Now with a little bit of SSL and Let's Encrypt

- apache.conf Include listen.conf AFTER loading modules (ssl) - mod_ssl needs socache_shmcb uses mime and setenvif (in vhost) - mod_alias (for LE/dehydrated) - sites-available/00[12]-default-ssl.conf (untested!)
2016-10-06 22:19:33 +02:00 · 2016-10-06 22:19:33 +02:00 · 92eda1e5ba
parent d53ffc4ede
commit 92eda1e5ba
11 changed files with 590 additions and 3 deletions
--- a/apache.conf
+++ b/apache.conf
@ -26,13 +26,13 @@ LoadModule authz_core_module /usr/libexec/httpd/mod_authz_core.so
 LoadModule log_config_module /usr/libexec/httpd/mod_log_config.so
 LoadModule unixd_module /usr/libexec/httpd/mod_unixd.so
 # Include listen ports
 Include listen.conf
 # Admin wants these modules:
 IncludeOptional mods-enabled/*.load
 IncludeOptional mods-enabled/*.conf
 # Include listen ports
 Include listen.conf
 ### Basic security settings
--- a/mods-available/alias.load
+++ b/mods-available/alias.load
@ -0,0 +1 @@
 LoadModule alias_module /usr/libexec/httpd/mod_alias.so
--- a/mods-available/mime.conf
+++ b/mods-available/mime.conf
@ -0,0 +1,240 @@
 <IfModule mod_mime.c>
 	#
 	# TypesConfig points to the file containing the list of mappings from
 	# filename extension to MIME-type.
 	#
 	TypesConfig /etc/apache/mime.types
 	#
 	# AddType allows you to add to or override the MIME configuration
 	# file mime.types for specific file types.
 	#
 	#AddType application/x-gzip .tgz
 	#
 	# AddEncoding allows you to have certain browsers uncompress
 	# information on the fly. Note: Not all browsers support this.
 	# Despite the name similarity, the following Add* directives have
 	# nothing to do with the FancyIndexing customization directives above.
 	#
 	#AddEncoding x-compress .Z
 	#AddEncoding x-gzip .gz .tgz
 	#AddEncoding x-bzip2 .bz2
 	#
 	# If the AddEncoding directives above are commented-out, then you
 	# probably should define those extensions to indicate media types:
 	#
 	AddType application/x-compress .Z
 	AddType application/x-gzip .gz .tgz
 	AddType application/x-bzip2 .bz2
 	#
 	# DefaultLanguage and AddLanguage allows you to specify the language of 
 	# a document. You can then use content negotiation to give a browser a 
 	# file in a language the user can understand.
 	#
 	# Specify a default language. This means that all data
 	# going out without a specific language tag (see below) will 
 	# be marked with this one. You probably do NOT want to set
 	# this unless you are sure it is correct for all cases.
 	#
 	# * It is generally better to not mark a page as 
 	# * being a certain language than marking it with the wrong
 	# * language!
 	#
 	# DefaultLanguage nl
 	#
 	# Note 1: The suffix does not have to be the same as the language
 	# keyword --- those with documents in Polish (whose net-standard
 	# language code is pl) may wish to use "AddLanguage pl .po" to
 	# avoid the ambiguity with the common suffix for perl scripts.
 	#
 	# Note 2: The example entries below illustrate that in some cases 
 	# the two character 'Language' abbreviation is not identical to 
 	# the two character 'Country' code for its country,
 	# E.g. 'Danmark/dk' versus 'Danish/da'.
 	#
 	# Note 3: In the case of 'ltz' we violate the RFC by using a three char
 	# specifier. There is 'work in progress' to fix this and get
 	# the reference data for rfc1766 cleaned up.
 	#
 	# Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl)
 	# English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de)
 	# Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja)
 	# Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn)
 	# Norwegian (no) - Polish (pl) - Portugese (pt)
 	# Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv)
 	# Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW)
