diff options
Diffstat (limited to 'files/vhosts.d/Gentoo/0-default_ssl.conf')
| -rw-r--r-- | files/vhosts.d/Gentoo/0-default_ssl.conf | 200 |
1 files changed, 0 insertions, 200 deletions
diff --git a/files/vhosts.d/Gentoo/0-default_ssl.conf b/files/vhosts.d/Gentoo/0-default_ssl.conf deleted file mode 100644 index a123de8..0000000 --- a/files/vhosts.d/Gentoo/0-default_ssl.conf +++ /dev/null @@ -1,200 +0,0 @@ -############################################################ -#### this file is managed by PUPPET #### -#### only modify in svn or you will loose the changes ! #### -############################################################ -<IfDefine SSL> -<IfDefine SSL_DEFAULT_VHOST> -<IfModule ssl_module> -# see bug #178966 why this is in here - -# When we also provide SSL we have to listen to the HTTPS port -# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two -# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443" -Listen 443 -NameVirtualHost *:443 -LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x" sslcombined -UseCanonicalName On - -<VirtualHost _default_:443> - Include /etc/apache2/vhosts.d/default_vhost.include - ErrorLog /var/log/apache2/ssl_error_log - - <IfModule log_config_module> - TransferLog /var/log/apache2/ssl_access_log - </IfModule> - - ## SSL Engine Switch: - # Enable/Disable SSL for this virtual host. - SSLEngine on - - ## SSL Cipher Suite: - # List the ciphers that the client is permitted to negotiate. - # See the mod_ssl documentation for a complete list. - #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL - #SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 - SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:@STRENGTH - - SSLCertificateFile /e/certs/server.crt - SSLCertificateKeyFile /e/certs/server.key - <Files ~ "\.(cgi|shtml|phtml|php3?)$"> - SSLOptions +StdEnvVars - </Files> - - RewriteEngine on - RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) - RewriteRule .* - [F] - ServerSignature Off - - ## Server Certificate: - # Point SSLCertificateFile at a PEM encoded certificate. If the certificate - # is encrypted, then you will be prompted for a pass phrase. Note that a - # kill -HUP will prompt again. Keep in mind that if you have both an RSA - # and a DSA certificate you can configure both in parallel (to also allow - # the use of DSA ciphers, etc.) - #SSLCertificateFile /etc/apache2/ssl/server.crt - #SSLCertificateFile /etc/apache2/ssl/server-dsa.crt - - ## Server Private Key: - # If the key is not combined with the certificate, use this directive to - # point at the key file. Keep in mind that if you've both a RSA and a DSA - # private key you can configure both in parallel (to also allow the use of - # DSA ciphers, etc.) - #SSLCertificateKeyFile /etc/apache2/ssl/server.key - #SSLCertificateKeyFile /etc/apache2/ssl/server-dsa.key - - ## Server Certificate Chain: - # Point SSLCertificateChainFile at a file containing the concatenation of - # PEM encoded CA certificates which form the certificate chain for the - # server certificate. Alternatively the referenced file can be the same as - # SSLCertificateFile when the CA certificates are directly appended to the - # server certificate for convinience. - #SSLCertificateChainFile /etc/apache2/ssl/ca.crt - - ## Certificate Authority (CA): - # Set the CA certificate verification path where to find CA certificates - # for client authentication or alternatively one huge file containing all - # of them (file must be PEM encoded). - # Note: Inside SSLCACertificatePath you need hash symlinks to point to the - # certificate files. Use the provided Makefile to update the hash symlinks - # after changes. - #SSLCACertificatePath /etc/apache2/ssl/ssl.crt - #SSLCACertificateFile /etc/apache2/ssl/ca-bundle.crt - - ## Certificate Revocation Lists (CRL): - # Set the CA revocation path where to find CA CRLs for client authentication - # or alternatively one huge file containing all of them (file must be PEM - # encoded). - # Note: Inside SSLCARevocationPath you need hash symlinks to point to the - # certificate files. Use the provided Makefile to update the hash symlinks - # after changes. - #SSLCARevocationPath /etc/apache2/ssl/ssl.crl - #SSLCARevocationFile /etc/apache2/ssl/ca-bundle.crl - - ## Client Authentication (Type): - # Client certificate verification type and depth. Types are none, optional, - # require and optional_no_ca. Depth is a number which specifies how deeply - # to verify the certificate issuer