httpd-dev mailing list archives

From "MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)" <madhusudan_mathiha...@hp.com>
Subject RE: SSL configuration file [httpd-ssl.conf - new file to be added ]
Date Fri, 05 Oct 2001 04:22:21 GMT
Hi,
Here's a stripped-down version of httpd-ssl.conf. As you can see,
I've just stripped down some comments - there's only one statement per
config parameter, and I added the comment "See the mod_ssl manual for more
details".
Please let me know if it's okay. If anybody still feels that there's too much
documentation, please feel free to prune it.

Thx
-Madhu


<IfModule mod_ssl.c>
Listen @@Port@@
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is an internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: first the mechanism to use, either
#   `none', `dbm:/path/to/file', `shmht:/path/to/file(size)' or
#   `shmcb:/path/to/file(size)', and second the expiry timeout (in seconds).
#SSLSessionCache        none
#SSLSessionCache        shmht:logs/ssl_scache(512000)
#SSLSessionCache        shmcb:logs/ssl_scache(512000)
SSLSessionCache         dbm:logs/ssl_scache
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
SSLMutex  file:logs/ssl_mutex

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the 
#   SSL library. See the mod_ssl User Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512

#   Logging:
#   The home of the dedicated SSL protocol logfile. Errors are
#   additionally duplicated in the general error log file.
#   Log levels are : none, error, warn, info, trace, debug.
SSLLog      logs/ssl_engine_log
SSLLogLevel info


##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

#  General setup for the virtual host
DocumentRoot "@@ServerRoot@@/htdocs"
ServerName new.host.name
ServerAdmin you@your.address
ErrorLog logs/error_log
TransferLog logs/access_log

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
#   Note: `ALL' already includes the export, low-grade and SSLv2 suites,
#   and a `+' prefix only reorders suites that are already in the list
#   (so `+eNULL' does not add NULL encryption). Inspect the effective
#   list with `openssl ciphers -v' before deploying.
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate. Keep
#   in mind that if you've both a RSA and a DSA certificate you
#   can configure both in parallel.
SSLCertificateFile conf/ssl.crt/server.crt
#SSLCertificateFile conf/ssl.crt/server-dsa.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.
SSLCertificateKeyFile conf/ssl.key/server.key
#SSLCertificateKeyFile conf/ssl.key/server-dsa.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate.
#SSLCertificateChainFile conf/ssl.crt/ca.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication. The file must be
#   PEM encoded. See the mod_ssl documentation for more details.
SSLCACertificatePath conf/ssl.crt
#SSLCACertificateFile conf/ssl.crt/ca-bundle.crt

#   Certificate Revocation Lists (CRL):
#   Set the CA revocation path where to find CA CRLs for client
#   authentication. See the mod_ssl documentation for more details.
#SSLCARevocationPath conf/ssl.crl
#SSLCARevocationFile conf/ssl.crl/ca-bundle.crl

#   Client Authentication (Type):
#   Client certificate verification type and depth. Types are
#   none, optional, require and optional_no_ca. Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives. See the mod_ssl
#   documentation for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
#           and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#           and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#           and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#          or %{REMOTE_ADDR} =~ m/^190\.13\.190\.[0-9]+$/
#</Location>

#   SSL Engine Options:
#   Set various options for the SSL engine. Options are :
#    FakeBasicAuth, ExportCertData, StdEnvVars, CompatEnvVars,
#    StrictRequire, OptRenegotiate.
#   See the mod_ssl documentation for more details.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire

<Files ~ "\.(cgi|shtml)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "cgi-bin">
    SSLOptions +StdEnvVars
</Directory>


#   SSL Protocol Adjustments:
#   When you need a different shutdown approach you can use one of the
#   following variables: ssl-unclean-shutdown, ssl-accurate-shutdown.
#   See the mod_ssl documentation for more details.
#   NOTE: To disable keep-alive for certain clients, use "nokeepalive".
#SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

</IfModule>
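An added example (my own code, not part of the message above or of httpd/mod_ssl) that reads a fragment like the posted httpd-ssl.conf and flags what a reviewer would question: which weak cipher-list keywords the SSLCipherSuite string actually leaves negotiable, applying OpenSSL's `!`, `-` and `+` rules, and whether SSLRandomSeed relies only on the `builtin` source. The sample configuration at the bottom is a constructed excerpt of the file above; the finding texts and function names are mine.

```python
"""Static audit of an httpd-ssl.conf fragment.

Added example; not code from the original post or from httpd/mod_ssl. It reads
Apache-style configuration text (comments, backslash continuations, <Section>
nesting) and flags two things a reviewer checks in an SSL vhost: cipher-list
keywords that leave weak suites negotiable, and PRNG seeding that relies only
on mod_ssl's 'builtin' source.
"""

# OpenSSL cipher-list keywords whose presence weakens or removes confidentiality.
WEAK_CIPHER_KEYWORDS = {
    "eNULL": "null encryption, no confidentiality at all",
    "EXP": "export-grade (40/56-bit) suites",
    "LOW": "64-bit and weaker suites",
    "SSLv2": "SSLv2 suites",
}

# Aliases that pull weak keywords in implicitly: ALL is every suite except
# eNULL (so EXP/LOW/SSLv2 ride along on a build that still has them) and
# COMPLEMENTOFALL is exactly the eNULL suites.
IMPLIED_KEYWORDS = {"ALL": {"EXP", "LOW", "SSLv2"}, "COMPLEMENTOFALL": {"eNULL"}}


def parse_directives(text):
    """Yield (section_path, name, value) for each directive.

    section_path is a tuple like ('IfModule mod_ssl.c', 'VirtualHost _default_:443').
    '#' lines are skipped; a trailing backslash joins the next physical line.
    """
    stack, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            line, pending = pending + " " + line, ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip()
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            stack.pop()
        elif line.startswith("<"):
            stack.append(line[1:-1].strip())
        else:
            parts = line.split(None, 1)
            yield tuple(stack), parts[0], parts[1] if len(parts) > 1 else ""


def cipher_keywords_enabled(cipher_string):
    """Return the weak keywords an OpenSSL cipher string still permits.

    OpenSSL semantics: '!X' deletes X permanently, '-X' deletes X until a later
    element re-adds it, a bare keyword adds, and '+X' only moves already-present
    suites to the end of the list without adding any. Elements may be compound
    ('RC4+RSA'), so each '+'-separated part is examined.
    """
    enabled, killed = set(), set()
    for element in filter(None, cipher_string.split(":")):
        op = element[0] if element[0] in "!-+" else ""
        for part in element[len(op):].split("+"):
            keys = IMPLIED_KEYWORDS.get(part, {part}) & set(WEAK_CIPHER_KEYWORDS)
            if op == "!":
                killed |= keys
                enabled -= keys
            elif op == "-":
                enabled -= keys
            elif op == "":          # '+' reorders only, so it adds nothing
                enabled |= keys - killed
    return enabled


def audit(text):
    """Return human-readable findings for the SSL directives in text."""
    findings, seeds = [], {}
    for path, name, value in parse_directives(text):
        where = path[-1] if path else "(global)"
        if name == "SSLCipherSuite":
            for key in sorted(cipher_keywords_enabled(value)):
                findings.append(f"{where}: SSLCipherSuite leaves {key} negotiable "
                                f"({WEAK_CIPHER_KEYWORDS[key]})")
        elif name == "SSLRandomSeed":
            phase, source = value.split(None, 1)
            # Source kind is the text before ':' ('builtin', 'file', 'exec', 'egd').
            seeds.setdefault(phase, set()).add(source.split(":")[0])
    for phase in sorted(seeds):
        if seeds[phase] == {"builtin"}:
            findings.append(f"SSLRandomSeed {phase}: only the builtin source is "
                            "configured, which the mod_ssl manual does not consider "
                            "strong; add a file: or exec: source")
    return findings


# Constructed excerpt of the configuration posted above, used as sample input.
SAMPLE_CONF = """\
<IfModule mod_ssl.c>
Listen 443
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<VirtualHost _default_:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
#SSLVerifyClient require
CustomLog logs/ssl_request_log \\
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \\"%r\\" %b"
</VirtualHost>
</IfModule>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Run against the excerpt it reports EXP, LOW and SSLv2 as negotiable (they arrive through `ALL`) but not eNULL, because `+eNULL` only reorders and never adds, plus the two builtin-only seed phases. The keyword model is deliberately narrow: it does not know which suites a given OpenSSL build actually contains, so `openssl ciphers -v` on the target host remains the authoritative check.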
