Posted to users@httpd.apache.org by Odhiambo Washington <wa...@wananchi.com> on 2002/01/10 15:11:12 UTC
httpd.conf problem - help diagnose
Hello good people,
Please help me diagnose my httpd.conf - it doesn't obey me when it comes
to virtualhosts. I've looked at it so much I am now very confused. I'm attaching
it. Some hawk-eyed guy may be able to detect my STUPIDITY with this file.
Virtualhosts always end up at the default, why?
Thanks in advance.
-Wash
S y s t e m s A d m i n.
--
Odhiambo Washington <wa...@wananchi.com>
Wananchi Online Ltd. www.wananchi.com
Tel: 254 2 313985-9 Fax: 254 2 313922
GSM: 254 72 743 223 GSM: 254 733 744 121
"The box said 'Requires Windows 95, NT, or better,' so I installed FreeBSD."
This sig is McQ! :-)
++
"I was gratified to be able to answer promptly, and I did. I said I
didn't know."
-- Mark Twain
Re: httpd.conf problem - help diagnose
Posted by Martin Haase-Thomas <mh...@meome-ag.de>.
Hi,
you should insert one line before the first VirtualHost:
NameVirtualHost 999.999.999.999
and in the VirtualHost section:
ServerName your.fq.dn
Martin
Odhiambo Washington wrote:
>Hello good people,
>
>Please help me diagnose my httpd.conf - it doesn't obey me when it comes
>to virtualhosts. I've looked at it so much I am now very confused. I'm attaching
>it. Some hawk-eyed guy may be able to detect my STUPIDITY with this file.
>Virtualhosts always end up at the default, why?
>
>Thanks in advance.
>
>
>
>-Wash
>
>S y s t e m s A d m i n.
>
>
>------------------------------------------------------------------------
>
>##
>## httpd.conf -- Apache HTTP server configuration file
>##
>
>### Section 1: Global Environment
>ServerType standalone
>ServerRoot "/usr/local"
>#LockFile /var/run/httpd.lock
>PidFile /var/run/httpd.pid
>ScoreBoardFile /var/run/httpd.scoreboard
>ResourceConfig /dev/null
>AccessConfig /dev/null
>Timeout 300
>KeepAlive On
>MaxKeepAliveRequests 100
>KeepAliveTimeout 15
>MinSpareServers 5
>MaxSpareServers 10
>StartServers 5
>MaxClients 150
>MaxRequestsPerChild 0
>BindAddress *
>
># Dynamic Shared Object (DSO) Support
>LoadModule mmap_static_module libexec/apache/mod_mmap_static.so
>LoadModule vhost_alias_module libexec/apache/mod_vhost_alias.so
>LoadModule env_module libexec/apache/mod_env.so
>LoadModule define_module libexec/apache/mod_define.so
>LoadModule config_log_module libexec/apache/mod_log_config.so
>LoadModule mime_magic_module libexec/apache/mod_mime_magic.so
>LoadModule mime_module libexec/apache/mod_mime.so
>LoadModule negotiation_module libexec/apache/mod_negotiation.so
>LoadModule status_module libexec/apache/mod_status.so
>LoadModule info_module libexec/apache/mod_info.so
>LoadModule includes_module libexec/apache/mod_include.so
>LoadModule autoindex_module libexec/apache/mod_autoindex.so
>LoadModule dir_module libexec/apache/mod_dir.so
>LoadModule cgi_module libexec/apache/mod_cgi.so
>LoadModule asis_module libexec/apache/mod_asis.so
>LoadModule imap_module libexec/apache/mod_imap.so
>LoadModule action_module libexec/apache/mod_actions.so
>LoadModule speling_module libexec/apache/mod_speling.so
>LoadModule userdir_module libexec/apache/mod_userdir.so
>LoadModule alias_module libexec/apache/mod_alias.so
>LoadModule rewrite_module libexec/apache/mod_rewrite.so
>LoadModule access_module libexec/apache/mod_access.so
>LoadModule auth_module libexec/apache/mod_auth.so
>LoadModule anon_auth_module libexec/apache/mod_auth_anon.so
>LoadModule db_auth_module libexec/apache/mod_auth_db.so
>LoadModule digest_module libexec/apache/mod_digest.so
>LoadModule proxy_module libexec/apache/libproxy.so
>LoadModule cern_meta_module libexec/apache/mod_cern_meta.so
>LoadModule expires_module libexec/apache/mod_expires.so
>LoadModule headers_module libexec/apache/mod_headers.so
>LoadModule usertrack_module libexec/apache/mod_usertrack.so
>LoadModule unique_id_module libexec/apache/mod_unique_id.so
>LoadModule setenvif_module libexec/apache/mod_setenvif.so
><IfDefine SSL>
>LoadModule ssl_module libexec/apache/libssl.so
>LoadModule perl_module libexec/apache/libperl.so
>LoadModule php4_module libexec/apache/libphp4.so
></IfDefine>
>
># Reconstruction of the complete module list from all available modules
># (static and shared ones) to achieve correct module execution order.
