salt
/
apache-formula
geforkt von ExternalMirrors/apache-formula
Beobachten 1
Favorisieren 0
Fork 0
Code Releases 0 Aktivität
Saltstack Official Apache Formula
Du kannst nicht mehr als 25 Themen auswählen Themen müssen entweder mit einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
429 Commits
1 Branch
Branch: master
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von „master“
${ noResults }
apache-formula/apache/files/FreeBSD/mod_ssl.conf.jinja

217 Zeilen
9.6KB
Originalformat Permalink Blame Verlauf 

  1. #

  2. # This file is managed by Salt! Do not edit by hand!

  3. #

  4. 

  5. LoadModule ssl_module libexec/apache24/mod_ssl.so

  6. 

  7. <IfModule mod_ssl.c>

  8. #

  9. # Pseudo Random Number Generator (PRNG):

  10. # Configure one or more sources to seed the PRNG of the SSL library.

  11. # The seed data should be of good random quality.

  12. # WARNING! On some platforms /dev/random blocks if not enough entropy

  13. # is available. This means you then cannot use the /dev/random device

  14. # because it would lead to very long connection times (as long as

  15. # it requires to make more entropy available). But usually those

  16. # platforms additionally provide a /dev/urandom device which doesn't

  17. # block. So, if available, use this one instead. Read the mod_ssl User

  18. # Manual for more details.

  19. #

  20. SSLRandomSeed startup builtin

  21. SSLRandomSeed startup file:/dev/urandom 512

  22. SSLRandomSeed connect builtin

  23. SSLRandomSeed connect file:/dev/urandom 512

  24. 

  25. ##

  26. ##  SSL Global Context

  27. ##

  28. ##  All SSL configuration in this context applies both to

  29. ##  the main server and all SSL-enabled virtual hosts.

  30. ##

  31. 

  32. #

  33. #   Some MIME-types for downloading Certificates and CRLs

  34. #

  35. AddType application/x-x509-ca-cert .crt

  36. AddType application/x-pkcs7-crl    .crl

  37. 

  38. #   Pass Phrase Dialog:

  39. #   Configure the pass phrase gathering process.

  40. #   The filtering dialog program (`builtin' is a internal

  41. #   terminal dialog) has to provide the pass phrase on stdout.

  42. SSLPassPhraseDialog  builtin

  43. 

  44. #   Inter-Process Session Cache:

  45. #   Configure the SSL Session Cache: First the mechanism 

  46. #   to use and second the expiring timeout (in seconds).

  47. #SSLSessionCache         dbm:${APACHE_RUN_DIR}/ssl_scache

  48. SSLSessionCache        shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)

  49. SSLSessionCacheTimeout  300

  50. 

  51. #   Semaphore:

  52. #   Configure the path to the mutual exclusion semaphore the

  53. #   SSL engine uses internally for inter-process synchronization. 

  54. <IfVersion < 2.4>

  55. SSLMutex  file:${APACHE_RUN_DIR}/ssl_mutex

  56. </IfVersion>

  57. 

  58. #   SSL Cipher Suite:

  59. #   List the ciphers that the client is permitted to negotiate.

  60. #   See the mod_ssl documentation for a complete list.

  61. #   enable only secure ciphers:

  62. #SSLCipherSuite HIGH:MEDIUM:!ADH

  63. SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

  64. 

  65. # Mitigate the CRIME attack

  66. #SSLCompression off

  67. 

  68. #   Use this instead if you want to allow cipher upgrades via SGC facility.

  69. #   In this case you also have to use something like 

  70. #        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128

  71. #   see http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html.en#upgradeenc

  72. #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

  73. 

  74. # enable only secure protocols: SSLv3 and TLSv1, but not SSLv2

  75. SSLProtocol all -SSLv2 -SSLv3

  76. 

  77. SSLHonorCipherOrder On

  78. 

  79. # (bettercrypto.org)

  80. # Add six earth month HSTS header for all users...

  81. Header add Strict-Transport-Security "max-age=15768000"

  82. # If you want to protect all subdomains, use the following header

  83. # ALL subdomains HAVE TO support HTTPS if you use this!

  84. # Strict-Transport-Security: max-age=15768000 ; includeSubDomains

  85. 

  86. #   SSL Engine Switch:

  87. #   Enable/Disable SSL for this virtual host.

  88. SSLEngine on

  89. SSLOptions +StrictRequire

  90. 

  91. #   A self-signed (snakeoil) certificate can be created by installing

  92. #   the ssl-cert package. See

  93. #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.

  94. #   If both key and certificate are stored in the same file, only the

  95. #   SSLCertificateFile directive is needed.

  96. SSLCertificateFile    {{ salt['pillar.get']('apache:ssl:default_cert', '/usr/local/etc/apache24/server.crt') }}

  97. SSLCertificateKeyFile {{ salt['pillar.get']('apache:ssl:default_key', '/usr/local/etc/apache24/server.key') }}

  98. 

  99. #   Server Certificate Chain:

  100. #   Point SSLCertificateChainFile at a file containing the

  101. #   concatenation of PEM encoded CA certificates which form the

  102. #   certificate chain for the server certificate. Alternatively

  103. #   the referenced file can be the same as SSLCertificateFile

  104. #   when the CA certificates are directly appended to the server

  105. #   certificate for convinience.

  106. #SSLCertificateChainFile /usr/local/etc/apache24/ssl.crt/server-ca.crt

  107. 

  108. #   Certificate Authority (CA):

  109. #   Set the CA certificate verification path where to find CA

  110. #   certificates for client authentication or alternatively one

  111. #   huge file containing all of them (file must be PEM encoded)

  112. #   Note: Inside SSLCACertificatePath you need hash symlinks

  113. #         to point to the certificate files. Use the provided

  114. #         Makefile to update the hash symlinks after changes.

  115. #SSLCACertificatePath /etc/ssl/certs/

  116. #SSLCACertificateFile /usr/local/etc/apache24/ssl.crt/ca-bundle.crt

  117. 

  118. #   Certificate Revocation Lists (CRL):

  119. #   Set the CA revocation path where to find CA CRLs for client

  120. #   authentication or alternatively one huge file containing all

  121. #   of them (file must be PEM encoded)

  122. #   Note: Inside SSLCARevocationPath you need hash symlinks

  123. #         to point to the certificate files. Use the provided

  124. #         Makefile to update the hash symlinks after changes.

  125. #SSLCARevocationPath /usr/local/etc/apache24/ssl.crl/

  126. #SSLCARevocationFile /usr/local/etc/apache24/ssl.crl/ca-bundle.crl

  127. 

  128. #   Client Authentication (Type):

  129. #   Client certificate verification type and depth.  Types are

  130. #   none, optional, require and optional_no_ca.  Depth is a

  131. #   number which specifies how deeply to verify the certificate

  132. #   issuer chain before deciding the certificate is not valid.

  133. #SSLVerifyClient require

  134. #SSLVerifyDepth  10

  135. 

  136. #   Access Control:

  137. #   With SSLRequire you can do per-directory access control based

  138. #   on arbitrary complex boolean expressions containing server

  139. #   variable checks and other lookup directives.  The syntax is a

  140. #   mixture between C and Perl.  See the mod_ssl documentation

  141. #   for more details.

  142. #<Location />

  143. #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \

  144. #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \

  145. #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \

  146. #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \

  147. #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \

  148. #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/

  149. #</Location>

  150. 

  151. #   SSL Engine Options:

  152. #   Set various options for the SSL engine.

  153. #   o FakeBasicAuth:

  154. #     Translate the client X.509 into a Basic Authorisation.  This means that

  155. #     the standard Auth/DBMAuth methods can be used for access control.  The

  156. #     user name is the `one line' version of the client's X.509 certificate.

  157. #     Note that no password is obtained from the user. Every entry in the user

  158. #     file needs this password: `xxj31ZMTZzkVA'.

  159. #   o ExportCertData:

  160. #     This exports two additional environment variables: SSL_CLIENT_CERT and

  161. #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the

  162. #     server (always existing) and the client (only existing when client

  163. #     authentication is used). This can be used to import the certificates

  164. #     into CGI scripts.

  165. #   o StdEnvVars:

  166. #     This exports the standard SSL/TLS related `SSL_*' environment variables.

  167. #     Per default this exportation is switched off for performance reasons,

  168. #     because the extraction step is an expensive operation and is usually

  169. #     useless for serving static content. So one usually enables the

  170. #     exportation for CGI and SSI requests only.

  171. #   o StrictRequire:

  172. #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even

  173. #     under a "Satisfy any" situation, i.e. when it applies access is denied

  174. #     and no other module can change it.

  175. #   o OptRenegotiate:

  176. #     This enables optimized SSL connection renegotiation handling when SSL

  177. #     directives are used in per-directory context.

  178. #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

  179. <FilesMatch "\.(cgi|shtml|phtml|php)$">

  180. 	SSLOptions +StdEnvVars

  181. </FilesMatch>

  182. <Directory /usr/lib/cgi-bin>

  183. 	SSLOptions +StdEnvVars

  184. </Directory>

  185. 

  186. #   SSL Protocol Adjustments:

  187. #   The safe and default but still SSL/TLS standard compliant shutdown

  188. #   approach is that mod_ssl sends the close notify alert but doesn't wait for

  189. #   the close notify alert from client. When you need a different shutdown

  190. #   approach you can use one of the following variables:

  191. #   o ssl-unclean-shutdown:

  192. #     This forces an unclean shutdown when the connection is closed, i.e. no

  193. #     SSL close notify alert is send or allowed to received.  This violates

  194. #     the SSL/TLS standard but is needed for some brain-dead browsers. Use

  195. #     this when you receive I/O errors because of the standard approach where

  196. #     mod_ssl sends the close notify alert.

  197. #   o ssl-accurate-shutdown:

  198. #     This forces an accurate shutdown when the connection is closed, i.e. a

  199. #     SSL close notify alert is send and mod_ssl waits for the close notify

  200. #     alert of the client. This is 100% SSL/TLS standard compliant, but in

  201. #     practice often causes hanging connections with brain-dead browsers. Use

  202. #     this only for browsers where you know that their SSL implementation

  203. #     works correctly.

  204. #   Notice: Most problems of broken clients are also related to the HTTP

  205. #   keep-alive facility, so you usually additionally want to disable

  206. #   keep-alive for those clients, too. Use variable "nokeepalive" for this.

  207. #   Similarly, one has to force some clients to use HTTP/1.0 to workaround

  208. #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and

  209. #   "force-response-1.0" for this.

  210. BrowserMatch "MSIE [2-6]" \

  211. 	nokeepalive ssl-unclean-shutdown \

  212. 	downgrade-1.0 force-response-1.0

  213. # MSIE 7 and newer should be able to use keepalive

  214. BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

  215. 

  216. </IfModule>