Git-Url: http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-current.git;a=commitdiff;h=e59921cfca49069fb0e040f64d73daad5f481db8
commit e59921cfca49069fb0e040f64d73daad5f481db8 Author: Krisztian VASAS <i...@frugalware.org> Date: Wed Mar 16 23:40:28 2011 +0100 apache-2.2.17-2-x86_64 - changed m8r to me - changes in httpd.conf: disabled global documentroot, vhost is used insted, some modules are disabled by default, "nogroup" group is used insted of #-1 - changes in ssl.conf: added NameVirtualHost, cosmetics diff --git a/source/network/apache/FrugalBuild b/source/network/apache/FrugalBuild index 5faa7d5..077079e 100644 --- a/source/network/apache/FrugalBuild +++ b/source/network/apache/FrugalBuild @@ -1,6 +1,6 @@ # Compiling Time: 1.06 SBU # Contributor: VMiklos <vmik...@frugalware.org> -# Maintainer: Zsolt Szalai <xbit.li...@chello.hu> +# Maintainer: Krisztian VASAS <i...@frugalware.org> pkgname=apache pkgver=2.2.17 diff --git a/source/network/apache/httpd.conf b/source/network/apache/httpd.conf index 429194e..4dff4f5 100644 --- a/source/network/apache/httpd.conf +++ b/source/network/apache/httpd.conf @@ -8,7 +8,7 @@ # # Do NOT simply read the instructions in here without understanding # what they do. They're here only as hints or reminders. If you are unsure -# consult the online docs. You have been warned. +# consult the online docs. You have been warned. # # The configuration directives are grouped into three basic sections: # 1. Directives that control the operation of the Apache server process as a @@ -54,7 +54,7 @@ ServerRoot "/usr" # <IfModule !mpm_winnt.c> <IfModule !mpm_netware.c> -#LockFile /var/log/httpd/accept.lock +# LockFile /var/log/httpd/accept.lock </IfModule> </IfModule> @@ -68,7 +68,7 @@ ServerRoot "/usr" # <IfModule !mpm_netware.c> <IfModule !perchild.c> -#ScoreBoardFile /var/log/httpd/apache_runtime_status +# ScoreBoardFile /var/log/httpd/apache_runtime_status </IfModule> </IfModule> @@ -78,7 +78,7 @@ ServerRoot "/usr" # identification number when it starts. # <IfModule !mpm_netware.c> -PidFile /var/run/httpd.pid + PidFile /var/run/httpd.pid </IfModule> # @@ -107,7 +107,7 @@ KeepAliveTimeout 15 ## ## Server-Pool Size Regulation (MPM specific) -## +## # prefork MPM # StartServers: number of server processes to start @@ -116,11 +116,11 @@ KeepAliveTimeout 15 # MaxClients: maximum number of server processes allowed to start # MaxRequestsPerChild: maximum number of requests a server process serves <IfModule prefork.c> -StartServers 5 -MinSpareServers 5 -MaxSpareServers 10 -MaxClients 150 -MaxRequestsPerChild 0 + StartServers 5 + MinSpareServers 5 + MaxSpareServers 10 + MaxClients 150 + MaxRequestsPerChild 0 </IfModule> # worker MPM @@ -131,12 +131,12 @@ MaxRequestsPerChild 0 # ThreadsPerChild: constant number of worker threads in each server process # MaxRequestsPerChild: maximum number of requests a server process serves <IfModule worker.c> -StartServers 2 -MaxClients 150 -MinSpareThreads 25 -MaxSpareThreads 75 -ThreadsPerChild 25 -MaxRequestsPerChild 0 + StartServers 2 + MaxClients 150 + MinSpareThreads 25 + MaxSpareThreads 75 + ThreadsPerChild 25 + MaxRequestsPerChild 0 </IfModule> # perchild MPM @@ -147,20 +147,20 @@ MaxRequestsPerChild 0 # MaxThreadsPerChild: maximum number of worker threads in each server process # MaxRequestsPerChild: maximum number of connections per server process <IfModule perchild.c> -NumServers 5 -StartThreads 5 -MinSpareThreads 5 -MaxSpareThreads 10 -MaxThreadsPerChild 20 -MaxRequestsPerChild 0 + NumServers 5 + StartThreads 5 + MinSpareThreads 5 + MaxSpareThreads 10 + MaxThreadsPerChild 20 + MaxRequestsPerChild 0 </IfModule> # WinNT MPM # ThreadsPerChild: constant number of worker threads in the server process # MaxRequestsPerChild: maximum number of requests a server process serves <IfModule mpm_winnt.c> -ThreadsPerChild 250 -MaxRequestsPerChild 0 + ThreadsPerChild 250 + MaxRequestsPerChild 0 </IfModule> # BeOS MPM @@ -168,10 +168,10 @@ MaxRequestsPerChild 0 # MaxClients: max number of threads we can have (1 thread == 1 client) # MaxRequestsPerThread: maximum number of requests each thread will process <IfModule beos.c> -StartThreads 10 -MaxClients 50 -MaxRequestsPerThread 10000 -</IfModule> + StartThreads 10 + MaxClients 50 + MaxRequestsPerThread 10000 +</IfModule> # NetWare MPM # ThreadStackSize: Stack size allocated for each worker thread @@ -179,30 +179,30 @@ MaxRequestsPerThread 10000 # MinSpareThreads: Minimum number of idle threads, to handle request spikes # MaxSpareThreads: Maximum number of idle threads # MaxThreads: Maximum number of worker threads alive at the same time -# MaxRequestsPerChild: Maximum number of requests a thread serves. It is +# MaxRequestsPerChild: Maximum number of requests a thread serves. It is # recommended that the default value of 0 be set for this -# directive on NetWare. This will allow the thread to -# continue to service requests indefinitely. +# directive on NetWare. This will allow the thread to +# continue to service requests indefinitely. <IfModule mpm_netware.c> -ThreadStackSize 65536 -StartThreads 250 -MinSpareThreads 25 -MaxSpareThreads 250 -MaxThreads 1000 -MaxRequestsPerChild 0 + ThreadStackSize 65536 + StartThreads 