># [WHENEVER YOU CHANGE THE LOADMODULE SECTION ABOVE UPDATE THIS, TOO]
>ClearModuleList
>AddModule mod_mmap_static.c
>AddModule mod_vhost_alias.c
>AddModule mod_env.c
>AddModule mod_define.c
>AddModule mod_log_config.c
>AddModule mod_mime_magic.c
>AddModule mod_mime.c
>AddModule mod_negotiation.c
>AddModule mod_status.c
>AddModule mod_info.c
>AddModule mod_include.c
>AddModule mod_autoindex.c
>AddModule mod_dir.c
>AddModule mod_cgi.c
>AddModule mod_asis.c
>AddModule mod_imap.c
>AddModule mod_actions.c
>AddModule mod_speling.c
>AddModule mod_userdir.c
>AddModule mod_alias.c
>AddModule mod_rewrite.c
>AddModule mod_access.c
>AddModule mod_auth.c
>AddModule mod_auth_anon.c
>AddModule mod_auth_db.c
>AddModule mod_digest.c
>AddModule mod_proxy.c
>AddModule mod_cern_meta.c
>AddModule mod_expires.c
>AddModule mod_headers.c
>AddModule mod_usertrack.c
>AddModule mod_unique_id.c
>AddModule mod_so.c
>AddModule mod_setenvif.c
><IfDefine SSL>
>AddModule mod_ssl.c
>AddModule mod_perl.c
>AddModule mod_php4.c
></IfDefine>
>ExtendedStatus On
>
>### Section 2: 'Main' server configuration
>Port 80
>
><IfDefine SSL>
>Listen 80
>Listen 443
></IfDefine>
>
>User www
>Group www
>
>ServerAdmin admin@wananchi.com
>ServerName ns2.wananchi.com
>#
>DocumentRoot "/usr/local/www/htdocs"
>#
># First, we configure the "default" to be a very restrictive set of
># permissions.
>#
>#<Directory />
># Options FollowSymLinks
># AllowOverride None
>#</Directory>
>
>#
><Directory "/usr/local/www/htdocs">
> Options Indexes FollowSymLinks MultiViews
> AllowOverride None
> Order allow,deny
> Allow from all
></Directory>
>
>#
># UserDir:
>#
><IfModule mod_userdir.c>
> UserDir public_html
></IfModule>
>
><Directory /home/*/public_html>
> AllowOverride FileInfo AuthConfig Limit
> Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
> <Limit GET POST OPTIONS PROPFIND>
> Order allow,deny
> Allow from all
> </Limit>
> <LimitExcept GET POST OPTIONS PROPFIND>
> Order deny,allow
> Deny from all
> </LimitExcept>
></Directory>
>
>#
># DirectoryIndex
>#
><IfModule mod_dir.c>
> <IfModule mod_php3.c>
> <IfModule mod_php4.c>
> DirectoryIndex index.php index.php3 index.html index.phtml
> </IfModule>
> <IfModule !mod_php4.c>
> DirectoryIndex index.php3 index.html
> </IfModule>
> </IfModule>
> <IfModule !mod_php3.c>
> <IfModule mod_php4.c>
> DirectoryIndex index.php index.html index.phtml
> </IfModule>
> <IfModule !mod_php4.c>
> DirectoryIndex index.html
> </IfModule>
> </IfModule>
></IfModule>
>
>AccessFileName .htaccess
>
>#
><Files ~ "^\.ht">
> Order allow,deny
> Deny from all
> Satisfy All
></Files>
>
>#CacheNegotiatedDocs
>
>UseCanonicalName On
>#
><IfModule mod_mime.c>
> TypesConfig /usr/local/etc/apache/mime.types
></IfModule>
>#
>DefaultType text/plain
>
>#
><IfModule mod_mime_magic.c>
> MIMEMagicFile /usr/local/etc/apache/magic
></IfModule>
>
>#
>HostnameLookups Off
>#
>ErrorLog /var/log/httpd-error.log
>LogLevel warn
>
>#
># The following directives define some format nicknames for use with
># a CustomLog directive (see below).
