Difference between revisions of "Apache Configuration"

From Harding Wiki
Jump to navigationJump to search
m
(Removing all content from page)
 
Line 1: Line 1:
= Apache Configurations on CVS.pha.com.au =


== 000-default ==
<pre>
NameVirtualHost *
<VirtualHost *>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
                # This directive allows us to have apache2's default start page
                # in /apache2-default/, but still have / go to the right place
                RedirectMatch ^/$ /apache2-default/
        </Directory>
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>
        ErrorLog /var/log/apache2/error.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
        CustomLog /var/log/apache2/access.log combined
        ServerSignature On
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>
</pre>
== 001-default ==
<pre>
root@cvs:/etc/apache2/sites-enabled# cat 001-default-ssl
# virtual host only port 443
NameVirtualHost 203.3.69.37:443
<VirtualHost cvs.pha.com.au:443>
#  SSL Engine Switch:
#  Enable/Disable SSL for this virtual host.
SSLEngine on
#  SSL Cipher Suite:
#  List the ciphers that the client is permitted to negotiate.
#  See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
#  Server Certificate:
#  Point SSLCertificateFile at a PEM encoded certificate.  If
#  the certificate is encrypted, then you will be prompted for a
#  pass phrase.  Note that a kill -HUP will prompt again.  Keep
#  in mind that if you have both an RSA and a DSA certificate you
#  can configure both in parallel (to also allow the use of DSA
#  ciphers, etc.)
SSLCertificateFile /etc/apache2/ssl/cvs.crt
#SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt
#  Server Private Key:
#  If the key is not combined with the certificate, use this
#  directive to point at the key file.  Keep in mind that if
#  you've both a RSA and a DSA private key you can configure
#  both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/apache2/ssl/cvs.key
#SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key
#  Server Certificate Chain:
#  Point SSLCertificateChainFile at a file containing the
#  concatenation of PEM encoded CA certificates which form the
#  certificate chain for the server certificate. Alternatively
#  the referenced file can be the same as SSLCertificateFile
#  when the CA certificates are directly appended to the server
#  certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt
#  Certificate Authority (CA):
#  Set the CA certificate verification path where to find CA
#  certificates for client authentication or alternatively one
#  huge file containing all of them (file must be PEM encoded)
#  Note: Inside SSLCACertificatePath you need hash symlinks
#        to point to the certificate files. Use the provided
#        Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/apache2/ssl.crt
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
#  Certificate Revocation Lists (CRL):
#  Set the CA revocation path where to find CA CRLs for client
#  authentication or alternatively one huge file containing all
#  of them (file must be PEM encoded)
#  Note: Inside SSLCARevocationPath you need hash symlinks
#        to point to the certificate files. Use the provided
#        Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
#  Client Authentication (Type):
#  Client certificate verification type and depth.  Types are
#  none, optional, require and optional_no_ca.  Depth is a
#  number which specifies how deeply to verify the certificate
#  issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10
#  Access Control:
#  With SSLRequire you can do per-directory access control based
#  on arbitrary complex boolean expressions containing server
#  variable checks and other lookup directives.  The syntax is a
#  mixture between C and Perl.  See the mod_ssl documentation
#  for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20      ) \
#          or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
#  SSL Engine Options:
#  Set various options for the SSL engine.
#  o FakeBasicAuth:
#    Translate the client X.509 into a Basic Authorisation.  This means that
#    the standard Auth/DBMAuth methods can be used for access control.  The
#    user name is the `one line' version of the client's X.509 certificate.
#    Note that no password is obtained from the user. Every entry in the user
#    file needs this password: `xxj31ZMTZzkVA'.
#  o ExportCertData:
#    This exports two additional environment variables: SSL_CLIENT_CERT and
#    SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#    server (always existing) and the client (only existing when client
