#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailed information about these
# directives see <URL:http://httpd.apache.org/docs/2.4/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# Required modules: mod_log_config, mod_setenvif, mod_ssl,
# socache_shmcb_module (for default value of SSLSessionCache)

#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512


#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
Listen @@SSLPort@@

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

#   Speed-optimized SSL Cipher configuration:
#   If speed is your main concern (on busy HTTPS servers e.g.),
#   you might want to force clients to specific, performance
#   optimized ciphers. In this case, prepend those ciphers
#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
#   (as in the example below), most connections will no longer
#   have perfect forward secrecy - if the server's key is
#   compromised, captures of past or future traffic must be
#   considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is an internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiry timeout (in seconds).
#SSLSessionCache "dbm:@exp_runtimedir@/ssl_scache"
SSLSessionCache "shmcb:@exp_runtimedir@/ssl_scache(512000)"
SSLSessionCacheTimeout 300

##
## SSL Virtual Host Context
##

<VirtualHost _default_:@@SSLPort@@>

#   General setup for the virtual host
DocumentRoot "@exp_htdocsdir@"
ServerName www.example.com:@@SSLPort@@
ServerAdmin you@example.com
ErrorLog "@exp_logfiledir@/error_log"
TransferLog "@exp_logfiledir@/access_log"

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate. If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase. Note that a kill -HUP will prompt again. Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
#   require an ECC certificate which can also be configured in
#   parallel.
SSLCertificateFile "@exp_sysconfdir@/server.crt"
#SSLCertificateFile "@exp_sysconfdir@/server-dsa.crt"
#SSLCertificateFile "@exp_sysconfdir@/server-ecc.crt"

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file. Keep in mind that if
#   you have both an RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel.
SSLCertificateKeyFile "@exp_sysconfdir@/server.key"
#SSLCertificateKeyFile "@exp_sysconfdir@/server-dsa.key"
#SSLCertificateKeyFile "@exp_sysconfdir@/server-ecc.key"

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile "@exp_sysconfdir@/server-ca.crt"

#   Certificate Authority (CA):
#   Set the CA certificate verification path, i.e. where to find CA
#   certificates for client authentication, or alternatively one
#   huge file containing all of them (file must be PEM encoded).
#   Note: Inside SSLCACertificatePath you need hash symlinks
#   to point to the certificate files. Use the provided
#   Makefile to update the hash symlinks after changes.
#SSLCACertificatePath "@exp_sysconfdir@/ssl.crt"
#SSLCACertificateFile "@exp_sysconfdir@/ssl.crt/ca-bundle.crt"

#   Certificate Revocation Lists (CRL):
#   Set the CA revocation path where to find CA CRLs for client
#   authentication, or alternatively one huge file containing all
#   of them (file must be PEM encoded).
#   The CRL checking mode needs to be configured explicitly
#   through SSLCARevocationCheck (defaults to "none" otherwise).
#   Note: Inside SSLCARevocationPath you need hash symlinks
#   to point to the certificate files. Use the provided
#   Makefile to update the hash symlinks after changes.
#SSLCARevocationPath "@exp_sysconfdir@/ssl.crl"
#SSLCARevocationFile "@exp_sysconfdir@/ssl.crl/ca-bundle.crl"
#SSLCARevocationCheck chain

#   Client Authentication (Type):
#   Client certificate verification type and depth. Types are
#   none, optional, require and optional_no_ca. Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10

#   TLS-SRP mutual authentication:
#   Enable TLS-SRP and set the path to the OpenSSL SRP verifier
#   file (containing login information for SRP user accounts).
#   Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for
#   detailed instructions on creating this file. Example:
#   "openssl srp -srpvfile @exp_sysconfdir@/passwd.srpv -add username"
#SSLSRPVerifierFile "@exp_sysconfdir@/passwd.srpv"

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrarily complex boolean expressions containing server
#   variable checks and other lookup directives. The syntax is a
#   mixture between C and Perl. See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation. This means that
#     the standard Auth/DBMAuth methods can be used for access control. The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     By default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" is applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "@exp_cgidir@">
    SSLOptions +StdEnvVars
</Directory>

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is sent or allowed to be received. This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is sent and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to work around
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog "@exp_logfiledir@/ssl_request_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
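The ssl_request_log configured above records, per request, the negotiated protocol and cipher suite, which is exactly what is needed to check whether the forward-secrecy caveat attached to the speed-optimized cipher list is biting in practice. The following audit script is an added example, not part of the Apache distribution: it parses lines in that exact CustomLog format and flags clients that negotiated a legacy protocol, a cipher suite without an ephemeral key exchange, or a suite containing a weak component; the log lines it runs on are constructed, and the marker lists are the author's choice rather than anything mod_ssl defines.

```python
import re
# Field layout of the ssl_request_log configured above (%t is bracketed):
#   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<bytes>\d+|-)$'
)
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL suite names: ephemeral (EC)DHE key exchange gives forward secrecy and
# every TLS 1.3 suite (TLS_*) does; anonymous suites are already cut by !aNULL.
PFS_PREFIXES = ("ECDHE-", "DHE-", "TLS_")
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES-CBC3", "NULL", "EXP")

def parse_line(line: str) -> dict:
    """Split one log line into its fields; {} if it is not in this format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else {}

def assess(entry: dict) -> list:
    """Findings for one parsed entry; an empty list means nothing to flag."""
    proto, cipher = entry["proto"], entry["cipher"]
    if proto == "-" or cipher == "-":
        return []  # plain-HTTP request: mod_ssl logs "-" for both fields
    findings = []
    if proto in WEAK_PROTOCOLS:
        findings.append(f"legacy protocol {proto}")
    if not cipher.startswith(PFS_PREFIXES):
        findings.append(f"no forward secrecy ({cipher})")
    findings += [f"weak cipher component {mk}" for mk in WEAK_CIPHER_MARKERS if mk in cipher]
    return findings

def audit(log_text: str) -> dict:
    """Map each client host that triggered a finding to its list of findings."""
    report = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue  # truncated or foreign line: skip rather than guess
        for finding in assess(entry):
            report.setdefault(entry["host"], []).append(finding)
    return report

# Constructed sample lines in the configured format (not real traffic).
SAMPLE_LOG = """\
[10/Oct/2023:13:55:36 +0000] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 512
[10/Oct/2023:13:55:37 +0000] 192.0.2.11 TLSv1.2 AES128-SHA "GET /cgi-bin/env HTTP/1.1" 2048
[10/Oct/2023:13:55:38 +0000] 192.0.2.12 TLSv1 RC4-SHA "GET /index.html HTTP/1.0" 128
[10/Oct/2023:13:55:39 +0000] 192.0.2.13 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /login HTTP/1.1" 64
[10/Oct/2023:13:55:40 +0000] 192.0.2.14 - - "GET /robots.txt HTTP/1.1" 30
"""
```

Run `audit(open("ssl_request_log").read())` against a real log to see which clients would lose forward secrecy under the RC4-SHA/AES128-SHA ordering shown above; hosts that only ever negotiate ECDHE/DHE or TLS 1.3 suites do not appear in the report.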