httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From thom...@apache.org
Subject cvs commit: httpd-2.0/docs/conf ssl-std.conf.in ssl-std.conf
Date Mon, 05 May 2003 13:12:30 GMT
thommay     2003/05/05 06:12:28

  Modified:    .        CHANGES configure.in
  Added:       docs/conf ssl-std.conf.in
  Removed:     docs/conf ssl-std.conf
  Log:
  Ensure that ssl-std.conf is generated at configure time, and switch
  to using the expanded config variables to work the same as httpd-std.conf
  
  PR: 19611
  
  Revision  Changes    Path
  1.1159    +4 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.1158
  retrieving revision 1.1159
  diff -u -r1.1158 -r1.1159
  --- CHANGES	4 May 2003 18:31:18 -0000	1.1158
  +++ CHANGES	5 May 2003 13:12:27 -0000	1.1159
  @@ -2,6 +2,10 @@
   
     [Remove entries to the current 2.0 section below, when backported]
   
  +  *) Ensure that ssl-std.conf is generated at configure time, and switch
  +     to using the expanded config variables to work the same as httpd-std.conf
  +     PR 19611 [Thom May]
  +
     *) Hook mod_rewrite's type checker before mod_mime's one. That way the
        RewriteRule [T=...] Flag should work as expected now. PR 19626.
        [André Malo]
  
  
  
  1.250     +1 -1      httpd-2.0/configure.in
  
  Index: configure.in
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/configure.in,v
  retrieving revision 1.249
  retrieving revision 1.250
  diff -u -r1.249 -r1.250
  --- configure.in	24 Apr 2003 13:19:00 -0000	1.249
  +++ configure.in	5 May 2003 13:12:28 -0000	1.250
  @@ -567,7 +567,7 @@
   dnl Ensure that docs/conf is created.
   test -d docs/conf||$mkdir_p docs/conf
   
  -AC_OUTPUT($APACHE_OUTPUT_FILES docs/conf/httpd-std.conf include/ap_config_layout.h support/apxs
support/apachectl support/dbmmanage support/envvars-std support/log_server_status support/logresolve.pl
support/phf_abuse_log.cgi support/split-logfile build/rules.mk,[true],[
  +AC_OUTPUT($APACHE_OUTPUT_FILES docs/conf/httpd-std.conf docs/conf/ssl-std.conf include/ap_config_layout.h
support/apxs support/apachectl support/dbmmanage support/envvars-std support/log_server_status
support/logresolve.pl support/phf_abuse_log.cgi support/split-logfile build/rules.mk,[true],[
     APACHE_GEN_MAKEFILES
   ])
   
  
  
  
  1.1                  httpd-2.0/docs/conf/ssl-std.conf.in
  
  Index: ssl-std.conf.in
  ===================================================================
  #
  # This is the Apache server configuration file providing SSL support.
  # It contains the configuration directives to instruct the server how to
  # serve pages over an https connection. For detailing information about these 
  # directives see <URL:http://httpd.apache.org/docs-2.1/mod/mod_ssl.html>
  #
  #   For the moment, see <URL:http://www.modssl.org/docs/> for this info. 
  #   The documents are still being prepared from material donated by the
  #   modssl project.
  # 
  # Do NOT simply read the instructions in here without understanding
  # what they do.  They're here only as hints or reminders.  If you are unsure
  # consult the online docs. You have been warned.  
  #
  <IfDefine SSL>
  
  #   Until documentation is completed, please check http://www.modssl.org/
  #   for additional config examples and module docmentation.  Directives
  #   and features of mod_ssl are largely unchanged from the mod_ssl project
  #   for Apache 1.3.
  
  #
  # When we also provide SSL we have to listen to the 
  # standard HTTP port (see above) and to the HTTPS port
  #
  # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
  #       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
  #
  Listen 443
  
  ##
  ##  SSL Global Context
  ##
  ##  All SSL configuration in this context applies both to
  ##  the main server and all SSL-enabled virtual hosts.
  ##
  
  #
  #   Some MIME-types for downloading Certificates and CRLs
  #
  AddType application/x-x509-ca-cert .crt
  AddType application/x-pkcs7-crl    .crl
  
  #   Pass Phrase Dialog:
  #   Configure the pass phrase gathering process.
  #   The filtering dialog program (`builtin' is a internal
  #   terminal dialog) has to provide the pass phrase on stdout.
  SSLPassPhraseDialog  builtin
  
