|
| 1 | +# |
| 2 | +# This is the Apache server configuration file providing SSL support. |
| 3 | +# It contains the configuration directives to instruct the server how to |
| 4 | +# serve pages over an https connection. For detailed information about these |
| 5 | +# directives see <URL:http://httpd.apache.org/docs/2.4/mod/mod_ssl.html> |
| 6 | +# |
| 7 | +# Do NOT simply read the instructions in here without understanding |
| 8 | +# what they do. They're here only as hints or reminders. If you are unsure |
| 9 | +# consult the online docs. You have been warned. |
| 10 | +# |
| 11 | +# Required modules: mod_log_config, mod_setenvif, mod_ssl, |
| 12 | +# socache_shmcb_module (for default value of SSLSessionCache) |
| 13 | + |
| 14 | +# |
| 15 | +# Pseudo Random Number Generator (PRNG): |
| 16 | +# Configure one or more sources to seed the PRNG of the SSL library. |
| 17 | +# The seed data should be of good random quality. |
| 18 | +# WARNING! On some platforms /dev/random blocks if not enough entropy |
| 19 | +# is available. This means you then cannot use the /dev/random device |
| 20 | +# because it would lead to very long connection times (as long as |
| 21 | +# it requires to make more entropy available). But usually those |
| 22 | +# platforms additionally provide a /dev/urandom device which doesn't |
| 23 | +# block. So, if available, use this one instead. Read the mod_ssl User |
| 24 | +# Manual for more details. |
| 25 | +# |
| 26 | +#SSLRandomSeed startup file:/dev/random 512 |
| 27 | +#SSLRandomSeed startup file:/dev/urandom 512 |
| 28 | +#SSLRandomSeed connect file:/dev/random 512 |
| 29 | +#SSLRandomSeed connect file:/dev/urandom 512 |
| 30 | + |
| 31 | + |
| 32 | +# |
| 33 | +# When we also provide SSL we have to listen to the |
| 34 | +# standard HTTP port (see above) and to the HTTPS port |
| 35 | +# |
| 36 | +Listen 443 |
| 37 | +Listen [::]:443 |
| 38 | + |
| 39 | +## |
| 40 | +## SSL Global Context |
| 41 | +## |
| 42 | +## All SSL configuration in this context applies both to |
| 43 | +## the main server and all SSL-enabled virtual hosts. |
| 44 | +## |
| 45 | + |
| 46 | +# SSL Cipher Suite: |
| 47 | +# List the ciphers that the client is permitted to negotiate, |
| 48 | +# and that httpd will negotiate as the client of a proxied server. |
| 49 | +# See the OpenSSL documentation for a complete list of ciphers, and |
| 50 | +# ensure these follow appropriate best practices for this deployment. |
| 51 | +# httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers, |
| 52 | +# while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a. |
| 53 | +SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES |
| 54 | +SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES |
| 55 | + |
| 56 | +# By the end of 2016, only TLSv1.2 ciphers should remain in use. |
| 57 | +# Older ciphers should be disallowed as soon as possible, while the |
| 58 | +# kRSA ciphers do not offer forward secrecy. These changes inhibit |
| 59 | +# older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy |
| 60 | +# non-browser tooling) from successfully connecting. |
| 61 | +# |
| 62 | +# To restrict mod_ssl to use only TLSv1.2 ciphers, and disable |
| 63 | +# those protocols which do not support forward secrecy, replace |
| 64 | +# the SSLCipherSuite and SSLProxyCipherSuite directives above with |
| 65 | +# the following two directives, as soon as practical. |
| 66 | +# SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA |
| 67 | +# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA |
| 68 | + |
| 69 | +# User agents such as web browsers are not configured for the user's |
| 70 | +# own preference of either security or performance, therefore this |
| 71 | +# must be the prerogative of the web server administrator who manages |
| 72 | +# cpu load versus confidentiality, so enforce the server's cipher order. |
| 73 | +SSLHonorCipherOrder on |
| 74 | + |
| 75 | +# SSL Protocol support: |
| 76 | +# List the protocol versions which clients are allowed to connect with. |
| 77 | +# Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be |
| 78 | +# disabled as quickly as practical. By the end of 2016, only the TLSv1.2 |
| 79 | +# protocol or later should remain in use. |
