Nawigacja

Back to AdminGuide/UpgradeDebian7to8

AdminGuide/UpgradeDebian7to8: default-ssl.conf

Plik default-ssl.conf, 7.5 KB (dodany przez jpo, 8 years temu)
xx

Line
1	<IfModule mod_ssl.c>
2	<VirtualHost _default_:443>
3	ServerAdmin webmaster@localhost
4
5	DocumentRoot /home/edokumenty/public_html
6	<Directory />
7	Options FollowSymLinks
8	AllowOverride None
9	</Directory>
10	<Directory /home/edokumenty/public_html>
11	Options -Indexes +FollowSymLinks +MultiViews
12	AllowOverride None
13	Order allow,deny
14	allow from all
15	</Directory>
16
17	<Directory "/home/edokumenty/public_html/apps/edokumenty/var">
18	Options -Indexes +FollowSymLinks +MultiViews
19	AllowOverride None
20	Order allow,deny
21	allow from all
22	</Directory>
23
24	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
25	<Directory "/usr/lib/cgi-bin">
26	AllowOverride None
27	Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
28	Order allow,deny
29	Allow from all
30	</Directory>
31
32	ErrorLog /var/log/apache2/error.log
33
34	# Possible values include: debug, info, notice, warn, error, crit,
35	# alert, emerg.
36	LogLevel warn
37
38	#CustomLog /var/log/apache2/ssl_access.log combined
39
40	Alias /doc/ "/usr/share/doc/"
41	<Directory "/usr/share/doc/">
42	Options Indexes MultiViews FollowSymLinks
43	AllowOverride None
44	Order deny,allow
45	Deny from all
46	Allow from 127.0.0.0/255.0.0.0 ::1/128
47	</Directory>
48
49	# SSL Engine Switch:
50	# Enable/Disable SSL for this virtual host.
51	SSLEngine on
52
53	# A self-signed (snakeoil) certificate can be created by installing
54	# the ssl-cert package. See
55	# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
56	# If both key and certificate are stored in the same file, only the
57	# SSLCertificateFile directive is needed.
58	SSLCertificateFile /etc/ssl/certs/edokumenty.crt
59	SSLCertificateKeyFile /etc/ssl/certs/edokumenty.key
60
61
62	# Server Certificate Chain:
63	# Point SSLCertificateChainFile at a file containing the
64	# concatenation of PEM encoded CA certificates which form the
65	# certificate chain for the server certificate. Alternatively
66	# the referenced file can be the same as SSLCertificateFile
67	# when the CA certificates are directly appended to the server
68	# certificate for convinience.
69	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
70
71	# Certificate Authority (CA):
72	# Set the CA certificate verification path where to find CA
73	# certificates for client authentication or alternatively one
74	# huge file containing all of them (file must be PEM encoded)
75	# Note: Inside SSLCACertificatePath you need hash symlinks
76	# to point to the certificate files. Use the provided
77	# Makefile to update the hash symlinks after changes.
78	#SSLCACertificatePath /etc/ssl/certs/
79	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
80
81	# Certificate Revocation Lists (CRL):
82	# Set the CA revocation path where to find CA CRLs for client
83	# authentication or alternatively one huge file containing all
84	# of them (file must be PEM encoded)
85	# Note: Inside SSLCARevocationPath you need hash symlinks
86	# to point to the certificate files. Use the provided
87	# Makefile to update the hash symlinks after changes.
88	#SSLCARevocationPath /etc/apache2/ssl.crl/
89	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
90
91	# Client Authentication (Type):
92	# Client certificate verification type and depth. Types are
93	# none, optional, require and optional_no_ca. Depth is a
94	# number which specifies how deeply to verify the certificate
95	# issuer chain before deciding the certificate is not valid.
96	#SSLVerifyClient require
97	#SSLVerifyDepth 10
98
99	# Access Control:
100	# With SSLRequire you can do per-directory access control based
101	# on arbitrary complex boolean expressions containing server
102	# variable checks and other lookup directives. The syntax is a
103	# mixture between C and Perl. See the mod_ssl documentation
104	# for more details.
105	#<Location />
106	#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP\|NULL)/ \
107	# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
108	# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
109	# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
110	# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
111	# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
112	#</Location>
113
114	# SSL Engine Options:
115	# Set various options for the SSL engine.
116	# o FakeBasicAuth:
117	# Translate the client X.509 into a Basic Authorisation. This means that
118	# the standard Auth/DBMAuth methods can be used for access control. The
119	# user name is the `one line' version of the client's X.509 certificate.
120	# Note that no password is obtained from the user. Every entry in the user
121	# file needs this password: `xxj31ZMTZzkVA'.
122	# o ExportCertData:
123	# This exports two additional environment variables: SSL_CLIENT_CERT and
124	# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
125	# server (always existing) and the client (only existing when client
126	# authentication is used). This can be used to import the certificates
127	# into CGI scripts.
128	# o StdEnvVars:
129	# This exports the standard SSL/TLS related `SSL_*' environment variables.
130	# Per default this exportation is switched off for performance reasons,
131	# because the extraction step is an expensive operation and is usually
132	# useless for serving static content. So one usually enables the
133	# exportation for CGI and SSI requests only.
134	# o StrictRequire:
135	# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
136	# under a "Satisfy any" situation, i.e. when it applies access is denied
137	# and no other module can change it.
138	# o OptRenegotiate:
139	# This enables optimized SSL connection renegotiation handling when SSL
140	# directives are used in per-directory context.
141	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
142	<FilesMatch "\.(cgi\|shtml\|phtml\|php)$">
143	SSLOptions +StdEnvVars
144	</FilesMatch>
145	<Directory /usr/lib/cgi-bin>
146	SSLOptions +StdEnvVars
147	</Directory>
148
149	# SSL Protocol Adjustments:
150	# The safe and default but still SSL/TLS standard compliant shutdown
151	# approach is that mod_ssl sends the close notify alert but doesn't wait for
152	# the close notify alert from client. When you need a different shutdown
153	# approach you can use one of the following variables:
154	# o ssl-unclean-shutdown:
155	# This forces an unclean shutdown when the connection is closed, i.e. no
156	# SSL close notify alert is send or allowed to received. This violates
157	# the SSL/TLS standard but is needed for some brain-dead browsers. Use
158	# this when you receive I/O errors because of the standard approach where
159	# mod_ssl sends the close notify alert.
160	# o ssl-accurate-shutdown:
161	# This forces an accurate shutdown when the connection is closed, i.e. a
162	# SSL close notify alert is send and mod_ssl waits for the close notify
163	# alert of the client. This is 100% SSL/TLS standard compliant, but in
164	# practice often causes hanging connections with brain-dead browsers. Use
165	# this only for browsers where you know that their SSL implementation
166	# works correctly.
167	# Notice: Most problems of broken clients are also related to the HTTP
168	# keep-alive facility, so you usually additionally want to disable
169	# keep-alive for those clients, too. Use variable "nokeepalive" for this.
170	# Similarly, one has to force some clients to use HTTP/1.0 to workaround
171	# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
172	# "force-response-1.0" for this.
173	BrowserMatch ".MSIE." \
174	nokeepalive ssl-unclean-shutdown \
175	downgrade-1.0 force-response-1.0
176
177	</VirtualHost>
178	</IfModule>

Pobierz w innym formacie:

Oryginalny format