 	#
 	AddLanguage am .amh
 	AddLanguage ar .ara
 	AddLanguage be .be
 	AddLanguage bg .bg
 	AddLanguage bn .bn
 	AddLanguage br .br
 	AddLanguage bs .bs
 	AddLanguage ca .ca
 	AddLanguage cs .cz .cs
 	AddLanguage cy .cy
 	AddLanguage da .dk
 	AddLanguage de .de
 	AddLanguage dz .dz
 	AddLanguage el .el
 	AddLanguage en .en
 	AddLanguage eo .eo
 	# es is ecmascript in /etc/mime.types
 	RemoveType  es
 	AddLanguage es .es
 	AddLanguage et .et
 	AddLanguage eu .eu
 	AddLanguage fa .fa
 	AddLanguage fi .fi
 	AddLanguage fr .fr
 	AddLanguage ga .ga
 	AddLanguage gl .glg
 	AddLanguage gu .gu
 	AddLanguage he .he
 	AddLanguage hi .hi
 	AddLanguage hr .hr
 	AddLanguage hu .hu
 	AddLanguage hy .hy
 	AddLanguage id .id
 	AddLanguage is .is
 	AddLanguage it .it
 	AddLanguage ja .ja
 	AddLanguage ka .ka
 	AddLanguage kk .kk
 	AddLanguage km .km
 	AddLanguage kn .kn
 	AddLanguage ko .ko
 	AddLanguage ku .ku
 	AddLanguage lo .lo
 	AddLanguage lt .lt
 	AddLanguage ltz .ltz
 	AddLanguage lv .lv
 	AddLanguage mg .mg
 	AddLanguage mk .mk
 	AddLanguage ml .ml
 	AddLanguage mr .mr
 	AddLanguage ms .msa
 	AddLanguage nb .nob
 	AddLanguage ne .ne
 	AddLanguage nl .nl
 	AddLanguage nn .nn
 	AddLanguage no .no
 	AddLanguage pa .pa
 	AddLanguage pl .po
 	AddLanguage pt-BR .pt-br
 	AddLanguage pt .pt
 	AddLanguage ro .ro
 	AddLanguage ru .ru
 	AddLanguage sa .sa
 	AddLanguage se .se
 	AddLanguage si .si
 	AddLanguage sk .sk
 	AddLanguage sl .sl
 	AddLanguage sq .sq
 	AddLanguage sr .sr
 	AddLanguage sv .sv
 	AddLanguage ta .ta
 	AddLanguage te .te
 	AddLanguage th .th
 	AddLanguage tl .tl
 	RemoveType  tr
 	# tr is troff in /etc/mime.types
 	AddLanguage tr .tr
 	AddLanguage uk .uk
 	AddLanguage ur .ur
 	AddLanguage vi .vi
 	AddLanguage wo .wo
 	AddLanguage xh .xh
 	AddLanguage zh-CN .zh-cn
 	AddLanguage zh-TW .zh-tw
 	#
 	# Commonly used filename extensions to character sets. You probably
 	# want to avoid clashes with the language extensions, unless you
 	# are good at carefully testing your setup after each change.
 	# See http://www.iana.org/assignments/character-sets for the
 	# official list of charset names and their respective RFCs.
 	#
 	AddCharset us-ascii	.ascii .us-ascii
 	AddCharset ISO-8859-1  .iso8859-1  .latin1
 	AddCharset ISO-8859-2  .iso8859-2  .latin2 .cen
 	AddCharset ISO-8859-3  .iso8859-3  .latin3
 	AddCharset ISO-8859-4  .iso8859-4  .latin4
 	AddCharset ISO-8859-5  .iso8859-5  .cyr .iso-ru
 	AddCharset ISO-8859-6  .iso8859-6  .arb .arabic
 	AddCharset ISO-8859-7  .iso8859-7  .grk .greek
 	AddCharset ISO-8859-8  .iso8859-8  .heb .hebrew
 	AddCharset ISO-8859-9  .iso8859-9  .latin5 .trk
 	AddCharset ISO-8859-10  .iso8859-10  .latin6
 	AddCharset ISO-8859-13  .iso8859-13
 	AddCharset ISO-8859-14  .iso8859-14  .latin8
 	AddCharset ISO-8859-15  .iso8859-15  .latin9
 	AddCharset ISO-8859-16  .iso8859-16  .latin10
 	AddCharset ISO-2022-JP .iso2022-jp .jis
 	AddCharset ISO-2022-KR .iso2022-kr .kis
 	AddCharset ISO-2022-CN .iso2022-cn .cis
 	AddCharset Big5		.Big5	   .big5 .b5
 	AddCharset cn-Big5	 .cn-big5
 	# For russian, more than one charset is used (depends on client, mostly):
 	AddCharset WINDOWS-1251 .cp-1251   .win-1251
 	AddCharset CP866	   .cp866
 	AddCharset KOI8	  .koi8
 	AddCharset KOI8-E	  .koi8-e
 	AddCharset KOI8-r	  .koi8-r .koi8-ru
 	AddCharset KOI8-U	  .koi8-u
 	AddCharset KOI8-ru	 .koi8-uk .ua
 	AddCharset ISO-10646-UCS-2 .ucs2
 	AddCharset ISO-10646-UCS-4 .ucs4
 	AddCharset UTF-7	   .utf7
 	AddCharset UTF-8	   .utf8
 	AddCharset UTF-16	  .utf16
 	AddCharset UTF-16BE	.utf16be
 	AddCharset UTF-16LE	.utf16le
 	AddCharset UTF-32	  .utf32
 	AddCharset UTF-32BE	.utf32be
 	AddCharset UTF-32LE	.utf32le
 	AddCharset euc-cn	  .euc-cn
 	AddCharset euc-gb	  .euc-gb
 	AddCharset euc-jp	  .euc-jp
 	AddCharset euc-kr	  .euc-kr
 	#Not sure how euc-tw got in - IANA doesn't list it???