#    authentication is used). This can be used to import the certificates
#    into CGI scripts.
#  o StdEnvVars:
#    This exports the standard SSL/TLS related `SSL_*' environment variables.
#    Per default this exportation is switched off for performance reasons,
#    because the extraction step is an expensive operation and is usually
#    useless for serving static content. So one usually enables the
#    exportation for CGI and SSI requests only.
#  o CompatEnvVars:
#    This exports obsolete environment variables for backward compatibility
#    to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
#    to provide compatibility to existing CGI scripts.
#  o StrictRequire:
#    This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#    under a "Satisfy any" situation, i.e. when it applies access is denied
#    and no other module can change it.
#  o OptRenegotiate:
#    This enables optimized SSL connection renegotiation handling when SSL
#    directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/usr/lib/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
#  SSL Protocol Adjustments:
#  The safe and default but still SSL/TLS standard compliant shutdown
#  approach is that mod_ssl sends the close notify alert but doesn't wait for
#  the close notify alert from client. When you need a different shutdown
#  approach you can use one of the following variables:
#  o ssl-unclean-shutdown:
#    This forces an unclean shutdown when the connection is closed, i.e. no
#    SSL close notify alert is send or allowed to received.  This violates
#    the SSL/TLS standard but is needed for some brain-dead browsers. Use
#    this when you receive I/O errors because of the standard approach where
#    mod_ssl sends the close notify alert.
#  o ssl-accurate-shutdown:
#    This forces an accurate shutdown when the connection is closed, i.e. a
#    SSL close notify alert is send and mod_ssl waits for the close notify
#    alert of the client. This is 100% SSL/TLS standard compliant, but in
#    practice often causes hanging connections with brain-dead browsers. Use
#    this only for browsers where you know that their SSL implementation
#    works correctly.
#  Notice: Most problems of broken clients are also related to the HTTP
#  keep-alive facility, so you usually additionally want to disable
#  keep-alive for those clients, too. Use variable "nokeepalive" for this.
#  Similarly, one has to force some clients to use HTTP/1.0 to workaround
#  their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#  "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
  #  Per-Server Logging:
  #  The home of a custom SSL log file. Use this when you want a
  #  compact non-error SSL logfile on a virtual host basis.
  CustomLog /var/log/apache2/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
  #  General setup for the virtual host
  ServerName cvs.pha.com.au:443
  ServerAdmin webmaster@localhost
       
  DocumentRoot /var/www/
  <Directory />
      # ben. user authorization required across the entire virtual host
      AuthType Basic
      AuthName "PHA"
      AuthUserFile /u/www/passwords/cvs.users.htpasswd
      Require valid-user
      # phakt.pha.com.au
      Allow from 203.3.69.33
      # Cellestis
      Allow from 61.9.145.182
      Deny from All
      # either username / password OR clients from inside the LAN (via phakt) allowed
      Satisfy Any
      Options FollowSymLinks
      AllowOverride None
  </Directory>
  <Directory /var/www/>
      AuthType Basic
      AuthName "PHA"
      AuthUserFile /u/www/passwords/cvs.users.htpasswd
      Require valid-user
      Options Indexes FollowSymLinks MultiViews
      AllowOverride None
      Order allow,deny
      # This directive allows us to have apache2's default start page
      # in /apache2-default/, but still have / go to the right place
