#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailed information about these
# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#

#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512


#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
#       Listen directives: "Listen [::]:@@SSLPort@@" and "Listen 0.0.0.0:@@SSLPort@@"
#
Listen @@SSLPort@@

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#
#   Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is an internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache         "dbm:@exp_runtimedir@/ssl_scache"
SSLSessionCache        "shmcb:@exp_runtimedir@/ssl_scache(512000)"
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
SSLMutex  "file:@exp_runtimedir@/ssl_mutex"

##
## SSL Virtual Host Context
##

<VirtualHost _default_:@@SSLPort@@>

#   General setup for the virtual host
DocumentRoot "@exp_htdocsdir@"
ServerName www.example.com:@@SSLPort@@
ServerAdmin you@example.com
ErrorLog "@exp_logfiledir@/error_log"
TransferLog "@exp_logfiledir@/access_log"

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Protocol support:
#   List the protocol versions which clients are allowed to
#   connect with. Disable SSLv2 by default (cf. RFC 6176).
SSLProtocol all -SSLv2

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

#   Speed-optimized SSL Cipher configuration:
#   If speed is your main concern (on busy HTTPS servers e.g.),
#   you might want to force clients to specific, performance
#   optimized ciphers. In this case, prepend those ciphers
#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
#   (as in the example below), most connections will no longer
#   have perfect forward secrecy - if the server's key is
#   compromised, captures of past or future traffic must be
#   considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
#   require an ECC certificate which can also be configured in
#   parallel.
SSLCertificateFile "@exp_sysconfdir@/server.crt"
#SSLCertificateFile "@exp_sysconfdir@/server-dsa.crt"
#SSLCertificateFile "@exp_sysconfdir@/server-ecc.crt"

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you have both an RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile "@exp_sysconfdir@/server.key"
#SSLCertificateKeyFile "@exp_sysconfdir@/server-dsa.key"
#SSLCertificateKeyFile "@exp_sysconfdir@/server-ecc.key"

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile "@exp_sysconfdir@/server-ca.crt"

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCACertificatePath "@exp_sysconfdir@/ssl.crt"
#SSLCACertificateFile "@exp_sysconfdir@/ssl.crt/ca-bundle.crt"

#   Certificate Revocation Lists (CRL):
#   Set the CA revocation path where to find CA CRLs for client
#   authentication or alternatively one huge file containing all
#   of them (file must be PEM encoded)
#   Note: Inside SSLCARevocationPath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCARevocationPath "@exp_sysconfdir@/ssl.crl"
#SSLCARevocationFile "@exp_sysconfdir@/ssl.crl/ca-bundle.crl"

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrarily complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     By default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "@exp_cgidir@">
    SSLOptions +StdEnvVars
</Directory>

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is sent or allowed to be received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is sent and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to work around
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog "@exp_logfiledir@/ssl_request_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
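The protocol, cipher-suite and client-authentication sections above each carry a hardening note (SSLv2 disabled by default, the forward-secrecy caveat on the speed-optimized cipher list, SSLVerifyClient needing a CA bundle). The following lint, an added example that is not part of the Apache distribution, applies those notes to a config text. It parses directives the way the template is written (comments, `\` continuations, container tags), evaluates SSLProtocol's `all`/`+`/`-` syntax, and flags the weak settings; the `all` expansion and the cipher-name heuristics (weak prefixes, ephemeral key-exchange prefixes) are this script's own assumptions, not mod_ssl's, and the two sample configs are constructed with placeholder paths.

```python
"""Added example: a small lint for the security-relevant mod_ssl directives
in an httpd-ssl.conf. Not part of Apache httpd; heuristics are this script's."""

# Expansion this lint uses for SSLProtocol's "all" keyword (assumption: a 2.2
# build with TLSv1.1/TLSv1.2 support, i.e. 2.2.23+ on OpenSSL 1.0.1).
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
INSECURE_PROTOCOLS = ("SSLv2", "SSLv3")
# Cipher-name prefixes that denote ephemeral (forward-secret) key exchange.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "EECDH-")
# Cipher-name prefixes this lint treats as weak (heuristic, not exhaustive).
WEAK_CIPHER_PREFIXES = ("RC4", "EXP", "NULL", "DES-CBC-")


def parse_directives(text):
    """Return [(name, [args])] for every active directive, joining '\\' continuations.
    Comment lines and container tags (<VirtualHost>, <Directory>, ...) are skipped,
    so the lint is deliberately context-free."""
    directives, pending = [], ""
    for raw in text.splitlines():
        line = (pending + " " + raw.strip()).strip() if pending else raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip()
            continue
        if not line or line[0] in "#<":
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives


def allowed_protocols(args):
    """Evaluate SSLProtocol's syntax: bare names and '+' add, '-' removes, 'all' expands."""
    allowed = set()
    for tok in args:
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else (name,)
        for n in names:
            if op == "-":
                allowed.discard(n)
            else:
                allowed.add(n)
    return allowed


def cipher_findings(args, honor_order):
    """Flag weak cipher tokens, and a non-forward-secret cipher placed first
    while SSLHonorCipherOrder is on (the caveat in the speed-optimized example)."""
    spec = args[0].strip('"') if args else ""
    tokens = [t for t in spec.split(":") if t]
    findings = []
    for tok in tokens:
        if tok[0] not in "!-" and tok.lstrip("+").upper().startswith(WEAK_CIPHER_PREFIXES):
            findings.append(f"SSLCipherSuite enables weak cipher token {tok}")
    # Concrete cipher names (e.g. RC4-SHA) contain '-'; keywords such as HIGH do not.
    concrete = [t for t in tokens if "-" in t and t[0] not in "!+-"]
    if honor_order and concrete and not concrete[0].upper().startswith(FORWARD_SECRET_PREFIXES):
        findings.append(f"SSLHonorCipherOrder prefers {concrete[0]}, which lacks forward secrecy")
    return findings


def lint(text):
    """Run all checks over a config text and return the findings in a fixed order."""
    by_name = {}
    for name, args in parse_directives(text):
        by_name.setdefault(name, []).append(args)
    findings = []
    for args in by_name.get("SSLProtocol", []):
        for proto in sorted(allowed_protocols(args) & set(INSECURE_PROTOCOLS)):
            findings.append(f"SSLProtocol permits {proto}")
    honor = any(a and a[0].lower() == "on" for a in by_name.get("SSLHonorCipherOrder", []))
    for args in by_name.get("SSLCipherSuite", []):
        findings.extend(cipher_findings(args, honor))
    verifying = any(a and a[0].lower() in ("require", "optional")
                    for a in by_name.get("SSLVerifyClient", []))
    if verifying and "SSLCACertificateFile" not in by_name and "SSLCACertificatePath" not in by_name:
        findings.append("SSLVerifyClient is set but no SSLCACertificateFile/Path is configured")
    return findings


# Constructed sample: the active directives of the stock template, with
# placeholder paths instead of the @exp_...@ build variables.
TEMPLATE_DEFAULTS = """\
Listen 443
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile "/path/to/server.crt"
SSLCertificateKeyFile "/path/to/server.key"
</VirtualHost>
"""

# Constructed sample: the speed-optimized variant with client authentication
# switched on but the CA bundle left commented out.
SPEED_VARIANT = """\
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
SSLHonorCipherOrder on
#SSLCACertificateFile "/path/to/ca-bundle.crt"
SSLVerifyClient require
SSLVerifyDepth 10
</VirtualHost>
"""

if __name__ == "__main__":
    for label, sample in (("template defaults", TEMPLATE_DEFAULTS), ("speed variant", SPEED_VARIANT)):
        print(f"== {label}")
        for finding in lint(sample) or ["no findings"]:
            print("  -", finding)
```

Run against the template's own defaults the lint reports only that SSLv3 is still permitted by `all -SSLv2`; against the speed variant it reports the RC4 token, the loss of forward secrecy when that token is honoured first, and the missing CA bundle that SSLVerifyClient would need. Feeding it a real httpd-ssl.conf after substituting the `@exp_...@` variables is the intended use.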
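The commented SSLRequire example in the Access Control section is easy to misread because of its precedence: the trailing `or %{REMOTE_ADDR} ...` applies to the whole parenthesised certificate group, so a matching source address is sufficient on its own. The following added example (not from the Apache distribution) renders that expression as a Python predicate over a dictionary of mod_ssl-style variables so each branch can be exercised. The variable names mirror mod_ssl's `SSL_*`, `TIME_*` and `REMOTE_ADDR`; that an unset variable behaves like the empty string, and that `TIME_WDAY` counts from Sunday = 0, are assumptions taken from mod_ssl's documented variable semantics, and the sample requests are constructed.

```python
"""Added example: the template's SSLRequire policy as a Python predicate.
Not part of Apache httpd; variable semantics are assumptions noted inline."""
import re


def snake_oil_policy(env):
    """True when the request satisfies the example SSLRequire expression.
    env maps mod_ssl variable names to strings; unset means "" (assumption)."""
    def var(key):
        return env.get(key, "")

    # %{SSL_CIPHER} !~ m/^(EXP|NULL)/  (an empty cipher string passes this test)
    cipher_ok = re.match(r"^(EXP|NULL)", var("SSL_CIPHER")) is None
    # %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd."
    org_ok = var("SSL_CLIENT_S_DN_O") == "Snake Oil, Ltd."
    # %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
    unit_ok = var("SSL_CLIENT_S_DN_OU") in {"Staff", "CA", "Dev"}
    # %{TIME_WDAY} >= 1 and <= 5  (Monday..Friday with Sunday = 0, assumption)
    wday_ok = var("TIME_WDAY").isdigit() and 1 <= int(var("TIME_WDAY")) <= 5
    # %{TIME_HOUR} >= 8 and <= 20
    hour_ok = var("TIME_HOUR").isdigit() and 8 <= int(var("TIME_HOUR")) <= 20
    certificate_branch = cipher_ok and org_ok and unit_ok and wday_ok and hour_ok

    # The trailing "or" applies to the whole parenthesised group above:
    # a matching source address grants access with no certificate checks at all.
    address_branch = re.match(r"^192\.76\.162\.[0-9]+$", var("REMOTE_ADDR")) is not None
    return bool(certificate_branch or address_branch)


# Constructed sample requests (values are illustrative, not captured data).
STAFF_ON_MONDAY = {
    "SSL_CIPHER": "AES256-SHA",
    "SSL_CLIENT_S_DN_O": "Snake Oil, Ltd.",
    "SSL_CLIENT_S_DN_OU": "Staff",
    "TIME_WDAY": "1",
    "TIME_HOUR": "9",
    "REMOTE_ADDR": "203.0.113.7",
}
STAFF_ON_SUNDAY = dict(STAFF_ON_MONDAY, TIME_WDAY="0")
STAFF_EXPORT_CIPHER = dict(STAFF_ON_MONDAY, SSL_CIPHER="EXP-RC4-MD5")
CONTRACTOR_UNIT = dict(STAFF_ON_MONDAY, SSL_CLIENT_S_DN_OU="Contractors")
# No client certificate variables at all, off-hours, but from the listed subnet.
NO_CERT_FROM_SUBNET = {
    "SSL_CIPHER": "AES256-SHA",
    "TIME_WDAY": "0",
    "TIME_HOUR": "3",
    "REMOTE_ADDR": "192.76.162.42",
}

if __name__ == "__main__":
    for label, request in (("staff, Monday 09:00", STAFF_ON_MONDAY),
                           ("staff, Sunday", STAFF_ON_SUNDAY),
                           ("staff, export cipher", STAFF_EXPORT_CIPHER),
                           ("other OU", CONTRACTOR_UNIT),
                           ("no cert, listed subnet", NO_CERT_FROM_SUBNET)):
        print(f"{label:28s} -> {'allow' if snake_oil_policy(request) else 'deny'}")
```

The last sample is the one worth noticing when reviewing such a rule: every certificate, cipher and time-of-day condition fails, yet the request is allowed purely on the source address, which is exactly what the expression's structure says. Combining it with `+StrictRequire` (described under SSL Engine Options) only makes a denial final; it does not change which branch grants access.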