| 80 | +SSLProtocol all -SSLv3 |
| 81 | +SSLProxyProtocol all -SSLv3 |
| 82 | + |
| 83 | +# Pass Phrase Dialog: |
| 84 | +# Configure the pass phrase gathering process. |
| 85 | +# The filtering dialog program (`builtin' is an internal |
| 86 | +# terminal dialog) has to provide the pass phrase on stdout. |
| 87 | +SSLPassPhraseDialog builtin |
| 88 | + |
| 89 | +# Inter-Process Session Cache: |
| 90 | +# Configure the SSL Session Cache: First the mechanism |
| 91 | +# to use and second the expiring timeout (in seconds). |
| 92 | +#SSLSessionCache "dbm:/usr/local/apache2/logs/ssl_scache" |
| 93 | +SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)" |
| 94 | +SSLSessionCacheTimeout 300 |
| 95 | + |
| 96 | +# OCSP Stapling (requires OpenSSL 0.9.8h or later) |
| 97 | +# |
| 98 | +# This feature is disabled by default and requires at least |
| 99 | +# the two directives SSLUseStapling and SSLStaplingCache. |
| 100 | +# Refer to the documentation on OCSP Stapling in the SSL/TLS |
| 101 | +# How-To for more information. |
| 102 | +# |
| 103 | +# Enable stapling for all SSL-enabled servers: |
| 104 | +#SSLUseStapling On |
| 105 | + |
| 106 | +# Define a relatively small cache for OCSP Stapling using |
| 107 | +# the same mechanism that is used for the SSL session cache |
| 108 | +# above. If stapling is used with more than a few certificates, |
| 109 | +# the size may need to be increased. (AH01929 will be logged.) |
| 110 | +#SSLStaplingCache "shmcb:/usr/local/apache2/logs/ssl_stapling(32768)" |
| 111 | + |
| 112 | +# Seconds before valid OCSP responses are expired from the cache |
| 113 | +#SSLStaplingStandardCacheTimeout 3600 |
| 114 | + |
| 115 | +# Seconds before invalid OCSP responses are expired from the cache |
| 116 | +#SSLStaplingErrorCacheTimeout 600 |
| 117 | + |
| 118 | +## |
| 119 | +## SSL Virtual Host Context |
| 120 | +## |
| 121 | + |
| 122 | +<VirtualHost _default_:443> |
| 123 | + |
| 124 | +# General setup for the virtual host |
| 125 | +DocumentRoot "/var/www/html" |
| 126 | +ServerName example.com |
| 127 | +ServerAlias www.example.com |
| 128 | +ServerAdmin admin@example.com |
| 129 | + |
| 130 | +ErrorLog "/usr/local/apache2/logs/example.com.error_log" |
| 131 | +TransferLog "/usr/local/apache2/logs/access_log" |
| 132 | + |
| 133 | +Protocols h2 http/1.1 |
| 134 | + |
| 135 | +<Directory "/var/www/html"> |
| 136 | + DirectoryIndex index.php |
| 137 | + Options FollowSymLinks |
| 138 | + AllowOverride All |
| 139 | + Order allow,deny |
| 140 | + Allow from all |
| 141 | + <IfModule mod_authz_core.c> |
| 142 | + Require all granted |
| 143 | + </IfModule> |
| 144 | +</Directory> |
| 145 | + |
| 146 | +# Proxy .php requests to port 9000 of the php-fpm container |
| 147 | +<FilesMatch \.php$> |
| 148 | + SetHandler proxy:fcgi://cakephp:9000 |
| 149 | + # for Unix sockets, Apache 2.4.10 or higher |
| 150 | + # SetHandler proxy:unix:/path/to/fpm.sock|fcgi://dummy |
| 151 | +</FilesMatch> |
| 152 | + |
| 153 | +# SSL Engine Switch: |
| 154 | +# Enable/Disable SSL for this virtual host. |
| 155 | +SSLEngine on |
| 156 | + |
| 157 | +# Server Certificate: |
| 158 | +# Point SSLCertificateFile at a PEM encoded certificate. If |
| 159 | +# the certificate is encrypted, then you will be prompted for a |
| 160 | +# pass phrase. Note that a kill -HUP will prompt again. Keep |
| 161 | +# in mind that if you have both an RSA and a DSA certificate you |
| 162 | +# can configure both in parallel (to also allow the use of DSA |
| 163 | +# ciphers, etc.) |
| 164 | +# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt) |
| 165 | +# require an ECC certificate which can also be configured in |
| 166 | +# parallel. |
| 167 | +SSLCertificateFile "/etc/letsencrypt/live/example.com/fullchain.pem" |
| 168 | +#SSLCertificateFile "/usr/local/apache2/conf/server.crt" |
| 169 | +#SSLCertificateFile "/usr/local/apache2/conf/server-dsa.crt" |
| 170 | +#SSLCertificateFile "/usr/local/apache2/conf/server-ecc.crt" |
| 171 | + |
| 172 | +# Server Private Key: |
| 173 | +# If the key is not combined with the certificate, use this |
| 174 | +# directive to point at the key file. Keep in mind that if |
| 175 | +# you've both a RSA and a DSA private key you can configure |
