Gentoo's Bugzilla – Attachment 34699 Details for Bug 25485: Req: ebuild for kolab server
41_mod_ssl.default-vhost.conf.template
41_mod_ssl.default-vhost.conf.template (text/plain), 8.36 KB, created by Andreas Pokorny on 2004-07-03 04:23:53 UTC
<IfDefine SSL>
  <IfModule !mod_ssl.c>
    LoadModule ssl_module extramodules/mod_ssl.so
  </IfModule>
</IfDefine>

<IfModule mod_ssl.c>

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

# General setup for the virtual host

DocumentRoot "/var/www/localhost/htdocs"
#ServerName localhost:443
#ServerAdmin root@localhost
ErrorLog logs/ssl_error_log
<IfModule mod_log_config.c>
TransferLog logs/ssl_access_log
</IfModule>
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.

SSLEngine on

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with `make certificate' at
# build time. Keep in mind that if you've both a RSA and a DSA
# certificate you can configure both in parallel (to also allow
# the use of DSA ciphers, etc.)

# SSLCertificateFile conf/ssl/server.crt
SSLCertificateFile /etc/kolab/cert.pem

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)

## SSLCertificateKeyFile conf/ssl/server.key
SSLCertificateKeyFile /etc/kolab/key.pem

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile conf/ssl/ca.crt

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath conf/ssl/ssl.crt
#SSLCACertificateFile conf/ssl/ca-bundle.crt

# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath conf/ssl/ssl.crl
#SSLCARevocationFile conf/ssl/ca-bundle.crl

# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10

# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

# SSL Engine Options:
# Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation. This means that
#     the standard Auth/DBMAuth methods can be used for access control. The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o CompatEnvVars:
#     This exports obsolete environment variables for backward compatibility
#     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
#     to provide compatibility to existing CGI scripts.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire

<Files ~ "\.(cgi|shtml|phtml|php?)$">

    SSLOptions +StdEnvVars

</Files>

<Directory "/var/www/localhost/cgi-bin">

    SSLOptions +StdEnvVars

</Directory>

# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is sent or allowed to be received. This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is sent and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.

<IfModule mod_setenvif.c>

    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

</IfModule>

# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.

<IfModule mod_log_config.c>
CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</IfModule>

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
</IfModule>

</VirtualHost>

</IfModule>


<VirtualHost _default_:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/kolab/cert.pem
SSLCertificateKeyFile /etc/kolab/key.pem

<Files ~ "\.(cgi|shtml|phtml|php4|php3?)$">
    SSLOptions +StdEnvVars
</Files>

<Directory "/var/www/localhost/htdocs/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

</VirtualHost>
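An added example, not part of the attachment or of the Gentoo or Kolab code: a Python audit of the SSLCipherSuite value that both virtual hosts in the template set. It uses a simplified model of OpenSSL cipher-string prefixes (no prefix adds, `+` only reorders, `-` removes, `!` removes permanently) and the documented rule that ALL excludes eNULL. The WEAK set, the function names and the sample config are assumptions of this example.

```python
import re

# Cipher-string keywords this example treats as weak (an assumption).
WEAK = {"LOW", "EXP", "EXPORT56", "SSLv2", "eNULL", "ADH", "RC4"}
# OpenSSL's ALL keyword leaves out eNULL; it has to be added by name.
IN_ALL = WEAK - {"eNULL"}
DIRECTIVE = re.compile(r"^\s*SSLCipherSuite\s+(\S+)", re.IGNORECASE)

def weak_classes_admitted(cipher_string):
    """Weak keyword classes left enabled, under a simplified model:
    no prefix adds, '+' only reorders, '-' removes, '!' removes for good."""
    enabled, killed = set(), set()
    for token in filter(None, re.split(r"[:, ]+", cipher_string.strip())):
        op = token[0] if token[0] in "!-+" else ""
        names = set(token[len(op):].split("+"))   # 'RC4+RSA' -> {'RC4', 'RSA'}
        if op == "":
            added = IN_ALL if "ALL" in names else names & WEAK
            enabled |= added - killed
        elif op in ("!", "-") and len(names) == 1:
            # A combination such as '!RC4+RSA' removes only a subset: skip it.
            enabled -= names
            if op == "!":
                killed |= names
        # '+' moves ciphers that are already enabled to the end: no change.
    return enabled

def audit(conf_text):
    """(line number, sorted weak classes) for each active SSLCipherSuite."""
    findings = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)   # '#'-commented directives do not match
        if match:
            findings.append((number, sorted(weak_classes_admitted(match.group(1)))))
    return findings

# Constructed sample: the attachment's cipher string and a stricter one.
SAMPLE = """\
# SSLCipherSuite LOW
<VirtualHost _default_:443>
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>
<VirtualHost _default_:443>
  SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>
"""

if __name__ == "__main__":
    for number, weak in audit(SAMPLE):
        print(f"line {number}: {', '.join(weak) or 'no weak classes'}")
```

Under this model the template's string leaves EXP, LOW, RC4 and SSLv2 enabled through ALL, while `+eNULL` adds nothing because ALL never included the eNULL ciphers.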