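LoadModule ssl_module modules/libssl.so

<IfModule mod_ssl.c>
##--------------------------------------------------------------------------
## Add additional SSL configuration directives which provide a
## robust default configuration: virtual server on port 443
## which speaks SSL.
##
## NOTE(review): this file mixes pre-2.2 mod_ssl directives (SSLMutex,
## SSLLog, SSLLogLevel) with a cipher list whose GCM/SHA256 suites are
## TLS 1.2-only. If the target is really an httpd 1.3/2.0-era mod_ssl,
## TLS 1.2 may never be negotiated and only the CBC-SHA suites are in
## play; if the target is httpd 2.2+, SSLLog/SSLLogLevel are unknown
## directives (mod_ssl then logs via ErrorLog/LogLevel) -- confirm
## the httpd version this ships with and trim accordingly.
##--------------------------------------------------------------------------
##
## SSL Support
##
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##
Listen 443

##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is an internal
# terminal dialog) has to provide the pass phrase on stdout.
# `builtin' prompts on the console at startup, so an encrypted key
# blocks unattended restarts; an unencrypted key file readable by
# root only (mode 0600) is usually the better trade-off.
SSLPassPhraseDialog builtin

# Inter-Process Session Cache:
# Configure the SSL Session Cache: First either `none',
# `dbm:/path/to/file' or `shm:/path/to/file(size)' for the
# mechanism to use and second the expiring timeout (in seconds).
# The cache holds session master secrets: keep it in a directory
# writable only by root, and keep the timeout short.
#SSLSessionCache none
#SSLSessionCache dbm:logs/ssl_scache
SSLSessionCache shm:/var/run/ssl_scache(512000)
SSLSessionCacheTimeout 300

# FOLLOW SECURE DEFAULTS: https://wiki.mozilla.org/Security/Server_Side_TLS

# Usable SSL protocol flavors:
# This directive can be used to control the SSL protocol flavors mod_ssl
# should use when establishing its server environment. Clients then can only
# connect with one of the provided protocols.
# SSLv2 and SSLv3 are disabled. TLS 1.0 and 1.1 stay enabled for client
# compatibility; both are deprecated (RFC 8996) and should be disabled
# (`-TLSv1 -TLSv1.1', keywords available on httpd 2.2.23+/2.4) once the
# ssl_request_log below shows no clients still negotiating them.
SSLProtocol all -SSLv2 -SSLv3

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# The list is ordered strongest-first (ECDHE + AES-GCM on top), but
# without `SSLHonorCipherOrder on' the *client's* preference decides,
# so a client may still pick the weak tail (AES:CAMELLIA CBC suites and
# DES-CBC3-SHA, i.e. 3DES with a 64-bit block). Enable the directive on
# any httpd that knows it (2.2 or later); on an older mod_ssl it is an
# unknown directive and would abort startup, hence it is left commented.
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
#SSLHonorCipherOrder on

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
# Must live in a directory only root can write to (symlink attacks).
SSLMutex file:/var/run/ssl_mutex

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# `builtin' alone (pid, time, stack contents) is a weak startup seed,
# so the kernel PRNG is read at startup as well; the directives are
# cumulative. /dev/random can block on a low-entropy host, which is
# why it stays disabled here.
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

# Logging:
# The home of the dedicated SSL protocol logfile. Errors are
# additionally duplicated in the general error log file. Put
# this somewhere where it cannot be used for symlink attacks on
# a real server (i.e. somewhere where only root can write).
# Log levels are (ascending order: higher ones include lower ones):
# none, error, warn, info, trace, debug.
# (Pre-2.2 directives; on httpd 2.2+ remove them and use ErrorLog/LogLevel.)
SSLLog logs/ssl_engine_log
SSLLogLevel info

<VirtualHost _default_:443>
SSLEngine on
# Legacy per-vhost cipher list kept for reference only: it re-enables
# RC4, LOW, EXP, SSLv2 and eNULL suites and must not be uncommented.
#SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Server certificate and private key. The key file must be readable by
# root only (mode 0600) -- httpd reads it before dropping privileges.
# Serve the intermediate chain (SSLCertificateChainFile) if the CA
# issued one, or clients that lack the intermediate fail to validate.
SSLCertificateFile /etc/apache/server.crt
SSLCertificateKeyFile /etc/apache/server.key
#SSLCertificateChainFile /etc/apache/conf/ssl.crt/ca.crt
# Client-certificate authentication (off by default). When enabling
# SSLVerifyClient, point SSLCACertificateFile at the issuing CA only
# (not a public bundle) and configure revocation checking.
#SSLCACertificatePath /etc/apache/conf/ssl.crt
#SSLCACertificateFile /etc/apache/conf/ssl.crt/ca-bundle.crt
#SSLCARevocationPath /etc/apache/conf/ssl.crl
#SSLCARevocationFile /etc/apache/conf/ssl.crl/ca-bundle.crl
#SSLVerifyClient require
#SSLVerifyDepth 10

# +FakeBasicAuth maps any accepted client-certificate DN onto a basic-auth
# user with the fixed password "password"; only use it together with a
# user file that lists exactly the DNs you trust.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
# SSL_* environment variables cost a little per request, so they are only
# exported where CGI/SSI code can actually consume them.
<Files ~ "\.(cgi|shtml)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/home/services/apache/html/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

<IfModule mod_setenvif.c>
# Workaround for old Internet Explorer SSL bugs: no keepalive and skip
# the close_notify alert on shutdown. ssl-unclean-shutdown makes
# connection truncation undetectable, so the match is limited to the
# IE 2-5 releases that needed it instead of every "MSIE" user agent.
SetEnvIf User-Agent "MSIE [2-5]" nokeepalive ssl-unclean-shutdown
</IfModule>

# Per-request protocol/cipher log. Enable it before tightening SSLProtocol
# or SSLCipherSuite: it shows which clients still rely on the weak suites.
#<IfModule mod_log_config.c>
#    CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
#    # enable the common log too, otherwise you will be surprised by missing access logs
#    # (a vhost with its own CustomLog no longer inherits the main server's)
#    CustomLog logs/access_log common
#</IfModule>

</VirtualHost>

</IfModule>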