68 lines
3.1 KiB
Django/Jinja
68 lines
3.1 KiB
Django/Jinja
# Use separate log files for the SSL virtual host; note that LogLevel
|
|
# is not inherited from httpd.conf.
|
|
ErrorLog logs/ssl_error_log
|
|
TransferLog logs/ssl_access_log
|
|
LogLevel warn
|
|
|
|
# SSL Engine Switch:
|
|
# Enable/Disable SSL for this virtual host.
|
|
SSLEngine on
|
|
|
|
# SSL Protocol support:
|
|
# List the enable protocol levels with which clients will be able to
|
|
# connect. Disable SSLv2 access by default:
|
|
SSLProtocol {{ apache_ssl_protocol|join(' ') }}
|
|
|
|
# SSL Cipher Suite:
|
|
# List the ciphers that the client is permitted to negotiate.
|
|
# See the mod_ssl documentation for a complete list.
|
|
SSLCipherSuite {{ apache_ssl_ciphersuite|join(':') }}
|
|
SSLHonorCipherOrder on
|
|
|
|
# Speed-optimized SSL Cipher configuration:
|
|
# If speed is your main concern (on busy HTTPS servers e.g.),
|
|
# you might want to force clients to specific, performance
|
|
# optimized ciphers. In this case, prepend those ciphers
|
|
# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
|
|
# Caveat: by giving precedence to RC4-SHA and AES128-SHA
|
|
# (as in the example below), most connections will no longer
|
|
# have perfect forward secrecy - if the server's key is
|
|
# compromised, captures of past or future traffic must be
|
|
# considered compromised, too.
|
|
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
|
|
#SSLHonorCipherOrder on
|
|
|
|
# SSL Protocol Adjustments:
|
|
# The safe and default but still SSL/TLS standard compliant shutdown
|
|
# approach is that mod_ssl sends the close notify alert but doesn't wait for
|
|
# the close notify alert from client. When you need a different shutdown
|
|
# approach you can use one of the following variables:
|
|
# o ssl-unclean-shutdown:
|
|
# This forces an unclean shutdown when the connection is closed, i.e. no
|
|
# SSL close notify alert is send or allowed to received. This violates
|
|
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
|
|
# this when you receive I/O errors because of the standard approach where
|
|
# mod_ssl sends the close notify alert.
|
|
# o ssl-accurate-shutdown:
|
|
# This forces an accurate shutdown when the connection is closed, i.e. a
|
|
# SSL close notify alert is send and mod_ssl waits for the close notify
|
|
# alert of the client. This is 100% SSL/TLS standard compliant, but in
|
|
# practice often causes hanging connections with brain-dead browsers. Use
|
|
# this only for browsers where you know that their SSL implementation
|
|
# works correctly.
|
|
# Notice: Most problems of broken clients are also related to the HTTP
|
|
# keep-alive facility, so you usually additionally want to disable
|
|
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
|
|
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
|
|
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
|
|
# "force-response-1.0" for this.
|
|
BrowserMatch "MSIE [2-5]" \
|
|
nokeepalive ssl-unclean-shutdown \
|
|
downgrade-1.0 force-response-1.0
|
|
|
|
# Per-Server Logging:
|
|
# The home of a custom SSL log file. Use this when you want a
|
|
# compact non-error SSL logfile on a virtual host basis.
|
|
CustomLog logs/ssl_request_log \
|
|
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
|