250 + MinSpareThreads 25 + MaxSpareThreads 250 + MaxThreads 1000 + MaxRequestsPerChild 0 </IfModule> # OS/2 MPM # StartServers: Number of server processes to maintain -# MinSpareThreads: Minimum number of idle threads per process, +# MinSpareThreads: Minimum number of idle threads per process, # to handle request spikes # MaxSpareThreads: Maximum number of idle threads per process # MaxRequestsPerChild: Maximum number of connections per server process <IfModule mpmt_os2.c> -StartServers 2 -MinSpareThreads 5 -MaxSpareThreads 10 -MaxRequestsPerChild 0 + StartServers 2 + MinSpareThreads 5 + MaxSpareThreads 10 + MaxRequestsPerChild 0 </IfModule> # @@ -210,11 +210,10 @@ MaxRequestsPerChild 0 # ports, instead of the default. See also the <VirtualHost> # directive. # -# Change this to Listen on specific IP addresses as shown below to +# Change this to Listen on specific IP addresses as shown below to # prevent Apache from glomming onto all bound IP addresses (0.0.0.0) # #Listen 12.34.56.78:80 - Listen 80 # @@ -229,38 +228,38 @@ Listen 80 # Example: # LoadModule foo_module modules/mod_foo.so # -LoadModule authz_host_module lib/apache/mod_authz_host.so +#LoadModule authz_host_module lib/apache/mod_authz_host.so LoadModule actions_module lib/apache/mod_actions.so LoadModule alias_module lib/apache/mod_alias.so LoadModule asis_module lib/apache/mod_asis.so LoadModule auth_basic_module lib/apache/mod_auth_basic.so LoadModule authn_file_module lib/apache/mod_authn_file.so -LoadModule authn_anon_module lib/apache/mod_authn_anon.so -LoadModule authz_dbm_module lib/apache/mod_authz_dbm.so +#LoadModule authn_anon_module lib/apache/mod_authn_anon.so +#LoadModule authz_dbm_module lib/apache/mod_authz_dbm.so LoadModule authz_user_module lib/apache/mod_authz_user.so -LoadModule authz_groupfile_module lib/apache/mod_authz_groupfile.so +#LoadModule authz_groupfile_module lib/apache/mod_authz_groupfile.so LoadModule auth_digest_module lib/apache/mod_auth_digest.so LoadModule autoindex_module lib/apache/mod_autoindex.so LoadModule cgi_module lib/apache/mod_cgi.so -LoadModule dav_module lib/apache/mod_dav.so -LoadModule dav_fs_module lib/apache/mod_dav_fs.so +#LoadModule dav_module lib/apache/mod_dav.so +#LoadModule dav_fs_module lib/apache/mod_dav_fs.so LoadModule dir_module lib/apache/mod_dir.so LoadModule env_module lib/apache/mod_env.so LoadModule expires_module lib/apache/mod_expires.so -LoadModule ext_filter_module lib/apache/mod_ext_filter.so +#LoadModule ext_filter_module lib/apache/mod_ext_filter.so LoadModule headers_module lib/apache/mod_headers.so -LoadModule include_module lib/apache/mod_include.so +#LoadModule include_module lib/apache/mod_include.so LoadModule info_module lib/apache/mod_info.so LoadModule log_config_module lib/apache/mod_log_config.so LoadModule mime_module lib/apache/mod_mime.so LoadModule negotiation_module lib/apache/mod_negotiation.so LoadModule rewrite_module lib/apache/mod_rewrite.so LoadModule setenvif_module lib/apache/mod_setenvif.so -LoadModule speling_module lib/apache/mod_speling.so +#LoadModule speling_module lib/apache/mod_speling.so LoadModule ssl_module lib/apache/mod_ssl.so LoadModule status_module lib/apache/mod_status.so LoadModule userdir_module lib/apache/mod_userdir.so -LoadModule vhost_alias_module lib/apache/mod_vhost_alias.so +#LoadModule vhost_alias_module lib/apache/mod_vhost_alias.so # # ExtendedStatus controls whether Apache will generate "full" status @@ -283,20 +282,20 @@ LoadModule vhost_alias_module lib/apache/mod_vhost_alias.so <IfModule !mpm_winnt.c> <IfModule !mpm_netware.c> -# -# If you wish httpd to run as a different user or group, you must run -# httpd as root initially and it will switch. -# -# User/Group: The name (or #number) of the user/group to run httpd as. -# . On SCO (ODT 3) use "User nouser" and "Group nogroup". -# . On HPUX you may not be able to use shared memory as nobody, and the -# suggested workaround is to create a user www and use that user. -# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET) -# when the value of (unsigned)Group is above 60000; -# don't use Group #-1 on these systems! -# -User nobody -Group #-1 + # + # If you wish httpd to run as a different user or group, you must run + # httpd as root initially and it will switch. + # + # User/Group: The name (or #number) of the user/group to run httpd as. + # . On SCO (ODT 3) use "User nouser" and "Group nogroup". + # . On HPUX you may not be able to use shared memory as nobody, and the + # suggested workaround is to create a user www and use that user. + # NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET) + # when the value of (unsigned)Group is above 60000; + # don't use Group #-1 on these systems! + # + User nobody + Group nogroup </IfModule> </IfModule> @@ -305,7 +304,7 @@ Group #-1 # e-mailed. This address appears on some server-generated pages, such # as error documents. e.g. ad...