 	AddCharset EUC-TW	  .euc-tw
 	AddCharset gb2312	  .gb2312 .gb
 	AddCharset iso-10646-ucs-2 .ucs-2 .iso-10646-ucs-2
 	AddCharset iso-10646-ucs-4 .ucs-4 .iso-10646-ucs-4
 	AddCharset shift_jis   .shift_jis .sjis
 	AddCharset BRF		 .brf
 	#
 	# AddHandler allows you to map certain file extensions to "handlers":
 	# actions unrelated to filetype. These can be either built into the server
 	# or added with the Action directive (see below)
 	#
 	# To use CGI scripts outside of ScriptAliased directories:
 	# (You will also need to add "ExecCGI" to the "Options" directive.)
 	#
 	#AddHandler cgi-script .cgi
 	#
 	# For files that include their own HTTP headers:
 	#
 	#AddHandler send-as-is asis
 	#
 	# For server-parsed imagemap files:
 	#
 	#AddHandler imap-file map
 	#
 	# For type maps (negotiated resources):
 	# (This is enabled by default to allow the Apache "It Worked" page
 	#  to be distributed in multiple languages.)
 	#
 	AddHandler type-map var
 </IfModule>
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
--- a/mods-available/mime.load
+++ b/mods-available/mime.load
@ -0,0 +1 @@
 LoadModule mime_module /usr/libexec/httpd/mod_mime.so
--- a/mods-available/setenvif.conf
+++ b/mods-available/setenvif.conf
@ -0,0 +1,32 @@
 <IfModule mod_setenvif.c>
 	#
 	# The following directives modify normal HTTP response behavior to
 	# handle known problems with browser implementations.
 	#
 	BrowserMatch "Mozilla/2" nokeepalive
 	BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
 	BrowserMatch "RealPlayer 4\.0" force-response-1.0
 	BrowserMatch "Java/1\.0" force-response-1.0
 	BrowserMatch "JDK/1\.0" force-response-1.0
 	#
 	# The following directive disables redirects on non-GET requests for
 	# a directory that does not include the trailing slash.  This fixes a
 	# problem with Microsoft WebFolders which does not appropriately handle
 	# redirects for folders with DAV methods.
 	# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
 	#
 	BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
 	BrowserMatch "MS FrontPage" redirect-carefully
 	BrowserMatch "^WebDrive" redirect-carefully
 	BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
 	BrowserMatch "^gnome-vfs/1.0" redirect-carefully
 	BrowserMatch "^gvfs/1" redirect-carefully
 	BrowserMatch "^XML Spy" redirect-carefully
 	BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
 	BrowserMatch " Konqueror/4" redirect-carefully
 </IfModule>
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
--- a/mods-available/setenvif.load
+++ b/mods-available/setenvif.load
@ -0,0 +1 @@
 LoadModule setenvif_module /usr/libexec/httpd/mod_setenvif.so
--- a/mods-available/socache_shmcb.load
+++ b/mods-available/socache_shmcb.load
@ -0,0 +1 @@
 LoadModule socache_shmcb_module /usr/libexec/httpd/mod_socache_shmcb.so
--- a/mods-available/ssl.conf
+++ b/mods-available/ssl.conf
@ -0,0 +1,90 @@
 <IfModule mod_ssl.c>
 	# Pseudo Random Number Generator (PRNG):
 	# Configure one or more sources to seed the PRNG of the SSL library.
 	# The seed data should be of good random quality.
 	# WARNING! On some platforms /dev/random blocks if not enough entropy
 	# is available. This means you then cannot use the /dev/random device
 	# because it would lead to very long connection times (as long as
 	# it requires to make more entropy available). But usually those
 	# platforms additionally provide a /dev/urandom device which doesn't
 	# block. So, if available, use this one instead. Read the mod_ssl User
 	# Manual for more details.
 	#
 	SSLRandomSeed startup builtin
 	SSLRandomSeed startup file:/dev/urandom 512
 	SSLRandomSeed connect builtin
 	SSLRandomSeed connect file:/dev/urandom 512
 	##
 	##  SSL Global Context
 	##
 	##  All SSL configuration in this context applies both to
 	##  the main server and all SSL-enabled virtual hosts.
 	##
 	#
 	#   Some MIME-types for downloading Certificates and CRLs
 	#
 	<IfModule mod_mime.c>
 		AddType application/x-x509-ca-cert .crt
 		AddType application/x-pkcs7-crl	.crl
 	</IfModule>
 	#   Pass Phrase Dialog:
 	#   Configure the pass phrase gathering process.
 	#   The filtering dialog program (`builtin' is a internal
 	#   terminal dialog) has to provide the pass phrase on stdout.
 	SSLPassPhraseDialog  builtin
