httpd-ssl.conf

1. #
2. # This is the Apache server configuration file providing SSL support.
3. # It contains the configuration directives to instruct the server how to
4. # serve pages over an https connection. For detailed information about these
5. # directives see <URL:http://httpd.apache.org/docs/2.4/mod/mod_ssl.html>
6. #
7. # Do NOT simply read the instructions in here without understanding
8. # what they do. They're here only as hints or reminders. If you are unsure
9. # consult the online docs. You have been warned.
10. #
11. # Required modules: mod_log_config, mod_setenvif, mod_ssl,
12. # socache_shmcb_module (for default value of SSLSessionCache)
13.  
14. #
15. # Pseudo Random Number Generator (PRNG):
16. # Configure one or more sources to seed the PRNG of the SSL library.
17. # The seed data should be of good random quality.
18. # WARNING! On some platforms /dev/random blocks if not enough entropy
19. # is available. This means you then cannot use the /dev/random device
20. # because it would lead to very long connection times (as long as
21. # it requires to make more entropy available). But usually those
22. # platforms additionally provide a /dev/urandom device which doesn't
23. # block. So, if available, use this one instead. Read the mod_ssl User
24. # Manual for more details.
25. #
26. #SSLRandomSeed startup file:/dev/random 512
27. #SSLRandomSeed startup file:/dev/urandom 512
28. #SSLRandomSeed connect file:/dev/random 512
29. #SSLRandomSeed connect file:/dev/urandom 512
30. SSLRandomSeed startup builtin
31. SSLRandomSeed connect builtin
32.  
33. LoadModule ssl_module modules/mod_ssl.so
34.  
35. #
36. # When we also provide SSL we have to listen to the
37. # standard HTTP port (see above) and to the HTTPS port
38. #
39. Listen 443
40.  
41. ##
42. ## SSL Global Context
43. ##
44. ## All SSL configuration in this context applies both to
45. ## the main server and all SSL-enabled virtual hosts.
46. ##
47.  
48. # SSL Cipher Suite:
49. # List the ciphers that the client is permitted to negotiate.
50. # See the mod_ssl documentation for a complete list.
51. SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
52.  
53. # Speed-optimized SSL Cipher configuration:
54. # If speed is your main concern (on busy HTTPS servers e.g.),
55. # you might want to force clients to specific, performance
56. # optimized ciphers. In this case, prepend those ciphers
57. # to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
58. # Caveat: by giving precedence to RC4-SHA and AES128-SHA
59. # (as in the example below), most connections will no longer
60. # have perfect forward secrecy - if the server's key is
61. # compromised, captures of past or future traffic must be
62. # considered compromised, too.
63. #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
64. #SSLHonorCipherOrder on
65.  
66. # Pass Phrase Dialog:
67. # Configure the pass phrase gathering process.
68. # The filtering dialog program (`builtin' is an internal
69. # terminal dialog) has to provide the pass phrase on stdout.
70. SSLPassPhraseDialog builtin
71.  
72. # Inter-Process Session Cache:
73. # Configure the SSL Session Cache: First the mechanism
74. # to use and second the expiring timeout (in seconds).
75. #SSLSessionCache "shmcb:C:/xampp/apache/logs/ssl_scache(512000)"
76. SSLSessionCache "shmcb:C:/xampp/apache/logs/ssl_scache(512000)"
77. SSLSessionCacheTimeout 300
78.  
79. ##
80. ## SSL Virtual Host Context
81. ##
82.  
83. <VirtualHost *:443>
84.  
85. DocumentRoot "C:/xampp/htdocs"
86. ServerName tehtotalpwnage.tk:443
87. ServerAdmin [email protected]
88. ErrorLog "C:/xampp/apache/logs/error.log"
89. TransferLog "C:/xampp/apache/logs/access.log"
90.  
91. SSLEngine on
92.  
93. SSLCertificateFile "C:/xampp/htdocs/ca/intermediate/certs/tehtotalpwnage.tk.crt"
94. #SSLCertificateFile "conf/ssl.crt/server.crt"
95. #SSLCertificateFile "conf/ssl.crt/server.crt"
96.  
97. SSLCertificateKeyFile "C:/xampp/htdocs/ca/intermediate/private/tehtotalpwnage.tk.key"
98. #SSLCertificateKeyFile "conf/ssl.key/server.key"
99. #SSLCertificateKeyFile "conf/ssl.key/server.key"
100.  
101. SSLCertificateChainFile "C:/xampp/htdocs/ca/intermediate/certs/chain-ca.crt"
102.  
103. SSLCACertificatePath "C:/xampp/htdocs/ca/intermediate/certs"
104. SSLCACertificateFile "C:/xampp/htdocs/ca/intermediate/certs/intermediate-ca.crt"
105.  
106. SSLCARevocationPath "C:/xampp/htdocs/ca/intermediate/crl"
107. SSLCARevocationFile "C:/xampp/htdocs/ca/intermediate/crl/intermediate-crl.pem"
108. SSLCARevocationCheck chain
109.  