@your-domain.com # -ServerAdmin you@your.address +#ServerAdmin you@your.address # # ServerName gives the name and port that the server uses to identify itself. @@ -316,13 +315,13 @@ ServerAdmin you@your.address # redirections will not work. See also the UseCanonicalName directive. # # If your host doesn't have a registered DNS name, enter its IP address here. -# You will have to access it by its address anyway, and this will make +# You will have to access it by its address anyway, and this will make # redirections work in a sensible way. # #ServerName new.host.name:80 # -# UseCanonicalName: Determines how Apache constructs self-referencing +# UseCanonicalName: Determines how Apache constructs self-referencing # URLs and the SERVER_NAME and SERVER_PORT variables. # When set "Off", Apache will use the Hostname and Port supplied # by the client. When set "On", Apache will use the value of the @@ -335,61 +334,7 @@ UseCanonicalName Off # documents. By default, all requests are taken from this directory, but # symbolic links and aliases may be used to point to other locations. # -DocumentRoot "/var/www/html" - -# -# Each directory to which Apache has access can be configured with respect -# to which services and features are allowed and/or disabled in that -# directory (and its subdirectories). -# -# First, we configure the "default" to be a very restrictive set of -# features. -# -<Directory /> - Options FollowSymLinks - AllowOverride None -</Directory> - -# -# Note that from this point forward you must specifically allow -# particular features to be enabled - so if something's not working as -# you might expect, make sure that you have specifically enabled it -# below. -# - -# -# This should be changed to whatever you set DocumentRoot to. -# -<Directory "/var/www/html"> - -# -# Possible values for the Options directive are "None", "All", -# or any combination of: -# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews -# -# Note that "MultiViews" must be named *explicitly* --- "Options All" -# doesn't give it to you. -# -# The Options directive is both complicated and important. Please see -# http://httpd.apache.org/docs-2.0/mod/core.html#options -# for more information. -# - Options Indexes FollowSymLinks - -# -# AllowOverride controls what directives may be placed in .htaccess files. -# It can be "All", "None", or any combination of the keywords: -# Options FileInfo AuthConfig Limit -# - AllowOverride None - -# -# Controls who can get stuff from this server. -# - Order allow,deny - Allow from all - -</Directory> +#DocumentRoot "/var/www/html" # # UserDir: The name of the directory that is appended onto a user's home @@ -419,27 +364,26 @@ UserDir public_html # is requested. # # The index.html.var file (a type-map) is used to deliver content- -# negotiated documents. The MultiViews Option can be used for the +# negotiated documents. The MultiViews Option can be used for the # same purpose, but it is much slower. # - DirectoryIndex index.html index.html.var # # AccessFileName: The name of the file to look for in each directory -# for additional configuration directives. See also the AllowOverride +# for additional configuration directives. See also the AllowOverride # directive. # AccessFileName .htaccess # -# The following lines prevent .htaccess and .htpasswd files from being -# viewed by Web clients. +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. # <Files ~ "^\.ht"> - Order allow,deny - Deny from all + Order allow,deny + Deny from all </Files> # @@ -465,7 +409,7 @@ DefaultType text/plain # directive tells the module where the hint definitions are located. # <IfModule mod_mime_magic.c> - MIMEMagicFile /etc/httpd/conf/magic + MIMEMagicFile /etc/httpd/conf/magic </IfModule> # @@ -481,7 +425,7 @@ HostnameLookups Off # # EnableMMAP: Control whether memory-mapping is used to deliver # files (assuming that the underlying OS supports it). -# The default is on; turn this off if you serve from NFS-mounted +# The default is on; turn this off if you serve from NFS-mounted # filesystems. On some systems, turning it off (regardless of # filesystem) can improve performance; for details, please see # http://httpd.apache.org/docs-2.0/mod/core.html#enablemmap @@ -489,15 +433,22 @@ HostnameLookups Off #EnableMMAP off # -# EnableSendfile: Control whether the sendfile kernel support is +# EnableSendfile: Control whether the sendfile kernel support is # used to deliver files (assuming that the OS supports it). -# The default is on; turn this off if you serve from NFS-mounted +# The default is on; turn this off if you serve from NFS-mounted # filesystems. Please see # http://httpd.apache.org/docs-2.0/mod/core.html#enablesendfile # #EnableSendfile off # +# LogLevel: Control the number of messages logged to the error_log. +# Possible values include: debug, info, notice, warn, error, crit, +# alert, emerg. +# +LogLevel warn + +# # ErrorLog: The location of the error log file. # If you do not specify an ErrorLog directive within a <VirtualHost> # container, error messages relating to that virtual host will be @@ -507,13 +458,6 @@ HostnameLookups Off ErrorLog /var/log/httpd/error_log # -# LogLevel: Control the number of messages logged to the error_log. -# Possible values include: debug, info, notice, warn, error, crit, -# alert, emerg. -# -LogLevel warn - -# # The following directives define some format nicknames for use with # a CustomLog directive (see below). # @@ -559,8 +503,8 @@ ServerTokens Prod # # Optionally