diff --git a/apache.conf b/apache.conf
index 6aef0c1..ca09a52 100644
--- a/apache.conf
+++ b/apache.conf
@@ -26,13 +26,13 @@ LoadModule authz_core_module /usr/libexec/httpd/mod_authz_core.so
LoadModule log_config_module /usr/libexec/httpd/mod_log_config.so
LoadModule unixd_module /usr/libexec/httpd/mod_unixd.so
-# Include listen ports
-Include listen.conf
-
# Admin wants these modules:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
+# Include listen ports
+Include listen.conf
+
### Basic security settings
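Review bot: The relocated `Include listen.conf` now runs after the mods-enabled includes, but the comment `# Include listen ports` carried along with it does not say why the order matters, so the next edit can move it back without noticing. Presumably the intent is that a `Listen` line may name a protocol (for example `https`) that a module loaded from mods-enabled/*.load has to register first; if that is the reason, state it: `# Include listen ports (must follow mods-enabled so Listen can use protocols registered by loaded modules)`. If the ordering is instead driven by something in listen.conf itself, that file is the better place for the comment.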
diff --git a/mods-available/alias.load b/mods-available/alias.load
new file mode 100644
index 0000000..aa80310
--- /dev/null
+++ b/mods-available/alias.load
@@ -0,0 +1 @@
+LoadModule alias_module /usr/libexec/httpd/mod_alias.so
diff --git a/mods-available/mime.conf b/mods-available/mime.conf
new file mode 100644
index 0000000..c775646
--- /dev/null
+++ b/mods-available/mime.conf
@@ -0,0 +1,240 @@
+
+
+ #
+ # TypesConfig points to the file containing the list of mappings from
+ # filename extension to MIME-type.
+ #
+ TypesConfig /etc/apache/mime.types
+
+ #
+ # AddType allows you to add to or override the MIME configuration
+ # file mime.types for specific file types.
+ #
+ #AddType application/x-gzip .tgz
+ #
+ # AddEncoding allows you to have certain browsers uncompress
+ # information on the fly. Note: Not all browsers support this.
+ # Despite the name similarity, the following Add* directives have
+ # nothing to do with the FancyIndexing customization directives above.
+ #
+ #AddEncoding x-compress .Z
+ #AddEncoding x-gzip .gz .tgz
+ #AddEncoding x-bzip2 .bz2
+ #
+ # If the AddEncoding directives above are commented-out, then you
+ # probably should define those extensions to indicate media types:
+ #
+ AddType application/x-compress .Z
+ AddType application/x-gzip .gz .tgz
+ AddType application/x-bzip2 .bz2
+
+ #
+ # DefaultLanguage and AddLanguage allows you to specify the language of
+ # a document. You can then use content negotiation to give a browser a
+ # file in a language the user can understand.
+ #
+ # Specify a default language. This means that all data
+ # going out without a specific language tag (see below) will
+ # be marked with this one. You probably do NOT want to set
+ # this unless you are sure it is correct for all cases.
+ #
+ # * It is generally better to not mark a page as
+ # * being a certain language than marking it with the wrong
+ # * language!
+ #
+ # DefaultLanguage nl
+ #
+ # Note 1: The suffix does not have to be the same as the language
+ # keyword --- those with documents in Polish (whose net-standard
+ # language code is pl) may wish to use "AddLanguage pl .po" to
+ # avoid the ambiguity with the common suffix for perl scripts.
+ #
+ # Note 2: The example entries below illustrate that in some cases
+ # the two character 'Language' abbreviation is not identical to
+ # the two character 'Country' code for its country,
+ # E.g. 'Danmark/dk' versus 'Danish/da'.
+ #
+ # Note 3: In the case of 'ltz' we violate the RFC by using a three char
+ # specifier. There is 'work in progress' to fix this and get
+ # the reference data for rfc1766 cleaned up.
+ #
+ # Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl)
+ # English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de)
+ # Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja)
+ # Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn)
+ # Norwegian (no) - Polish (pl) - Portugese (pt)
+ # Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv)
+ # Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW)
+ #
+ AddLanguage am .amh
+ AddLanguage ar .ara
+ AddLanguage be .be
+ AddLanguage bg .bg
+ AddLanguage bn .bn
+ AddLanguage br .br
+ AddLanguage bs .bs
+ AddLanguage ca .ca
+ AddLanguage cs .cz .cs
+ AddLanguage cy .cy
+ AddLanguage da .dk
+ AddLanguage de .de
+ AddLanguage dz .dz
+ AddLanguage el .el
+ AddLanguage en .en
+ AddLanguage eo .eo
+ # es is ecmascript in /etc/mime.types
+ RemoveType es
+ AddLanguage es .es
+ AddLanguage et .et
+ AddLanguage eu .eu
+ AddLanguage fa .fa
+ AddLanguage fi .fi
+ AddLanguage fr .fr
+ AddLanguage ga .ga
+ AddLanguage gl .glg
+ AddLanguage gu .gu
+ AddLanguage he .he
+ AddLanguage hi .hi
+ AddLanguage hr .hr
+ AddLanguage hu .hu
+ AddLanguage hy .hy
+ AddLanguage id .id
+ AddLanguage is .is
+ AddLanguage it .it
+ AddLanguage ja .ja
+ AddLanguage ka .ka
+ AddLanguage kk .kk
+ AddLanguage km .km
+ AddLanguage kn .kn
+ AddLanguage ko .ko
+ AddLanguage ku .ku
+ AddLanguage lo .lo
+ AddLanguage lt .lt
+ AddLanguage ltz .ltz
+ AddLanguage lv .lv
+ AddLanguage mg .mg
+ AddLanguage mk .mk
+ AddLanguage ml .ml
+ AddLanguage mr .mr
+ AddLanguage ms .msa
+ AddLanguage nb .nob
+ AddLanguage ne .ne
+ AddLanguage nl .nl
+ AddLanguage nn .nn
+ AddLanguage no .no
+ AddLanguage pa .pa
+ AddLanguage pl .po
+ AddLanguage pt-BR .pt-br
+ AddLanguage pt .pt
+ AddLanguage ro .ro
+ AddLanguage ru .ru
+ AddLanguage sa .sa
+ AddLanguage se .se
+ AddLanguage si .si
+ AddLanguage sk .sk
+ AddLanguage sl .sl
+ AddLanguage sq .sq
+ AddLanguage sr .sr
+ AddLanguage sv .sv
+ AddLanguage ta .ta
+ AddLanguage te .te
+ AddLanguage th .th
+ AddLanguage tl .tl
+ RemoveType tr
+ # tr is troff in /etc/mime.types
+ AddLanguage tr .tr
+ AddLanguage uk .uk
+ AddLanguage ur .ur
+ AddLanguage vi .vi
+ AddLanguage wo .wo
+ AddLanguage xh .xh
+ AddLanguage zh-CN .zh-cn
+ AddLanguage zh-TW .zh-tw
+
+ #
+ # Commonly used filename extensions to character sets. You probably
+ # want to avoid clashes with the language extensions, unless you
+ # are good at carefully testing your setup after each change.
+ # See http://www.iana.org/assignments/character-sets for the
+ # official list of charset names and their respective RFCs.
+ #
+ AddCharset us-ascii .ascii .us-ascii
+ AddCharset ISO-8859-1 .iso8859-1 .latin1
+ AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
+ AddCharset ISO-8859-3 .iso8859-3 .latin3
+ AddCharset ISO-8859-4 .iso8859-4 .latin4
+ AddCharset ISO-8859-5 .iso8859-5 .cyr .iso-ru
+ AddCharset ISO-8859-6 .iso8859-6 .arb .arabic
+ AddCharset ISO-8859-7 .iso8859-7 .grk .greek
+ AddCharset ISO-8859-8 .iso8859-8 .heb .hebrew
+ AddCharset ISO-8859-9 .iso8859-9 .latin5 .trk
+ AddCharset ISO-8859-10 .iso8859-10 .latin6
+ AddCharset ISO-8859-13 .iso8859-13
+ AddCharset ISO-8859-14 .iso8859-14 .latin8
+ AddCharset ISO-8859-15 .iso8859-15 .latin9
+ AddCharset ISO-8859-16 .iso8859-16 .latin10
+ AddCharset ISO-2022-JP .iso2022-jp .jis
+ AddCharset ISO-2022-KR .iso2022-kr .kis
+ AddCharset ISO-2022-CN .iso2022-cn .cis
+ AddCharset Big5 .Big5 .big5 .b5
+ AddCharset cn-Big5 .cn-big5
+ # For russian, more than one charset is used (depends on client, mostly):
+ AddCharset WINDOWS-1251 .cp-1251 .win-1251
+ AddCharset CP866 .cp866
+ AddCharset KOI8 .koi8
+ AddCharset KOI8-E .koi8-e
+ AddCharset KOI8-r .koi8-r .koi8-ru
+ AddCharset KOI8-U .koi8-u
+ AddCharset KOI8-ru .koi8-uk .ua
+ AddCharset ISO-10646-UCS-2 .ucs2
+ AddCharset ISO-10646-UCS-4 .ucs4
+ AddCharset UTF-7 .utf7
+ AddCharset UTF-8 .utf8
+ AddCharset UTF-16 .utf16
+ AddCharset UTF-16BE .utf16be
+ AddCharset UTF-16LE .utf16le
+ AddCharset UTF-32 .utf32
+ AddCharset UTF-32BE .utf32be
+ AddCharset UTF-32LE .utf32le
+ AddCharset euc-cn .euc-cn
+ AddCharset euc-gb .euc-gb
+ AddCharset euc-jp .euc-jp
+ AddCharset euc-kr .euc-kr
+ #Not sure how euc-tw got in - IANA doesn't list it???
+ AddCharset EUC-TW .euc-tw
+ AddCharset gb2312 .gb2312 .gb
+ AddCharset iso-10646-ucs-2 .ucs-2 .iso-10646-ucs-2
+ AddCharset iso-10646-ucs-4 .ucs-4 .iso-10646-ucs-4
+ AddCharset shift_jis .shift_jis .sjis
+ AddCharset BRF .brf
+
+ #
+ # AddHandler allows you to map certain file extensions to "handlers":
+ # actions unrelated to filetype. These can be either built into the server
+ # or added with the Action directive (see below)
+ #
+ # To use CGI scripts outside of ScriptAliased directories:
+ # (You will also need to add "ExecCGI" to the "Options" directive.)
+ #
+ #AddHandler cgi-script .cgi
+
+ #
+ # For files that include their own HTTP headers:
+ #
+ #AddHandler send-as-is asis
+
+ #
+ # For server-parsed imagemap files:
+ #
+ #AddHandler imap-file map
+
+ #
+ # For type maps (negotiated resources):
+ # (This is enabled by default to allow the Apache "It Worked" page
+ # to be distributed in multiple languages.)
+ #
+ AddHandler type-map var
+
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
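Review bot: The comment `# nothing to do with the FancyIndexing customization directives above.` and `# or added with the Action directive (see below)` refer to directives that are not in this file, so a reader of mods-available/mime.conf will look for text that is not there. Suggest trimming those clauses or naming the owner, e.g. `# Despite the name similarity, the Add* directives are unrelated to mod_autoindex's FancyIndexing options.` and `# or added with mod_actions' Action directive`. The commented `#AddType application/x-gzip .tgz` is also superseded by the live `AddType application/x-gzip .gz .tgz` further down and can be dropped so there is a single answer for `.tgz`.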
diff --git a/mods-available/mime.load b/mods-available/mime.load
new file mode 100644
index 0000000..aafcb94
--- /dev/null
+++ b/mods-available/mime.load
@@ -0,0 +1 @@
+LoadModule mime_module /usr/libexec/httpd/mod_mime.so
diff --git a/mods-available/setenvif.conf b/mods-available/setenvif.conf
new file mode 100644
index 0000000..b6c4cc4
--- /dev/null
+++ b/mods-available/setenvif.conf
@@ -0,0 +1,32 @@
+
+
+ #
+ # The following directives modify normal HTTP response behavior to
+ # handle known problems with browser implementations.
+ #
+ BrowserMatch "Mozilla/2" nokeepalive
+ BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
+ BrowserMatch "RealPlayer 4\.0" force-response-1.0
+ BrowserMatch "Java/1\.0" force-response-1.0
+ BrowserMatch "JDK/1\.0" force-response-1.0
+
+ #
+ # The following directive disables redirects on non-GET requests for
+ # a directory that does not include the trailing slash. This fixes a
+ # problem with Microsoft WebFolders which does not appropriately handle
+ # redirects for folders with DAV methods.
+ # Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
+ #
+ BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
+ BrowserMatch "MS FrontPage" redirect-carefully
+ BrowserMatch "^WebDrive" redirect-carefully
+ BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
+ BrowserMatch "^gnome-vfs/1.0" redirect-carefully
+ BrowserMatch "^gvfs/1" redirect-carefully
+ BrowserMatch "^XML Spy" redirect-carefully
+ BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
+ BrowserMatch " Konqueror/4" redirect-carefully
+
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
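Review bot: The dots in `BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully` and `BrowserMatch "^gnome-vfs/1.0" redirect-carefully` are unescaped, while the patterns at the top of the file escape theirs (`MSIE 4\.0b2;`, `Java/1\.0`), so these two match any character in that position. The practical effect is only a slightly wider match for `redirect-carefully`, but for consistency with the rest of the file write `"^WebDAVFS/1\.[012]"` and `"^gnome-vfs/1\.0"`.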
diff --git a/mods-available/setenvif.load b/mods-available/setenvif.load
new file mode 100644
index 0000000..970f807
--- /dev/null
+++ b/mods-available/setenvif.load
@@ -0,0 +1 @@
+LoadModule setenvif_module /usr/libexec/httpd/mod_setenvif.so
diff --git a/mods-available/socache_shmcb.load b/mods-available/socache_shmcb.load
new file mode 100644
index 0000000..a14687c
--- /dev/null
+++ b/mods-available/socache_shmcb.load
@@ -0,0 +1 @@
+LoadModule socache_shmcb_module /usr/libexec/httpd/mod_socache_shmcb.so
diff --git a/mods-available/ssl.conf b/mods-available/ssl.conf
new file mode 100644
index 0000000..6afc473
--- /dev/null
+++ b/mods-available/ssl.conf
@@ -0,0 +1,90 @@
+
+
+ # Pseudo Random Number Generator (PRNG):
+ # Configure one or more sources to seed the PRNG of the SSL library.
+ # The seed data should be of good random quality.
+ # WARNING! On some platforms /dev/random blocks if not enough entropy
+ # is available. This means you then cannot use the /dev/random device
+ # because it would lead to very long connection times (as long as
+ # it requires to make more entropy available). But usually those
+ # platforms additionally provide a /dev/urandom device which doesn't
+ # block. So, if available, use this one instead. Read the mod_ssl User
+ # Manual for more details.
+ #
+ SSLRandomSeed startup builtin
+ SSLRandomSeed startup file:/dev/urandom 512
+ SSLRandomSeed connect builtin
+ SSLRandomSeed connect file:/dev/urandom 512
+
+ ##
+ ## SSL Global Context
+ ##
+ ## All SSL configuration in this context applies both to
+ ## the main server and all SSL-enabled virtual hosts.
+ ##
+
+ #
+ # Some MIME-types for downloading Certificates and CRLs
+ #
+
+ AddType application/x-x509-ca-cert .crt
+ AddType application/x-pkcs7-crl .crl
+
+
+ # Pass Phrase Dialog:
+ # Configure the pass phrase gathering process.
+ # The filtering dialog program (`builtin' is a internal
+ # terminal dialog) has to provide the pass phrase on stdout.
+ SSLPassPhraseDialog builtin
+
+ # Inter-Process Session Cache:
+ # Configure the SSL Session Cache: First the mechanism
+ # to use and second the expiring timeout (in seconds).
+ # (The mechanism dbm has known memory leaks and should not be used).
+ #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
+ SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
+ SSLSessionCacheTimeout 300
+
+ # Semaphore:
+ # Configure the path to the mutual exclusion semaphore the
+ # SSL engine uses internally for inter-process synchronization.
+ # (Disabled by default, the global Mutex directive consolidates by default
+ # this)
+ #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
+
+
+ # SSL Cipher Suite:
+ # List the ciphers that the client is permitted to negotiate. See the
+ # ciphers(1) man page from the openssl package for list of all available
+ # options.
+ # Enable only secure ciphers:
+ SSLCipherSuite HIGH:!aNULL
+
+ # SSL server cipher order preference:
+ # Use server priorities for cipher algorithm choice.
+ # Clients may prefer lower grade encryption. You should enable this
+ # option if you want to enforce stronger encryption, and can afford
+ # the CPU cost, and did not override SSLCipherSuite in a way that puts
+ # insecure ciphers first.
+ # Default: Off
+ #SSLHonorCipherOrder on
+
+ # The protocols to enable.
+ # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
+ # SSL v2 is no longer supported
+ SSLProtocol all -SSLv3
+
+ # Allow insecure renegotiation with clients which do not yet support the
+ # secure renegotiation protocol. Default: Off
+ #SSLInsecureRenegotiation on
+
+ # Whether to forbid non-SNI clients to access name based virtual hosts.
+ # Default: Off
+ #SSLStrictSNIVHostCheck On
+
+
+
+LogFormat "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" ssl_info
+LogFormat "%{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%{User-Agent}i\"" ssl_info_browser
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
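Review bot: `SSLProtocol all -SSLv3` still negotiates TLS 1.0 and TLS 1.1, which the comment above lists as separate values and which sites-available/002-default-ssl.conf only disables in its commented-out `#SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`; the same point applies to that file's live `SSLProtocol All -SSLv2 -SSLv3`. Suggest `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` here as the global floor so every virtual host inherits it (the `-SSLv2` token in 002 is a no-op given the note here that SSL v2 is no longer supported). With `SSLCipherSuite HIGH:!aNULL` the list also includes non-forward-secret RSA key exchange and, because `#SSLHonorCipherOrder on` stays commented, the client's preference wins; enabling `SSLHonorCipherOrder on` here would make 001-default-ssl.conf, which sets neither directive, behave like 002. The `SSLSessionCache shmcb:` line relies on the `Depends: socache_shmcb` noted in ssl.load, which is worth repeating in the comment above it so the two files can be enabled independently without surprise.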
diff --git a/mods-available/ssl.load b/mods-available/ssl.load
new file mode 100644
index 0000000..4a2cb67
--- /dev/null
+++ b/mods-available/ssl.load
@@ -0,0 +1,3 @@
+# Depends: socache_shmcb
+# Suggests: setenvif mime
+LoadModule ssl_module /usr/libexec/httpd/mod_ssl.so
diff --git a/sites-available/001-default-ssl.conf b/sites-available/001-default-ssl.conf
new file mode 100644
index 0000000..ed5481f
--- /dev/null
+++ b/sites-available/001-default-ssl.conf
@@ -0,0 +1,172 @@
+
+
+ # General setup for the virtual host
+ DocumentRoot "/srv/www/apache"
+ #ServerName www.example.com:443
+ ServerAdmin webmaster@localhost
+ ErrorLog ${APACHE_LOG_DIR}/001-default-ssl.error.log
+ CustomLog ${APACHE_LOG_DIR}/001-default-ssl.access.log combined
+
+ # SSL Engine Switch:
+ # Enable/Disable SSL for this virtual host.
+ SSLEngine on
+
+ # Server Certificate:
+ # Point SSLCertificateFile at a PEM encoded certificate. If
+ # the certificate is encrypted, then you will be prompted for a
+ # pass phrase. Note that a kill -HUP will prompt again. Keep
+ # in mind that if you have both an RSA and a DSA certificate you
+ # can configure both in parallel (to also allow the use of DSA
+ # ciphers, etc.)
+ # Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
+ # require an ECC certificate which can also be configured in
+ # parallel.
+ SSLCertificateFile "/etc/apache/server.crt"
+ #SSLCertificateFile "/etc/apache/server-dsa.crt"
+ #SSLCertificateFile "/etc/apache/server-ecc.crt"
+
+ # Server Private Key:
+ # If the key is not combined with the certificate, use this
+ # directive to point at the key file. Keep in mind that if
+ # you've both a RSA and a DSA private key you can configure
+ # both in parallel (to also allow the use of DSA ciphers, etc.)
+ # ECC keys, when in use, can also be configured in parallel
+ SSLCertificateKeyFile "/etc/apache/server.key"
+ #SSLCertificateKeyFile "/etc/apache/server-dsa.key"
+ #SSLCertificateKeyFile "/etc/apache/server-ecc.key"
+
+ # Server Certificate Chain:
+ # Point SSLCertificateChainFile at a file containing the
+ # concatenation of PEM encoded CA certificates which form the
+ # certificate chain for the server certificate. Alternatively
+ # the referenced file can be the same as SSLCertificateFile
+ # when the CA certificates are directly appended to the server
+ # certificate for convenience.
+ #SSLCertificateChainFile "/etc/apache/server-ca.crt"
+
+ # Certificate Authority (CA):
+ # Set the CA certificate verification path where to find CA
+ # certificates for client authentication or alternatively one
+ # huge file containing all of them (file must be PEM encoded)
+ # Note: Inside SSLCACertificatePath you need hash symlinks
+ # to point to the certificate files. Use the provided
+ # Makefile to update the hash symlinks after changes.
+ #SSLCACertificatePath "/etc/apache/ssl.crt"
+ #SSLCACertificateFile "/etc/apache/ssl.crt/ca-bundle.crt"
+
+ # Certificate Revocation Lists (CRL):
+ # Set the CA revocation path where to find CA CRLs for client
+ # authentication or alternatively one huge file containing all
+ # of them (file must be PEM encoded).
+ # The CRL checking mode needs to be configured explicitly
+ # through SSLCARevocationCheck (defaults to "none" otherwise).
+ # Note: Inside SSLCARevocationPath you need hash symlinks
+ # to point to the certificate files. Use the provided
+ # Makefile to update the hash symlinks after changes.
+ #SSLCARevocationPath "/etc/apache/ssl.crl"
+ #SSLCARevocationFile "/etc/apache/ssl.crl/ca-bundle.crl"
+ #SSLCARevocationCheck chain
+
+ # Client Authentication (Type):
+ # Client certificate verification type and depth. Types are
+ # none, optional, require and optional_no_ca. Depth is a
+ # number which specifies how deeply to verify the certificate
+ # issuer chain before deciding the certificate is not valid.
+ #SSLVerifyClient require
+ #SSLVerifyDepth 10
+
+ # TLS-SRP mutual authentication:
+ # Enable TLS-SRP and set the path to the OpenSSL SRP verifier
+ # file (containing login information for SRP user accounts).
+ # Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for
+ # detailed instructions on creating this file. Example:
+ # "openssl srp -srpvfile /etc/apache/passwd.srpv -add username"
+ #SSLSRPVerifierFile "/etc/apache/passwd.srpv"
+
+ # Access Control:
+ # With SSLRequire you can do per-directory access control based
+ # on arbitrary complex boolean expressions containing server
+ # variable checks and other lookup directives. The syntax is a
+ # mixture between C and Perl. See the mod_ssl documentation
+ # for more details.
+ #
+ #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+ # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+ # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+ # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+ # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+ # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+ #
+
+ # SSL Engine Options:
+ # Set various options for the SSL engine.
+ # o FakeBasicAuth:
+ # Translate the client X.509 into a Basic Authorisation. This means that
+ # the standard Auth/DBMAuth methods can be used for access control. The
+ # user name is the `one line' version of the client's X.509 certificate.
+ # Note that no password is obtained from the user. Every entry in the user
+ # file needs this password: `xxj31ZMTZzkVA'.
+ # o ExportCertData:
+ # This exports two additional environment variables: SSL_CLIENT_CERT and
+ # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+ # server (always existing) and the client (only existing when client
+ # authentication is used). This can be used to import the certificates
+ # into CGI scripts.
+ # o StdEnvVars:
+ # This exports the standard SSL/TLS related `SSL_*' environment variables.
+ # Per default this exportation is switched off for performance reasons,
+ # because the extraction step is an expensive operation and is usually
+ # useless for serving static content. So one usually enables the
+ # exportation for CGI and SSI requests only.
+ # o StrictRequire:
+ # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+ # under a "Satisfy any" situation, i.e. when it applies access is denied
+ # and no other module can change it.
+ # o OptRenegotiate:
+ # This enables optimized SSL connection renegotiation handling when SSL
+ # directives are used in per-directory context.
+ #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+
+ # SSL Protocol Adjustments:
+ # The safe and default but still SSL/TLS standard compliant shutdown
+ # approach is that mod_ssl sends the close notify alert but doesn't wait for
+ # the close notify alert from client. When you need a different shutdown
+ # approach you can use one of the following variables:
+ # o ssl-unclean-shutdown:
+ # This forces an unclean shutdown when the connection is closed, i.e. no
+ # SSL close notify alert is sent or allowed to be received. This violates
+ # the SSL/TLS standard but is needed for some brain-dead browsers. Use
+ # this when you receive I/O errors because of the standard approach where
+ # mod_ssl sends the close notify alert.
+ # o ssl-accurate-shutdown:
+ # This forces an accurate shutdown when the connection is closed, i.e. a
+ # SSL close notify alert is send and mod_ssl waits for the close notify
+ # alert of the client. This is 100% SSL/TLS standard compliant, but in
+ # practice often causes hanging connections with brain-dead browsers. Use
+ # this only for browsers where you know that their SSL implementation
+ # works correctly.
+ # Notice: Most problems of broken clients are also related to the HTTP
+ # keep-alive facility, so you usually additionally want to disable
+ # keep-alive for those clients, too. Use variable "nokeepalive" for this.
+ # Similarly, one has to force some clients to use HTTP/1.0 to workaround
+ # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+ # "force-response-1.0" for this.
+ BrowserMatch "MSIE [2-5]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+
+ # Per-Server Logging:
+ # The home of a custom SSL log file. Use this when you want a
+ # compact non-error SSL logfile on a virtual host basis.
+ CustomLog "/var/log/httpd/ssl_request_log" \
+ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
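Review bot: `CustomLog "/var/log/httpd/ssl_request_log"` hardcodes a path while every other log in this file uses `${APACHE_LOG_DIR}`, and its inline format string duplicates the `ssl_info` LogFormat defined in mods-available/ssl.conf, so when the variable points elsewhere this host's logs land in two directories. Suggest `CustomLog ${APACHE_LOG_DIR}/001-default-ssl.ssl_request.log ssl_info`, matching 002-default-ssl.conf. The two identical `SSLOptions +StdEnvVars` lines at the same indentation look as though their enclosing per-path blocks were lost in this rendering; if the file really has them unwrapped, the second is redundant and StdEnvVars applies to every request, which the comment above warns is costly and usually restricted to CGI/SSI. The same pair appears in 002-default-ssl.conf.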
diff --git a/sites-available/002-default-ssl.conf b/sites-available/002-default-ssl.conf
new file mode 100644
index 0000000..4f8a33d
--- /dev/null
+++ b/sites-available/002-default-ssl.conf
@@ -0,0 +1,46 @@
+
+
+ DocumentRoot "/srv/www/apache"
+ #ServerName www.example.com:443
+ ServerAdmin webmaster@localhost
+ ErrorLog ${APACHE_LOG_DIR}/002-default-ssl.error.log
+ CustomLog ${APACHE_LOG_DIR}/002-default-ssl.access.log combined
+
+ SSLEngine on
+ SSLCertificateFile "/etc/apache/server.crt"
+ SSLCertificateKeyFile "/etc/apache/server.key"
+ #SSLCertificateChainFile "/etc/apache/server-ca.crt"
+
+ #SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+ SSLProtocol All -SSLv2 -SSLv3
+ SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+ SSLHonorCipherOrder On
+
+ SSLCompression off
+ SSLUseStapling on
+
+ SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
+ # Requires Apache >= 2.4.11
+ SSLSessionTickets Off
+
+ #Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+ #Header always set X-Frame-Options DENY
+ #Header always set X-Content-Type-Options nosniff
+
+
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+
+ BrowserMatch "MSIE [2-5]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+
+ CustomLog ${APACHE_LOG_DIR}/002-default-ssl.ssl_request.log ssl_info
+ CustomLog ${APACHE_LOG_DIR}/002-default-ssl.ssl_browser.log ssl_info_browser
+
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
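Review bot: `SSLStaplingCache "shmcb:logs/stapling-cache(150000)"` is a server-config-only directive that uses a ServerRoot-relative `logs/` path, whereas its companion `SSLSessionCache` lives at global scope in mods-available/ssl.conf under `${APACHE_RUN_DIR}`; if this sites-available file is loaded inside a virtual host, as the surrounding `SSLEngine on`/`DocumentRoot` suggest, httpd refuses the directive at startup. Suggest moving it next to SSLSessionCache as `SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling_cache(150000)` and leaving only `SSLUseStapling on` here. The commented `#Header always set Strict-Transport-Security ...` lines depend on mod_headers, which nothing in this diff loads; say so in the comment (`# Requires mod_headers`) rather than leaving them as unexplained archaeology.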