 	#   Inter-Process Session Cache:
 	#   Configure the SSL Session Cache: First the mechanism 
 	#   to use and second the expiring timeout (in seconds).
 	#   (The mechanism dbm has known memory leaks and should not be used).
 	#SSLSessionCache		 dbm:${APACHE_RUN_DIR}/ssl_scache
 	SSLSessionCache		shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
 	SSLSessionCacheTimeout  300
 	#   Semaphore:
 	#   Configure the path to the mutual exclusion semaphore the
 	#   SSL engine uses internally for inter-process synchronization. 
 	#   (Disabled by default, the global Mutex directive consolidates by default
 	#   this)
 	#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
 	#   SSL Cipher Suite:
 	#   List the ciphers that the client is permitted to negotiate. See the
 	#   ciphers(1) man page from the openssl package for list of all available
 	#   options.
 	#   Enable only secure ciphers:
 	SSLCipherSuite HIGH:!aNULL
 	# SSL server cipher order preference:
 	# Use server priorities for cipher algorithm choice.
 	# Clients may prefer lower grade encryption.  You should enable this
 	# option if you want to enforce stronger encryption, and can afford
 	# the CPU cost, and did not override SSLCipherSuite in a way that puts
 	# insecure ciphers first.
 	# Default: Off
 	#SSLHonorCipherOrder on
 	#   The protocols to enable.
 	#   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
 	#   SSL v2  is no longer supported
 	SSLProtocol all -SSLv3
 	#   Allow insecure renegotiation with clients which do not yet support the
 	#   secure renegotiation protocol. Default: Off
 	#SSLInsecureRenegotiation on
 	#   Whether to forbid non-SNI clients to access name based virtual hosts.
 	#   Default: Off
 	#SSLStrictSNIVHostCheck On
 </IfModule>
 LogFormat "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" ssl_info
 LogFormat "%{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%{User-Agent}i\"" ssl_info_browser
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
--- a/mods-available/ssl.load
+++ b/mods-available/ssl.load
@ -0,0 +1,3 @@
 # Depends: socache_shmcb
 # Suggests: setenvif mime
 LoadModule ssl_module /usr/libexec/httpd/mod_ssl.so
--- a/sites-available/001-default-ssl.conf
+++ b/sites-available/001-default-ssl.conf
@ -0,0 +1,172 @@
 <VirtualHost _default_:443>
 	#   General setup for the virtual host
 	DocumentRoot "/srv/www/apache"
 	#ServerName www.example.com:443
 	ServerAdmin webmaster@localhost
 	ErrorLog ${APACHE_LOG_DIR}/001-default-ssl.error.log
 	CustomLog ${APACHE_LOG_DIR}/001-default-ssl.access.log combined
 	#   SSL Engine Switch:
 	#   Enable/Disable SSL for this virtual host.
 	SSLEngine on
 	#   Server Certificate:
 	#   Point SSLCertificateFile at a PEM encoded certificate.  If
 	#   the certificate is encrypted, then you will be prompted for a
 	#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
 	#   in mind that if you have both an RSA and a DSA certificate you
 	#   can configure both in parallel (to also allow the use of DSA
 	#   ciphers, etc.)
 	#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
 	#   require an ECC certificate which can also be configured in
 	#   parallel.
 	SSLCertificateFile "/etc/apache/server.crt"
 	#SSLCertificateFile "/etc/apache/server-dsa.crt"
 	#SSLCertificateFile "/etc/apache/server-ecc.crt"
 	#   Server Private Key:
 	#   If the key is not combined with the certificate, use this
 	#   directive to point at the key file.  Keep in mind that if
 	#   you've both a RSA and a DSA private key you can configure
 	#   both in parallel (to also allow the use of DSA ciphers, etc.)
 	#   ECC keys, when in use, can also be configured in parallel
 	SSLCertificateKeyFile "/etc/apache/server.key"
 	#SSLCertificateKeyFile "/etc/apache/server-dsa.key"
 	#SSLCertificateKeyFile "/etc/apache/server-ecc.key"
 	#   Server Certificate Chain:
 	#   Point SSLCertificateChainFile at a file containing the
 	#   concatenation of PEM encoded CA certificates which form the
 	#   certificate chain for the server certificate. Alternatively
 	#   the referenced file can be the same as SSLCertificateFile
 	#   when the CA certificates are directly appended to the server
 	#   certificate for convenience.
 	#SSLCertificateChainFile "/etc/apache/server-ca.crt"