      # RedirectMatch ^/$ /apache2-default/
  </Directory>
  ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
  <Directory "/usr/lib/cgi-bin">
      AllowOverride None
      Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
      Order allow,deny
      Allow from all
  </Directory>
  ErrorLog /var/log/apache2/ssl_error.log
  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  LogLevel warn
  CustomLog /var/log/apache2/ssl_access.log combined
  ServerSignature On
       
  Alias /icons/ "/usr/share/apache2/icons/"
  <Directory "/usr/share/apache2/icons">
      Options Indexes MultiViews
      AllowOverride None
      Order allow,deny
      Allow from all
  </Directory>
  # ben. Fri, 22 Oct 2004 13:01:20 +1000
  # TODO could move to separate site file ala default
  #
  Alias /wiki/ "/usr/share/moin/htdocs/"
  # ben. Sun, 31 Oct 2004 12:02:10 +1100
  # Debian says this is a standard installation location
  # /usr/share/doc/moin/README.Debian
  # ScriptAlias /PHAWiki "/var/local/lib/wiki/moin.cgi"
  # ben. we put everything under /u/
  ScriptAlias /Wiki "/u/www/htdocs/wiki/moin.cgi"
  ScriptAlias /CVS  "/usr/lib/cgi-bin/viewcvs.cgi"
  <Directory /home>
  # <Directory /home/*/public_html>
        AllowOverride All
  </Directory>
  AddHandler    cgi-script .cgi
  Alias /default/  "/u/www/sites/bugzilla/default/"
  Alias /allwell/  "/u/www/sites/bugzilla/allwell/"
  Alias /cellestis/ "/u/www/sites/bugzilla/cellestis/"
  Alias /raa/      "/u/www/sites/bugzilla/allwell/"
  Alias /sds/      "/u/www/sites/bugzilla/sds/"
  Alias /tabcorp/  "/u/www/sites/bugzilla/tabcorp/"
  Alias /vemco/    "/u/www/sites/bugzilla/vemco/"
  Alias /pha/      "/u/www/sites/bugzilla/pha/"
  Alias /new/      "/u/www/sites/bugzilla/new/"
  <Directory "/u/www/sites/bugzilla/allwell/">
      AuthType Basic
      AuthName "Bugzilla Repository"
      AuthUserFile /u/www/passwords/cvs.users.htpasswd
      Require valid-user
      Options Indexes Includes FollowSymLinks ExecCGI
      AllowOverride None
      Order allow,deny
  </Directory>
  <Directory "/u/www/sites/bugzilla/cellestis/">
      AuthType Basic
      AuthName "Bugzilla Repository"
      AuthUserFile /u/www/passwords/cvs.users.htpasswd
      Require valid-user
      Options Indexes Includes FollowSymLinks ExecCGI
      AllowOverride None
      Order allow,deny
  </Directory>
  <Directory "/u/www/sites/bugzilla/pha/">
      AuthType Basic
      AuthName "Bugzilla Repository"
      AuthUserFile /u/www/passwords/cvs.users.htpasswd
      Require valid-user
      Options Indexes Includes FollowSymLinks ExecCGI
      AllowOverride None
      Order allow,deny
  </Directory>
  <Directory "/u/www/sites/bugzilla/sds/">
      AuthType Basic
      AuthName "Bugzilla Repository"
      AuthUserFile /u/www/passwords/cvs.users.htpasswd
      Require valid-user
      Options Indexes Includes FollowSymLinks ExecCGI
      AllowOverride None
      Order allow,deny
  </Directory>
  <Directory "/u/www/sites/bugzilla/tabcorp/">
      Options Indexes Includes FollowSymLinks ExecCGI
      AllowOverride None
      Order allow,deny
      Allow from all
  </Directory>
  <Directory "/u/www/sites/bugzilla/vemco/">
      Options Indexes Includes FollowSymLinks ExecCGI
      AllowOverride None
      Order allow,deny
      Allow from all
  </Directory>
  <Directory "/u/www/sites/bugzilla/new/">
      Options Indexes Includes FollowSymLinks ExecCGI
      AllowOverride AuthConfig
      AuthType Basic
      AuthName "New Test Bug Database"
      AuthUserFile /usr/local/apache/conf/bugzilla.users
      Require valid-user
      #Allow from pha.com.au
      #Satisfy any
    </Directory>
    <Location /svn>
        DAV svn
        SVNPath /u/svn/
        AuthzSVNAccessFile /u/svn/.svn-policy-file
        AuthName "PerformIQ SVN"
        AuthType Basic
