Next: The structure and layout of the module Up: The mod_SSL project Previous: Obtaining mod_ssl   Table of Contents


5.8.4.10       The mod_ssl configuration file

The contents of the httpd.conf.ssl file are the following (the author's own annotations have been moved onto separate comment lines, because Apache does not accept a trailing `#` comment on a directive line):

###########################################################
##                  MOD_SSL CONFIGURATION
###########################################################

# The SSL module is loaded here
LoadModule ssl_module        /usr/lib/apache/libssl.so

# We listen on these ports
Listen 80
Listen 443

##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#   Some MIME-types for downloading Certificates and CRLs
#
# The certificate as a file type
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is an internal
#   terminal dialog) has to provide the pass phrase on stdout.
# It is best to leave this as is.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First either `none'
#   or `dbm:/path/to/file' for the mechanism to use and
#   second the expiring timeout (in seconds).
SSLSessionCache         dbm:logs/ssl_scache
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
SSLMutex  file:logs/ssl_mutex

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the
#   SSL library. The seed data should be of good random quality.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#   Logging:
#   The home of the dedicated SSL protocol logfile. Errors are
#   additionally duplicated in the general error log file.  Put
#   this somewhere where it cannot be used for symlink attacks on
#   a real server (i.e. somewhere where only root can write).
#   Log levels are (ascending order: higher ones include lower ones):
#   none, error, warn, info, trace, debug.
SSLLog      logs/ssl_engine_log
SSLLogLevel info

##
## SSL Virtual Host Context
##

# The directives below belong to the SSL virtual host on port 443;
# without this container SSLEngine on would also apply to port 80.
<VirtualHost _default_:443>

# General setup for the virtual host
DocumentRoot /home/httpd/html
#ServerName new.host.name
#ServerAdmin you@your.address
ErrorLog logs/ssl-error_log
TransferLog logs/ssl-access_log

#
#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#
#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
#SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

#
#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again. A test
#   certificate can be generated with `make certificate' at
#   build time.
SSLCertificateFile    conf/server.crt

#
#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.
SSLCertificateKeyFile conf/server.key

#
#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCACertificatePath    @@ServerRoot@@/conf/ssl.crt
#SSLCACertificateFile    @@ServerRoot@@/conf/ssl.crt/ca-bundle.crt

#
#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
SSLVerifyClient none
SSLVerifyDepth  10

#
#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrarily complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/

#
#   SSL Engine Options:
#   Set various options for the SSL engine.
#   FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   CompatEnvVars:
#     This exports obsolete environment variables for backward compatibility
#     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
#     to provide compatibility to existing CGI scripts.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars

#
#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is sent or allowed to be received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is sent and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

#
#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
#CustomLog logs/ssl_request_log \
#          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
#

</VirtualHost>
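As an added example that is not part of the original text or of the mod_ssl project, the script below reads an Apache-style configuration excerpt such as the one above (handling `#` comments, `<Section>` tags and backslash line continuations, as in the SSLRequire and CustomLog examples) and reports two of the settings a reviewer would flag: cipher-list tokens that admit export, null or SSLv2 suites, and a PRNG seeded only from the `builtin` source. The embedded configuration is a constructed excerpt with the SSLCipherSuite line uncommented so that there is something to inspect.

```python
import re

# Constructed excerpt of httpd.conf.ssl (not a file from the page), with the
# SSLCipherSuite line uncommented so the audit has something to check.
SAMPLE_CONF = """\
LoadModule ssl_module /usr/lib/apache/libssl.so
Listen 443
SSLSessionCache dbm:logs/ssl_scache
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<VirtualHost _default_:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile    conf/server.crt
SSLCertificateKeyFile conf/server.key
SSLVerifyClient none
</VirtualHost>
"""

# Cipher-list tokens that enable SSLv2, export-grade, or null suites.
WEAK_TOKENS = {"SSLv2", "LOW", "EXP", "eNULL", "aNULL"}

def parse_directives(text):
    """Yield (name, [args]) for each directive; comments, blank lines and
    <Section> tags are skipped, backslash line continuations are joined."""
    joined = re.sub(r"\\\n", " ", text)
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split()
        yield parts[0], parts[1:]

def audit(text):
    """Return findings for weak cipher tokens and builtin-only PRNG seeding."""
    findings = {"weak_ciphers": [], "prng_builtin_only": False, "ssl_engine_on": False}
    seeds = []
    for name, args in parse_directives(text):
        if name == "SSLCipherSuite" and args:
            tokens = args[0].split(":")
            # "+LOW" and "LOW" both add the suite class; strip the "+" prefix
            findings["weak_ciphers"] = sorted(t for t in tokens if t.lstrip("+") in WEAK_TOKENS)
        elif name == "SSLRandomSeed" and len(args) >= 2:
            seeds.append(args[1])
        elif name == "SSLEngine" and args:
            findings["ssl_engine_on"] = args[0].lower() == "on"
    findings["prng_builtin_only"] = bool(seeds) and all(s == "builtin" for s in seeds)
    return findings

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```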



 
Misóka Zoltán 2000. 10. 05.