ASF Bugzilla – Attachment 37508 Details for Bug 64827: Upgrade Apache from Apache/2.2.25 to Apache/2.4.43
Description: https-ssl attachment for review.
Filename: httpd-ssl_2.4.43_Default.conf
MIME Type: text/plain
Creator: Leonard Estos
Created: 2020-10-19 10:38:19 UTC
Size: 9.87 KB
Flags: patch, obsolete
># ># This is the Apache server configuration file providing SSL support. ># It contains the configuration directives to instruct the server how to ># serve pages over an https connection. For detailed information about these ># directives see <URL:http://httpd.apache.org/docs/trunk/mod/mod_ssl.html> ># ># Do NOT simply read the instructions in here without understanding ># what they do. They're here only as hints or reminders. If you are unsure ># consult the online docs. You have been warned. ># > ># ># Pseudo Random Number Generator (PRNG): ># Configure one or more sources to seed the PRNG of the SSL library. ># The seed data should be of good random quality. ># WARNING! On some platforms /dev/random blocks if not enough entropy ># is available. This means you then cannot use the /dev/random device ># because it would lead to very long connection times (as long as ># it requires to make more entropy available). But usually those ># platforms additionally provide a /dev/urandom device which doesn't ># block. So, if available, use this one instead. Read the mod_ssl User ># Manual for more details. ># >#SSLRandomSeed startup file:/dev/random 512 >#SSLRandomSeed startup file:/dev/urandom 512 >#SSLRandomSeed connect file:/dev/random 512 >#SSLRandomSeed connect file:/dev/urandom 512 > > ># ># When we also provide SSL we have to listen to the ># standard HTTP port (see above) and to the HTTPS port ># ># Note: Configurations that use IPv6 but not IPv4-mapped addresses need two ># Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443" ># >Listen 443 > >## >## SSL Global Context >## >## All SSL configuration in this context applies both to >## the main server and all SSL-enabled virtual hosts. >## > ># Pass Phrase Dialog: ># Configure the pass phrase gathering process. ># The filtering dialog program (`builtin' is a internal ># terminal dialog) has to provide the pass phrase on stdout. 
>SSLPassPhraseDialog builtin > ># Inter-Process Session Cache: ># Configure the SSL Session Cache: First the mechanism ># to use and second the expiring timeout (in seconds). >#SSLSessionCache "dbm:${SRVROOT}/logs/ssl_scache" >SSLSessionCache "shmcb:${SRVROOT}/logs/ssl_scache(512000)" >SSLSessionCacheTimeout 300 > >## >## SSL Virtual Host Context >## > ><VirtualHost _default_:443> > ># General setup for the virtual host >DocumentRoot "${SRVROOT}/htdocs" >ServerName www.example.com:443 >ServerAdmin admin@example.com >ErrorLog "${SRVROOT}/logs/error.log" >TransferLog "${SRVROOT}/logs/access.log" > ># SSL Engine Switch: ># Enable/Disable SSL for this virtual host. >SSLEngine on > ># SSL Cipher Suite: ># List the ciphers that the client is permitted to negotiate. ># See the mod_ssl documentation for a complete list. ># Recent OpenSSL snapshots include Elliptic Curve Cryptograhpy (ECC) ># cipher suites (see RFC 4492) as part of "ALL". Edit this line ># if you need to disable any of those ciphers. >SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL > ># Server Certificate: ># Point SSLCertificateFile at a PEM encoded certificate. If ># the certificate is encrypted, then you will be prompted for a ># pass phrase. Note that a kill -HUP will prompt again. Keep ># in mind that if you have both an RSA and a DSA certificate you ># can configure both in parallel (to also allow the use of DSA ># ciphers, etc.) ># Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt) ># require an ECC certificate which can also be configured in ># parallel. >SSLCertificateFile "${SRVROOT}/conf/server.crt" >#SSLCertificateFile "${SRVROOT}/conf/server-dsa.crt" >#SSLCertificateFile "${SRVROOT}/conf/server-ecc.crt" > ># Server Private Key: ># If the key is not combined with the certificate, use this ># directive to point at the key file. 
Keep in mind that if ># you've both a RSA and a DSA private key you can configure ># both in parallel (to also allow the use of DSA ciphers, etc.) ># ECC keys, when in use, can also be configured in parallel >SSLCertificateKeyFile "${SRVROOT}/conf/server.key" >#SSLCertificateKeyFile "${SRVROOT}/conf/server-dsa.key" >#SSLCertificateKeyFile "${SRVROOT}/conf/server-ecc.key" > ># Certificate Authority (CA): ># Set the CA certificate verification path where to find CA ># certificates for client authentication or alternatively one ># huge file containing all of them (file must be PEM encoded) ># Note: Inside SSLCACertificatePath you need hash symlinks ># to point to the certificate files. Use the provided ># Makefile to update the hash symlinks after changes. >#SSLCACertificatePath "${SRVROOT}/conf/ssl.crt" >#SSLCACertificateFile "${SRVROOT}/conf/ssl.crt/ca-bundle.crt" > ># Certificate Revocation Lists (CRL): ># Set the CA revocation path where to find CA CRLs for client ># authentication or alternatively one huge file containing all ># of them (file must be PEM encoded) ># Note: Inside SSLCARevocationPath you need hash symlinks ># to point to the certificate files. Use the provided ># Makefile to update the hash symlinks after changes. >#SSLCARevocationPath "${SRVROOT}/conf/ssl.crl" >#SSLCARevocationFile "${SRVROOT}/conf/ssl.crl/ca-bundle.crl" > ># Client Authentication (Type): ># Client certificate verification type and depth. Types are ># none, optional, require and optional_no_ca. Depth is a ># number which specifies how deeply to verify the certificate ># issuer chain before deciding the certificate is not valid. >#SSLVerifyClient require >#SSLVerifyDepth 10 > ># Access Control: ># With SSLRequire you can do per-directory access control based ># on arbitrary complex boolean expressions containing server ># variable checks and other lookup directives. The syntax is a ># mixture between C and Perl. See the mod_ssl documentation ># for more details. 
>#<Location /> >#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ ># and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ ># and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ ># and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ ># and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ ># or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ >#</Location> > ># SSL Engine Options: ># Set various options for the SSL engine. ># o FakeBasicAuth: ># Translate the client X.509 into a Basic Authorisation. This means that ># the standard Auth/DBMAuth methods can be used for access control. The ># user name is the `one line' version of the client's X.509 certificate. ># Note that no password is obtained from the user. Every entry in the user ># file needs this password: `xxj31ZMTZzkVA'. ># o ExportCertData: ># This exports two additional environment variables: SSL_CLIENT_CERT and ># SSL_SERVER_CERT. These contain the PEM-encoded certificates of the ># server (always existing) and the client (only existing when client ># authentication is used). This can be used to import the certificates ># into CGI scripts. ># o StdEnvVars: ># This exports the standard SSL/TLS related `SSL_*' environment variables. ># Per default this exportation is switched off for performance reasons, ># because the extraction step is an expensive operation and is usually ># useless for serving static content. So one usually enables the ># exportation for CGI and SSI requests only. ># o StrictRequire: ># This denies access when "SSLRequireSSL" or "SSLRequire" applied even ># under a "Satisfy any" situation, i.e. when it applies access is denied ># and no other module can change it. ># o OptRenegotiate: ># This enables optimized SSL connection renegotiation handling when SSL ># directives are used in per-directory context. 
>#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire ><FilesMatch "\.(cgi|shtml|phtml|php)$"> > SSLOptions +StdEnvVars ></FilesMatch> ><Directory "${SRVROOT}/cgi-bin"> > SSLOptions +StdEnvVars ></Directory> > ># SSL Protocol Adjustments: ># The safe and default but still SSL/TLS standard compliant shutdown ># approach is that mod_ssl sends the close notify alert but doesn't wait for ># the close notify alert from client. When you need a different shutdown ># approach you can use one of the following variables: ># o ssl-unclean-shutdown: ># This forces an unclean shutdown when the connection is closed, i.e. no ># SSL close notify alert is sent or allowed to be received. This violates ># the SSL/TLS standard but is needed for some brain-dead browsers. Use ># this when you receive I/O errors because of the standard approach where ># mod_ssl sends the close notify alert. ># o ssl-accurate-shutdown: ># This forces an accurate shutdown when the connection is closed, i.e. a ># SSL close notify alert is send and mod_ssl waits for the close notify ># alert of the client. This is 100% SSL/TLS standard compliant, but in ># practice often causes hanging connections with brain-dead browsers. Use ># this only for browsers where you know that their SSL implementation ># works correctly. ># Notice: Most problems of broken clients are also related to the HTTP ># keep-alive facility, so you usually additionally want to disable ># keep-alive for those clients, too. Use variable "nokeepalive" for this. ># Similarly, one has to force some clients to use HTTP/1.0 to workaround ># their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and ># "force-response-1.0" for this. >BrowserMatch ".*MSIE.*" \ > nokeepalive ssl-unclean-shutdown \ > downgrade-1.0 force-response-1.0 > ># Per-Server Logging: ># The home of a custom SSL log file. Use this when you want a ># compact non-error SSL logfile on a virtual host basis. 
>CustomLog "${SRVROOT}/logs/ssl_request.log" \ > "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" > ></VirtualHost>
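Review bot: The `SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` line inside `<VirtualHost _default_:443>` carries the 2.2-era cipher string into the 2.4.43 configuration unchanged: it still admits eNULL, EXP and LOW suites as well as RC4, and no `SSLProtocol` directive anywhere in the file limits the protocol versions the server will offer. Suggest replacing it with the string the 2.4 distribution ships, `SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES`, and adding `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` and `SSLHonorCipherOrder on` next to `SSLEngine on`. In the same spirit, `BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0` matches every Internet Explorer version and forces all of them to HTTP/1.0 without keep-alive and with an unclean TLS shutdown; the 2.4 shipped file narrows the pattern to `"MSIE [2-5]"`, which is what an upgrade to 2.4.43 should carry.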