Guest User

default-ssl.conf

a guest
Dec 23rd, 2015
216
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <IfModule mod_ssl.c>
  2. <VirtualHost _default_:443>
  3. ServerAdmin webmaster@localhost
  4.  
  5. DocumentRoot /var/www/html
  6.  
  7. # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
  8. # error, crit, alert, emerg.
  9. # It is also possible to configure the loglevel for particular
  10. # modules, e.g.
  11. #LogLevel info ssl:warn
  12.  
  13. ErrorLog ${APACHE_LOG_DIR}/error.log
  14. CustomLog ${APACHE_LOG_DIR}/access.log combined
  15.  
  16. # For most configuration files from conf-available/, which are
  17. # enabled or disabled at a global level, it is possible to
  18. # include a line for only one particular virtual host. For example the
  19. # following line enables the CGI configuration for this host only
  20. # after it has been globally disabled with "a2disconf".
  21. #Include conf-available/serve-cgi-bin.conf
  22.  
  23. # SSL Engine Switch:
  24. # Enable/Disable SSL for this virtual host.
  25. SSLEngine on
  26.  
  27. # A self-signed (snakeoil) certificate can be created by installing
  28. # the ssl-cert package. See
  29. # /usr/share/doc/apache2/README.Debian.gz for more info.
  30. # If both key and certificate are stored in the same file, only the
  31. # SSLCertificateFile directive is needed.
  32. #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
  33. #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
  34.  
  35. SSLCertificateFile /etc/ssl/server.pem
  36. SSLCertificateKeyFile /etc/ssl/server.key
  37.  
  38.  
  39. # Server Certificate Chain:
  40. # Point SSLCertificateChainFile at a file containing the
  41. # concatenation of PEM encoded CA certificates which form the
  42. # certificate chain for the server certificate. Alternatively
  43. # the referenced file can be the same as SSLCertificateFile
  44. # when the CA certificates are directly appended to the server
  45. # certificate for convinience.
  46. #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
  47.  
  48. # Certificate Authority (CA):
  49. # Set the CA certificate verification path where to find CA
  50. # certificates for client authentication or alternatively one
  51. # huge file containing all of them (file must be PEM encoded)
  52. # Note: Inside SSLCACertificatePath you need hash symlinks
  53. # to point to the certificate files. Use the provided
  54. # Makefile to update the hash symlinks after changes.
  55. #SSLCACertificatePath /etc/ssl/certs/
  56. #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
  57.  
  58. SSLCACertificatePath /etc/ssl/
  59. SSLCACertificateFile /etc/ssl/ca.cer
  60.  
  61. # Certificate Revocation Lists (CRL):
  62. # Set the CA revocation path where to find CA CRLs for client
  63. # authentication or alternatively one huge file containing all
  64. # of them (file must be PEM encoded)
  65. # Note: Inside SSLCARevocationPath you need hash symlinks
  66. # to point to the certificate files. Use the provided
  67. # Makefile to update the hash symlinks after changes.
  68. #SSLCARevocationPath /etc/apache2/ssl.crl/
  69. #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
  70.  
  71. #SSLCARevocationPath /etc/ssl/
  72. SSLCARevocationFile /etc/ssl/revoke.crl
  73. SSLCARevocationCheck chain
  74.  
  75.  
  76. # Client Authentication (Type):
  77. # Client certificate verification type and depth. Types are
  78. # none, optional, require and optional_no_ca. Depth is a
  79. # number which specifies how deeply to verify the certificate
  80. # issuer chain before deciding the certificate is not valid.
  81. SSLVerifyClient require
  82. SSLVerifyDepth 10
  83.  
  84. # SSL Engine Options:
  85. # Set various options for the SSL engine.
  86. # o FakeBasicAuth:
  87. # Translate the client X.509 into a Basic Authorisation. This means that
  88. # the standard Auth/DBMAuth methods can be used for access control. The
  89. # user name is the `one line' version of the client's X.509 certificate.
  90. # Note that no password is obtained from the user. Every entry in the user
  91. # file needs this password: `xxj31ZMTZzkVA'.
  92. # o ExportCertData:
  93. # This exports two additional environment variables: SSL_CLIENT_CERT and
  94. # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
  95. # server (always existing) and the client (only existing when client
  96. # authentication is used). This can be used to import the certificates
  97. # into CGI scripts.
  98. # o StdEnvVars:
  99. # This exports the standard SSL/TLS related `SSL_*' environment variables.
  100. # Per default this exportation is switched off for performance reasons,
  101. # because the extraction step is an expensive operation and is usually
  102. # useless for serving static content. So one usually enables the
  103. # exportation for CGI and SSI requests only.
  104. # o OptRenegotiate:
  105. # This enables optimized SSL connection renegotiation handling when SSL
  106. # directives are used in per-directory context.
  107. #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
  108. <FilesMatch "\.(cgi|shtml|phtml|php)$">
  109. SSLOptions +StdEnvVars
  110. </FilesMatch>
  111. <Directory /usr/lib/cgi-bin>
  112. SSLOptions +StdEnvVars
  113. </Directory>
  114.  
  115. # SSL Protocol Adjustments:
  116. # The safe and default but still SSL/TLS standard compliant shutdown
  117. # approach is that mod_ssl sends the close notify alert but doesn't wait for
  118. # the close notify alert from client. When you need a different shutdown
  119. # approach you can use one of the following variables:
  120. # o ssl-unclean-shutdown:
  121. # This forces an unclean shutdown when the connection is closed, i.e. no
  122. # SSL close notify alert is send or allowed to received. This violates
  123. # the SSL/TLS standard but is needed for some brain-dead browsers. Use
  124. # this when you receive I/O errors because of the standard approach where
  125. # mod_ssl sends the close notify alert.
  126. # o ssl-accurate-shutdown:
  127. # This forces an accurate shutdown when the connection is closed, i.e. a
  128. # SSL close notify alert is send and mod_ssl waits for the close notify
  129. # alert of the client. This is 100% SSL/TLS standard compliant, but in
  130. # practice often causes hanging connections with brain-dead browsers. Use
  131. # this only for browsers where you know that their SSL implementation
  132. # works correctly.
  133. # Notice: Most problems of broken clients are also related to the HTTP
  134. # keep-alive facility, so you usually additionally want to disable
  135. # keep-alive for those clients, too. Use variable "nokeepalive" for this.
  136. # Similarly, one has to force some clients to use HTTP/1.0 to workaround
  137. # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
  138. # "force-response-1.0" for this.
  139. BrowserMatch "MSIE [2-6]" \
  140. nokeepalive ssl-unclean-shutdown \
  141. downgrade-1.0 force-response-1.0
  142. # MSIE 7 and newer should be able to use keepalive
  143. BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
  144.  
  145. </VirtualHost>
  146. </IfModule>
  147.  
  148. # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
RAW Paste Data