SOURCES: apache-mod_ssl.conf - update settings from 2.2.0 sources:...
glen
glen at pld-linux.org
Wed Dec 14 23:09:15 CET 2005
Author: glen Date: Wed Dec 14 22:09:15 2005 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- update settings from 2.2.0 sources: extra/httpd-ssl.conf
---- Files affected:
SOURCES:
apache-mod_ssl.conf (1.9 -> 1.10)
---- Diffs:
================================================================
Index: SOURCES/apache-mod_ssl.conf
diff -u SOURCES/apache-mod_ssl.conf:1.9 SOURCES/apache-mod_ssl.conf:1.10
--- SOURCES/apache-mod_ssl.conf:1.9 Fri Oct 15 20:57:51 2004
+++ SOURCES/apache-mod_ssl.conf Wed Dec 14 23:09:09 2005
@@ -1,40 +1,38 @@
# $Id$
-LoadModule ssl_module modules/mod_ssl.so
+LoadModule ssl_module modules/mod_ssl.so
-<IfModule mod_ssl.c>
-#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
-# serve pages over an https connection. For detailing information about these
-# directives see <URL:http://httpd.apache.org/docs-2.0/mod/mod_ssl.html>
-#
-# For the moment, see <URL:http://www.modssl.org/docs/> for this info.
-# The documents are still being prepared from material donated by the
-# modssl project.
-#
-# Do NOT simply read the instructions in here without understanding
-# what they do. They're here only as hints or reminders. If you are unsure
-# consult the online docs. You have been warned.
-#
-#<IfDefine SSL>
-
-# Until documentation is completed, please check http://www.modssl.org/
-# for additional config examples and module docmentation. Directives
-# and features of mod_ssl are largely unchanged from the mod_ssl project
-# for Apache 1.3.
+# serve pages over an https connection. For detailing information about these
+# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
+<IfModule mod_ssl.c>
#
-# When we also provide SSL we have to listen to the
-# standard HTTP port (see above) and to the HTTPS port
+# Pseudo Random Number Generator (PRNG):
+# Configure one or more sources to seed the PRNG of the SSL library.
+# The seed data should be of good random quality.
+# WARNING! On some platforms /dev/random blocks if not enough entropy
+# is available. This means you then cannot use the /dev/random device
+# because it would lead to very long connection times (as long as
+# it requires to make more entropy available). But usually those
+# platforms additionally provide a /dev/urandom device which doesn't
+# block. So, if available, use this one instead. Read the mod_ssl User
+# Manual for more details.
#
-Listen 443
+#SSLRandomSeed startup file:/dev/random 512
+#SSLRandomSeed startup file:/dev/urandom 512
+#SSLRandomSeed connect file:/dev/random 512
+#SSLRandomSeed connect file:/dev/urandom 512
+
+#
+# When we also provide SSL we have to listen to the
+# standard HTTP port (see above) and to the HTTPS port
#
-# Dynamic Shared Object (DSO) Support
+# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
+# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
-# To be able to use the functionality of a module which was built as a DSO you
-# ErrorLog logs/dummy-host.example.com-error_log
-# CustomLog logs/dummy-host.example.com-access_log common
+Listen 443
##
## SSL Global Context
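Review bot: After this commit no SSLRandomSeed directive is active: the four sources added in the PRNG block here are all commented out, and the second hunk (`@@ -56,35 +54,16 @@`) removes the previously active `SSLRandomSeed startup builtin` and `SSLRandomSeed connect builtin`. Seeding of the SSL library's PRNG is then left to whatever mod_ssl and OpenSSL do on their own, which the file no longer states anywhere. If relying on those defaults is intended, a one-line comment saying so in the PRNG block would prevent a future reader from treating the commented lines as the effective setting; otherwise keep an explicit, non-blocking source such as `SSLRandomSeed startup file:/dev/urandom 512` and `SSLRandomSeed connect builtin`, consistent with the /dev/random warning in the same comment block.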
@@ -56,35 +54,16 @@
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
-# Configure the SSL Session Cache: First the mechanism
+# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
-#SSLSessionCache none
-#SSLSessionCache shmht:logs/ssl_scache(512000)
-#SSLSessionCache shmcb:logs/ssl_scache(512000)
-SSLSessionCache dbm:/var/cache/apache/ssl_scache
-SSLSessionCacheTimeout 300
+#SSLSessionCache dbm:/var/run/ssl_scache
+SSLSessionCache shmcb:/var/run/ssl_scache(512000)
+SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
-# SSL engine uses internally for inter-process synchronization.
-SSLMutex file:/var/run/apache/ssl_mutex
-
-# Pseudo Random Number Generator (PRNG):
-# Configure one or more sources to seed the PRNG of the
-# SSL library. The seed data should be of good random quality.
-# WARNING! On some platforms /dev/random blocks if not enough entropy
-# is available. This means you then cannot use the /dev/random device
-# because it would lead to very long connection times (as long as
-# it requires to make more entropy available). But usually those
-# platforms additionally provide a /dev/urandom device which doesn't
-# block. So, if available, use this one instead. Read the mod_ssl User
-# Manual for more details.
-SSLRandomSeed startup builtin
-SSLRandomSeed connect builtin
-#SSLRandomSeed startup file:/dev/random 512
-#SSLRandomSeed startup file:/dev/urandom 512
-#SSLRandomSeed connect file:/dev/random 512
-#SSLRandomSeed connect file:/dev/urandom 512
+# SSL engine uses internally for inter-process synchronization.
+SSLMutex file:/var/run/ssl_mutex
##
## SSL Virtual Host Context
@@ -92,10 +71,10 @@
<VirtualHost _default_:443>
-# General setup for the virtual host
+# General setup for the virtual host
DocumentRoot "/home/services/httpd/html"
-ServerName new.host.name:443
-ServerAdmin you at your.address
+ServerName www.example.com:443
+ServerAdmin you at example.com
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
@@ -111,11 +90,10 @@
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
-# pass phrase. Note that a kill -HUP will prompt again. A test
-# certificate can be generated with `make certificate' under
-# built time. Keep in mind that if you've both a RSA and a DSA
-# certificate you can configure both in parallel (to also allow
-# the use of DSA ciphers, etc.)
+# pass phrase. Note that a kill -HUP will prompt again. Keep
+# in mind that if you have both an RSA and a DSA certificate you
+# can configure both in parallel (to also allow the use of DSA
+# ciphers, etc.)
SSLCertificateFile /etc/httpd/ssl/server.crt
#SSLCertificateFile /etc/httpd/ssl/server-dsa.crt
@@ -199,22 +177,18 @@
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
-# o CompatEnvVars:
-# This exports obsolete environment variables for backward compatibility
-# to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
-# to provide compatibility to existing CGI scripts.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
-# directives are used in per-directory context.
-#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
-<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
-</Files>
-<Directory "/home/services/httpd/cgi-bin/">
+</FilesMatch>
+<Directory "/home/services/httpd/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
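Review bot: The new `<FilesMatch "\.(cgi|shtml|phtml|php)$">` narrows the old `php3?` pattern, so `.php3` scripts no longer receive `SSLOptions +StdEnvVars` and lose the SSL_* environment variables. The log message only says the settings were synced from the 2.2.0 sources, so this is a silent behaviour change for any deployment still serving php3 files. If the narrowing is deliberate it deserves a mention in the log; if not, `<FilesMatch "\.(cgi|shtml|phtml|php3?)$">` keeps the old coverage while still using the FilesMatch form. The enclosing `<VirtualHost _default_:443>` block starts and ends outside this hunk.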
@@ -235,14 +209,14 @@
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
-# works correctly.
+# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
-SetEnvIf User-Agent ".*MSIE.*" \
+BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
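Review bot: `BrowserMatch ".*MSIE.*"` applies `nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0` to every Internet Explorer version, and the leading and trailing `.*` are redundant in an unanchored regex. The comment above describes these as workarounds for clients whose SSL shutdown and HTTP/1.1 handling are broken, so a version-scoped match such as `BrowserMatch "MSIE [2-5]" \` would keep keep-alive and HTTP/1.1 for clients that do not need the downgrade; which versions still require it should be checked against what this deployment has to support. The surrounding `<VirtualHost>` block continues outside the hunk.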
@@ -252,8 +226,7 @@
CustomLog /var/log/httpd/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-</VirtualHost>
-
+</VirtualHost>
</IfModule>
# vim: filetype=apache ts=4 sw=4 et
================================================================
---- CVS-web:
http://cvs.pld-linux.org/SOURCES/apache-mod_ssl.conf?r1=1.9&r2=1.10&f=u