| 176 | +# both in parallel (to also allow the use of DSA ciphers, etc.) |
| 177 | +# ECC keys, when in use, can also be configured in parallel |
| 178 | +SSLCertificateKeyFile "/etc/letsencrypt/live/example.com/privkey.pem" |
| 179 | +#SSLCertificateKeyFile "/usr/local/apache2/conf/server.key" |
| 180 | +#SSLCertificateKeyFile "/usr/local/apache2/conf/server-dsa.key" |
| 181 | +#SSLCertificateKeyFile "/usr/local/apache2/conf/server-ecc.key" |
| 182 | + |
| 183 | +# Server Certificate Chain: |
| 184 | +# Point SSLCertificateChainFile at a file containing the |
| 185 | +# concatenation of PEM encoded CA certificates which form the |
| 186 | +# certificate chain for the server certificate. Alternatively |
| 187 | +# the referenced file can be the same as SSLCertificateFile |
| 188 | +# when the CA certificates are directly appended to the server |
| 189 | +# certificate for convenience. |
| 190 | +SSLCertificateChainFile "/etc/letsencrypt/live/example.com/chain.pem" |
| 191 | +#SSLCertificateChainFile "/usr/local/apache2/conf/server-ca.crt" |
| 192 | + |
| 193 | +# Certificate Authority (CA): |
| 194 | +# Set the CA certificate verification path where to find CA |
| 195 | +# certificates for client authentication or alternatively one |
| 196 | +# huge file containing all of them (file must be PEM encoded) |
| 197 | +# Note: Inside SSLCACertificatePath you need hash symlinks |
| 198 | +# to point to the certificate files. Use the provided |
| 199 | +# Makefile to update the hash symlinks after changes. |
| 200 | +#SSLCACertificatePath "/usr/local/apache2/conf/ssl.crt" |
| 201 | +#SSLCACertificateFile "/usr/local/apache2/conf/ssl.crt/ca-bundle.crt" |
| 202 | + |
| 203 | +# Certificate Revocation Lists (CRL): |
| 204 | +# Set the CA revocation path where to find CA CRLs for client |
| 205 | +# authentication or alternatively one huge file containing all |
| 206 | +# of them (file must be PEM encoded). |
| 207 | +# The CRL checking mode needs to be configured explicitly |
| 208 | +# through SSLCARevocationCheck (defaults to "none" otherwise). |
| 209 | +# Note: Inside SSLCARevocationPath you need hash symlinks |
| 210 | +# to point to the certificate files. Use the provided |
| 211 | +# Makefile to update the hash symlinks after changes. |
| 212 | +#SSLCARevocationPath "/usr/local/apache2/conf/ssl.crl" |
| 213 | +#SSLCARevocationFile "/usr/local/apache2/conf/ssl.crl/ca-bundle.crl" |
| 214 | +#SSLCARevocationCheck chain |
| 215 | + |
| 216 | +# Client Authentication (Type): |
| 217 | +# Client certificate verification type and depth. Types are |
| 218 | +# none, optional, require and optional_no_ca. Depth is a |
| 219 | +# number which specifies how deeply to verify the certificate |
| 220 | +# issuer chain before deciding the certificate is not valid. |
| 221 | +#SSLVerifyClient require |
| 222 | +#SSLVerifyDepth 10 |
| 223 | + |
| 224 | +# TLS-SRP mutual authentication: |
| 225 | +# Enable TLS-SRP and set the path to the OpenSSL SRP verifier |
| 226 | +# file (containing login information for SRP user accounts). |
| 227 | +# Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for |
| 228 | +# detailed instructions on creating this file. Example: |
| 229 | +# "openssl srp -srpvfile /usr/local/apache2/conf/passwd.srpv -add username" |
| 230 | +#SSLSRPVerifierFile "/usr/local/apache2/conf/passwd.srpv" |
| 231 | + |
| 232 | +# Access Control: |
| 233 | +# With SSLRequire you can do per-directory access control based |
| 234 | +# on arbitrary complex boolean expressions containing server |
| 235 | +# variable checks and other lookup directives. The syntax is a |
| 236 | +# mixture between C and Perl. See the mod_ssl documentation |
| 237 | +# for more details. |
| 238 | +#<Location /> |
| 239 | +#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ |
| 240 | +# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ |
| 241 | +# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ |
| 242 | +# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ |
| 243 | +# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ |
| 244 | +# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ |
| 245 | +#</Location> |
| 246 | + |
| 247 | +# SSL Engine Options: |
| 248 | +# Set various options for the SSL engine. |
