Author: glen Date: Wed Dec 14 22:09:15 2005 GMT Module: SOURCES Tag: HEAD ---- Log message: - update settings from 2.2.0 sources: extra/httpd-ssl.conf
---- Files affected: SOURCES: apache-mod_ssl.conf (1.9 -> 1.10)
---- Diffs:
================================================================
Index: SOURCES/apache-mod_ssl.conf
diff -u SOURCES/apache-mod_ssl.conf:1.9 SOURCES/apache-mod_ssl.conf:1.10
--- SOURCES/apache-mod_ssl.conf:1.9 Fri Oct 15 20:57:51 2004
+++ SOURCES/apache-mod_ssl.conf Wed Dec 14 23:09:09 2005
@@ -1,40 +1,38 @@
 # $Id$
-LoadModule ssl_module modules/mod_ssl.so
+LoadModule ssl_module modules/mod_ssl.so
-<IfModule mod_ssl.c>
-#
 # This is the Apache server configuration file providing SSL support.
 # It contains the configuration directives to instruct the server how to
-# serve pages over an https connection. For detailing information about these
-# directives see <URL:http://httpd.apache.org/docs-2.0/mod/mod_ssl.html>
-#
-# For the moment, see <URL:http://www.modssl.org/docs/> for this info.
-# The documents are still being prepared from material donated by the
-# modssl project.
-#
-# Do NOT simply read the instructions in here without understanding
-# what they do. They're here only as hints or reminders. If you are unsure
-# consult the online docs. You have been warned.
-#
-#<IfDefine SSL>
-
-# Until documentation is completed, please check http://www.modssl.org/
-# for additional config examples and module docmentation. Directives
-# and features of mod_ssl are largely unchanged from the mod_ssl project
-# for Apache 1.3.
+# serve pages over an https connection. For detailing information about these
+# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
+<IfModule mod_ssl.c>
 #
-# When we also provide SSL we have to listen to the
-# standard HTTP port (see above) and to the HTTPS port
+# Pseudo Random Number Generator (PRNG):
+# Configure one or more sources to seed the PRNG of the SSL library.
+# The seed data should be of good random quality.
+# WARNING! On some platforms /dev/random blocks if not enough entropy
+# is available. This means you then cannot use the /dev/random device
+# because it would lead to very long connection times (as long as
+# it requires to make more entropy available). But usually those
+# platforms additionally provide a /dev/urandom device which doesn't
+# block. So, if available, use this one instead. Read the mod_ssl User
+# Manual for more details.
 #
-Listen 443
+#SSLRandomSeed startup file:/dev/random 512
+#SSLRandomSeed startup file:/dev/urandom 512
+#SSLRandomSeed connect file:/dev/random 512
+#SSLRandomSeed connect file:/dev/urandom 512
+
+#
+# When we also provide SSL we have to listen to the
+# standard HTTP port (see above) and to the HTTPS port
 #
-# Dynamic Shared Object (DSO) Support
+# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
+# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
 #
-# To be able to use the functionality of a module which was built as a DSO you
-# ErrorLog logs/dummy-host.example.com-error_log
-# CustomLog logs/dummy-host.example.com-access_log common
+Listen 443
 ##
 ## SSL Global Context
@@ -56,35 +54,16 @@
 SSLPassPhraseDialog builtin
 # Inter-Process Session Cache:
-# Configure the SSL Session Cache: First the mechanism
+# Configure the SSL Session Cache: First the mechanism
 # to use and second the expiring timeout (in seconds).
-#SSLSessionCache none
-#SSLSessionCache shmht:logs/ssl_scache(512000)
-#SSLSessionCache shmcb:logs/ssl_scache(512000)
-SSLSessionCache dbm:/var/cache/apache/ssl_scache
-SSLSessionCacheTimeout 300
+#SSLSessionCache dbm:/var/run/ssl_scache
+SSLSessionCache shmcb:/var/run/ssl_scache(512000)
+SSLSessionCacheTimeout 300
 # Semaphore:
 # Configure the path to the mutual exclusion semaphore the
-# SSL engine uses internally for inter-process synchronization.
-SSLMutex file:/var/run/apache/ssl_mutex
-
-# Pseudo Random Number Generator (PRNG):
-# Configure one or more sources to seed the PRNG of the
-# SSL library. The seed data should be of good random quality.
-# WARNING! On some platforms /dev/random blocks if not enough entropy
-# is available. This means you then cannot use the /dev/random device
-# because it would lead to very long connection times (as long as
-# it requires to make more entropy available). But usually those
-# platforms additionally provide a /dev/urandom device which doesn't
-# block. So, if available, use this one instead. Read the mod_ssl User
-# Manual for more details.
-SSLRandomSeed startup builtin
-SSLRandomSeed connect builtin
-#SSLRandomSeed startup file:/dev/random 512
-#SSLRandomSeed startup file:/dev/urandom 512
-#SSLRandomSeed connect file:/dev/random 512
-#SSLRandomSeed connect file:/dev/urandom 512
+# SSL engine uses internally for inter-process synchronization.
+SSLMutex file:/var/run/ssl_mutex
 ##
 ## SSL Virtual Host Context
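Review bot: This hunk removes the only active PRNG seeding directives, `SSLRandomSeed startup builtin` and `SSLRandomSeed connect builtin`, while the replacement lines added in the first hunk are all commented out (`#SSLRandomSeed ...`), so after this commit the file configures no seeding at all and leaves the PRNG entirely to whatever the SSL library does on its own. On a Linux build OpenSSL presumably self-seeds from /dev/urandom, so this is likely harmless on the target platform, but it is a silent change to a security-relevant setting that the log message ("update settings from 2.2.0 sources") does not mention. I would keep explicit seeding, e.g. `SSLRandomSeed startup file:/dev/urandom 512` and `SSLRandomSeed connect builtin`, or at least uncomment the two `/dev/urandom` lines added in the first hunk. The move to `shmcb:/var/run/ssl_scache(512000)` and `SSLMutex file:/var/run/ssl_mutex` follows the upstream 2.2 layout and looks fine.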
@@ -92,10 +71,10 @@
 <VirtualHost _default_:443>
-# General setup for the virtual host
+# General setup for the virtual host
 DocumentRoot "/home/services/httpd/html"
-ServerName new.host.name:443
-ServerAdmin [EMAIL PROTECTED]
+ServerName www.example.com:443
+ServerAdmin [EMAIL PROTECTED]
 ErrorLog /var/log/httpd/error_log
 TransferLog /var/log/httpd/access_log
@@ -111,11 +90,10 @@
 # Server Certificate:
 # Point SSLCertificateFile at a PEM encoded certificate. If
 # the certificate is encrypted, then you will be prompted for a
-# pass phrase. Note that a kill -HUP will prompt again. A test
-# certificate can be generated with `make certificate' under
-# built time. Keep in mind that if you've both a RSA and a DSA
-# certificate you can configure both in parallel (to also allow
-# the use of DSA ciphers, etc.)
+# pass phrase. Note that a kill -HUP will prompt again. Keep
+# in mind that if you have both an RSA and a DSA certificate you
+# can configure both in parallel (to also allow the use of DSA
+# ciphers, etc.)
 SSLCertificateFile /etc/httpd/ssl/server.crt
 #SSLCertificateFile /etc/httpd/ssl/server-dsa.crt
@@ -199,22 +177,18 @@
 # because the extraction step is an expensive operation and is usually
 # useless for serving static content. So one usually enables the
 # exportation for CGI and SSI requests only.
-# o CompatEnvVars:
-# This exports obsolete environment variables for backward compatibility
-# to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
-# to provide compatibility to existing CGI scripts.
 # o StrictRequire:
 # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
 # under a "Satisfy any" situation, i.e. when it applies access is denied
 # and no other module can change it.
 # o OptRenegotiate:
 # This enables optimized SSL connection renegotiation handling when SSL
-# directives are used in per-directory context.
-#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
-<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+<FilesMatch "\.(cgi|shtml|phtml|php)$">
 SSLOptions +StdEnvVars
-</Files>
-<Directory "/home/services/httpd/cgi-bin/">
+</FilesMatch>
+<Directory "/home/services/httpd/cgi-bin">
 SSLOptions +StdEnvVars
 </Directory>
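Review bot: The new `<FilesMatch "\.(cgi|shtml|phtml|php)$">` tightens the old `php3?` alternative to `php`, so any `.php3` script stops receiving the `SSL_*` environment variables that `+StdEnvVars` exports inside this section. If this distribution still ships a php3 handler that is a behaviour change rather than a cleanup, and the pattern should stay `\.(cgi|shtml|phtml|php3?)$`; if php3 is gone it is worth a one-line comment above the block saying so, since the surrounding text still talks about "CGI and SSI requests only". The switch from `<Files ~>` to `<FilesMatch>` and dropping the obsolete `+CompatEnvVars` from the commented example are fine.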
@@ -235,14 +209,14 @@
 # alert of the client. This is 100% SSL/TLS standard compliant, but in
 # practice often causes hanging connections with brain-dead browsers. Use
 # this only for browsers where you know that their SSL implementation
-# works correctly.
+# works correctly.
 # Notice: Most problems of broken clients are also related to the HTTP
 # keep-alive facility, so you usually additionally want to disable
 # keep-alive for those clients, too. Use variable "nokeepalive" for this.
 # Similarly, one has to force some clients to use HTTP/1.0 to workaround
 # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
 # "force-response-1.0" for this.
-SetEnvIf User-Agent ".*MSIE.*" \
+BrowserMatch ".*MSIE.*" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0
@@ -252,8 +226,7 @@
 CustomLog /var/log/httpd/ssl_request_log \
 "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-</VirtualHost>
-
+</VirtualHost>
 </IfModule>
 # vim: filetype=apache ts=4 sw=4 et
================================================================
---- CVS-web: http://cvs.pld-linux.org/SOURCES/apache-mod_ssl.conf?r1=1.9&r2=1.10&f=u
_______________________________________________
pld-cvs-commit mailing list
[email protected]
http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
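Review bot: `BrowserMatch ".*MSIE.*"` applies `ssl-unclean-shutdown`, `nokeepalive`, `downgrade-1.0` and `force-response-1.0` to every Internet Explorer version, although the comment directly above says the unclean-shutdown variant is only for browsers known to mishandle the close-notify alert that the standard-compliant shutdown sends. Skipping that alert gives up the end-of-stream signal the comment calls "100% SSL/TLS standard compliant" (it is what lets the client notice a truncated response), and disabling keep-alive and HTTP/1.1 for all MSIE clients is a real performance cost, so the match should be narrowed to the versions that actually need it, e.g. `BrowserMatch "MSIE [2-5]" \`. The old `SetEnvIf User-Agent ".*MSIE.*"` line matched just as broadly, so this is a pre-existing limitation carried into the new directive rather than something this hunk introduces; the leading and trailing `.*` are also redundant in an unanchored regex match.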