chain before deciding the certificate is - # not valid. - #SSLVerifyClient require - #SSLVerifyDepth 10 - - ## Access Control: - # With SSLRequire you can do per-directory access control based on arbitrary - # complex boolean expressions containing server variable checks and other - # lookup directives. The syntax is a mixture between C and Perl. See the - # mod_ssl documentation for more details. - #<Location /> - # #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ - # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ - # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ - # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ - # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ - # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ - #</Location> - - ## SSL Engine Options: - # Set various options for the SSL engine. - - ## FakeBasicAuth: - # Translate the client X.509 into a Basic Authorisation. This means that the - # standard Auth/DBMAuth methods can be used for access control. The user - # name is the `one line' version of the client's X.509 certificate. - # Note that no password is obtained from the user. Every entry in the user - # file needs this password: `xxj31ZMTZzkVA'. - - ## ExportCertData: - # This exports two additional environment variables: SSL_CLIENT_CERT and - # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the server - # (always existing) and the client (only existing when client - # authentication is used). This can be used to import the certificates into - # CGI scripts. - - ## StdEnvVars: - # This exports the standard SSL/TLS related `SSL_*' environment variables. - # Per default this exportation is switched off for performance reasons, - # because the extraction step is an expensive operation and is usually - # useless for serving static content. So one usually enables the exportation - # for CGI and SSI requests only. - - ## StrictRequire: - # This denies access when "SSLRequireSSL" or "SSLRequire" applied even under - # a "Satisfy any" situation, i.e. when it applies access is denied and no - # other module can change it. - - ## OptRenegotiate: - # This enables optimized SSL connection renegotiation handling when SSL - # directives are used in per-directory context. - #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire - <FilesMatch "\.(cgi|shtml|phtml|php)$"> - SSLOptions +StdEnvVars - </FilesMatch> - - <Directory "/var/www/localhost/cgi-bin"> - SSLOptions +StdEnvVars - </Directory> - - ## SSL Protocol Adjustments: - # The safe and default but still SSL/TLS standard compliant shutdown - # approach is that mod_ssl sends the close notify alert but doesn't wait - # for the close notify alert from client. When you need a different - # shutdown approach you can use one of the following variables: - - ## ssl-unclean-shutdown: - # This forces an unclean shutdown when the connection is closed, i.e. no - # SSL close notify alert is send or allowed to received. This violates the - # SSL/TLS standard but is needed for some brain-dead browsers. Use this when - # you receive I/O errors because of the standard approach where mod_ssl - # sends the close notify alert. - - ## ssl-accurate-shutdown: - # This forces an accurate shutdown when the connection is closed, i.e. a - # SSL close notify alert is send and mod_ssl waits for the close notify - # alert of the client. This is 100% SSL/TLS standard compliant, but in - # practice often causes hanging connections with brain-dead browsers. Use - # this only for browsers where you know that their SSL implementation works - # correctly. - # Notice: Most problems of broken clients are also related to the HTTP - # keep-alive facility, so you usually additionally want to disable - # keep-alive for those clients, too. Use variable "nokeepalive" for this. - # Similarly, one has to force some clients to use HTTP/1.0 to workaround - # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and - # "force-response-1.0" for this. - <IfModule setenvif_module> - BrowserMatch ".*MSIE.*" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - </IfModule> - - ## Per-Server Logging: - # The home of a custom SSL log file. Use this when you want a compact - # non-error SSL logfile on a virtual host basis. - <IfModule log_config_module> - CustomLog /var/log/apache2/ssl_request_log \ - "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" - </IfModule> -</VirtualHost> -</IfModule> -</IfDefine> -</IfDefine> - -# vim: ts=4 filetype=apache |