ssl.conf# SSL_SERVER_CERT. These contain the PEM-encoded certificates of t

1. ssl.conf
2. # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
3. # server (always existing) and the client (only existing when client
4. # authentication is used). This can be used to import the certificates
5. # into CGI scripts.
6. # o StdEnvVars:
7. # This exports the standard SSL/TLS related `SSL_*' environment variables.
8. # Per default this exportation is switched off for performance reasons,
9. # because the extraction step is an expensive operation and is usually
10. # useless for serving static content. So one usually enables the
11. # exportation for CGI and SSI requests only.
12. # o StrictRequire:
13. # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
14. # under a "Satisfy any" situation, i.e. when it applies access is denied
15. # and no other module can change it.
16. # o OptRenegotiate:
17. # This enables optimized SSL connection renegotiation handling when SSL
18. # directives are used in per-directory context.
19. #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
20. <Files ~ "\.(cgi|shtml|phtml|php3?)$">
21. SSLOptions +StdEnvVars
22. </Files>
23. <Directory "/var/www/cgi-bin">
24. SSLOptions +StdEnvVars
25. </Directory>
26.  
27. # SSL Protocol Adjustments:
28. # The safe and default but still SSL/TLS standard compliant shutdown
29. # approach is that mod_ssl sends the close notify alert but doesn't wait for
30. # the close notify alert from client. When you need a different shutdown
31. # approach you can use one of the following variables:
32. # o ssl-unclean-shutdown:
33. # This forces an unclean shutdown when the connection is closed, i.e. no
34. # SSL close notify alert is send or allowed to received. This violates
35. # the SSL/TLS standard but is needed for some brain-dead browsers. Use
36. # this when you receive I/O errors because of the standard approach where
37. # mod_ssl sends the close notify alert.
38. # o ssl-accurate-shutdown:
39. # This forces an accurate shutdown when the connection is closed, i.e. a
40. # SSL close notify alert is send and mod_ssl waits for the close notify
41. # alert of the client. This is 100% SSL/TLS standard compliant, but in
42. # practice often causes hanging connections with brain-dead browsers. Use
43. # this only for browsers where you know that their SSL implementation
44. # works correctly.
45. # Notice: Most problems of broken clients are also related to the HTTP
46. # keep-alive facility, so you usually additionally want to disable
47. # keep-alive for those clients, too. Use variable "nokeepalive" for this.
48. # Similarly, one has to force some clients to use HTTP/1.0 to workaround
49. # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
50. # "force-response-1.0" for this.
51. BrowserMatch "MSIE [2-5]" \
52. nokeepalive ssl-unclean-shutdown \
53. downgrade-1.0 force-response-1.0
54.  
55. # Per-Server Logging:
56. # The home of a custom SSL log file. Use this when you want a
57. # compact non-error SSL logfile on a virtual host basis.
58. CustomLog logs/ssl_request_log \
59. "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
60.  
61. </VirtualHost>
62.  
63.  
64. tripwire-le-ssl.conf
65. <IfModule mod_ssl.c>
66. <VirtualHost *:443>
67. ServerName www.spoopytripwire.com
68. ServerAlias spoopytripwire.com
69. DocumentRoot /var/www/tripwire/public
70. ErrorLog /var/www/tripwire/log/error.log
71. CustomLog /var/www/tripwire/log/reqests.log combined
72.  
73.  
74. Include /etc/letsencrypt/options-ssl-apache.conf
75. SSLCertificateFile /etc/letsencrypt/live/spoopytripwire.com/cert.pem
76. SSLCertificateKeyFile /etc/letsencrypt/live/spoopytripwire.com/privkey.pem
77. SSLCertificateChainFile /etc/letsencrypt/live/spoopytripwire.com/chain.pem
78. </VirtualHost>
79. </IfModule>
80.  
81.  
82.  
83.