SOURCES: apache-mod_ssl.conf - update settings from 2.2.0 sources:...

glen glen at pld-linux.org
Wed Dec 14 23:09:15 CET 2005


Author: glen                         Date: Wed Dec 14 22:09:15 2005 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- update settings from 2.2.0 sources: extra/httpd-ssl.conf

---- Files affected:
SOURCES:
   apache-mod_ssl.conf (1.9 -> 1.10) 

---- Diffs:

================================================================
Index: SOURCES/apache-mod_ssl.conf
diff -u SOURCES/apache-mod_ssl.conf:1.9 SOURCES/apache-mod_ssl.conf:1.10
--- SOURCES/apache-mod_ssl.conf:1.9	Fri Oct 15 20:57:51 2004
+++ SOURCES/apache-mod_ssl.conf	Wed Dec 14 23:09:09 2005
@@ -1,40 +1,38 @@
 # $Id$
-LoadModule ssl_module           modules/mod_ssl.so 
+LoadModule ssl_module           modules/mod_ssl.so
 
-<IfModule mod_ssl.c>
-#
 # This is the Apache server configuration file providing SSL support.
 # It contains the configuration directives to instruct the server how to
-# serve pages over an https connection. For detailing information about these 
-# directives see <URL:http://httpd.apache.org/docs-2.0/mod/mod_ssl.html>
-#
-#   For the moment, see <URL:http://www.modssl.org/docs/> for this info. 
-#   The documents are still being prepared from material donated by the
-#   modssl project.
-# 
-# Do NOT simply read the instructions in here without understanding
-# what they do.  They're here only as hints or reminders.  If you are unsure
-# consult the online docs. You have been warned.  
-#
-#<IfDefine SSL>
-
-#   Until documentation is completed, please check http://www.modssl.org/
-#   for additional config examples and module docmentation.  Directives
-#   and features of mod_ssl are largely unchanged from the mod_ssl project
-#   for Apache 1.3.
+# serve pages over an https connection. For detailing information about these
+# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
 
+<IfModule mod_ssl.c>
 #
-# When we also provide SSL we have to listen to the 
-# standard HTTP port (see above) and to the HTTPS port
+# Pseudo Random Number Generator (PRNG):
+# Configure one or more sources to seed the PRNG of the SSL library.
+# The seed data should be of good random quality.
+# WARNING! On some platforms /dev/random blocks if not enough entropy
+# is available. This means you then cannot use the /dev/random device
+# because it would lead to very long connection times (as long as
+# it requires to make more entropy available). But usually those
+# platforms additionally provide a /dev/urandom device which doesn't
+# block. So, if available, use this one instead. Read the mod_ssl User
+# Manual for more details.
 #
-Listen 443
+#SSLRandomSeed startup file:/dev/random  512
+#SSLRandomSeed startup file:/dev/urandom 512
+#SSLRandomSeed connect file:/dev/random  512
+#SSLRandomSeed connect file:/dev/urandom 512
 
+
+#
+# When we also provide SSL we have to listen to the
+# standard HTTP port (see above) and to the HTTPS port
 #
-# Dynamic Shared Object (DSO) Support
+# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
+#       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
 #
-# To be able to use the functionality of a module which was built as a DSO you
-#    ErrorLog logs/dummy-host.example.com-error_log
-#    CustomLog logs/dummy-host.example.com-access_log common
+Listen 443
 
 ##
 ##  SSL Global Context
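Review bot: The only SSLRandomSeed directives left on the new side (the four added in this hunk) are commented out, while the second hunk removes the active `SSLRandomSeed startup builtin` and `SSLRandomSeed connect builtin` lines, so after this change the config no longer seeds the PRNG explicitly at all. On platforms with /dev/urandom the SSL library seeds itself, so this is probably harmless, but it is a behaviour change the log message does not mention and should be confirmed as intended. If explicit seeding is wanted, uncomment `SSLRandomSeed startup file:/dev/urandom 512` and `SSLRandomSeed connect file:/dev/urandom 512` (the non-blocking source the added comment itself recommends) rather than leaving all four disabled.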
@@ -56,35 +54,16 @@
 SSLPassPhraseDialog  builtin
 
 #   Inter-Process Session Cache:
-#   Configure the SSL Session Cache: First the mechanism 
+#   Configure the SSL Session Cache: First the mechanism
 #   to use and second the expiring timeout (in seconds).
-#SSLSessionCache	none
-#SSLSessionCache	shmht:logs/ssl_scache(512000)
-#SSLSessionCache	shmcb:logs/ssl_scache(512000)
-SSLSessionCache		dbm:/var/cache/apache/ssl_scache
-SSLSessionCacheTimeout	300
+#SSLSessionCache         dbm:/var/run/ssl_scache
+SSLSessionCache        shmcb:/var/run/ssl_scache(512000)
+SSLSessionCacheTimeout  300
 
 #   Semaphore:
 #   Configure the path to the mutual exclusion semaphore the
-#   SSL engine uses internally for inter-process synchronization. 
-SSLMutex  file:/var/run/apache/ssl_mutex
-
-#   Pseudo Random Number Generator (PRNG):
-#   Configure one or more sources to seed the PRNG of the 
-#   SSL library. The seed data should be of good random quality.
-#   WARNING! On some platforms /dev/random blocks if not enough entropy
-#   is available. This means you then cannot use the /dev/random device
-#   because it would lead to very long connection times (as long as
-#   it requires to make more entropy available). But usually those
-#   platforms additionally provide a /dev/urandom device which doesn't
-#   block. So, if available, use this one instead. Read the mod_ssl User
-#   Manual for more details.
-SSLRandomSeed startup builtin
-SSLRandomSeed connect builtin
-#SSLRandomSeed startup file:/dev/random  512
-#SSLRandomSeed startup file:/dev/urandom 512
-#SSLRandomSeed connect file:/dev/random  512
-#SSLRandomSeed connect file:/dev/urandom 512
+#   SSL engine uses internally for inter-process synchronization.
+SSLMutex  file:/var/run/ssl_mutex
 
 ##
 ## SSL Virtual Host Context
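Review bot: `SSLSessionCache shmcb:/var/run/ssl_scache(512000)` and `SSLMutex file:/var/run/ssl_mutex` move the state files from the package-private prefixes used on the old side (`/var/cache/apache/`, `/var/run/apache/`) to top-level `/var/run/`. If the package creates and owns `/var/run/apache` for this purpose, the upstream paths appear to have been copied verbatim rather than adapted; consider `SSLSessionCache shmcb:/var/run/apache/ssl_scache(512000)` and `SSLMutex file:/var/run/apache/ssl_mutex` so the files stay where the rest of the package expects them. The switch from dbm to shmcb itself is unrelated to this and looks fine.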
@@ -92,10 +71,10 @@
 
 <VirtualHost _default_:443>
 
-#  General setup for the virtual host
+#   General setup for the virtual host
 DocumentRoot "/home/services/httpd/html"
-ServerName new.host.name:443
-ServerAdmin you at your.address
+ServerName www.example.com:443
+ServerAdmin you at example.com
 ErrorLog /var/log/httpd/error_log
 TransferLog /var/log/httpd/access_log
 
@@ -111,11 +90,10 @@
 #   Server Certificate:
 #   Point SSLCertificateFile at a PEM encoded certificate.  If
 #   the certificate is encrypted, then you will be prompted for a
-#   pass phrase.  Note that a kill -HUP will prompt again. A test
-#   certificate can be generated with `make certificate' under
-#   built time. Keep in mind that if you've both a RSA and a DSA
-#   certificate you can configure both in parallel (to also allow
-#   the use of DSA ciphers, etc.)
+#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
+#   in mind that if you have both an RSA and a DSA certificate you
+#   can configure both in parallel (to also allow the use of DSA
+#   ciphers, etc.)
 SSLCertificateFile /etc/httpd/ssl/server.crt
 #SSLCertificateFile /etc/httpd/ssl/server-dsa.crt
 
@@ -199,22 +177,18 @@
 #     because the extraction step is an expensive operation and is usually
 #     useless for serving static content. So one usually enables the
 #     exportation for CGI and SSI requests only.
-#   o CompatEnvVars:
-#     This exports obsolete environment variables for backward compatibility
-#     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
-#     to provide compatibility to existing CGI scripts.
 #   o StrictRequire:
 #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
 #     under a "Satisfy any" situation, i.e. when it applies access is denied
 #     and no other module can change it.
 #   o OptRenegotiate:
 #     This enables optimized SSL connection renegotiation handling when SSL
-#     directives are used in per-directory context. 
-#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
-<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+#     directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+<FilesMatch "\.(cgi|shtml|phtml|php)$">
     SSLOptions +StdEnvVars
-</Files>
-<Directory "/home/services/httpd/cgi-bin/">
+</FilesMatch>
+<Directory "/home/services/httpd/cgi-bin">
     SSLOptions +StdEnvVars
 </Directory>
 
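Review bot: `<FilesMatch "\.(cgi|shtml|phtml|php)$">` narrows the old `php3?` pattern, so `.php3` files no longer receive `SSLOptions +StdEnvVars` and their scripts lose the SSL_* environment variables. This matches the upstream 2.2 pattern, but it is a behaviour change for any site still serving `.php3`; if the package still supports that extension, keep it with `<FilesMatch "\.(cgi|shtml|phtml|php3?)$">`. The `<Directory>` path losing its trailing slash is harmless.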
@@ -235,14 +209,14 @@
 #     alert of the client. This is 100% SSL/TLS standard compliant, but in
 #     practice often causes hanging connections with brain-dead browsers. Use
 #     this only for browsers where you know that their SSL implementation
-#     works correctly. 
+#     works correctly.
 #   Notice: Most problems of broken clients are also related to the HTTP
 #   keep-alive facility, so you usually additionally want to disable
 #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
 #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
 #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
 #   "force-response-1.0" for this.
-SetEnvIf User-Agent ".*MSIE.*" \
+BrowserMatch ".*MSIE.*" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0
 
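Review bot: `BrowserMatch ".*MSIE.*" \` is an unanchored regular-expression match, so the leading and trailing `.*` add nothing; `BrowserMatch "MSIE" \` is equivalent and reads more clearly. The switch from `SetEnvIf User-Agent` to `BrowserMatch` keeps the same variables on the continuation lines, so no functional change is introduced there.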
@@ -252,8 +226,7 @@
 CustomLog /var/log/httpd/ssl_request_log \
           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 
-</VirtualHost>                                  
-
+</VirtualHost>
 
 </IfModule>
 # vim: filetype=apache ts=4 sw=4 et
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/SOURCES/apache-mod_ssl.conf?r1=1.9&r2=1.10&f=u