 	#   Certificate Authority (CA):
 	#   Set the CA certificate verification path where to find CA
 	#   certificates for client authentication or alternatively one
 	#   huge file containing all of them (file must be PEM encoded)
 	#   Note: Inside SSLCACertificatePath you need hash symlinks
 	#         to point to the certificate files. Use the provided
 	#         Makefile to update the hash symlinks after changes.
 	#SSLCACertificatePath "/etc/apache/ssl.crt"
 	#SSLCACertificateFile "/etc/apache/ssl.crt/ca-bundle.crt"
 	#   Certificate Revocation Lists (CRL):
 	#   Set the CA revocation path where to find CA CRLs for client
 	#   authentication or alternatively one huge file containing all
 	#   of them (file must be PEM encoded).
 	#   The CRL checking mode needs to be configured explicitly
 	#   through SSLCARevocationCheck (defaults to "none" otherwise).
 	#   Note: Inside SSLCARevocationPath you need hash symlinks
 	#         to point to the certificate files. Use the provided
 	#         Makefile to update the hash symlinks after changes.
 	#SSLCARevocationPath "/etc/apache/ssl.crl"
 	#SSLCARevocationFile "/etc/apache/ssl.crl/ca-bundle.crl"
 	#SSLCARevocationCheck chain
 	#   Client Authentication (Type):
 	#   Client certificate verification type and depth.  Types are
 	#   none, optional, require and optional_no_ca.  Depth is a
 	#   number which specifies how deeply to verify the certificate
 	#   issuer chain before deciding the certificate is not valid.
 	#SSLVerifyClient require
 	#SSLVerifyDepth  10
 	#   TLS-SRP mutual authentication:
 	#   Enable TLS-SRP and set the path to the OpenSSL SRP verifier
 	#   file (containing login information for SRP user accounts). 
 	#   Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for
 	#   detailed instructions on creating this file. Example:
 	#   "openssl srp -srpvfile /etc/apache/passwd.srpv -add username"
 	#SSLSRPVerifierFile "/etc/apache/passwd.srpv"