add a line containing the server version and virtual host -# name to server-generated pages (internal error documents, FTP directory -# listings, mod_status and mod_info output etc., but not CGI generated +# name to server-generated pages (internal error documents, FTP directory +# listings, mod_status and mod_info output etc., but not CGI generated # documents or custom error documents). # Set to "EMail" to also include a mailto: link to the ServerAdmin. # Set to one of: On | Off | EMail @@ -568,13 +512,13 @@ ServerTokens Prod ServerSignature On # -# Aliases: Add here as many aliases as you need (with no limit). The format is +# Aliases: Add here as many aliases as you need (with no limit). The format is # Alias fakename realname # # Note that if you include a trailing / on fakename then the server will # require it to be present in the URL. So "/icons" isn't aliased in this -# example, only "/icons/". If the fakename is slash-terminated, then the -# realname must also be slash terminated, and if the fakename omits the +# example, only "/icons/". If the fakename is slash-terminated, then the +# realname must also be slash terminated, and if the fakename omits the # trailing slash, the realname must also omit it. # # We include the /icons/ alias for FancyIndexed directory listings. If you @@ -583,10 +527,10 @@ ServerSignature On Alias /icons/ "/var/www/icons/" <Directory "/var/www/icons"> - Options Indexes MultiViews - AllowOverride None - Order allow,deny - Allow from all + Options Indexes MultiViews + AllowOverride None + Order allow,deny + Allow from all </Directory> # @@ -630,7 +574,7 @@ ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" # Additional to mod_cgid.c settings, mod_cgid has Scriptsock <path> # for setting UNIX socket for communicating with cgid. # -#Scriptsock /var/run/cgisock +# Scriptsock /var/run/cgisock </IfModule> # @@ -638,10 +582,10 @@ ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" # CGI directory exists, if you have that configured. # <Directory "/var/www/cgi-bin"> - AllowOverride None - Options None - Order allow,deny - Allow from all + AllowOverride None + Options None + Order allow,deny + Allow from all </Directory> # @@ -716,7 +660,7 @@ DefaultIcon /icons/unknown.gif # default, and append to directory listings. # # HeaderName is the name of a file which should be prepended to -# directory indexes. +# directory indexes. ReadmeName README.html HeaderName HEADER.html @@ -736,16 +680,16 @@ IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t #AddEncoding x-gzip gz tgz # -# DefaultLanguage and AddLanguage allows you to specify the language of -# a document. You can then use content negotiation to give a browser a +# DefaultLanguage and AddLanguage allows you to specify the language of +# a document. You can then use content negotiation to give a browser a # file in a language the user can understand. # # Specify a default language. This means that all data -# going out without a specific language tag (see below) will +# going out without a specific language tag (see below) will # be marked with this one. You probably do NOT want to set # this unless you are sure it is correct for all cases. # -# * It is generally better to not mark a page as +# * It is generally better to not mark a page as # * being a certain language than marking it with the wrong # * language! # @@ -756,8 +700,8 @@ IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t # language code is pl) may wish to use "AddLanguage pl .po" to # avoid the ambiguity with the common suffix for perl scripts. # -# Note 2: The example entries below illustrate that in some cases -# the two character 'Language' abbreviation is not identical to +# Note 2: The example entries below illustrate that in some cases +# the two character 'Language' abbreviation is not identical to # the two character 'Country' code for its country, # E.g. 'Danmark/dk' versus 'Danish/da'. # @@ -767,7 +711,7 @@ IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t # # Danish (da) - Dutch (nl) - English (en) - Estonian (et) # French (fr) - German (de) - Greek-Modern (el) -# Italian (it) - Norwegian (no) - Norwegian Nynorsk (nn) - Korean (ko) +# Italian (it) - Norwegian (no) - Norwegian Nynorsk (nn) - Korean (ko) # Portugese (pt) - Luxembourgeois* (ltz) # Spanish (es) - Swedish (sv) - Catalan (ca) - Czech(cs) # Polish (pl) - Brazilian Portuguese (pt-br) - Japanese (ja) @@ -864,7 +808,7 @@ AddCharset UTF-8 .utf8 # See http://www.iana.org/assignments/character-sets # for a list of sorts. But browsers support few. # -AddCharset GB2312 .gb2312 .gb +AddCharset GB2312 .gb2312 .gb AddCharset utf-7 .utf7 AddCharset utf-8 .utf8 AddCharset big5 .big5 .b5 @@ -939,7 +883,7 @@ AddHandler type-map var # Putting this all together, we can internationalize error responses. # # We use Alias to redirect any /error/HTTP_<error>.html.var response to -# our collection of by-error message multi-language collections. We use +# our collection of by-error message multi-language collections. We use # includes to substitute the appropriate text. # # You can modify the messages' appearance without changing any of the @@ -948,7 +892,7 @@ AddHandler type-map var # Alias /error/include/ "/your/include/path/" # # which allows you to create your own set of files by starting with the -# /var/www/error/include/ files and copying them to /your/include/path/, +# /var/www/error/include/ files and copying them to /your/include/path/, # even on a per-VirtualHost basis. The default include files will display # your Apache version number and your ServerAdmin email address regardless # of the setting of ServerSignature. @@ -1000,8 +944,8 @@ BrowserMatch "JDK/1\.0" force-response-1.0 # # The following directive disables redirects on non-GET requests for -# a directory that does not include the trailing slash. This fixes a -# problem with Microsoft WebFolders which does not appropriately handle +# a directory that does not include the trailing slash. This fixes a +# problem with Microsoft WebFolders which does not appropriately handle # redirects for folders with DAV methods. # Same deal with Apple's DAV filesystem and Gnome VFS support for DAV. # @@ -1019,7 +963,7 @@ BrowserMatch "^gnome-vfs" redirect-carefully # SetHandler server-status # Order deny,allow # Deny from all -# Allow from .example.com +# Allow from 127.0.0.1 ::1 #</Location> # @@ -1028,10 +972,10 @@ BrowserMatch "^gnome-vfs" redirect-carefully # Change the ".example.com" to match your domain to enable. # #<Location /server-info> -# SetHandler server-info -# Order deny,allow -# Deny from all -# Allow from .example.com +# SetHandler server-info +# Order deny,allow +# Deny from all +# Allow from 127.0.0.1 ::1 #</Location> @@ -1041,7 +985,7 @@ BrowserMatch "^gnome-vfs" redirect-carefully # Uncomment this if you want SSL support! #<IfModule mod_ssl.c> -# Include /etc/httpd/conf/ssl.conf +# Include /etc/httpd/conf/ssl.conf #</IfModule> Include /etc/httpd/conf/modules.d/*.conf @@ -1054,7 +998,7 @@ Include /etc/httpd/conf/modules.d/*.conf # use only name-based virtual hosts so the server doesn't need to worry about # IP addresses. This is indicated by the asterisks in the directives below. # -# Please see the documentation at +# Please see the documentation at # <URL:http://httpd.apache.org/docs-2.0/vhosts/> # for further details before you try to setup virtual hosts. # @@ -1064,18 +1008,25 @@ Include /etc/httpd/conf/modules.d/*.conf # # Use name-based virtual hosting. # -#NameVirtualHost * +NameVirtualHost *:80 -# -# VirtualHost example: -# Almost any Apache directive may go into a VirtualHost container. -# The first VirtualHost section is used for requests without a known -# server name. -# -#<VirtualHost *> -# ServerAdmin webmas...@dummy-host.example.com -# DocumentRoot /www/docs/dummy-host.example.com -# ServerName dummy-host.example.com -# ErrorLog /var/log/httpd/dummy-host.example.com-error_log -# CustomLog /var/log/httpd/dummy-host.example.com-access_log common -#</VirtualHost> +<VirtualHost *:80> + ServerAdmin root@localhost + + DocumentRoot /var/www/html + <Directory /> + Options FollowSymLinks + AllowOverride None + </Directory> + <Directory "/var/www/html"> + Options Indexes FollowSymLinks MultiViews + AllowOverride None + Order allow,deny + Allow from all + </Directory> + + ErrorLog /var/log/httpd/error_log + CustomLog /var/log/httpd/access_log common + LogLevel warn + +</VirtualHost> diff --git a/source/network/apache/ssl.conf b/source/network/apache/ssl.conf index f59a329..c676705 100644 --- a/source/network/apache/ssl.conf +++ b/source/network/apache/ssl.conf @@ -1,32 +1,28 @@ # # This is the Apache server configuration file providing SSL support. # It contains the configuration directives to instruct the server how to -# serve pages over an https connection. For detailing information about these +# serve pages over an https connection. For detailing information about these # directives see <URL:http://httpd.apache.org/docs-2.0/mod/mod_ssl.html> # -# For the moment, see <URL:http://www.modssl.org/docs/> for this info. +# For the moment, see <URL:http://www.modssl.org/docs/> for this info. # The documents are still being prepared from material donated by the # modssl project. -# +# # Do NOT simply read the instructions in here without understanding # what they do. They're here only as hints or reminders. If you are unsure -# consult the online docs. You have been warned. +# consult the online docs. You have been warned. # <IfModule mod_ssl.c> -# Until documentation is completed, please check http://www.modssl.org/ -# for additional config examples and module docmentation. Directives -# and features of mod_ssl are largely unchanged from the mod_ssl project -# for Apache 1.3. - # -# When we also provide SSL we have to listen to the +# When we also provide SSL we have to listen to the # standard HTTP port (see above) and to the HTTPS port # # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two # Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443" # Listen 443 +NameVirtualHost *:443 ## ## SSL Global Context @@ -48,7 +44,7 @@ AddType application/x-pkcs7-crl .crl SSLPassPhraseDialog builtin # Inter-Process Session Cache: -# Configure the SSL Session Cache: First the mechanism +# Configure the SSL Session Cache: First the mechanism # to use and second the expiring timeout (in seconds). #SSLSessionCache none #SSLSessionCache