Advertisement
Guest User

quavg

a guest
May 25th, 2016
55
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 9.92 KB | None | 0 0
  1. #
  2. # This is the Apache server configuration file providing SSL support.
  3. # It contains the configuration directives to instruct the server how to
  4. # serve pages over an https connection. For detailed information about these
  5. # directives see <URL:http://httpd.apache.org/docs/trunk/mod/mod_ssl.html>
  6. #
  7. # Do NOT simply read the instructions in here without understanding
  8. # what they do. They're here only as hints or reminders. If you are unsure
  9. # consult the online docs. You have been warned.
  10. #
  11.  
  12. #
  13. # Pseudo Random Number Generator (PRNG):
  14. # Configure one or more sources to seed the PRNG of the SSL library.
  15. # The seed data should be of good random quality.
  16. # WARNING! On some platforms /dev/random blocks if not enough entropy
  17. # is available. This means you then cannot use the /dev/random device
  18. # because it would lead to very long connection times (as long as
  19. # it requires to make more entropy available). But usually those
  20. # platforms additionally provide a /dev/urandom device which doesn't
  21. # block. So, if available, use this one instead. Read the mod_ssl User
  22. # Manual for more details.
  23. #
  24. #SSLRandomSeed startup file:/dev/random 512
  25. #SSLRandomSeed startup file:/dev/urandom 512
  26. #SSLRandomSeed connect file:/dev/random 512
  27. #SSLRandomSeed connect file:/dev/urandom 512
  28.  
  29.  
  30. #
  31. # When we also provide SSL we have to listen to the
  32. # standard HTTP port (see above) and to the HTTPS port
  33. #
  34. # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
  35. # Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
  36. #
  37. Listen 443
  38.  
  39. ##
  40. ## SSL Global Context
  41. ##
  42. ## All SSL configuration in this context applies both to
  43. ## the main server and all SSL-enabled virtual hosts.
  44. ##
  45.  
  46. # Pass Phrase Dialog:
  47. # Configure the pass phrase gathering process.
  48. # The filtering dialog program (`builtin' is a internal
  49. # terminal dialog) has to provide the pass phrase on stdout.
  50. SSLPassPhraseDialog builtin
  51.  
  52. # Inter-Process Session Cache:
  53. # Configure the SSL Session Cache: First the mechanism
  54. # to use and second the expiring timeout (in seconds).
  55. #SSLSessionCache "dbm:${SRVROOT}/logs/ssl_scache"
  56. SSLSessionCache "shmcb:${SRVROOT}/logs/ssl_scache(128000)"
  57. SSLSessionCacheTimeout 300
  58.  
  59. ##
  60. ## SSL Virtual Host Context
  61. ##
  62.  
  63. <VirtualHost _default_:443>
  64.  
  65. # General setup for the virtual host
  66. DocumentRoot "${SRVROOT}/htdocs"
  67. ServerName www.poupareviajaretudodebom.com.br:443
  68. ServerAdmin contato@promotech.com.br
  69. ErrorLog "${SRVROOT}/logs/error.log"
  70. TransferLog "${SRVROOT}/logs/access.log"
  71.  
  72. # SSL Engine Switch:
  73. # Enable/Disable SSL for this virtual host.
  74. SSLEngine on
  75.  
  76. # SSL Cipher Suite:
  77. # List the ciphers that the client is permitted to negotiate.
  78. # See the mod_ssl documentation for a complete list.
  79. # Recent OpenSSL snapshots include Elliptic Curve Cryptograhpy (ECC)
  80. # cipher suites (see RFC 4492) as part of "ALL". Edit this line
  81. # if you need to disable any of those ciphers.
  82. SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  83.  
  84. # Server Certificate:
  85. # Point SSLCertificateFile at a PEM encoded certificate. If
  86. # the certificate is encrypted, then you will be prompted for a
  87. # pass phrase. Note that a kill -HUP will prompt again. Keep
  88. # in mind that if you have both an RSA and a DSA certificate you
  89. # can configure both in parallel (to also allow the use of DSA
  90. # ciphers, etc.)
  91. # Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
  92. # require an ECC certificate which can also be configured in
  93. # parallel.
  94. SSLCertificateFile "${SRVROOT}/conf/www_quandoveganhou_com_br.crt"
  95. #SSLCertificateFile "${SRVROOT}/conf/server-dsa.crt"
  96. #SSLCertificateFile "${SRVROOT}/conf/server-ecc.crt"
  97.  
  98. # Server Private Key:
  99. # If the key is not combined with the certificate, use this
  100. # directive to point at the key file. Keep in mind that if
  101. # you've both a RSA and a DSA private key you can configure
  102. # both in parallel (to also allow the use of DSA ciphers, etc.)
  103. # ECC keys, when in use, can also be configured in parallel
  104. SSLCertificateKeyFile "${SRVROOT}/conf/server.key"
  105. #SSLCertificateKeyFile "${SRVROOT}/conf/server-dsa.key"
  106. #SSLCertificateKeyFile "${SRVROOT}/conf/server-ecc.key"
  107.  
  108. # Certificate Authority (CA):
  109. # Set the CA certificate verification path where to find CA
  110. # certificates for client authentication or alternatively one
  111. # huge file containing all of them (file must be PEM encoded)
  112. # Note: Inside SSLCACertificatePath you need hash symlinks
  113. # to point to the certificate files. Use the provided
  114. # Makefile to update the hash symlinks after changes.
