default.ssl

1. <IfModule mod_ssl.c>
2.         <VirtualHost _default_:443>
3.                 ServerAdmin informatique@domain.com
4.                 ServerName webserver
5.                 DocumentRoot /var/www
6.  
7.                 # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
8.                 # error, crit, alert, emerg.
9.                 # It is also possible to configure the loglevel for particular
10.                 # modules, e.g.
11.                 #LogLevel info ssl:warn
12.  
13.                 ErrorLog ${APACHE_LOG_DIR}/error.log
14.                 CustomLog ${APACHE_LOG_DIR}/access.log combined
15.  
16.                 # For most configuration files from conf-available/, which are
17.                 # enabled or disabled at a global level, it is possible to
18.                 # include a line for only one particular virtual host. For example the
19.                 # following line enables the CGI configuration for this host only
20.                 # after it has been globally disabled with "a2disconf".
21.                 #Include conf-available/serve-cgi-bin.conf
22.  
23.                 #   SSL Engine Switch:
24.                 #   Enable/Disable SSL for this virtual host.
25.                 SSLEngine on
26.  
27.                 #   A self-signed (snakeoil) certificate can be created by installing
28.                 #   the ssl-cert package. See
29.                 #   /usr/share/doc/apache2/README.Debian.gz for more info.
30.                 #   If both key and certificate are stored in the same file, only the
31.                 #   SSLCertificateFile directive is needed.
32.                 SSLCertificateFile      /etc/ssl/srv-supervision.crt
33.                 SSLCertificateKeyFile /etc/ssl/srv-supervision.key
34.  
35.                 #   Server Certificate Chain:
36.                 #   Point SSLCertificateChainFile at a file containing the
37.                 #   concatenation of PEM encoded CA certificates which form the
38.                 #   certificate chain for the server certificate. Alternatively
39.                 #   the referenced file can be the same as SSLCertificateFile
40.                 #   when the CA certificates are directly appended to the server
41.                 #   certificate for convinience.
42.                 #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
43.                 #   Certificate Authority (CA):
44.                 #   Set the CA certificate verification path where to find CA
45.                 #   certificates for client authentication or alternatively one
46.                 #   huge file containing all of them (file must be PEM encoded)
47.                 #   Note: Inside SSLCACertificatePath you need hash symlinks
48.                 #                to point to the certificate files. Use the provided
49.                 #                Makefile to update the hash symlinks after changes.
50.                 #SSLCACertificatePath /etc/ssl/certs/
51.                 #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
52.  
53.                 #   Certificate Revocation Lists (CRL):
54.                 #   Set the CA revocation path where to find CA CRLs for client
55.                 #   authentication or alternatively one huge file containing all
56.                 #   of them (file must be PEM encoded)
57.                 #   Note: Inside SSLCARevocationPath you need hash symlinks
58.                 #                to point to the certificate files. Use the provided
59.                 #                Makefile to update the hash symlinks after changes.
60.                 #SSLCARevocationPath /etc/apache2/ssl.crl/
61.                 #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
62.  
63.                 #   Client Authentication (Type):
64.                 #   Client certificate verification type and depth.  Types are
65.                 #   none, optional, require and optional_no_ca.  Depth is a
66.                 #   number which specifies how deeply to verify the certificate
67.                 #   issuer chain before deciding the certificate is not valid.
68.                 #SSLVerifyClient require
69.                 #SSLVerifyDepth  10
70.  
71.                 #   SSL Engine Options:
72.                 #   Set various options for the SSL engine.
73.                 #   o FakeBasicAuth:
74.                 #        Translate the client X.509 into a Basic Authorisation.  This means that
75.                 #        the standard Auth/DBMAuth methods can be used for access control.  The
76.                 #        user name is the `one line' version of the client's X.509 certificate.
77.                 #        Note that no password is obtained from the user. Every entry in the user
78.                 #        file needs this password: `xxj31ZMTZzkVA'.
79.                 #   o ExportCertData:
80.                 #        This exports two additional environment variables: SSL_CLIENT_CERT and
81.                 #        SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
82.                  #        server (always existing) and the client (only existing when client
83.                 #        authentication is used). This can be used to import the certificates
84.                 #        into CGI scripts.
85.                 #   o StdEnvVars:
86.                 #        This exports the standard SSL/TLS related `SSL_*' environment variables.
87.                 #        Per default this exportation is switched off for performance reasons,
88.                 #        because the extraction step is an expensive operation and is usually
89.                 #        useless for serving static content. So one usually enables the
90.                 #        exportation for CGI and SSI requests only.
91.                 #   o OptRenegotiate:
92.                 #        This enables optimized SSL connection renegotiation handling when SSL
93.                 #        directives are used in per-directory context.
94.                 #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
95.                 <FilesMatch "\.(cgi|shtml|phtml|php)$">
96.                                 SSLOptions +StdEnvVars
97.                 </FilesMatch>
98.                 <Directory /usr/lib/cgi-bin>
99.                                 SSLOptions +StdEnvVars
100.                 </Directory>
101.  
102.                 <directory "/var/www">
103.                 AuthType                Kerberos
104.                 AuthName                "Login"
105.                 KrbServiceName          HTTP/webserver.domain.lo@DOMAIN.LO
106.                 KrbVerifyKDC            on
107.                 KrbMethodNegotiate      on
108.                 KrbMethodK5Passwd       on
109.                 KrbAuthRealms           DOMAIN.LO
110.                 Krb5KeyTab              /etc/apache2/keytab/webserver.keytab
111.                 require                 valid-user
112.                 </directory>
113.  
114.                 #   SSL Protocol Adjustments:
115.                 #   The safe and default but still SSL/TLS standard compliant shutdown
116.                 #   approach is that mod_ssl sends the close notify alert but doesn't wait for
117.                 #   the close notify alert from client. When you need a different shutdown
118.                 #   approach you can use one of the following variables:
119.                 #   o ssl-unclean-shutdown:
120.                 #        This forces an unclean shutdown when the connection is closed, i.e. no
121.                 #        SSL close notify alert is send or allowed to received.  This violates
122.                  #        the SSL/TLS standard but is needed for some brain-dead browsers. Use
123.                 #        this when you receive I/O errors because of the standard approach where
124.                 #        mod_ssl sends the close notify alert.
125.                 #   o ssl-accurate-shutdown:
126.                 #        This forces an accurate shutdown when the connection is closed, i.e. a
127.                 #        SSL close notify alert is send and mod_ssl waits for the close notify
128.                 #        alert of the client. This is 100% SSL/TLS standard compliant, but in
129.                 #        practice often causes hanging connections with brain-dead browsers. Use
130.                 #        this only for browsers where you know that their SSL implementation
131.                 #        works correctly.
132.                 #   Notice: Most problems of broken clients are also related to the HTTP
133.                 #   keep-alive facility, so you usually additionally want to disable
134.                 #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
135.                 #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
136.                 #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
137.                 #   "force-response-1.0" for this.
138.                 BrowserMatch "MSIE [2-6]" \
139.                                 nokeepalive ssl-unclean-shutdown \
140.                                 downgrade-1.0 force-response-1.0
141.                 # MSIE 7 and newer should be able to use keepalive
142.                 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
143.  
144.         </VirtualHost>
145. </IfModule>
146.  
147. # vim: syntax=apache ts=4 sw=4 sts=4 sr noet