1. <IfModule mod_ssl.c>
  2. <VirtualHost *:443>
  3. ServerAdmin [email protected]
  5. ServerName bosh.galex-713.eu
  7. DocumentRoot /srv/www
  8. <Directory />
  9. Options FollowSymLinks
  10. LanguagePriority en fr it es la eo vo ar he
  11. ForceLanguagePriority Fallback
  12. AllowOverride None
  13. </Directory>
  14. <Directory /srv/www>
  15. Options FollowSymLinks MultiViews
  16. LanguagePriority en fr it es la eo vo ar he
  17. ForceLanguagePriority Fallback
  18. AllowOverride None
  19. Order allow,deny
  20. allow from all
  21. </Directory>
  23. <Location /http-bind>
  24. Order allow,deny
  25. Allow from all
  26. </Location>
  27. RewriteEngine On
  28. RewriteRule ^/http-bind$ https://bosh.galex-713.eu:5281/http-bind [P,L]
  30. ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
  31. <Directory "/usr/lib/cgi-bin">
  32. AllowOverride None
  33. Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
  34. Order allow,deny
  35. Allow from all
  36. </Directory>
  38. ErrorLog ${APACHE_LOG_DIR}/error.log
  40. # Possible values include: debug, info, notice, warn, error, crit,
  41. # alert, emerg.
  42. LogLevel warn
  44. CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
  46. # SSL Engine Switch:
  47. # Enable/Disable SSL for this virtual host.
  48. SSLEngine on
  50. # A self-signed (snakeoil) certificate can be created by installing
  51. # the ssl-cert package. See
  52. # /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
  53. # If both key and certificate are stored in the same file, only the
  54. # SSLCertificateFile directive is needed.
  55. SSLCertificateFile /etc/ssl/certs/bosh.galex-713.eu.pem
  56. SSLCertificateKeyFile /etc/ssl/private/bosh.galex-713.eu.key
  58. # Server Certificate Chain:
  59. # Point SSLCertificateChainFile at a file containing the
  60. # concatenation of PEM encoded CA certificates which form the
  61. # certificate chain for the server certificate. Alternatively
  62. # the referenced file can be the same as SSLCertificateFile
  63. # when the CA certificates are directly appended to the server
  64. # certificate for convinience.
  65. #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
  67. # Certificate Authority (CA):
  68. # Set the CA certificate verification path where to find CA
  69. # certificates for client authentication or alternatively one
  70. # huge file containing all of them (file must be PEM encoded)
  71. # Note: Inside SSLCACertificatePath you need hash symlinks
  72. # to point to the certificate files. Use the provided
  73. # Makefile to update the hash symlinks after changes.
  74. #SSLCACertificatePath /etc/ssl/certs/
  75. #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
  77. # Certificate Revocation Lists (CRL):
  78. # Set the CA revocation path where to find CA CRLs for client
  79. # authentication or alternatively one huge file containing all
  80. # of them (file must be PEM encoded)
  81. # Note: Inside SSLCARevocationPath you need hash symlinks
  82. # to point to the certificate files. Use the provided
  83. # Makefile to update the hash symlinks after changes.
  84. #SSLCARevocationPath /etc/apache2/ssl.crl/
  85. #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
  87. # Client Authentication (Type):
  88. # Client certificate verification type and depth. Types are
  89. # none, optional, require and optional_no_ca. Depth is a
  90. # number which specifies how deeply to verify the certificate
  91. # issuer chain before deciding the certificate is not valid.
  92. #SSLVerifyClient require
  93. #SSLVerifyDepth 10
  95. # Access Control:
  96. # With SSLRequire you can do per-directory access control based
  97. # on arbitrary complex boolean expressions containing server
  98. # variable checks and other lookup directives. The syntax is a
  99. # mixture between C and Perl. See the mod_ssl documentation
  100. # for more details.
  101. #<Location />
  102. #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
  103. # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
  104. # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
  105. # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
  106. # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
  107. # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
  108. #</Location>
  110. # SSL Engine Options:
  111. # Set various options for the SSL engine.
  112. # o FakeBasicAuth:
  113. # Translate the client X.509 into a Basic Authorisation. This means that
  114. # the standard Auth/DBMAuth methods can be used for access control. The
  115. # user name is the `one line' version of the client's X.509 certificate.
  116. # Note that no password is obtained from the user. Every entry in the user
  117. # file needs this password: `xxj31ZMTZzkVA'.
  118. # o ExportCertData:
  119. # This exports two additional environment variables: SSL_CLIENT_CERT and
  120. # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
  121. # server (always existing) and the client (only existing when client
  122. # authentication is used). This can be used to import the certificates
  123. # into CGI scripts.
  124. # o StdEnvVars:
  125. # This exports the standard SSL/TLS related `SSL_*' environment variables.
  126. # Per default this exportation is switched off for performance reasons,
  127. # because the extraction step is an expensive operation and is usually
  128. # useless for serving static content. So one usually enables the
  129. # exportation for CGI and SSI requests only.
  130. # o StrictRequire:
  131. # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
  132. # under a "Satisfy any" situation, i.e. when it applies access is denied
  133. # and no other module can change it.
  134. # o OptRenegotiate:
  135. # This enables optimized SSL connection renegotiation handling when SSL
  136. # directives are used in per-directory context.
  137. #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
  138. <FilesMatch "\.(cgi|shtml|phtml|php)$">
  139. SSLOptions +StdEnvVars
  140. </FilesMatch>
  141. <Directory /usr/lib/cgi-bin>
  142. SSLOptions +StdEnvVars
  143. </Directory>
  145. # SSL Protocol Adjustments:
  146. # The safe and default but still SSL/TLS standard compliant shutdown
  147. # approach is that mod_ssl sends the close notify alert but doesn't wait for
  148. # the close notify alert from client. When you need a different shutdown
  149. # approach you can use one of the following variables:
  150. # o ssl-unclean-shutdown:
  151. # This forces an unclean shutdown when the connection is closed, i.e. no
  152. # SSL close notify alert is send or allowed to received. This violates
  153. # the SSL/TLS standard but is needed for some brain-dead browsers. Use
  154. # this when you receive I/O errors because of the standard approach where
  155. # mod_ssl sends the close notify alert.
  156. # o ssl-accurate-shutdown:
  157. # This forces an accurate shutdown when the connection is closed, i.e. a
  158. # SSL close notify alert is send and mod_ssl waits for the close notify
  159. # alert of the client. This is 100% SSL/TLS standard compliant, but in
  160. # practice often causes hanging connections with brain-dead browsers. Use
  161. # this only for browsers where you know that their SSL implementation
  162. # works correctly.
  163. # Notice: Most problems of broken clients are also related to the HTTP
  164. # keep-alive facility, so you usually additionally want to disable
  165. # keep-alive for those clients, too. Use variable "nokeepalive" for this.
  166. # Similarly, one has to force some clients to use HTTP/1.0 to workaround
  167. # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
  168. # "force-response-1.0" for this.
  169. BrowserMatch "MSIE [2-6]" \
  170. nokeepalive ssl-unclean-shutdown \
  171. downgrade-1.0 force-response-1.0
  172. # MSIE 7 and newer should be able to use keepalive
  173. BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
  175. </VirtualHost>
  176. </IfModule>