<IfModule mod_ssl.c>NameVirtualHost *:443<VirtualHost _default_:443> Serve

1. <IfModule mod_ssl.c>
2. NameVirtualHost *:443
3. <VirtualHost _default_:443>
4. ServerAdmin webmaster@localhost
5.  
6. DocumentRoot /var/www
7. <Directory />
8. Options FollowSymLinks
9. AllowOverride None
10. </Directory>
11. <Directory /var/www/>
12. Options Indexes FollowSymLinks MultiViews
13. AllowOverride None
14. Order allow,deny
15. allow from all
16. </Directory>
17.  
18. ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
19. <Directory "/usr/lib/cgi-bin">
20. AllowOverride None
21. Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
22. Order allow,deny
23. Allow from all
24. </Directory>
25.  
26. ErrorLog ${APACHE_LOG_DIR}/error.log
27.  
28. # Possible values include: debug, info, notice, warn, error, crit,
29. # alert, emerg.
30. LogLevel warn
31.  
32. CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
33.  
34. Alias /doc/ "/usr/share/doc/"
35. <Directory "/usr/share/doc/">
36. Options Indexes MultiViews FollowSymLinks
37. AllowOverride None
38. Order deny,allow
39. Deny from all
40. Allow from 127.0.0.0/255.0.0.0 ::1/128
41. </Directory>
42.  
43. # SSL Engine Switch:
44. # Enable/Disable SSL for this virtual host.
45. SSLEngine on
46.  
47. # A self-signed (snakeoil) certificate can be created by installing
48. # the ssl-cert package. See
49. # /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
50. # If both key and certificate are stored in the same file, only the
51. # SSLCertificateFile directive is needed.
52. #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
53. SSLCertificateFile /etc/apache2/ssl/apache.pem
54. #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
55.  
56. # Server Certificate Chain:
57. # Point SSLCertificateChainFile at a file containing the
58. # concatenation of PEM encoded CA certificates which form the
59. # certificate chain for the server certificate. Alternatively
60. # the referenced file can be the same as SSLCertificateFile
61. # when the CA certificates are directly appended to the server
62. # certificate for convinience.
63. #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
64.  
65. # Certificate Authority (CA):
66. # Set the CA certificate verification path where to find CA
67. # certificates for client authentication or alternatively one
68. # huge file containing all of them (file must be PEM encoded)
69. # Note: Inside SSLCACertificatePath you need hash symlinks
70. # to point to the certificate files. Use the provided
71. # Makefile to update the hash symlinks after changes.
72. #SSLCACertificatePath /etc/ssl/certs/
73. #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
74.  
75. # Certificate Revocation Lists (CRL):
76. # Set the CA revocation path where to find CA CRLs for client
77. # authentication or alternatively one huge file containing all
78. # of them (file must be PEM encoded)
79. # Note: Inside SSLCARevocationPath you need hash symlinks
80. # to point to the certificate files. Use the provided
81. # Makefile to update the hash symlinks after changes.
82. #SSLCARevocationPath /etc/apache2/ssl.crl/
83. #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
84.  
85. # Client Authentication (Type):
86. # Client certificate verification type and depth. Types are
87. # none, optional, require and optional_no_ca. Depth is a
88. # number which specifies how deeply to verify the certificate
89. # issuer chain before deciding the certificate is not valid.
90. #SSLVerifyClient require
91. #SSLVerifyDepth 10
92.  
93. # Access Control:
94. # With SSLRequire you can do per-directory access control based
95. # on arbitrary complex boolean expressions containing server
96. # variable checks and other lookup directives. The syntax is a
97. # mixture between C and Perl. See the mod_ssl documentation
98. # for more details.
99. #<Location />
100. #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
101. # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
102. # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
103. # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
104. # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
105. # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
106. #</Location>
107.  
108. # SSL Engine Options:
109. # Set various options for the SSL engine.
110. # o FakeBasicAuth:
111. # Translate the client X.509 into a Basic Authorisation. This means that
112. # the standard Auth/DBMAuth methods can be used for access control. The
113. # user name is the `one line' version of the client's X.509 certificate.
114. # Note that no password is obtained from the user. Every entry in the user
115. # file needs this password: `xxj31ZMTZzkVA'.
116. # o ExportCertData:
117. # This exports two additional environment variables: SSL_CLIENT_CERT and
118. # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
119. # server (always existing) and the client (only existing when client
120. # authentication is used). This can be used to import the certificates
121. # into CGI scripts.
122. # o StdEnvVars:
123. # This exports the standard SSL/TLS related `SSL_*' environment variables.
124. # Per default this exportation is switched off for performance reasons,
125. # because the extraction step is an expensive operation and is usually
126. # useless for serving static content. So one usually enables the
127. # exportation for CGI and SSI requests only.
128. # o StrictRequire:
129. # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
130. # under a "Satisfy any" situation, i.e. when it applies access is denied
131. # and no other module can change it.
132. # o OptRenegotiate:
133. # This enables optimized SSL connection renegotiation handling when SSL
134. # directives are used in per-directory context.
135. #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
136. <FilesMatch "\.(cgi|shtml|phtml|php)$">
137. SSLOptions +StdEnvVars
138. </FilesMatch>
139. <Directory /usr/lib/cgi-bin>
140. SSLOptions +StdEnvVars
141. </Directory>
142.  
143. # SSL Protocol Adjustments:
144. # The safe and default but still SSL/TLS standard compliant shutdown
145. # approach is that mod_ssl sends the close notify alert but doesn't wait for
146. # the close notify alert from client. When you need a different shutdown
147. # approach you can use one of the following variables:
148. # o ssl-unclean-shutdown:
149. # This forces an unclean shutdown when the connection is closed, i.e. no
150. # SSL close notify alert is send or allowed to received. This violates
151. # the SSL/TLS standard but is needed for some brain-dead browsers. Use
152. # this when you receive I/O errors because of the standard approach where
153. # mod_ssl sends the close notify alert.
154. # o ssl-accurate-shutdown:
155. # This forces an accurate shutdown when the connection is closed, i.e. a
156. # SSL close notify alert is send and mod_ssl waits for the close notify
157. # alert of the client. This is 100% SSL/TLS standard compliant, but in
158. # practice often causes hanging connections with brain-dead browsers. Use
159. # this only for browsers where you know that their SSL implementation
160. # works correctly.
161. # Notice: Most problems of broken clients are also related to the HTTP
162. # keep-alive facility, so you usually additionally want to disable
163. # keep-alive for those clients, too. Use variable "nokeepalive" for this.
164. # Similarly, one has to force some clients to use HTTP/1.0 to workaround
165. # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
166. # "force-response-1.0" for this.
167. BrowserMatch "MSIE [2-6]" \
168. nokeepalive ssl-unclean-shutdown \
169. downgrade-1.0 force-response-1.0
170. # MSIE 7 and newer should be able to use keepalive
171. BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
172.  
173. </VirtualHost>
174. </IfModule>