  #   Inter-Process Session Cache:
  #   Configure the SSL Session Cache: First the mechanism 
  #   to use and second the expiring timeout (in seconds).
  #SSLSessionCache        none
  #SSLSessionCache        shmht:@exp_logfiledir@/ssl_scache(512000)
  #SSLSessionCache        shmcb:@exp_logfiledir@/ssl_scache(512000)
  SSLSessionCache         dbm:@exp_logfiledir@/ssl_scache
  SSLSessionCacheTimeout  300
  
  #   Semaphore:
  #   Configure the path to the mutual exclusion semaphore the
  #   SSL engine uses internally for inter-process synchronization. 
  SSLMutex  file:@exp_logfiledir@/ssl_mutex
  
  #   Pseudo Random Number Generator (PRNG):
  #   Configure one or more sources to seed the PRNG of the 
  #   SSL library. The seed data should be of good random quality.
  #   WARNING! On some platforms /dev/random blocks if not enough entropy
  #   is available. This means you then cannot use the /dev/random device
  #   because it would lead to very long connection times (as long as
  #   it requires to make more entropy available). But usually those
  #   platforms additionally provide a /dev/urandom device which doesn't
  #   block. So, if available, use this one instead. Read the mod_ssl User
  #   Manual for more details.
  SSLRandomSeed startup builtin
  SSLRandomSeed connect builtin
  #SSLRandomSeed startup file:/dev/random  512
  #SSLRandomSeed startup file:/dev/urandom 512
  #SSLRandomSeed connect file:/dev/random  512
  #SSLRandomSeed connect file:/dev/urandom 512
  
  ##
  ## SSL Virtual Host Context
  ##
  
  <VirtualHost _default_:443>
  
  #  General setup for the virtual host
  DocumentRoot "@exp_htdocsdir@"
  ServerName new.host.name:443
  ServerAdmin you@your.address
  ErrorLog @exp_logfiledir@/error_log
  TransferLog @exp_logfiledir@/access_log
  
  #   SSL Engine Switch:
  #   Enable/Disable SSL for this virtual host.
  SSLEngine on
  
  #   SSL Cipher Suite:
  #   List the ciphers that the client is permitted to negotiate.
  #   See the mod_ssl documentation for a complete list.
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  
  #   Server Certificate:
  #   Point SSLCertificateFile at a PEM encoded certificate.  If
  #   the certificate is encrypted, then you will be prompted for a
  #   pass phrase.  Note that a kill -HUP will prompt again.  Keep
  #   in mind that if you have both an RSA and a DSA certificate you
  #   can configure both in parallel (to also allow the use of DSA
  #   ciphers, etc.)
  SSLCertificateFile @exp_sysconfdir@/ssl.crt/server.crt
  #SSLCertificateFile @exp_sysconfdir@/ssl.crt/server-dsa.crt
  
  #   Server Private Key:
  #   If the key is not combined with the certificate, use this
  #   directive to point at the key file.  Keep in mind that if
  #   you've both a RSA and a DSA private key you can configure
  #   both in parallel (to also allow the use of DSA ciphers, etc.)
  SSLCertificateKeyFile @exp_sysconfdir@/ssl.key/server.key
  #SSLCertificateKeyFile @exp_sysconfdir@/ssl.key/server-dsa.key
  
  #   Server Certificate Chain:
  #   Point SSLCertificateChainFile at a file containing the
  #   concatenation of PEM encoded CA certificates which form the
  #   certificate chain for the server certificate. Alternatively
  #   the referenced file can be the same as SSLCertificateFile
  #   when the CA certificates are directly appended to the server
  #   certificate for convinience.
  #SSLCertificateChainFile @exp_sysconfdir@/ssl.crt/ca.crt
  
  #   Certificate Authority (CA):
  #   Set the CA certificate verification path where to find CA
  #   certificates for client authentication or alternatively one
  #   huge file containing all of them (file must be PEM encoded)
  #   Note: Inside SSLCACertificatePath you need hash symlinks
  #         to point to the certificate files. Use the provided
  #         Makefile to update the hash symlinks after changes.
  #SSLCACertificatePath @exp_sysconfdir@/ssl.crt
  #SSLCACertificateFile @exp_sysconfdir@/ssl.crt/ca-bundle.crt
  