 	#   Access Control:
 	#   With SSLRequire you can do per-directory access control based
 	#   on arbitrary complex boolean expressions containing server
 	#   variable checks and other lookup directives.  The syntax is a
 	#   mixture between C and Perl.  See the mod_ssl documentation
 	#   for more details.
 	#<Location />
 	#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
 	#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
 	#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
 	#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
 	#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
 	#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
 	#</Location>
 	#   SSL Engine Options:
 	#   Set various options for the SSL engine.
 	#   o FakeBasicAuth:
 	#     Translate the client X.509 into a Basic Authorisation.  This means that
 	#     the standard Auth/DBMAuth methods can be used for access control.  The
 	#     user name is the `one line' version of the client's X.509 certificate.
 	#     Note that no password is obtained from the user. Every entry in the user
 	#     file needs this password: `xxj31ZMTZzkVA'.
 	#   o ExportCertData:
 	#     This exports two additional environment variables: SSL_CLIENT_CERT and
 	#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
 	#     server (always existing) and the client (only existing when client
 	#     authentication is used). This can be used to import the certificates
 	#     into CGI scripts.
 	#   o StdEnvVars:
 	#     This exports the standard SSL/TLS related `SSL_*' environment variables.
 	#     Per default this exportation is switched off for performance reasons,
 	#     because the extraction step is an expensive operation and is usually
 	#     useless for serving static content. So one usually enables the
 	#     exportation for CGI and SSI requests only.
 	#   o StrictRequire:
 	#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
 	#     under a "Satisfy any" situation, i.e. when it applies access is denied
 	#     and no other module can change it.
 	#   o OptRenegotiate:
 	#     This enables optimized SSL connection renegotiation handling when SSL
 	#     directives are used in per-directory context. 
 	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
 	<FilesMatch "\.(cgi|shtml|phtml|php)$">
 	    SSLOptions +StdEnvVars
 	</FilesMatch>
 	<Directory "/srv/www/apache/cgi-bin">
 	    SSLOptions +StdEnvVars
 	</Directory>
 	#   SSL Protocol Adjustments:
 	#   The safe and default but still SSL/TLS standard compliant shutdown
 	#   approach is that mod_ssl sends the close notify alert but doesn't wait for
 	#   the close notify alert from client. When you need a different shutdown
 	#   approach you can use one of the following variables:
 	#   o ssl-unclean-shutdown:
 	#     This forces an unclean shutdown when the connection is closed, i.e. no
 	#     SSL close notify alert is sent or allowed to be received.  This violates
 	#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
 	#     this when you receive I/O errors because of the standard approach where
 	#     mod_ssl sends the close notify alert.