110. #SSLVerifyClient require
111. #SSLVerifyDepth 10
112.  
113. # TLS-SRP mutual authentication:
114. # Enable TLS-SRP and set the path to the OpenSSL SRP verifier
115. # file (containing login information for SRP user accounts).
116. # Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for
117. # detailed instructions on creating this file. Example:
118. # "openssl srp -srpvfile c:/Apache24/conf/passwd.srpv -add username"
119. #SSLSRPVerifierFile "c:/Apache24/conf/passwd.srpv"
120.  
121. # Access Control:
122. # With SSLRequire you can do per-directory access control based
123. # on arbitrary complex boolean expressions containing server
124. # variable checks and other lookup directives. The syntax is a
125. # mixture between C and Perl. See the mod_ssl documentation
126. # for more details.
127. #<Location />
128. #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
129. # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
130. # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
131. # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
132. # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
133. # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
134. #</Location>
135. <IfModule mod_ssl.c>
136. ErrorLog "C:/xampp/apache/logs/ssl_engine.log"
137. LogLevel debug
138. </IfModule>
139. <Location /wp-login.php>
140. SSLVerifyClient optional
141. <IfModule mod_rewrite.c>
142. RewriteEngine on
143. RewriteCond %{HTTP_USER_AGENT} .*Safari.*
144. RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
145. RewriteRule .* /wp-admin [redirect,last]
146. </IfModule>
147. </Location>
148. <Location /wp-admin>
149. SSLVerifyClient require
150. </Location>
151. # SSL Engine Options:
152. # Set various options for the SSL engine.
153. # o FakeBasicAuth:
154. # Translate the client X.509 into a Basic Authorisation. This means that
155. # the standard Auth/DBMAuth methods can be used for access control. The
156. # user name is the `one line' version of the client's X.509 certificate.
157. # Note that no password is obtained from the user. Every entry in the user
158. # file needs this password: `xxj31ZMTZzkVA'.
159. # o ExportCertData:
160. # This exports two additional environment variables: SSL_CLIENT_CERT and
161. # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
162. # server (always existing) and the client (only existing when client
163. # authentication is used). This can be used to import the certificates
164. # into CGI scripts.
165. # o StdEnvVars:
166. # This exports the standard SSL/TLS related `SSL_*' environment variables.
167. # Per default this exportation is switched off for performance reasons,
168. # because the extraction step is an expensive operation and is usually
169. # useless for serving static content. So one usually enables the
170. # exportation for CGI and SSI requests only.
171. # o StrictRequire:
172. # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
173. # under a "Satisfy any" situation, i.e. when it applies access is denied
174. # and no other module can change it.
175. # o OptRenegotiate:
176. # This enables optimized SSL connection renegotiation handling when SSL
177. # directives are used in per-directory context.
178. #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
179. <FilesMatch "\.(cgi|shtml|phtml|php)$">
180. SSLOptions +StdEnvVars
181. </FilesMatch>
182. <Directory "C:/xampp/apache/cgi-bin">
183. SSLOptions +StdEnvVars
184. </Directory>
185.  
186. # SSL Protocol Adjustments:
187. # The safe and default but still SSL/TLS standard compliant shutdown
188. # approach is that mod_ssl sends the close notify alert but doesn't wait for
189. # the close notify alert from client. When you need a different shutdown
190. # approach you can use one of the following variables:
191. # o ssl-unclean-shutdown:
192. # This forces an unclean shutdown when the connection is closed, i.e. no
193. # SSL close notify alert is sent or allowed to be received. This violates
194. # the SSL/TLS standard but is needed for some brain-dead browsers. Use
195. # this when you receive I/O errors because of the standard approach where
196. # mod_ssl sends the close notify alert.
197. # o ssl-accurate-shutdown:
198. # This forces an accurate shutdown when the connection is closed, i.e. a
199. # SSL close notify alert is send and mod_ssl waits for the close notify
200. # alert of the client. This is 100% SSL/TLS standard compliant, but in
201. # practice often causes hanging connections with brain-dead browsers. Use
202. # this only for browsers where you know that their SSL implementation
203. # works correctly.
204. # Notice: Most problems of broken clients are also related to the HTTP
205. # keep-alive facility, so you usually additionally want to disable
206. # keep-alive for those clients, too. Use variable "nokeepalive" for this.
207. # Similarly, one has to force some clients to use HTTP/1.0 to workaround
208. # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
209. # "force-response-1.0" for this.
210. BrowserMatch "MSIE [2-5]" \
211. nokeepalive ssl-unclean-shutdown \
212. downgrade-1.0 force-response-1.0
213.  
214. # Per-Server Logging:
215. # The home of a custom SSL log file. Use this when you want a
216. # compact non-error SSL logfile on a virtual host basis.
217. CustomLog "C:/xampp/apache/logs/ssl_request.log" \
218. "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
219.  
220. </VirtualHost>