Project

General

Profile

ssl.conf

Dennis Box, 10/22/2013 04:46 PM

 
1
#
2
# This is the Apache server configuration file providing SSL support.
3
# It contains the configuration directives to instruct the server how to
4
# serve pages over an https connection. For detailing information about these 
5
# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
6
# 
7
# Do NOT simply read the instructions in here without understanding
8
# what they do.  They're here only as hints or reminders.  If you are unsure
9
# consult the online docs. You have been warned.  
10
#
11

    
12
LoadModule ssl_module modules/mod_ssl.so
13

    
14
#
15
# When we also provide SSL we have to listen to the 
16
# the HTTPS port in addition.
17
#
18
Listen 443
19

    
20
##
21
##  SSL Global Context
22
##
23
##  All SSL configuration in this context applies both to
24
##  the main server and all SSL-enabled virtual hosts.
25
##
26

    
27
#
28
#   Some MIME-types for downloading Certificates and CRLs
29
#
30
AddType application/x-x509-ca-cert .crt
31
AddType application/x-pkcs7-crl    .crl
32

    
33
#   Pass Phrase Dialog:
34
#   Configure the pass phrase gathering process.
35
#   The filtering dialog program (`builtin' is a internal
36
#   terminal dialog) has to provide the pass phrase on stdout.
37
SSLPassPhraseDialog  builtin
38

    
39
#   Inter-Process Session Cache:
40
#   Configure the SSL Session Cache: First the mechanism 
41
#   to use and second the expiring timeout (in seconds).
42
#SSLSessionCache        dc:UNIX:/var/cache/mod_ssl/distcache
43
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
44
SSLSessionCacheTimeout  300
45

    
46
#   Semaphore:
47
#   Configure the path to the mutual exclusion semaphore the
48
#   SSL engine uses internally for inter-process synchronization. 
49
SSLMutex default
50

    
51
#   Pseudo Random Number Generator (PRNG):
52
#   Configure one or more sources to seed the PRNG of the 
53
#   SSL library. The seed data should be of good random quality.
54
#   WARNING! On some platforms /dev/random blocks if not enough entropy
55
#   is available. This means you then cannot use the /dev/random device
56
#   because it would lead to very long connection times (as long as
57
#   it requires to make more entropy available). But usually those
58
#   platforms additionally provide a /dev/urandom device which doesn't
59
#   block. So, if available, use this one instead. Read the mod_ssl User
60
#   Manual for more details.
61
SSLRandomSeed startup file:/dev/urandom  256
62
SSLRandomSeed connect builtin
63
#SSLRandomSeed startup file:/dev/random  512
64
#SSLRandomSeed connect file:/dev/random  512
65
#SSLRandomSeed connect file:/dev/urandom 512
66

    
67
#
68
# Use "SSLCryptoDevice" to enable any supported hardware
69
# accelerators. Use "openssl engine -v" to list supported
70
# engine names.  NOTE: If you enable an accelerator and the
71
# server does not start, consult the error logs and ensure
72
# your accelerator is functioning properly. 
73
#
74
SSLCryptoDevice builtin
75
#SSLCryptoDevice ubsec
76

    
77
##
78
## SSL Virtual Host Context
79
##
80

    
81
<VirtualHost _default_:443>
82

    
83
# General setup for the virtual host, inherited from global configuration
84
#DocumentRoot "/var/www/html"
85
#ServerName www.example.com:443
86

    
87
# Use separate log files for the SSL virtual host; note that LogLevel
88
# is not inherited from httpd.conf.
89
ErrorLog logs/ssl_error_log
90
TransferLog logs/ssl_access_log
91
LogLevel debug
92

    
93
#   SSL Engine Switch:
94
#   Enable/Disable SSL for this virtual host.
95
SSLEngine on
96

    
97
#   SSL Protocol support:
98
# List the enable protocol levels with which clients will be able to
99
# connect.  Disable SSLv2 access by default:
100
SSLProtocol all -SSLv2
101

    
102
#   SSL Cipher Suite:
103
# List the ciphers that the client is permitted to negotiate.
104
# See the mod_ssl documentation for a complete list.
105
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
106

    
107
#   Server Certificate:
108
# Point SSLCertificateFile at a PEM encoded certificate.  If
109
# the certificate is encrypted, then you will be prompted for a
110
# pass phrase.  Note that a kill -HUP will prompt again.  A new
111
# certificate can be generated using the genkey(1) command.
112
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
113
SSLCertificateFile /etc/grid-security/hostcert.pem
114

    
115
#   Server Private Key:
116
#   If the key is not combined with the certificate, use this
117
#   directive to point at the key file.  Keep in mind that if
118
#   you've both a RSA and a DSA private key you can configure
119
#   both in parallel (to also allow the use of DSA ciphers, etc.)
120
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
121
SSLCertificateKeyFile /etc/grid-security/hostkey.pem
122

    
123
#   Server Certificate Chain:
124
#   Point SSLCertificateChainFile at a file containing the
125
#   concatenation of PEM encoded CA certificates which form the
126
#   certificate chain for the server certificate. Alternatively
127
#   the referenced file can be the same as SSLCertificateFile
128
#   when the CA certificates are directly appended to the server
129
#   certificate for convinience.
130
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
131