        AuthUserFile /u/www/passwords/cvs.users.htpasswd
        Satisfy Any
        Require valid-user
    </Location>
</VirtualHost>
</pre>
== 005-admindev.pha.com.au-ssl ==
<pre>
root@cvs:/etc/apache2/sites-enabled# cat 005-admindev.pha.com.au-ssl
#-------------------------------------------------------------------------------
<VirtualHost admindev.pha.com.au:443>
  #  General setup for the virtual host
  ServerName    admindev.pha.com.au
  DocumentRoot  /u/www/pha/prod/admin
  ServerAdmin  plh@pha.com.au
# ben. do not use these for the moment
#  ErrorLog      /u/www/pha/logs/admin_ssl_error.log
#  TransferLog  /u/www/pha/logs/admin_ssl_access.log
  ScriptAlias  /cgi-bin/      "/u/www/pha/cgi-bin/"
  ScriptAlias  /py/            "/u/www/pha/prod/admin/py/"
  Alias        /classes/      "/u/www/pha/classes/"
  Alias        /tqau/          "/u/www/tq/au/htdocs/"
  Alias        /tqnz/          "/u/www/tq/nz/htdocs/"
  Alias        /info/          "/u/www/pha/prod/info/"
  Alias        /pha/          "/u/www/pha/prod/pha/php/"
  Alias        /php/          "/u/www/pha/prod/pha/php/"
  Alias        /css/          "/u/www/pha/prod/admin/css/"
  Alias        /js/            "/u/www/pha/prod/admin/js/"
  Alias        /includes/      "/u/www/pha/prod/pha/includes/"
  Alias        /uploadImages/  "/u/www/pha/prod/pha/uploadImages/"
  Alias        /downloads/    "/u/www/pha/downloads/"
  Alias        /papers/        "/u/www/pha/papers/"
  Alias        /images/        "/u/www/pha/prod/pha/images/"
 
  # ben. this does not work
  # Alias        /pha/images/    "/u/www/pha/prod/pha/pha/images/"
  #Alias        /olof-dev/      "/home/pha/olof/library/"
  <Directory /u/www/pha/prod/admin>
#      Options FollowSymLinks
        AllowOverride AuthConfig
        #Options ExecCGI Indexes FollowSymLinks
        Options ExecCGI FollowSymLinks
        AddHandler cgi-script .py
  </Directory>
  <Directory "/u/www/tq/au/htdocs">
      Options Indexes FollowSymLinks
      AuthUserFile "/usr/local/etc/apache/users/pha.admin"
      AuthName "TQAU Authorisation"
      AuthType Basic
      Require  valid-user
      AllowOverride None
      # AllowOverride AuthConfig
      # Order allow,deny
      # Allow from all
  </Directory>
  <Directory "/u/www/tq/nz/htdocs">
      Options Indexes FollowSymLinks
      AuthUserFile "/usr/local/etc/apache/users/pha.admin"
      AuthName "TQAU Authorisation"
      AuthType Basic
      Require  valid-user
      AllowOverride None
  </Directory>
  ######################################
  #
  #  PHA access directives for the admin directory
  #  top level editing and new page creation/deletion
  <Directory "/u/www/pha/prod/pha/php/admin">
      AuthUserFile "/usr/local/etc/apache/users/phausers.txt"
      AuthGroupFile "/usr/local/etc/apache/users/phagroups.txt"
      AuthName "PHA Authorisation"
      AuthType Basic
      <Limit GET POST>
        # anyone from the pha group can see this directory
        require group level1 level2
      </Limit>
  </Directory>
  #
  #  PHA access directives for the admin/level1 directory
  #  top level editing and new page creation/deletion
  <Directory "/u/www/pha/prod/pha/php/admin/level1">
      AuthUserFile "/usr/local/etc/apache/users/phausers.txt"
      AuthGroupFile "/usr/local/etc/apache/users/phagroups.txt"
      AuthName "Level 1 Authorisation"
      AuthType Basic
      <Limit GET POST>
        # add level 1 usernames here as they appear in phausers.txt
        require group level1
      </Limit>
  </Directory>
  #
  #  PHA access directives for the admin/level2 directory - everyone else
  #  page editing
  <Directory "/u/www/pha/prod/pha/php/admin/level2">
      AuthUserFile "/usr/local/etc/apache/users/phausers.txt"
      AuthGroupFile "/usr/local/etc/apache/users/phagroups.txt"
      AuthName "Level 2 Authorisation"