  #   Certificate Revocation Lists (CRL):
  #   Set the CA revocation path where to find CA CRLs for client
  #   authentication or alternatively one huge file containing all
  #   of them (file must be PEM encoded)
  #   Note: Inside SSLCARevocationPath you need hash symlinks
  #         to point to the certificate files. Use the provided
  #         Makefile to update the hash symlinks after changes.
  #SSLCARevocationPath @exp_sysconfdir@/ssl.crl
  #SSLCARevocationFile @exp_sysconfdir@/ssl.crl/ca-bundle.crl
  
  #   Client Authentication (Type):
  #   Client certificate verification type and depth.  Types are
  #   none, optional, require and optional_no_ca.  Depth is a
  #   number which specifies how deeply to verify the certificate
  #   issuer chain before deciding the certificate is not valid.
  #SSLVerifyClient require
  #SSLVerifyDepth  10
  
  #   Access Control:
  #   With SSLRequire you can do per-directory access control based
  #   on arbitrary complex boolean expressions containing server
  #   variable checks and other lookup directives.  The syntax is a
  #   mixture between C and Perl.  See the mod_ssl documentation
  #   for more details.
  #<Location />
  #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
  #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
  #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
  #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
  #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
  #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
  #</Location>
  
  #   SSL Engine Options:
  #   Set various options for the SSL engine.
  #   o FakeBasicAuth:
  #     Translate the client X.509 into a Basic Authorisation.  This means that
  #     the standard Auth/DBMAuth methods can be used for access control.  The
  #     user name is the `one line' version of the client's X.509 certificate.
  #     Note that no password is obtained from the user. Every entry in the user
  #     file needs this password: `xxj31ZMTZzkVA'.
  #   o ExportCertData:
  #     This exports two additional environment variables: SSL_CLIENT_CERT and
  #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
  #     server (always existing) and the client (only existing when client
  #     authentication is used). This can be used to import the certificates
  #     into CGI scripts.
  #   o StdEnvVars:
  #     This exports the standard SSL/TLS related `SSL_*' environment variables.
  #     Per default this exportation is switched off for performance reasons,
  #     because the extraction step is an expensive operation and is usually
  #     useless for serving static content. So one usually enables the
  #     exportation for CGI and SSI requests only.
  #   o CompatEnvVars:
  #     This exports obsolete environment variables for backward compatibility
  #     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
  #     to provide compatibility to existing CGI scripts.
  #   o StrictRequire:
  #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
  #     under a "Satisfy any" situation, i.e. when it applies access is denied
  #     and no other module can change it.
  #   o OptRenegotiate:
  #     This enables optimized SSL connection renegotiation handling when SSL
  #     directives are used in per-directory context. 
  #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
  <Files ~ "\.(cgi|shtml|phtml|php3?)$">
      SSLOptions +StdEnvVars
  </Files>
  <Directory "@exp_cgidir@">
      SSLOptions +StdEnvVars
  </Directory>
  
  #   SSL Protocol Adjustments:
  #   The safe and default but still SSL/TLS standard compliant shutdown
  #   approach is that mod_ssl sends the close notify alert but doesn't wait for
  #   the close notify alert from client. When you need a different shutdown
  #   approach you can use one of the following variables:
  #   o ssl-unclean-shutdown:
  #     This forces an unclean shutdown when the connection is closed, i.e. no
  #     SSL close notify alert is send or allowed to received.  This violates
  #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
  #     this when you receive I/O errors because of the standard approach where
  #     mod_ssl sends the close notify alert.
  #   o ssl-accurate-shutdown:
  #     This forces an accurate shutdown when the connection is closed, i.e. a
  #     SSL close notify alert is send and mod_ssl waits for the close notify
  #     alert of the client. This is 100% SSL/TLS standard compliant, but in
  #     practice often causes hanging connections with brain-dead browsers. Use
  #     this only for browsers where you know that their SSL implementation
  #     works correctly. 
  #   Notice: Most problems of broken clients are also related to the HTTP
  #   keep-alive facility, so you usually additionally want to disable
  #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
  #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
  #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
  #   "force-response-1.0" for this.
  SetEnvIf User-Agent ".*MSIE.*" \
           nokeepalive ssl-unclean-shutdown \
           downgrade-1.0 force-response-1.0
  
  #   Per-Server Logging:
  #   The home of a custom SSL log file. Use this when you want a
  #   compact non-error SSL logfile on a virtual host basis.
  CustomLog @exp_logfiledir@/ssl_request_log \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
  
  </VirtualHost>                                  
  
  </IfDefine>
  
  
  
  

Mime
View raw message