Backup of apache and ssl files for Flexydial Securities
Showing
2 changed files
with
215 additions
and
0 deletions
conf-files/httpd.conf
0 → 100644
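--- a/conf-files/ssl.conf
+++ b/conf-files/ssl.conf
@@ -0,0 +1,215 @@
+#
+# When we also provide SSL we have to listen to the
+# the HTTPS port in addition.
+#
+Listen 443 https
+
+##
+## SSL Global Context
+##
+## All SSL configuration in this context applies both to
+## the main server and all SSL-enabled virtual hosts.
+##
+
+# Pass Phrase Dialog:
+# Configure the pass phrase gathering process.
+# The filtering dialog program (`builtin' is a internal
+# terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+
+# Inter-Process Session Cache:
+# Configure the SSL Session Cache: First the mechanism
+# to use and second the expiring timeout (in seconds).
+SSLSessionCache shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout 300
+
+# Pseudo Random Number Generator (PRNG):
+# Configure one or more sources to seed the PRNG of the
+# SSL library. The seed data should be of good random quality.
+# WARNING! On some platforms /dev/random blocks if not enough entropy
+# is available. This means you then cannot use the /dev/random device
+# because it would lead to very long connection times (as long as
+# it requires to make more entropy available). But usually those
+# platforms additionally provide a /dev/urandom device which doesn't
+# block. So, if available, use this one instead. Read the mod_ssl User
+# Manual for more details.
+SSLRandomSeed startup file:/dev/urandom 256
+SSLRandomSeed connect builtin
+#SSLRandomSeed startup file:/dev/random 512
+#SSLRandomSeed connect file:/dev/random 512
+#SSLRandomSeed connect file:/dev/urandom 512
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names. NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly.
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
+
+##
+## SSL Virtual Host Context
+##
+
+<VirtualHost _default_:443>
+
+# General setup for the virtual host, inherited from global configuration
+#DocumentRoot "/var/www/html"
+#ServerName www.example.com:443
+
+# Use separate log files for the SSL virtual host; note that LogLevel
+# is not inherited from httpd.conf.
+ErrorLog logs/ssl_error_log
+TransferLog logs/ssl_access_log
+LogLevel warn
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+# List the protocol versions which clients are allowed to connect with.
+# Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be
+# disabled as quickly as practical. By the end of 2016, only the TLSv1.2
+# protocol or later should remain in use.
+SSLProtocol TLSv1.1 TLSv1.2
+SSLProxyProtocol TLSv1.1 TLSv1.2
+
+# User agents such as web browsers are not configured for the user's
+# own preference of either security or performance, therefore this
+# must be the prerogative of the web server administrator who manages
+# cpu load versus confidentiality, so enforce the server's cipher order.
+SSLHonorCipherOrder on
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+# The OpenSSL system profile is configured by default. See
+# update-crypto-policies(8) for more details.
+SSLCipherSuite PROFILE=SYSTEM
+SSLProxyCipherSuite PROFILE=SYSTEM
+
+# Server Certificate:
+# Point SSLCertificateFile at a PEM encoded certificate. If
+# the certificate is encrypted, then you will be prompted for a
+# pass phrase. Note that a kill -HUP will prompt again. A new
+# certificate can be generated using the genkey(1) command.
+SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+
+# Server Private Key:
+# If the key is not combined with the certificate, use this
+# directive to point at the key file. Keep in mind that if
+# you've both a RSA and a DSA private key you can configure
+# both in parallel (to also allow the use of DSA ciphers, etc.)
+SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+
+# Server Certificate Chain:
+# Point SSLCertificateChainFile at a file containing the
+# concatenation of PEM encoded CA certificates which form the
+# certificate chain for the server certificate. Alternatively
+# the referenced file can be the same as SSLCertificateFile
+# when the CA certificates are directly appended to the server
+# certificate for convinience.
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+
+# Certificate Authority (CA):
+# Set the CA certificate verification path where to find CA
+# certificates for client authentication or alternatively one
+# huge file containing all of them (file must be PEM encoded)
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+
+# Client Authentication (Type):
+# Client certificate verification type and depth. Types are
+# none, optional, require and optional_no_ca. Depth is a
+# number which specifies how deeply to verify the certificate
+# issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth 10
+
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_ssl documentation
+# for more details.
+#<Location />
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_*' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o StrictRequire:
+# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+# under a "Satisfy any" situation, i.e. when it applies access is denied
+# and no other module can change it.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+SSLOptions +StdEnvVars
+</Files>
+<Directory "/var/www/cgi-bin">
+SSLOptions +StdEnvVars
+</Directory>
+
+# SSL Protocol Adjustments:
+# The safe and default but still SSL/TLS standard compliant shutdown
+# approach is that mod_ssl sends the close notify alert but doesn't wait for
+# the close notify alert from client. When you need a different shutdown
+# approach you can use one of the following variables:
+# o ssl-unclean-shutdown:
+# This forces an unclean shutdown when the connection is closed, i.e. no
+# SSL close notify alert is send or allowed to received. This violates
+# the SSL/TLS standard but is needed for some brain-dead browsers. Use
+# this when you receive I/O errors because of the standard approach where
+# mod_ssl sends the close notify alert.
+# o ssl-accurate-shutdown:
+# This forces an accurate shutdown when the connection is closed, i.e. a
+# SSL close notify alert is send and mod_ssl waits for the close notify
+# alert of the client. This is 100% SSL/TLS standard compliant, but in
+# practice often causes hanging connections with brain-dead browsers. Use
+# this only for browsers where you know that their SSL implementation
+# works correctly.
+# Notice: Most problems of broken clients are also related to the HTTP
+# keep-alive facility, so you usually additionally want to disable
+# keep-alive for those clients, too. Use variable "nokeepalive" for this.
+# Similarly, one has to force some clients to use HTTP/1.0 to workaround
+# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+# "force-response-1.0" for this.
+BrowserMatch "MSIE [2-5]" \
+nokeepalive ssl-unclean-shutdown \
+downgrade-1.0 force-response-1.0
+
+# Per-Server Logging:
+# The home of a custom SSL log file. Use this when you want a
+# compact non-error SSL logfile on a virtual host basis.
+CustomLog logs/ssl_request_log \
+"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>
+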
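Review bot: `SSLProtocol TLSv1.1 TLSv1.2` and `SSLProxyProtocol TLSv1.1 TLSv1.2` on new-side lines 76-77 still admit TLS 1.1, which the comment directly above them says should already be retired and which RFC 8996 has since formally deprecated; this is the one directive that weakens an otherwise system-profile-driven setup. Change both to `SSLProtocol -all +TLSv1.2 +TLSv1.3` and `SSLProxyProtocol -all +TLSv1.2 +TLSv1.3` (the `+TLSv1.3` token needs httpd 2.4.36 or later built against OpenSSL 1.1.1; omit it on older builds rather than keeping TLSv1.1). Separately, lines 98 and 105 still reference the distribution's self-signed `localhost.crt`/`localhost.key`, with `ServerName` and `SSLCertificateChainFile` commented out, so as committed this vhost cannot present a trusted certificate for a real hostname — presumably the production paths are set on the server and this is a backup of the stock template, but a one-line comment at the top of the `<VirtualHost>` saying so would prevent someone restoring it verbatim. Nothing on the new side enables OCSP stapling (`SSLUseStapling on` plus an `SSLStaplingCache` in the global context), which is a low-cost addition for a public 443 listener.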