 	#   o ssl-accurate-shutdown:
 	#     This forces an accurate shutdown when the connection is closed, i.e. a
 	#     SSL close notify alert is send and mod_ssl waits for the close notify
 	#     alert of the client. This is 100% SSL/TLS standard compliant, but in
 	#     practice often causes hanging connections with brain-dead browsers. Use
 	#     this only for browsers where you know that their SSL implementation
 	#     works correctly. 
 	#   Notice: Most problems of broken clients are also related to the HTTP
 	#   keep-alive facility, so you usually additionally want to disable
 	#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
 	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
 	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
 	#   "force-response-1.0" for this.
 	BrowserMatch "MSIE [2-5]" \
 		 nokeepalive ssl-unclean-shutdown \
 		 downgrade-1.0 force-response-1.0
 	#   Per-Server Logging:
 	#   The home of a custom SSL log file. Use this when you want a
 	#   compact non-error SSL logfile on a virtual host basis.
 	CustomLog "/var/log/httpd/ssl_request_log" \
 		  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 </VirtualHost>                                  
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
--- a/sites-available/002-default-ssl.conf
+++ b/sites-available/002-default-ssl.conf
@ -0,0 +1,46 @@
 <VirtualHost _default_:443>
 	DocumentRoot "/srv/www/apache"
 	#ServerName www.example.com:443
 	ServerAdmin webmaster@localhost
 	ErrorLog ${APACHE_LOG_DIR}/002-default-ssl.error.log
 	CustomLog ${APACHE_LOG_DIR}/002-default-ssl.access.log combined
 	SSLEngine on
 	SSLCertificateFile "/etc/apache/server.crt"
 	SSLCertificateKeyFile "/etc/apache/server.key"
 	#SSLCertificateChainFile "/etc/apache/server-ca.crt"
 	#SSLProtocol		All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
 	SSLProtocol		All -SSLv2 -SSLv3
 	SSLCipherSuite		EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
 	SSLHonorCipherOrder	On
 	SSLCompression		off 
 	SSLUseStapling		on 
 	SSLStaplingCache	"shmcb:logs/stapling-cache(150000)" 
 	# Requires Apache >= 2.4.11
 	SSLSessionTickets	Off
 	#Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
 	#Header always set X-Frame-Options DENY
 	#Header always set X-Content-Type-Options nosniff
 	<FilesMatch "\.(cgi|shtml|phtml|php)$">
 	    SSLOptions +StdEnvVars
 	</FilesMatch>
 	<Directory "/srv/www/apache/cgi-bin">
 	    SSLOptions +StdEnvVars
 	</Directory>
 	BrowserMatch "MSIE [2-5]" \
 		 nokeepalive ssl-unclean-shutdown \
 		 downgrade-1.0 force-response-1.0
 	CustomLog ${APACHE_LOG_DIR}/002-default-ssl.ssl_request.log ssl_info
 	CustomLog ${APACHE_LOG_DIR}/002-default-ssl.ssl_browser.log ssl_info_browser
 </VirtualHost>                                  
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
		`@ -0,0 +1 @@`
							`LoadModule alias_module /usr/libexec/httpd/mod_alias.so`
		`@ -0,0 +1 @@`
							`LoadModule mime_module /usr/libexec/httpd/mod_mime.so`
		`@ -0,0 +1 @@`
							`LoadModule setenvif_module /usr/libexec/httpd/mod_setenvif.so`
		`@ -0,0 +1 @@`
							`LoadModule socache_shmcb_module /usr/libexec/httpd/mod_socache_shmcb.so`