      AuthType Basic
      <Limit GET POST>
        require group level1 level2
      </Limit>
  </Directory>
  ##########################################
  <Directory "/u/www/pha/prod/admin/js/">
      Options Indexes FollowSymLinks
      AllowOverride AuthConfig
      Order allow,deny
      Allow from all
  </Directory>
#  SSL Engine Switch:
#  Enable/Disable SSL for this virtual host.
SSLEngine on
#  SSL Cipher Suite:
#  List the ciphers that the client is permitted to negotiate.
#  See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
#  Server Certificate:
#  Point SSLCertificateFile at a PEM encoded certificate.  If
#  the certificate is encrypted, then you will be prompted for a
#  pass phrase.  Note that a kill -HUP will prompt again.  Keep
#  in mind that if you have both an RSA and a DSA certificate you
#  can configure both in parallel (to also allow the use of DSA
#  ciphers, etc.)
SSLCertificateFile /etc/apache2/ssl/cvs.crt
#SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt
#  Server Private Key:
#  If the key is not combined with the certificate, use this
#  directive to point at the key file.  Keep in mind that if
#  you've both a RSA and a DSA private key you can configure
#  both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/apache2/ssl/cvs.key
#SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key
#  Server Certificate Chain:
#  Point SSLCertificateChainFile at a file containing the
#  concatenation of PEM encoded CA certificates which form the
#  certificate chain for the server certificate. Alternatively
#  the referenced file can be the same as SSLCertificateFile
#  when the CA certificates are directly appended to the server
#  certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt
#  Certificate Authority (CA):
#  Set the CA certificate verification path where to find CA
#  certificates for client authentication or alternatively one
#  huge file containing all of them (file must be PEM encoded)
#  Note: Inside SSLCACertificatePath you need hash symlinks
#        to point to the certificate files. Use the provided
#        Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/apache2/ssl.crt
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
#  Certificate Revocation Lists (CRL):
#  Set the CA revocation path where to find CA CRLs for client
#  authentication or alternatively one huge file containing all
#  of them (file must be PEM encoded)
#  Note: Inside SSLCARevocationPath you need hash symlinks
#        to point to the certificate files. Use the provided
#        Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
#  Client Authentication (Type):
#  Client certificate verification type and depth.  Types are
#  none, optional, require and optional_no_ca.  Depth is a
#  number which specifies how deeply to verify the certificate
#  issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10
#  Access Control:
#  With SSLRequire you can do per-directory access control based
#  on arbitrary complex boolean expressions containing server
#  variable checks and other lookup directives.  The syntax is a
#  mixture between C and Perl.  See the mod_ssl documentation
#  for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20      ) \
#          or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
#  SSL Engine Options:
#  Set various options for the SSL engine.
#  o FakeBasicAuth:
#    Translate the client X.509 into a Basic Authorisation.  This means that
#    the standard Auth/DBMAuth methods can be used for access control.  The
#    user name is the `one line' version of the client's X.509 certificate.
#    Note that no password is obtained from the user. Every entry in the user
#    file needs this password: `xxj31ZMTZzkVA'.
#  o ExportCertData:
#    This exports two additional environment variables: SSL_CLIENT_CERT and
#    SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#    server (always existing) and the client (only existing when client
#    authentication is used). This can be used to import the certificates
#    into CGI scripts.
#  o StdEnvVars:
#    This exports the standard SSL/TLS related `SSL_*' environment variables.
#    Per default this exportation is switched off for performance reasons,
#    because the extraction step is an expensive operation and is usually
#    useless for serving static content. So one usually enables the
#    exportation for CGI and SSI requests only.
#  o CompatEnvVars:
#    This exports obsolete environment variables for backward compatibility
#    to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
#    to provide compatibility to existing CGI scripts.
#  o StrictRequire:
#    This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#    under a "Satisfy any" situation, i.e. when it applies access is denied
#    and no other module can change it.
#  o OptRenegotiate:
#    This enables optimized SSL connection renegotiation handling when SSL
#    directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/usr/lib/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
#  SSL Protocol Adjustments:
#  The safe and default but still SSL/TLS standard compliant shutdown
#  approach is that mod_ssl sends the close notify alert but doesn't wait for
#  the close notify alert from client. When you need a different shutdown
#  approach you can use one of the following variables:
#  o ssl-unclean-shutdown:
#    This forces an unclean shutdown when the connection is closed, i.e. no
#    SSL close notify alert is send or allowed to received.  This violates
#    the SSL/TLS standard but is needed for some brain-dead browsers. Use
#    this when you receive I/O errors because of the standard approach where
#    mod_ssl sends the close notify alert.
#  o ssl-accurate-shutdown:
#    This forces an accurate shutdown when the connection is closed, i.e. a
#    SSL close notify alert is send and mod_ssl waits for the close notify
#    alert of the client. This is 100% SSL/TLS standard compliant, but in
#    practice often causes hanging connections with brain-dead browsers. Use
#    this only for browsers where you know that their SSL implementation
#    works correctly.
#  Notice: Most problems of broken clients are also related to the HTTP
#  keep-alive facility, so you usually additionally want to disable
#  keep-alive for those clients, too. Use variable "nokeepalive" for this.
#  Similarly, one has to force some clients to use HTTP/1.0 to workaround
#  their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#  "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
#  Per-Server Logging:
#  The home of a custom SSL log file. Use this when you want a
#  compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/apache2/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
#-------------------------------------------------------------------------------
</pre>

Latest revision as of 12:12, 2 December 2008

Retrieved from "https://www.harding.net.au/index.php?title=Apache_Configuration&oldid=51"