shmht:logs/ssl_scache(512000) @@ -58,11 +54,11 @@ SSLSessionCacheTimeout 300 # Semaphore: # Configure the path to the mutual exclusion semaphore the -# SSL engine uses internally for inter-process synchronization. +# SSL engine uses internally for inter-process synchronization. SSLMutex file:/var/log/httpd/ssl_mutex # Pseudo Random Number Generator (PRNG): -# Configure one or more sources to seed the PRNG of the +# Configure one or more sources to seed the PRNG of the # SSL library. The seed data should be of good random quality. # WARNING! On some platforms /dev/random blocks if not enough entropy # is available. This means you then cannot use the /dev/random device @@ -82,168 +78,165 @@ SSLRandomSeed connect builtin ## SSL Virtual Host Context ## -<VirtualHost _default_:443> - -# General setup for the virtual host -DocumentRoot "/var/www/html" -ServerName your.hostname:443 -ServerAdmin you@your.address -ErrorLog /var/log/httpd/error_log -TransferLog /var/log/httpd/access_log - -# SSL Engine Switch: -# Enable/Disable SSL for this virtual host. -SSLEngine on - -# SSL Cipher Suite: -# List the ciphers that the client is permitted to negotiate. -# See the mod_ssl documentation for a complete list. -SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL - -# Server Certificate: -# Point SSLCertificateFile at a PEM encoded certificate. If -# the certificate is encrypted, then you will be prompted for a -# pass phrase. Note that a kill -HUP will prompt again. Keep -# in mind that if you have both an RSA and a DSA certificate you -# can configure both in parallel (to also allow the use of DSA -# ciphers, etc.) -SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt -#SSLCertificateFile /usr/conf/ssl.crt/server-dsa.crt - -# Server Private Key: -# If the key is not combined with the certificate, use this -# directive to point at the key file. Keep in mind that if -# you've both a RSA and a DSA private key you can configure -# both in parallel (to also allow the use of DSA ciphers, etc.) -SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key -#SSLCertificateKeyFile /usr/conf/ssl.key/server-dsa.key - -# Server Certificate Chain: -# Point SSLCertificateChainFile at a file containing the -# concatenation of PEM encoded CA certificates which form the -# certificate chain for the server certificate. Alternatively -# the referenced file can be the same as SSLCertificateFile -# when the CA certificates are directly appended to the server -# certificate for convinience. -#SSLCertificateChainFile /usr/conf/ssl.crt/ca.crt - -# Certificate Authority (CA): -# Set the CA certificate verification path where to find CA -# certificates for client authentication or alternatively one -# huge file containing all of them (file must be PEM encoded) -# Note: Inside SSLCACertificatePath you need hash symlinks -# to point to the certificate files. Use the provided -# Makefile to update the hash symlinks after changes. -#SSLCACertificatePath /usr/conf/ssl.crt -#SSLCACertificateFile /usr/conf/ssl.crt/ca-bundle.crt - -# Certificate Revocation Lists (CRL): -# Set the CA revocation path where to find CA CRLs for client -# authentication or alternatively one huge file containing all -# of them (file must be PEM encoded) -# Note: Inside SSLCARevocationPath you need hash symlinks -# to point to the certificate files. Use the provided -# Makefile to update the hash symlinks after changes. -#SSLCARevocationPath /usr/conf/ssl.crl -#SSLCARevocationFile /usr/conf/ssl.crl/ca-bundle.crl - -# Client Authentication (Type): -# Client certificate verification type and depth. Types are -# none, optional, require and optional_no_ca. Depth is a -# number which specifies how deeply to verify the certificate -# issuer chain before deciding the certificate is not valid. -#SSLVerifyClient require -#SSLVerifyDepth 10 - -# Access Control: -# With SSLRequire you can do per-directory access control based -# on arbitrary complex boolean expressions containing server -# variable checks and other lookup directives. The syntax is a -# mixture between C and Perl. See the mod_ssl documentation -# for more details. -#<Location /> -#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ -# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ -# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ -# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ -# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ -# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ -#</Location> - -# SSL Engine Options: -# Set various options for the SSL engine. -# o FakeBasicAuth: -# Translate the client X.509 into a Basic Authorisation. This means that -# the standard Auth/DBMAuth methods can be used for access control. The -# user name is the `one line' version of the client's X.509 certificate. -# Note that no password is obtained from the user. Every entry in the user -# file needs this password: `xxj31ZMTZzkVA'. -# o ExportCertData: -# This exports two additional environment variables: SSL_CLIENT_CERT and -# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the -# server (always existing) and the client (only existing when client -# authentication is used). This can be used to import the certificates -# into CGI scripts. -# o StdEnvVars: -# This exports the standard SSL/TLS related `SSL_*' environment variables. -# Per default this exportation is switched off for performance reasons, -# because the extraction step is an expensive operation and is usually -# useless for serving static content. So one usually enables the -# exportation for CGI and SSI requests only. -# o CompatEnvVars: -# This exports obsolete environment variables for backward compatibility -# to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this -# to provide compatibility to existing CGI scripts. -# o StrictRequire: -# This denies access when "SSLRequireSSL" or "SSLRequire" applied even -# under a "Satisfy any" situation, i.e. when it applies access is denied -# and no other module can change it. -# o OptRenegotiate: -# This enables optimized SSL connection renegotiation handling when SSL -# directives are used in per-directory context. -#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire -<Files ~ "\.(cgi|shtml|phtml|php3?)$"> - SSLOptions +StdEnvVars -</Files> -<Directory "/usr/cgi-bin"> - SSLOptions +StdEnvVars -</Directory> - -# SSL Protocol Adjustments: -# The safe and default but still SSL/TLS standard compliant shutdown -# approach is that mod_ssl sends the close notify alert but doesn't wait for -# the close notify alert from client. When you need a different shutdown -# approach you can use one of the following variables: -# o ssl-unclean-shutdown: -# This forces an unclean shutdown when the connection is closed, i.e. no -# SSL close notify alert is send or allowed to received. This violates -# the SSL/TLS standard but is needed for some brain-dead browsers. Use -# this when you receive I/O errors because of the standard approach where -# mod_ssl sends the close notify alert. -# o ssl-accurate-shutdown: -# This forces an accurate shutdown when the connection is closed, i.e. a -# SSL close notify alert is send and mod_ssl waits for the close notify -# alert of the client. This is 100% SSL/TLS standard compliant, but in -# practice often causes hanging connections with brain-dead browsers. Use -# this only for browsers where you know that their SSL implementation -# works correctly. -# Notice: Most problems of broken clients are also related to the HTTP -# keep-alive facility, so you usually additionally want to disable -# keep-alive for those clients, too. Use variable "nokeepalive" for this. -# Similarly, one has to force some clients to use HTTP/1.0 to workaround -# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and -# "force-response-1.0" for this. -SetEnvIf User-Agent ".*MSIE.*" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - -# Per-Server Logging: -# The home of a custom SSL log file. Use this when you want a -# compact non-error SSL logfile on a virtual host basis. -CustomLog /var/log/httpd/ssl_request_log \ - "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" - -</VirtualHost> +<VirtualHost *:443> + # General setup for the virtual host + DocumentRoot "/var/www/html" + ServerAdmin root@localhost + ErrorLog /var/log/httpd/error_log + TransferLog /var/log/httpd/access_log + + # SSL Engine Switch: + # Enable/Disable SSL for this virtual host. + SSLEngine on + + # SSL Cipher Suite: + # List the ciphers that the client is permitted to negotiate. + # See the mod_ssl documentation for a complete list. + SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL + + # Server Certificate: + # Point SSLCertificateFile at a PEM encoded certificate. If + # the certificate is encrypted, then you will be prompted for a + # pass phrase. Note that a kill -HUP will prompt again. Keep + # in mind that if you have both an RSA and a DSA certificate you + # can configure both in parallel (to also allow the use of DSA + # ciphers, etc.) + SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt + #SSLCertificateFile /usr/conf/ssl.crt/server-dsa.crt + + # Server Private Key: + # If the key is not combined with the certificate, use this + # directive to point at the key file. Keep in mind that if + # you've both a RSA and a DSA private key you can configure + # both in parallel (to also allow the use of DSA ciphers, etc.) + SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key + #SSLCertificateKeyFile /usr/conf/ssl.key/server-dsa.key + + # Server Certificate Chain: + # Point SSLCertificateChainFile at a file containing the + # concatenation of PEM encoded CA certificates which form the + # certificate chain for the server certificate. Alternatively + # the referenced file can be the same as SSLCertificateFile + # when the CA certificates are directly appended to the server + # certificate for convinience. + #SSLCertificateChainFile /usr/conf/ssl.crt/ca.crt + + # Certificate Authority (CA): + # Set the CA certificate verification path where to find CA + # certificates for client authentication or alternatively one + # huge file containing all of them (file must be PEM encoded) + # Note: Inside SSLCACertificatePath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCACertificatePath /usr/conf/ssl.crt + #SSLCACertificateFile /usr/conf/ssl.crt/ca-bundle.crt + + # Certificate Revocation Lists (CRL): + # Set the CA revocation path where to find CA CRLs for client + # authentication or alternatively one huge file containing all + # of them (file must be PEM encoded) + # Note: Inside SSLCARevocationPath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCARevocationPath /usr/conf/ssl.crl + #SSLCARevocationFile /usr/conf/ssl.crl/ca-bundle.crl + + # Client Authentication (Type): + # Client certificate verification type and depth. Types are + # none, optional, require and optional_no_ca. Depth is a + # number which specifies how deeply to verify the certificate + # issuer chain before deciding the certificate is not valid. + #SSLVerifyClient require + #SSLVerifyDepth 10 + + # Access Control: + # With SSLRequire you can do per-directory access control based + # on arbitrary complex boolean expressions containing server + # variable checks and other lookup directives. The syntax is a + # mixture between C and Perl. See the mod_ssl documentation + # for more details. + #<Location /> + #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ + # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ + # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ + # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ + # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ + # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ + #</Location> + + # SSL Engine Options: + # Set various options for the SSL engine. + # o FakeBasicAuth: + # Translate the client X.509 into a Basic Authorisation. This means that + # the standard Auth/DBMAuth methods can be used for access control. The + # user name is the `one line' version of the client's X.509 certificate. + # Note that no password is obtained from the user. Every entry in the user + # file needs this password: `xxj31ZMTZzkVA'. + # o ExportCertData: + # This exports two additional environment variables: SSL_CLIENT_CERT and + # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the + # server (always existing) and the client (only existing when client + # authentication is used). This can be used to import the certificates + # into CGI scripts. + # o StdEnvVars: + # This exports the standard SSL/TLS related `SSL_*' environment variables. + # Per default this exportation is switched off for performance reasons, + # because the extraction step is an expensive operation and is usually + # useless for serving static content. So one usually enables the + # exportation for CGI and SSI requests only. + # o CompatEnvVars: + # This exports obsolete environment variables for backward compatibility + # to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this + # to provide compatibility to existing CGI scripts. + # o StrictRequire: + # This denies access when "SSLRequireSSL" or "SSLRequire" applied even + # under a "Satisfy any" situation, i.e. when it applies access is denied + # and no other module can change it. + # o OptRenegotiate: + # This enables optimized SSL connection renegotiation handling when SSL + # directives are used in per-directory context. + #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire + <Files ~ "\.(cgi|shtml|phtml|php3?)$"> + SSLOptions +StdEnvVars + </Files> + <Directory "/usr/cgi-bin"> + SSLOptions +StdEnvVars + </Directory> + + # SSL Protocol Adjustments: + # The safe and default but still SSL/TLS standard compliant shutdown + # approach is that mod_ssl sends the close notify alert but doesn't wait for + # the close notify alert from client. When you need a different shutdown + # approach you can use one of the following variables: + # o ssl-unclean-shutdown: + # This forces an unclean shutdown when the connection is closed, i.e. no + # SSL close notify alert is send or allowed to received. This violates + # the SSL/TLS standard but is needed for some brain-dead browsers. Use + # this when you receive I/O errors because of the standard approach where + # mod_ssl sends the close notify alert. + # o ssl-accurate-shutdown: + # This forces an accurate shutdown when the connection is closed, i.e. a + # SSL close notify alert is send and mod_ssl waits for the close notify + # alert of the client. This is 100% SSL/TLS standard compliant, but in + # practice often causes hanging connections with brain-dead browsers. Use + # this only for browsers where you know that their SSL implementation + # works correctly. + # Notice: Most problems of broken clients are also related to the HTTP + # keep-alive facility, so you usually additionally want to disable + # keep-alive for those clients, too. Use variable "nokeepalive" for this. + # Similarly, one has to force some clients to use HTTP/1.0 to workaround + # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and + # "force-response-1.0" for this. + SetEnvIf User-Agent ".*MSIE.*" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + + # Per-Server Logging: + # The home of a custom SSL log file. Use this when you want a + # compact non-error SSL logfile on a virtual host basis. + CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + +</VirtualHost> </IfModule> _______________________________________________ Frugalware-git mailing list Frugalware-git@frugalware.org http://frugalware.org/mailman/listinfo/frugalware-git
