From 92eda1e5bace51490ecc3e497cd901326c1b12ac Mon Sep 17 00:00:00 2001 From: Sven Velt Date: Thu, 6 Oct 2016 22:19:33 +0200 Subject: [PATCH] Now with a little bit of SSL and Let's Encrypt - apache.conf Include listen.conf AFTER loading modules (ssl) - mod_ssl needs socache_shmcb uses mime and setenvif (in vhost) - mod_alias (for LE/dehydrated) - sites-available/00[12]-default-ssl.conf (untested!) --- apache.conf | 6 +- mods-available/alias.load | 1 + mods-available/mime.conf | 240 +++++++++++++++++++++++++++ mods-available/mime.load | 1 + mods-available/setenvif.conf | 32 ++++ mods-available/setenvif.load | 1 + mods-available/socache_shmcb.load | 1 + mods-available/ssl.conf | 90 ++++++++++ mods-available/ssl.load | 3 + sites-available/001-default-ssl.conf | 172 +++++++++++++++++++ sites-available/002-default-ssl.conf | 46 +++++ 11 files changed, 590 insertions(+), 3 deletions(-) create mode 100644 mods-available/alias.load create mode 100644 mods-available/mime.conf create mode 100644 mods-available/mime.load create mode 100644 mods-available/setenvif.conf create mode 100644 mods-available/setenvif.load create mode 100644 mods-available/socache_shmcb.load create mode 100644 mods-available/ssl.conf create mode 100644 mods-available/ssl.load create mode 100644 sites-available/001-default-ssl.conf create mode 100644 sites-available/002-default-ssl.conf diff --git a/apache.conf b/apache.conf index 6aef0c1..ca09a52 100644 --- a/apache.conf +++ b/apache.conf @@ -26,13 +26,13 @@ LoadModule authz_core_module /usr/libexec/httpd/mod_authz_core.so LoadModule log_config_module /usr/libexec/httpd/mod_log_config.so LoadModule unixd_module /usr/libexec/httpd/mod_unixd.so -# Include listen ports -Include listen.conf - # Admin wants these modules: IncludeOptional mods-enabled/*.load IncludeOptional mods-enabled/*.conf +# Include listen ports +Include listen.conf + ### Basic security settings 
diff --git a/mods-available/alias.load b/mods-available/alias.load
new file mode 100644
index 0000000..aa80310
--- /dev/null
+++ b/mods-available/alias.load
@@ -0,0 +1 @@
+LoadModule alias_module /usr/libexec/httpd/mod_alias.so
diff --git a/mods-available/mime.conf b/mods-available/mime.conf
new file mode 100644
index 0000000..c775646
--- /dev/null
+++ b/mods-available/mime.conf
@@ -0,0 +1,240 @@
+
+
+ #
+ # TypesConfig points to the file containing the list of mappings from
+ # filename extension to MIME-type.
+ #
+ TypesConfig /etc/apache/mime.types
+
+ #
+ # AddType allows you to add to or override the MIME configuration
+ # file mime.types for specific file types.
+ #
+ #AddType application/x-gzip .tgz
+ #
+ # AddEncoding allows you to have certain browsers uncompress
+ # information on the fly. Note: Not all browsers support this.
+ # Despite the name similarity, the following Add* directives have
+ # nothing to do with the FancyIndexing customization directives above.
+ #
+ #AddEncoding x-compress .Z
+ #AddEncoding x-gzip .gz .tgz
+ #AddEncoding x-bzip2 .bz2
+ #
+ # If the AddEncoding directives above are commented-out, then you
+ # probably should define those extensions to indicate media types:
+ #
+ AddType application/x-compress .Z
+ AddType application/x-gzip .gz .tgz
+ AddType application/x-bzip2 .bz2
+
+ #
+ # DefaultLanguage and AddLanguage allows you to specify the language of
+ # a document. You can then use content negotiation to give a browser a
+ # file in a language the user can understand.
+ #
+ # Specify a default language. This means that all data
+ # going out without a specific language tag (see below) will
+ # be marked with this one. You probably do NOT want to set
+ # this unless you are sure it is correct for all cases.
+ #
+ # * It is generally better to not mark a page as
+ # * being a certain language than marking it with the wrong
+ # * language!
+ #
+ # DefaultLanguage nl
+ #
+ # Note 1: The suffix does not have to be the same as the language
+ # keyword --- those with documents in Polish (whose net-standard
+ # language code is pl) may wish to use "AddLanguage pl .po" to
+ # avoid the ambiguity with the common suffix for perl scripts.
+ #
+ # Note 2: The example entries below illustrate that in some cases
+ # the two character 'Language' abbreviation is not identical to
+ # the two character 'Country' code for its country,
+ # E.g. 'Danmark/dk' versus 'Danish/da'.
+ #
+ # Note 3: In the case of 'ltz' we violate the RFC by using a three char
+ # specifier. There is 'work in progress' to fix this and get
+ # the reference data for rfc1766 cleaned up.
+ #
+ # Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl)
+ # English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de)
+ # Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja)
+ # Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn)
+ # Norwegian (no) - Polish (pl) - Portugese (pt)
+ # Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv)
+ # Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW)
+ #
+ AddLanguage am .amh
+ AddLanguage ar .ara
+ AddLanguage be .be
+ AddLanguage bg .bg
+ AddLanguage bn .bn
+ AddLanguage br .br
+ AddLanguage bs .bs
+ AddLanguage ca .ca
+ AddLanguage cs .cz .cs
+ AddLanguage cy .cy
+ AddLanguage da .dk
+ AddLanguage de .de
+ AddLanguage dz .dz
+ AddLanguage el .el
+ AddLanguage en .en
+ AddLanguage eo .eo
+ # es is ecmascript in /etc/mime.types
+ RemoveType es
+ AddLanguage es .es
+ AddLanguage et .et
+ AddLanguage eu .eu
+ AddLanguage fa .fa
+ AddLanguage fi .fi
+ AddLanguage fr .fr
+ AddLanguage ga .ga
+ AddLanguage gl .glg
+ AddLanguage gu .gu
+ AddLanguage he .he
+ AddLanguage hi .hi
+ AddLanguage hr .hr
+ AddLanguage hu .hu
+ AddLanguage hy .hy
+ AddLanguage id .id
+ AddLanguage is .is
+ AddLanguage it .it
+ AddLanguage ja .ja
+ AddLanguage ka .ka
+ AddLanguage kk .kk
+ AddLanguage km .km
+ AddLanguage kn .kn
+ AddLanguage ko .ko
+ AddLanguage ku .ku
+ AddLanguage lo .lo
+ AddLanguage lt .lt
+ AddLanguage ltz .ltz
+ AddLanguage lv .lv
+ AddLanguage mg .mg
+ AddLanguage mk .mk
+ AddLanguage ml .ml
+ AddLanguage mr .mr
+ AddLanguage ms .msa
+ AddLanguage nb .nob
+ AddLanguage ne .ne
+ AddLanguage nl .nl
+ AddLanguage nn .nn
+ AddLanguage no .no
+ AddLanguage pa .pa
+ AddLanguage pl .po
+ AddLanguage pt-BR .pt-br
+ AddLanguage pt .pt
+ AddLanguage ro .ro
+ AddLanguage ru .ru
+ AddLanguage sa .sa
+ AddLanguage se .se
+ AddLanguage si .si
+ AddLanguage sk .sk
+ AddLanguage sl .sl
+ AddLanguage sq .sq
+ AddLanguage sr .sr
+ AddLanguage sv .sv
+ AddLanguage ta .ta
+ AddLanguage te .te
+ AddLanguage th .th
+ AddLanguage tl .tl
+ RemoveType tr
+ # tr is troff in /etc/mime.types
+ AddLanguage tr .tr
+ AddLanguage uk .uk
+ AddLanguage ur .ur
+ AddLanguage vi .vi
+ AddLanguage wo .wo
+ AddLanguage xh .xh
+ AddLanguage zh-CN .zh-cn
+ AddLanguage zh-TW .zh-tw
+
+ #
+ # Commonly used filename extensions to character sets. You probably
+ # want to avoid clashes with the language extensions, unless you
+ # are good at carefully testing your setup after each change.
+ # See http://www.iana.org/assignments/character-sets for the
+ # official list of charset names and their respective RFCs.
+ #
+ AddCharset us-ascii .ascii .us-ascii
+ AddCharset ISO-8859-1 .iso8859-1 .latin1
+ AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
+ AddCharset ISO-8859-3 .iso8859-3 .latin3
+ AddCharset ISO-8859-4 .iso8859-4 .latin4
+ AddCharset ISO-8859-5 .iso8859-5 .cyr .iso-ru
+ AddCharset ISO-8859-6 .iso8859-6 .arb .arabic
+ AddCharset ISO-8859-7 .iso8859-7 .grk .greek
+ AddCharset ISO-8859-8 .iso8859-8 .heb .hebrew
+ AddCharset ISO-8859-9 .iso8859-9 .latin5 .trk
+ AddCharset ISO-8859-10 .iso8859-10 .latin6
+ AddCharset ISO-8859-13 .iso8859-13
+ AddCharset ISO-8859-14 .iso8859-14 .latin8
+ AddCharset ISO-8859-15 .iso8859-15 .latin9
+ AddCharset ISO-8859-16 .iso8859-16 .latin10
+ AddCharset ISO-2022-JP .iso2022-jp .jis
+ AddCharset ISO-2022-KR .iso2022-kr .kis
+ AddCharset ISO-2022-CN .iso2022-cn .cis
+ AddCharset Big5 .Big5 .big5 .b5
+ AddCharset cn-Big5 .cn-big5
+ # For russian, more than one charset is used (depends on client, mostly):
+ AddCharset WINDOWS-1251 .cp-1251 .win-1251
+ AddCharset CP866 .cp866
+ AddCharset KOI8 .koi8
+ AddCharset KOI8-E .koi8-e
+ AddCharset KOI8-r .koi8-r .koi8-ru
+ AddCharset KOI8-U .koi8-u
+ AddCharset KOI8-ru .koi8-uk .ua
+ AddCharset ISO-10646-UCS-2 .ucs2
+ AddCharset ISO-10646-UCS-4 .ucs4
+ AddCharset UTF-7 .utf7
+ AddCharset UTF-8 .utf8
+ AddCharset UTF-16 .utf16
+ AddCharset UTF-16BE .utf16be
+ AddCharset UTF-16LE .utf16le
+ AddCharset UTF-32 .utf32
+ AddCharset UTF-32BE .utf32be
+ AddCharset UTF-32LE .utf32le
+ AddCharset euc-cn .euc-cn
+ AddCharset euc-gb .euc-gb
+ AddCharset euc-jp .euc-jp
+ AddCharset euc-kr .euc-kr
+ #Not sure how euc-tw got in - IANA doesn't list it???
+ AddCharset EUC-TW .euc-tw
+ AddCharset gb2312 .gb2312 .gb
+ AddCharset iso-10646-ucs-2 .ucs-2 .iso-10646-ucs-2
+ AddCharset iso-10646-ucs-4 .ucs-4 .iso-10646-ucs-4
+ AddCharset shift_jis .shift_jis .sjis
+ AddCharset BRF .brf
+
+ #
+ # AddHandler allows you to map certain file extensions to "handlers":
+ # actions unrelated to filetype. These can be either built into the server
+ # or added with the Action directive (see below)
+ #
+ # To use CGI scripts outside of ScriptAliased directories:
+ # (You will also need to add "ExecCGI" to the "Options" directive.)
+ #
+ #AddHandler cgi-script .cgi
+
+ #
+ # For files that include their own HTTP headers:
+ #
+ #AddHandler send-as-is asis
+
+ #
+ # For server-parsed imagemap files:
+ #
+ #AddHandler imap-file map
+
+ #
+ # For type maps (negotiated resources):
+ # (This is enabled by default to allow the Apache "It Worked" page
+ # to be distributed in multiple languages.)
+ #
+ AddHandler type-map var
+
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/mods-available/mime.load b/mods-available/mime.load
new file mode 100644
index 0000000..aafcb94
--- /dev/null
+++ b/mods-available/mime.load
@@ -0,0 +1 @@
+LoadModule mime_module /usr/libexec/httpd/mod_mime.so
diff --git a/mods-available/setenvif.conf b/mods-available/setenvif.conf
new file mode 100644
index 0000000..b6c4cc4
--- /dev/null
+++ b/mods-available/setenvif.conf
@@ -0,0 +1,32 @@
+
+
+ #
+ # The following directives modify normal HTTP response behavior to
+ # handle known problems with browser implementations.
+ #
+ BrowserMatch "Mozilla/2" nokeepalive
+ BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
+ BrowserMatch "RealPlayer 4\.0" force-response-1.0
+ BrowserMatch "Java/1\.0" force-response-1.0
+ BrowserMatch "JDK/1\.0" force-response-1.0
+
+ #
+ # The following directive disables redirects on non-GET requests for
+ # a directory that does not include the trailing slash. This fixes a
+ # problem with Microsoft WebFolders which does not appropriately handle
+ # redirects for folders with DAV methods.
+ # Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
+ #
+ BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
+ BrowserMatch "MS FrontPage" redirect-carefully
+ BrowserMatch "^WebDrive" redirect-carefully
+ BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
+ BrowserMatch "^gnome-vfs/1.0" redirect-carefully
+ BrowserMatch "^gvfs/1" redirect-carefully
+ BrowserMatch "^XML Spy" redirect-carefully
+ BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
+ BrowserMatch " Konqueror/4" redirect-carefully
+
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/mods-available/setenvif.load b/mods-available/setenvif.load
new file mode 100644
index 0000000..970f807
--- /dev/null
+++ b/mods-available/setenvif.load
@@ -0,0 +1 @@
+LoadModule setenvif_module /usr/libexec/httpd/mod_setenvif.so
diff --git a/mods-available/socache_shmcb.load b/mods-available/socache_shmcb.load
new file mode 100644
index 0000000..a14687c
--- /dev/null
+++ b/mods-available/socache_shmcb.load
@@ -0,0 +1 @@
+LoadModule socache_shmcb_module /usr/libexec/httpd/mod_socache_shmcb.so
diff --git a/mods-available/ssl.conf b/mods-available/ssl.conf
new file mode 100644
index 0000000..6afc473
--- /dev/null
+++ b/mods-available/ssl.conf
@@ -0,0 +1,90 @@
+
+
+ # Pseudo Random Number Generator (PRNG):
+ # Configure one or more sources to seed the PRNG of the SSL library.
+ # The seed data should be of good random quality.
+ # WARNING! On some platforms /dev/random blocks if not enough entropy
+ # is available. This means you then cannot use the /dev/random device
+ # because it would lead to very long connection times (as long as
+ # it requires to make more entropy available). But usually those
+ # platforms additionally provide a /dev/urandom device which doesn't
+ # block. So, if available, use this one instead. Read the mod_ssl User
+ # Manual for more details.
+ #
+ SSLRandomSeed startup builtin
+ SSLRandomSeed startup file:/dev/urandom 512
+ SSLRandomSeed connect builtin
+ SSLRandomSeed connect file:/dev/urandom 512
+
+ ##
+ ## SSL Global Context
+ ##
+ ## All SSL configuration in this context applies both to
+ ## the main server and all SSL-enabled virtual hosts.
+ ##
+
+ #
+ # Some MIME-types for downloading Certificates and CRLs
+ #
+
+ AddType application/x-x509-ca-cert .crt
+ AddType application/x-pkcs7-crl .crl
+
+
+ # Pass Phrase Dialog:
+ # Configure the pass phrase gathering process.
+ # The filtering dialog program (`builtin' is a internal
+ # terminal dialog) has to provide the pass phrase on stdout.
+ SSLPassPhraseDialog builtin
+
+ # Inter-Process Session Cache:
+ # Configure the SSL Session Cache: First the mechanism
+ # to use and second the expiring timeout (in seconds).
+ # (The mechanism dbm has known memory leaks and should not be used).
+ #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
+ SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
+ SSLSessionCacheTimeout 300
+
+ # Semaphore:
+ # Configure the path to the mutual exclusion semaphore the
+ # SSL engine uses internally for inter-process synchronization.
+ # (Disabled by default, the global Mutex directive consolidates by default
+ # this)
+ #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
+
+
+ # SSL Cipher Suite:
+ # List the ciphers that the client is permitted to negotiate. See the
+ # ciphers(1) man page from the openssl package for list of all available
+ # options.
+ # Enable only secure ciphers:
+ SSLCipherSuite HIGH:!aNULL
+
+ # SSL server cipher order preference:
+ # Use server priorities for cipher algorithm choice.
+ # Clients may prefer lower grade encryption. You should enable this
+ # option if you want to enforce stronger encryption, and can afford
+ # the CPU cost, and did not override SSLCipherSuite in a way that puts
+ # insecure ciphers first.
+ # Default: Off
+ #SSLHonorCipherOrder on
+
+ # The protocols to enable.
+ # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
+ # SSL v2 is no longer supported
+ SSLProtocol all -SSLv3
+
+ # Allow insecure renegotiation with clients which do not yet support the
+ # secure renegotiation protocol. Default: Off
+ #SSLInsecureRenegotiation on
+
+ # Whether to forbid non-SNI clients to access name based virtual hosts.
+ # Default: Off
+ #SSLStrictSNIVHostCheck On
+
+
+LogFormat "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" ssl_info
+LogFormat "%{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%{User-Agent}i\"" ssl_info_browser
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/mods-available/ssl.load b/mods-available/ssl.load
new file mode 100644
index 0000000..4a2cb67
--- /dev/null
+++ b/mods-available/ssl.load
@@ -0,0 +1,3 @@
+# Depends: socache_shmcb
+# Suggests: setenvif mime
+LoadModule ssl_module /usr/libexec/httpd/mod_ssl.so
diff --git a/sites-available/001-default-ssl.conf b/sites-available/001-default-ssl.conf
new file mode 100644
index 0000000..ed5481f
--- /dev/null
+++ b/sites-available/001-default-ssl.conf
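Review bot: `SSLCipherSuite HIGH:!aNULL` together with the commented-out `#SSLHonorCipherOrder on` leaves cipher choice to the client and still permits 3DES and non-forward-secret RSA key exchange; because sites-available/001-default-ssl.conf sets neither directive, that vhost inherits exactly this global policy, while 002-default-ssl.conf overrides both. The stricter pair from 002, `SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH` and `SSLHonorCipherOrder On`, belongs here in the global context so every SSL vhost gets it by default and the per-vhost copies become optional. `SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)` also depends on APACHE_RUN_DIR being exported to httpd, which nothing in this commit does and which is not a given for the /usr/libexec/httpd layout used here; a comment such as `# APACHE_RUN_DIR and APACHE_LOG_DIR must be exported by the environment that starts httpd` would make that requirement visible.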
@@ -0,0 +1,172 @@
+
+
+ # General setup for the virtual host
+ DocumentRoot "/srv/www/apache"
+ #ServerName www.example.com:443
+ ServerAdmin webmaster@localhost
+ ErrorLog ${APACHE_LOG_DIR}/001-default-ssl.error.log
+ CustomLog ${APACHE_LOG_DIR}/001-default-ssl.access.log combined
+
+ # SSL Engine Switch:
+ # Enable/Disable SSL for this virtual host.
+ SSLEngine on
+
+ # Server Certificate:
+ # Point SSLCertificateFile at a PEM encoded certificate. If
+ # the certificate is encrypted, then you will be prompted for a
+ # pass phrase. Note that a kill -HUP will prompt again. Keep
+ # in mind that if you have both an RSA and a DSA certificate you
+ # can configure both in parallel (to also allow the use of DSA
+ # ciphers, etc.)
+ # Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
+ # require an ECC certificate which can also be configured in
+ # parallel.
+ SSLCertificateFile "/etc/apache/server.crt"
+ #SSLCertificateFile "/etc/apache/server-dsa.crt"
+ #SSLCertificateFile "/etc/apache/server-ecc.crt"
+
+ # Server Private Key:
+ # If the key is not combined with the certificate, use this
+ # directive to point at the key file. Keep in mind that if
+ # you've both a RSA and a DSA private key you can configure
+ # both in parallel (to also allow the use of DSA ciphers, etc.)
+ # ECC keys, when in use, can also be configured in parallel
+ SSLCertificateKeyFile "/etc/apache/server.key"
+ #SSLCertificateKeyFile "/etc/apache/server-dsa.key"
+ #SSLCertificateKeyFile "/etc/apache/server-ecc.key"
+
+ # Server Certificate Chain:
+ # Point SSLCertificateChainFile at a file containing the
+ # concatenation of PEM encoded CA certificates which form the
+ # certificate chain for the server certificate. Alternatively
+ # the referenced file can be the same as SSLCertificateFile
+ # when the CA certificates are directly appended to the server
+ # certificate for convenience.
+ #SSLCertificateChainFile "/etc/apache/server-ca.crt"
+
+ # Certificate Authority (CA):
+ # Set the CA certificate verification path where to find CA
+ # certificates for client authentication or alternatively one
+ # huge file containing all of them (file must be PEM encoded)
+ # Note: Inside SSLCACertificatePath you need hash symlinks
+ # to point to the certificate files. Use the provided
+ # Makefile to update the hash symlinks after changes.
+ #SSLCACertificatePath "/etc/apache/ssl.crt"
+ #SSLCACertificateFile "/etc/apache/ssl.crt/ca-bundle.crt"
+
+ # Certificate Revocation Lists (CRL):
+ # Set the CA revocation path where to find CA CRLs for client
+ # authentication or alternatively one huge file containing all
+ # of them (file must be PEM encoded).
+ # The CRL checking mode needs to be configured explicitly
+ # through SSLCARevocationCheck (defaults to "none" otherwise).
+ # Note: Inside SSLCARevocationPath you need hash symlinks
+ # to point to the certificate files. Use the provided
+ # Makefile to update the hash symlinks after changes.
+ #SSLCARevocationPath "/etc/apache/ssl.crl"
+ #SSLCARevocationFile "/etc/apache/ssl.crl/ca-bundle.crl"
+ #SSLCARevocationCheck chain
+
+ # Client Authentication (Type):
+ # Client certificate verification type and depth. Types are
+ # none, optional, require and optional_no_ca. Depth is a
+ # number which specifies how deeply to verify the certificate
+ # issuer chain before deciding the certificate is not valid.
+ #SSLVerifyClient require
+ #SSLVerifyDepth 10
+
+ # TLS-SRP mutual authentication:
+ # Enable TLS-SRP and set the path to the OpenSSL SRP verifier
+ # file (containing login information for SRP user accounts).
+ # Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for
+ # detailed instructions on creating this file. Example:
+ # "openssl srp -srpvfile /etc/apache/passwd.srpv -add username"
+ #SSLSRPVerifierFile "/etc/apache/passwd.srpv"
+
+ # Access Control:
+ # With SSLRequire you can do per-directory access control based
+ # on arbitrary complex boolean expressions containing server
+ # variable checks and other lookup directives. The syntax is a
+ # mixture between C and Perl. See the mod_ssl documentation
+ # for more details.
+ #
+ #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+ # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+ # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+ # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+ # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+ # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+ #
+
+ # SSL Engine Options:
+ # Set various options for the SSL engine.
+ # o FakeBasicAuth:
+ # Translate the client X.509 into a Basic Authorisation. This means that
+ # the standard Auth/DBMAuth methods can be used for access control. The
+ # user name is the `one line' version of the client's X.509 certificate.
+ # Note that no password is obtained from the user. Every entry in the user
+ # file needs this password: `xxj31ZMTZzkVA'.
+ # o ExportCertData:
+ # This exports two additional environment variables: SSL_CLIENT_CERT and
+ # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+ # server (always existing) and the client (only existing when client
+ # authentication is used). This can be used to import the certificates
+ # into CGI scripts.
+ # o StdEnvVars:
+ # This exports the standard SSL/TLS related `SSL_*' environment variables.
+ # Per default this exportation is switched off for performance reasons,
+ # because the extraction step is an expensive operation and is usually
+ # useless for serving static content. So one usually enables the
+ # exportation for CGI and SSI requests only.
+ # o StrictRequire:
+ # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+ # under a "Satisfy any" situation, i.e. when it applies access is denied
+ # and no other module can change it.
+ # o OptRenegotiate:
+ # This enables optimized SSL connection renegotiation handling when SSL
+ # directives are used in per-directory context.
+ #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+
+ SSLOptions +StdEnvVars
+
+ SSLOptions +StdEnvVars
+
+ # SSL Protocol Adjustments:
+ # The safe and default but still SSL/TLS standard compliant shutdown
+ # approach is that mod_ssl sends the close notify alert but doesn't wait for
+ # the close notify alert from client. When you need a different shutdown
+ # approach you can use one of the following variables:
+ # o ssl-unclean-shutdown:
+ # This forces an unclean shutdown when the connection is closed, i.e. no
+ # SSL close notify alert is sent or allowed to be received. This violates
+ # the SSL/TLS standard but is needed for some brain-dead browsers. Use
+ # this when you receive I/O errors because of the standard approach where
+ # mod_ssl sends the close notify alert.
+ # o ssl-accurate-shutdown:
+ # This forces an accurate shutdown when the connection is closed, i.e. a
+ # SSL close notify alert is send and mod_ssl waits for the close notify
+ # alert of the client. This is 100% SSL/TLS standard compliant, but in
+ # practice often causes hanging connections with brain-dead browsers. Use
+ # this only for browsers where you know that their SSL implementation
+ # works correctly.
+ # Notice: Most problems of broken clients are also related to the HTTP
+ # keep-alive facility, so you usually additionally want to disable
+ # keep-alive for those clients, too. Use variable "nokeepalive" for this.
+ # Similarly, one has to force some clients to use HTTP/1.0 to workaround
+ # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+ # "force-response-1.0" for this.
+ BrowserMatch "MSIE [2-5]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+
+ # Per-Server Logging:
+ # The home of a custom SSL log file. Use this when you want a
+ # compact non-error SSL logfile on a virtual host basis.
+ CustomLog "/var/log/httpd/ssl_request_log" \
+ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/sites-available/002-default-ssl.conf b/sites-available/002-default-ssl.conf
new file mode 100644
index 0000000..4f8a33d
--- /dev/null
+++ b/sites-available/002-default-ssl.conf
@@ -0,0 +1,46 @@
+
+
+ DocumentRoot "/srv/www/apache"
+ #ServerName www.example.com:443
+ ServerAdmin webmaster@localhost
+ ErrorLog ${APACHE_LOG_DIR}/002-default-ssl.error.log
+ CustomLog ${APACHE_LOG_DIR}/002-default-ssl.access.log combined
+
+ SSLEngine on
+ SSLCertificateFile "/etc/apache/server.crt"
+ SSLCertificateKeyFile "/etc/apache/server.key"
+ #SSLCertificateChainFile "/etc/apache/server-ca.crt"
+
+ #SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+ SSLProtocol All -SSLv2 -SSLv3
+ SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+ SSLHonorCipherOrder On
+
+ SSLCompression off
+ SSLUseStapling on
+
+ SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
+ # Requires Apache >= 2.4.11
+ SSLSessionTickets Off
+
+ #Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+ #Header always set X-Frame-Options DENY
+ #Header always set X-Content-Type-Options nosniff
+
+
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+
+ BrowserMatch "MSIE [2-5]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+
+ CustomLog ${APACHE_LOG_DIR}/002-default-ssl.ssl_request.log ssl_info
+ CustomLog ${APACHE_LOG_DIR}/002-default-ssl.ssl_browser.log ssl_info_browser
+
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
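Review bot: `CustomLog "/var/log/httpd/ssl_request_log"` at the end of the vhost hardcodes a log path outside `${APACHE_LOG_DIR}`, which `ErrorLog` and the access `CustomLog` at the top of the same vhost use; unless /var/log/httpd is deliberately separate it should become `CustomLog ${APACHE_LOG_DIR}/001-default-ssl.ssl_request.log ssl_info`, reusing the nickname that mods-available/ssl.conf defines, as 002-default-ssl.conf already does. Both this file and 002 point at the same /etc/apache/server.crt and server.key placeholders with `ServerName` commented out; presumably these are meant to be replaced by the dehydrated-issued certificate the commit message mentions, and a one-line comment saying so above `SSLCertificateFile` would spare the next reader that guess. The container directives (VirtualHost, FilesMatch, Directory) are not visible in this rendering, so the scope of the two `SSLOptions +StdEnvVars` lines cannot be checked here.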
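Review bot: `SSLStaplingCache "shmcb:logs/stapling-cache(150000)"` is only allowed in the global server context, so if, as the indentation suggests, it sits inside the `<VirtualHost>` block httpd will reject the configuration at start-up; move it into mods-available/ssl.conf next to `SSLSessionCache` and, for consistency with that directive, point it at the run directory instead of the ServerRoot-relative `logs/` path, e.g. `SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling-cache(150000)`. `SSLUseStapling on`, `SSLCompression off` and `SSLSessionTickets Off` are valid in a vhost and can stay where they are. With `ServerName` commented out in both 001 and 002, only whichever vhost is loaded first on a given address:port will ever answer, so 002's stricter `SSLProtocol`/`SSLCipherSuite` would not take effect while 001 is also enabled — presumably this file is meant to replace 001 rather than run beside it, which the commit message's "untested!" does not settle. The commented `Header always set ...` lines would additionally need mod_headers, which this commit does not load.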