| 249 | +# o FakeBasicAuth: |
| 250 | +# Translate the client X.509 into a Basic Authorisation. This means that |
| 251 | +# the standard Auth/DBMAuth methods can be used for access control. The |
| 252 | +# user name is the `one line' version of the client's X.509 certificate. |
| 253 | +# Note that no password is obtained from the user. Every entry in the user |
| 254 | +# file needs this password: `xxj31ZMTZzkVA'. |
| 255 | +# o ExportCertData: |
| 256 | +# This exports two additional environment variables: SSL_CLIENT_CERT and |
| 257 | +# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the |
| 258 | +# server (always existing) and the client (only existing when client |
| 259 | +# authentication is used). This can be used to import the certificates |
| 260 | +# into CGI scripts. |
| 261 | +# o StdEnvVars: |
| 262 | +# This exports the standard SSL/TLS related `SSL_*' environment variables. |
| 263 | +# Per default this exportation is switched off for performance reasons, |
| 264 | +# because the extraction step is an expensive operation and is usually |
| 265 | +# useless for serving static content. So one usually enables the |
| 266 | +# exportation for CGI and SSI requests only. |
| 267 | +# o StrictRequire: |
| 268 | +# This denies access when "SSLRequireSSL" or "SSLRequire" applied even |
| 269 | +# under a "Satisfy any" situation, i.e. when it applies access is denied |
| 270 | +# and no other module can change it. |
| 271 | +# o OptRenegotiate: |
| 272 | +# This enables optimized SSL connection renegotiation handling when SSL |
| 273 | +# directives are used in per-directory context. |
| 274 | +#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire |
| 275 | +<FilesMatch "\.(cgi|shtml|phtml|php)$"> |
| 276 | + SSLOptions +StdEnvVars |
| 277 | +</FilesMatch> |
| 278 | +<Directory "/usr/local/apache2/cgi-bin"> |
| 279 | + SSLOptions +StdEnvVars |
| 280 | +</Directory> |
| 281 | + |
| 282 | +Include /etc/letsencrypt/options-ssl-apache.conf |
| 283 | + |
| 284 | +# SSL Protocol Adjustments: |
| 285 | +# The safe and default but still SSL/TLS standard compliant shutdown |
| 286 | +# approach is that mod_ssl sends the close notify alert but doesn't wait for |
| 287 | +# the close notify alert from client. When you need a different shutdown |
| 288 | +# approach you can use one of the following variables: |
| 289 | +# o ssl-unclean-shutdown: |
| 290 | +# This forces an unclean shutdown when the connection is closed, i.e. no |
| 291 | +# SSL close notify alert is sent or allowed to be received. This violates |
| 292 | +# the SSL/TLS standard but is needed for some brain-dead browsers. Use |
| 293 | +# this when you receive I/O errors because of the standard approach where |
| 294 | +# mod_ssl sends the close notify alert. |
| 295 | +# o ssl-accurate-shutdown: |
| 296 | +# This forces an accurate shutdown when the connection is closed, i.e. a |
| 297 | +# SSL close notify alert is send and mod_ssl waits for the close notify |
| 298 | +# alert of the client. This is 100% SSL/TLS standard compliant, but in |
| 299 | +# practice often causes hanging connections with brain-dead browsers. Use |
| 300 | +# this only for browsers where you know that their SSL implementation |
| 301 | +# works correctly. |
| 302 | +# Notice: Most problems of broken clients are also related to the HTTP |
| 303 | +# keep-alive facility, so you usually additionally want to disable |
| 304 | +# keep-alive for those clients, too. Use variable "nokeepalive" for this. |
| 305 | +# Similarly, one has to force some clients to use HTTP/1.0 to workaround |
| 306 | +# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and |
| 307 | +# "force-response-1.0" for this. |
| 308 | +BrowserMatch "MSIE [2-5]" \ |
| 309 | + nokeepalive ssl-unclean-shutdown \ |
| 310 | + downgrade-1.0 force-response-1.0 |
| 311 | + |
| 312 | +# Per-Server Logging: |
| 313 | +# The home of a custom SSL log file. Use this when you want a |
| 314 | +# compact non-error SSL logfile on a virtual host basis. |
| 315 | +CustomLog "/usr/local/apache2/logs/ssl_request_log" \ |
| 316 | + "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" |
| 317 | + |
| 318 | +</VirtualHost> |
0 commit comments