>#
>LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
>CustomLog "| cronolog /var/log/apache/%Y/%m/%d/access.log" combined
>LogFormat "%h %l %u %t \"%r\" %>s %b" common
>LogFormat "%{Referer}i -> %U" referer
>LogFormat "%{User-agent}i" agent
>
>#
># Set to one of: On | Off | EMail
>#
>ServerSignature On
>#
><IfModule mod_alias.c>
>
> Alias /icons/ "/usr/local/www/icons/"
>
> <Directory "/usr/local/www/icons">
> Options Indexes MultiViews
> AllowOverride None
> Order allow,deny
> Allow from all
> </Directory>
>#
> Alias /manual/ "/usr/local/share/doc/apache/"
>
> <Directory "/usr/local/share/doc/apache">
> Options Indexes FollowSymlinks MultiViews
> AllowOverride None
> Order allow,deny
> Allow from all
> </Directory>
>#
>
> ScriptAlias /cgi-bin/ "/usr/local/www/htdocs/cgi-bin/"
>
> <Directory "/usr/local/www/htdocs/cgi-bin">
> AllowOverride None
> Options None
> Order allow,deny
> Allow from all
> </Directory>
>
>Alias /horde/ "/usr/local/www/htdocs/horde/"
># This one is to close a security hole where local.inc is displayed
>
> ScriptAlias /horde/phplib/ "/usr/local/www/htdocs/horde/phplib/"
>
> # Let's also not allow the Web server to serve config files
>
> <Directory "/usr/local/www/htdocs/horde/config">
> order deny,allow
> deny from all
> </Directory>
> <Directory "/usr/local/www/htdocs/horde/lib">
> order deny,allow
> deny from all
> </Directory>
> <Directory "/usr/local/www/htdocs/horde/locale">
> order deny,allow
> deny from all
> </Directory>
> <Directory "/usr/local/www/htdocs/horde/templates">
> order deny,allow
> deny from all
> </Directory>
> <Directory "/usr/local/www/htdocs/horde/imp/config">
> order deny,allow
> deny from all
> </Directory>
> <Directory "/usr/local/www/htdocs/horde/imp/lib">
> order deny,allow
> deny from all
> </Directory>
> <Directory "/usr/local/www/htdocs/horde/imp/locale">
> order deny,allow
> deny from all
> </Directory>
> <Directory "/usr/local/www/htdocs/horde/imp/templates">
> order deny,allow
> deny from all
> </Directory>
>
>
></IfModule>
># End of aliases.
>#
><IfModule mod_autoindex.c>
> IndexOptions FancyIndexing
> #
> AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
>
> AddIconByType (TXT,/icons/text.gif) text/*
> AddIconByType (IMG,/icons/image2.gif) image/*
> AddIconByType (SND,/icons/sound2.gif) audio/*
> AddIconByType (VID,/icons/movie.gif) video/*
>
> AddIcon /icons/binary.gif .bin .exe
> AddIcon /icons/binhex.gif .hqx
> AddIcon /icons/tar.gif .tar
> AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
> AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
> AddIcon /icons/a.gif .ps .ai .eps
> AddIcon /icons/layout.gif .html .shtml .htm .pdf
> AddIcon /icons/text.gif .txt
> AddIcon /icons/c.gif .c
> AddIcon /icons/p.gif .pl .py
> AddIcon /icons/f.gif .for
> AddIcon /icons/dvi.gif .dvi
> AddIcon /icons/uuencoded.gif .uu
> AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
> AddIcon /icons/tex.gif .tex
> AddIcon /icons/bomb.gif core
>
> AddIcon /icons/back.gif ..
