL_* variables only to script handlers. These variables
		# are how a CGI/PHP handler learns the outcome of client certificate
		# verification; they carry meaning only when SSLVerifyClient is
		# enabled above, so an application must not treat them as an
		# authentication result on their own.
		<FilesMatch "\.(cgi|shtml|phtml|php)$">
			SSLOptions +StdEnvVars
		</FilesMatch>
		<Directory /usr/lib/cgi-bin>
			SSLOptions +StdEnvVars
		</Directory>

		# SSL Protocol Adjustments:
		# The safe and default but still SSL/TLS standard compliant shutdown
		# approach is that mod_ssl sends the close notify alert but doesn't wait for
		# the close notify alert from client. When you need a different shutdown
		# approach you can use one of the following variables:
		# o ssl-unclean-shutdown:
		# This forces an unclean shutdown when the connection is closed, i.e. no
		# SSL close notify alert is sent or allowed to be received. This violates
		# the SSL/TLS standard but is needed for some brain-dead browsers. Use
		# this when you receive I/O errors because of the standard approach where
		# mod_ssl sends the close notify alert.
		# o ssl-accurate-shutdown:
		# This forces an accurate shutdown when the connection is closed, i.e. a
		# SSL close notify alert is sent and mod_ssl waits for the close notify
		# alert of the client. This is 100% SSL/TLS standard compliant, but in
		# practice often causes hanging connections with brain-dead browsers. Use
		# this only for browsers where you know that their SSL implementation
		# works correctly.
		# Notice: Most problems of broken clients are also related to the HTTP
		# keep-alive facility, so you usually additionally want to disable
		# keep-alive for those clients, too. Use variable "nokeepalive" for this.
		# Similarly, one has to force some clients to use HTTP/1.0 to workaround
		# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
		# "force-response-1.0" for this.
		#
		# NOTE(review): User-Agent is chosen by the client, so any request that
		# claims to be an old MSIE gets these relaxations. They only affect
		# shutdown, keep-alive and HTTP-version handling, so the exposure is
		# low, but they are workarounds for browsers that no longer exist and
		# can be dropped from a hardened configuration.
		BrowserMatch "MSIE [2-6]" \
			nokeepalive ssl-unclean-shutdown \
			downgrade-1.0 force-response-1.0
		# MSIE 7 and newer should be able to use keepalive
		# NOTE(review): the character class [17-9] matches the single digits
		# 1, 7, 8 and 9, so this pattern does not match "MSIE 10"/"MSIE 11"
		# and does match "MSIE 1" -- the comment above overstates its reach.
		BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

		# Not configured here: a Strict-Transport-Security response header
		# (needs mod_headers) and a redirect from the plain-HTTP vhost.
		# Consider adding both once a trusted certificate is installed.
	</VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet