###################################################################
# SSL Demo Configuration for Apache Haus Distribution
# filename: conf/extras/mod_ahssl.conf
#
# This is the Apache server configuration file providing SNI support.
# It contains the configuration directives to instruct the server how to
# serve pages through an HTTPS connection. For detailed information on these
# directives see
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# Required Modules: mod_log_config, mod_setenvif, mod_ssl,
#                   socache_shmcb_module (for default value of SSLSessionCache)

Listen 443 https

##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##

#   SSL Protocols:
#   List the protocols that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLProtocol all

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

#   SSL Honor Cipher Suite Order:
#   Forces the order of allowed cipher suites to the order above.
#   See the mod_ssl documentation for a complete list.
SSLHonorCipherOrder on

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program ('builtin' is an internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

#   Inter-Process Session Cache:
#   Configure the SSL session cache: first the mechanism
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache        "dbm:${SRVROOT}/logs/ssl_scache"
SSLSessionCache         "shmcb:${SRVROOT}/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

#
#   Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation. This means that
#     the standard Auth/DBMAuth methods can be used for access control. The
#     user name is the 'one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: 'xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related 'SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is sent or allowed to be received. This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is sent and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to work around
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog "${SRVROOT}/logs/ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

##
## SSL Virtual Host Context
##

# Container lines are missing from this copy; the *:443 address and the
# <Directory> path (taken from DocumentRoot) are assumed.
<VirtualHost *:443>
    SSLEngine on
    ServerName localhost:443
    SSLCertificateFile "${SRVROOT}/conf/ssl/server.crt"
    SSLCertificateKeyFile "${SRVROOT}/conf/ssl/server.key"
    DocumentRoot "${SRVROOT}/htdocs"
    # DocumentRoot access handled globally in httpd.conf
    CustomLog "${SRVROOT}/logs/ssl_request.log" \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    <Directory "${SRVROOT}/htdocs">
        Options Indexes Includes FollowSymLinks
        AllowOverride AuthConfig Limit FileInfo
        Require all granted
    </Directory>
</VirtualHost>
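
# Container lines are missing from this copy; the *:443 address and the
# <Directory> path (taken from DocumentRoot) are assumed.
<VirtualHost *:443>
    SSLEngine on
    ServerName serverone.tld:443
    SSLCertificateFile "${SRVROOT}/conf/ssl/serverone.crt"
    SSLCertificateKeyFile "${SRVROOT}/conf/ssl/serverone.key"
    DocumentRoot "${SRVROOT}/htdocs"
    CustomLog "${SRVROOT}/logs/ssl_request.log" \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    <Directory "${SRVROOT}/htdocs">
        Options Indexes Includes FollowSymLinks
        AllowOverride AuthConfig Limit FileInfo
        Require all granted
    </Directory>
</VirtualHost>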
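
# Container lines are missing from this copy; the *:443 address and the
# <Directory> path (taken from DocumentRoot) are assumed.
<VirtualHost *:443>
    SSLEngine on
    ServerName servertwo.tld:443
    SSLCertificateFile "${SRVROOT}/conf/ssl/servertwo.crt"
    SSLCertificateKeyFile "${SRVROOT}/conf/ssl/servertwo.key"
    DocumentRoot "${SRVROOT}/htdocs"
    CustomLog "${SRVROOT}/logs/ssl_request.log" \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    <Directory "${SRVROOT}/htdocs">
        Options Indexes Includes FollowSymLinks
        AllowOverride AuthConfig Limit FileInfo
        Require all granted
    </Directory>
</VirtualHost>
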
# End SNI Demonstration Config
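
The global context above accepts `SSLProtocol all` and lists RC4 in its cipher string. The fragment below is an added example, not part of the Apache Haus file, setting those weak values beside a corrected global context and one SNI virtual host. It assumes Apache 2.4.36 or later built against OpenSSL 1.1.1 or later, mod_headers loaded, and `*:443` as the virtual host address.

```apache
# Added example, not part of the Apache Haus file.
# Assumes Apache 2.4.36+ with OpenSSL 1.1.1+ (TLSv1.3) and mod_headers loaded.

# Weak settings in the demo configuration:
#   SSLProtocol all          enables every version the OpenSSL build offers,
#                            which on older builds includes SSLv3 and TLSv1.0
#   SSLCipherSuite ..RC4..   RC4 is prohibited in TLS by RFC 7465; HIGH and
#                            AES128-GCM-SHA256 also admit plain RSA key
#                            exchange, which has no forward secrecy
#
# Corrected global context:
SSLProtocol         -all +TLSv1.2 +TLSv1.3
# TLS 1.2: ECDHE key exchange with AEAD ciphers only
SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
# TLS 1.3 suites are configured with a separate SSLCipherSuite line
SSLCipherSuite      TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
SSLHonorCipherOrder on
SSLCompression      off
SSLSessionTickets   off
SSLSessionCache        "shmcb:${SRVROOT}/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

# SNI: refuse clients that send no server_name instead of silently serving
# them the first virtual host and its certificate.
SSLStrictSNIVHostCheck on

<VirtualHost *:443>
    SSLEngine on
    ServerName serverone.tld:443
    SSLCertificateFile    "${SRVROOT}/conf/ssl/serverone.crt"
    SSLCertificateKeyFile "${SRVROOT}/conf/ssl/serverone.key"
    DocumentRoot "${SRVROOT}/htdocs"
    <IfModule headers_module>
        # Tell browsers to use HTTPS only for this name for one year
        Header always set Strict-Transport-Security "max-age=31536000"
    </IfModule>
    <Directory "${SRVROOT}/htdocs">
        # Indexes dropped: no automatic directory listings
        Options Includes FollowSymLinks
        AllowOverride AuthConfig Limit FileInfo
        Require all granted
    </Directory>
</VirtualHost>
```

Run `httpd -t` after editing to confirm the syntax loads before restarting the service.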