    
132
#   Certificate Authority (CA):
133
#   Set the CA certificate verification path where to find CA
134
#   certificates for client authentication or alternatively one
135
#   huge file containing all of them (file must be PEM encoded)
136
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
137
SSLCACertificateFile /etc/grid-security/certificates/FNAL-SLCS.pem
138

    
139
#   Client Authentication (Type):
140
#   Client certificate verification type and depth.  Types are
141
#   none, optional, require and optional_no_ca.  Depth is a
142
#   number which specifies how deeply to verify the certificate
143
#   issuer chain before deciding the certificate is not valid.
144
SSLVerifyClient require
145
SSLVerifyDepth  1
146

    
147
#   Access Control:
148
#   With SSLRequire you can do per-directory access control based
149
#   on arbitrary complex boolean expressions containing server
150
#   variable checks and other lookup directives.  The syntax is a
151
#   mixture between C and Perl.  See the mod_ssl documentation
152
#   for more details.
153
#<Location />
154
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
155
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
156
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
157
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
158
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
159
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
160
#</Location>
161

    
162
#   SSL Engine Options:
163
#   Set various options for the SSL engine.
164
#   o FakeBasicAuth:
165
#     Translate the client X.509 into a Basic Authorisation.  This means that
166
#     the standard Auth/DBMAuth methods can be used for access control.  The
167
#     user name is the `one line' version of the client's X.509 certificate.
168
#     Note that no password is obtained from the user. Every entry in the user
169
#     file needs this password: `xxj31ZMTZzkVA'.
170
#   o ExportCertData:
171
#     This exports two additional environment variables: SSL_CLIENT_CERT and
172
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
173
#     server (always existing) and the client (only existing when client
174
#     authentication is used). This can be used to import the certificates
175
#     into CGI scripts.
176
#   o StdEnvVars:
177
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
178
#     Per default this exportation is switched off for performance reasons,
179
#     because the extraction step is an expensive operation and is usually
180
#     useless for serving static content. So one usually enables the
181
#     exportation for CGI and SSI requests only.
182
#   o StrictRequire:
183
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
184
#     under a "Satisfy any" situation, i.e. when it applies access is denied
185
#     and no other module can change it.
186
#   o OptRenegotiate:
187
#     This enables optimized SSL connection renegotiation handling when SSL
188
#     directives are used in per-directory context. 
189
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
190
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
191
    SSLOptions +StdEnvVars  
192
</Files>
193
<Directory "/var/www/cgi-bin">
194
    SSLOptions +StdEnvVars
195
</Directory>
196

    
197
<Directory "/">
198
    SSLOptions +StdEnvVars +FakeBasicAuth +ExportCertData
199
</Directory>
200
#   SSL Protocol Adjustments:
201
#   The safe and default but still SSL/TLS standard compliant shutdown
202
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
203
#   the close notify alert from client. When you need a different shutdown
204
#   approach you can use one of the following variables:
205
#   o ssl-unclean-shutdown:
206
#     This forces an unclean shutdown when the connection is closed, i.e. no
207
#     SSL close notify alert is send or allowed to received.  This violates
208
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
209
#     this when you receive I/O errors because of the standard approach where
210
#     mod_ssl sends the close notify alert.
211
#   o ssl-accurate-shutdown:
212
#     This forces an accurate shutdown when the connection is closed, i.e. a
213
#     SSL close notify alert is send and mod_ssl waits for the close notify
214
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
215
#     practice often causes hanging connections with brain-dead browsers. Use
216
#     this only for browsers where you know that their SSL implementation
217
#     works correctly. 
218
#   Notice: Most problems of broken clients are also related to the HTTP
219
#   keep-alive facility, so you usually additionally want to disable
220
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
221
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
222
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
223
#   "force-response-1.0" for this.
224
SetEnvIf User-Agent ".*MSIE.*" \
225
         nokeepalive ssl-unclean-shutdown \
226
         downgrade-1.0 force-response-1.0
227

    
228
#   Per-Server Logging:
229
#   The home of a custom SSL log file. Use this when you want a
230
#   compact non-error SSL logfile on a virtual host basis.
231
CustomLog logs/ssl_request_log2 \
232
          "%t %h  %{SSL_CLIENT_S_DN}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
233

    
234
#CustomLog logs/commonssl "%h %l %{SSL_CLIENT_S_DN_Email}x %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"" 
235
#CustomLog logs/commonvhostssl "%v %h %l %{SSL_CLIENT_S_DN_Email}x %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"" 
236
    ServerAdmin dbox@fnal.gov
237
    ServerName sngpvm02.fnal.gov
238
    ProxyPreserveHost On
239

    
240
    DocumentRoot /scratch/dbox/work_area
241

    
242
    # this prevents the follow URL path from being proxied
243
    ProxyPass /scratch !
244

    
245
    # setup the proxy
246
    <Proxy *>
247
        Order allow,deny
248
        Allow from all
249
    </Proxy>
250
    ProxyPass / http://131.225.67.72:8090/
251
    ProxyPassReverse / http://131.225.67.72:8090/
252

    
253
</VirtualHost>                                  
254