  115. #SSLCACertificatePath "${SRVROOT}/conf/ssl.crt"
  116. #SSLCACertificateFile "${SRVROOT}/conf/ssl.crt/ca-bundle.crt"
  117.  
  118. # Certificate Revocation Lists (CRL):
  119. # Set the CA revocation path where to find CA CRLs for client
  120. # authentication or alternatively one huge file containing all
  121. # of them (file must be PEM encoded)
  122. # Note: Inside SSLCARevocationPath you need hash symlinks
  123. # to point to the certificate files. Use the provided
  124. # Makefile to update the hash symlinks after changes.
  125. #SSLCARevocationPath "${SRVROOT}/conf/ssl.crl"
  126. #SSLCARevocationFile "${SRVROOT}/conf/ssl.crl/ca-bundle.crl"
  127.  
  128. # Client Authentication (Type):
  129. # Client certificate verification type and depth. Types are
  130. # none, optional, require and optional_no_ca. Depth is a
  131. # number which specifies how deeply to verify the certificate
  132. # issuer chain before deciding the certificate is not valid.
  133. #SSLVerifyClient require
  134. #SSLVerifyDepth 10
  135.  
  136. # Access Control:
  137. # With SSLRequire you can do per-directory access control based
  138. # on arbitrary complex boolean expressions containing server
  139. # variable checks and other lookup directives. The syntax is a
  140. # mixture between C and Perl. See the mod_ssl documentation
  141. # for more details.
  142. #<Location />
  143. #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
  144. # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
  145. # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
  146. # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
  147. # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
  148. # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
  149. #</Location>
  150.  
  151. # SSL Engine Options:
  152. # Set various options for the SSL engine.
  153. # o FakeBasicAuth:
  154. # Translate the client X.509 into a Basic Authorisation. This means that
  155. # the standard Auth/DBMAuth methods can be used for access control. The
  156. # user name is the `one line' version of the client's X.509 certificate.
  157. # Note that no password is obtained from the user. Every entry in the user
  158. # file needs this password: `xxj31ZMTZzkVA'.
  159. # o ExportCertData:
  160. # This exports two additional environment variables: SSL_CLIENT_CERT and
  161. # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
  162. # server (always existing) and the client (only existing when client
  163. # authentication is used). This can be used to import the certificates
  164. # into CGI scripts.
  165. # o StdEnvVars:
  166. # This exports the standard SSL/TLS related `SSL_*' environment variables.
  167. # Per default this exportation is switched off for performance reasons,
  168. # because the extraction step is an expensive operation and is usually
  169. # useless for serving static content. So one usually enables the
  170. # exportation for CGI and SSI requests only.
  171. # o StrictRequire:
  172. # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
  173. # under a "Satisfy any" situation, i.e. when it applies access is denied
  174. # and no other module can change it.
  175. # o OptRenegotiate:
  176. # This enables optimized SSL connection renegotiation handling when SSL
  177. # directives are used in per-directory context.
  178. #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
  179. <FilesMatch "\.(cgi|shtml|phtml|php)$">
  180. SSLOptions +StdEnvVars
  181. </FilesMatch>
  182. <Directory "${SRVROOT}/cgi-bin">
  183. SSLOptions +StdEnvVars
  184. </Directory>
  185.  
  186. # SSL Protocol Adjustments:
  187. # The safe and default but still SSL/TLS standard compliant shutdown
  188. # approach is that mod_ssl sends the close notify alert but doesn't wait for
  189. # the close notify alert from client. When you need a different shutdown
  190. # approach you can use one of the following variables:
  191. # o ssl-unclean-shutdown:
  192. # This forces an unclean shutdown when the connection is closed, i.e. no
  193. # SSL close notify alert is sent or allowed to be received. This violates
  194. # the SSL/TLS standard but is needed for some brain-dead browsers. Use
  195. # this when you receive I/O errors because of the standard approach where
  196. # mod_ssl sends the close notify alert.
  197. # o ssl-accurate-shutdown:
  198. # This forces an accurate shutdown when the connection is closed, i.e. a
  199. # SSL close notify alert is send and mod_ssl waits for the close notify
  200. # alert of the client. This is 100% SSL/TLS standard compliant, but in
  201. # practice often causes hanging connections with brain-dead browsers. Use
  202. # this only for browsers where you know that their SSL implementation
  203. # works correctly.
  204. # Notice: Most problems of broken clients are also related to the HTTP
  205. # keep-alive facility, so you usually additionally want to disable
  206. # keep-alive for those clients, too. Use variable "nokeepalive" for this.
  207. # Similarly, one has to force some clients to use HTTP/1.0 to workaround
  208. # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
  209. # "force-response-1.0" for this.
  210. BrowserMatch ".*MSIE.*" \
  211. nokeepalive ssl-unclean-shutdown \
  212. downgrade-1.0 force-response-1.0
  213.  
  214. # Per-Server Logging:
  215. # The home of a custom SSL log file. Use this when you want a
  216. # compact non-error SSL logfile on a virtual host basis.
  217. CustomLog "${SRVROOT}/logs/ssl_request.log" \
  218. "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
  219.  
  220. </VirtualHost>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement