salt
/
apache-formula
forked from ExternalMirrors/apache-formula
Watch 1
Star 0
Fork 0
Code Releases 0 Activity
Saltstack Official Apache Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
429 Commits
1 Branch
Tree: 6f3ab21d62
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6f3ab21d62'
${ noResults }
apache-formula/apache/files/Debian/ssl.conf.jinja

87 lines
4.0KB
Raw Blame History 

  1. <IfModule mod_ssl.c>

  2. 

  3. 	# Pseudo Random Number Generator (PRNG):

  4. 	# Configure one or more sources to seed the PRNG of the SSL library.

  5. 	# The seed data should be of good random quality.

  6. 	# WARNING! On some platforms /dev/random blocks if not enough entropy

  7. 	# is available. This means you then cannot use the /dev/random device

  8. 	# because it would lead to very long connection times (as long as

  9. 	# it requires to make more entropy available). But usually those

  10. 	# platforms additionally provide a /dev/urandom device which doesn't

  11. 	# block. So, if available, use this one instead. Read the mod_ssl User

  12. 	# Manual for more details.

  13. 	#

  14. 	SSLRandomSeed startup builtin

  15. 	SSLRandomSeed startup file:/dev/urandom 512

  16. 	SSLRandomSeed connect builtin

  17. 	SSLRandomSeed connect file:/dev/urandom 512

  18. 

  19. 	##

  20. 	##  SSL Global Context

  21. 	##

  22. 	##  All SSL configuration in this context applies both to

  23. 	##  the main server and all SSL-enabled virtual hosts.

  24. 	##

  25. 

  26. 	#

  27. 	#   Some MIME-types for downloading Certificates and CRLs

  28. 	#

  29. 	AddType application/x-x509-ca-cert .crt

  30. 	AddType application/x-pkcs7-crl	.crl

  31. 

  32. 	#   Pass Phrase Dialog:

  33. 	#   Configure the pass phrase gathering process.

  34. 	#   The filtering dialog program (`builtin' is a internal

  35. 	#   terminal dialog) has to provide the pass phrase on stdout.

  36. 	SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase

  37. 

  38. 	#   Inter-Process Session Cache:

  39. 	#   Configure the SSL Session Cache: First the mechanism 

  40. 	#   to use and second the expiring timeout (in seconds).

  41. 	#   (The mechanism dbm has known memory leaks and should not be used).

  42. 	#SSLSessionCache		 dbm:${APACHE_RUN_DIR}/ssl_scache

  43. 	SSLSessionCache		shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)

  44. 	SSLSessionCacheTimeout  300

  45. 

  46. 	#   Semaphore:

  47. 	#   Configure the path to the mutual exclusion semaphore the

  48. 	#   SSL engine uses internally for inter-process synchronization. 

  49. 	#   (Disabled by default, the global Mutex directive consolidates by default

  50. 	#   this)

  51. 	#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache

  52. 

  53. 

  54. 	#   SSL Cipher Suite:

  55. 	#   List the ciphers that the client is permitted to negotiate. See the

  56. 	#   ciphers(1) man page from the openssl package for list of all available

  57. 	#   options.

  58. 	#   Enable only secure ciphers:

  59.         {# default from https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29 #}

  60. 	SSLCipherSuite {{ salt['pillar.get']('apache:ssl:SSLCipherSuite', 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS') }}

  61. 

  62. 	# SSL server cipher order preference:

  63. 	# Use server priorities for cipher algorithm choice.

  64. 	# Clients may prefer lower grade encryption.  You should enable this

  65. 	# option if you want to enforce stronger encryption, and can afford

  66. 	# the CPU cost, and did not override SSLCipherSuite in a way that puts

  67. 	# insecure ciphers first.

  68. 	# Default: Off

  69. 	SSLHonorCipherOrder {{ salt['pillar.get']('apache:ssl:SSLHonorCipherOrder', 'On') }}

  70. 

  71. 	#   The protocols to enable.

  72. 	#   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2

  73. 	#   SSL v2  is no longer supported

  74. 	SSLProtocol {{ salt['pillar.get']('apache:ssl:SSLProtocol', 'all -SSLv2 -SSLv3') }}

  75. 

  76. 	#   Allow insecure renegotiation with clients which do not yet support the

  77. 	#   secure renegotiation protocol. Default: Off

  78. 	#SSLInsecureRenegotiation on

  79. 

  80. 	#   Whether to forbid non-SNI clients to access name based virtual hosts.

  81. 	#   Default: Off

  82. 	#SSLStrictSNIVHostCheck On

  83. 

  84. </IfModule>

  85. 

  86. # vim: syntax=apache ts=4 sw=4 sts=4 sr noet