> AddIcon /icons/hand.right.gif README
> AddIcon /icons/folder.gif ^^DIRECTORY^^
> AddIcon /icons/blank.gif ^^BLANKICON^^
>
> #
> DefaultIcon /icons/unknown.gif
>
> #
> # AddDescription allows you to place a short description after a file in
> # server-generated indexes. These are only displayed for FancyIndexed
> # directories.
> # Format: AddDescription "description" filename
> #
> #AddDescription "GZIP compressed document" .gz
> #AddDescription "tar archive" .tar
> #AddDescription "GZIP compressed tar archive" .tgz
> #
> ReadmeName README
> HeaderName HEADER
></IfModule>
># End of indexing directives.
>
>#
># Document types.
>#
><IfModule mod_mime.c>
>
> AddEncoding x-compress Z
> AddEncoding x-gzip gz tgz
>
> #
> AddLanguage da .dk
> AddLanguage nl .nl
> AddLanguage en .en
> AddLanguage et .ee
> AddLanguage fr .fr
> AddLanguage de .de
> AddLanguage el .el
> AddLanguage he .he
> AddCharset ISO-8859-8 .iso8859-8
> AddLanguage it .it
> AddLanguage ja .ja
> AddCharset ISO-2022-JP .jis
> AddLanguage kr .kr
> AddCharset ISO-2022-KR .iso-kr
> AddLanguage nn .nn
> AddLanguage no .no
> AddLanguage pl .po
> AddCharset ISO-8859-2 .iso-pl
> AddLanguage pt .pt
> AddLanguage pt-br .pt-br
> AddLanguage ltz .lu
> AddLanguage ca .ca
> AddLanguage es .es
> AddLanguage sv .se
> AddLanguage cz .cz
> AddLanguage ru .ru
> AddLanguage zh-tw .tw
> AddLanguage tw .tw
> AddCharset Big5 .Big5 .big5
> AddCharset WINDOWS-1251 .cp-1251
> AddCharset CP866 .cp866
> AddCharset ISO-8859-5 .iso-ru
> AddCharset KOI8-R .koi8-r
> AddCharset UCS-2 .ucs2
> AddCharset UCS-4 .ucs4
> AddCharset UTF-8 .utf8
>
> <IfModule mod_negotiation.c>
> LanguagePriority en da nl et fr de el it ja kr no pl pt pt-br ru ltz ca es sv tw
> </IfModule>
>
> #
> #
> <IfModule mod_php3.c>
> AddType application/x-httpd-php3 .php3
> AddType application/x-httpd-php3-source .php3s
> </IfModule>
> #
> # And for PHP 4.x, use:
> #
> <IfModule mod_php4.c>
> AddType application/x-httpd-php .php
> AddType application/x-httpd-php-source .phps
> </IfModule>
>
> AddType application/x-tar .tgz
>
></IfModule>
>
># Customize behaviour based on the browser
>#
><IfModule mod_setenvif.c>
> BrowserMatch "Mozilla/2" nokeepalive
> BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
> BrowserMatch "RealPlayer 4\.0" force-response-1.0
> BrowserMatch "Java/1\.0" force-response-1.0
> BrowserMatch "JDK/1\.0" force-response-1.0
></IfModule>
># End of browser customization directives
>
>#<Location /server-status>
># SetHandler server-status
># Order deny,allow
># Deny from all
># Allow from .wananchi.com
>#</Location>
>#
><Location /server-info>
> SetHandler server-info
> Order deny,allow
> Deny from all
> Allow from .wananchi.com all
></Location>
>
>#
><Location /cgi-bin/phf*>
> Deny from all
> ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
></Location>
>
>### Section 3: Virtual Hosts
>
>NameVirtualHost *:80
>
>
>#
># VirtualHost example:
># Almost any Apache directive may go into a VirtualHost container.
># The first VirtualHost section is used for requests without a known
># server name.
>#
>#<VirtualHost *>
># ServerAdmin webmaster@dummy-host.example.com
># DocumentRoot /www/docs/dummy-host.example.com
># ServerName dummy-host.example.com
># ErrorLog logs/dummy-host.example.com-error_log
># CustomLog logs/dummy-host.example.com-access_log common
>#</VirtualHost>
>
>
><VirtualHost *:80>
> ServerName ns2.wananchi.com
> ServerAdmin admin@wananchi.com
> DocumentRoot /usr/local/www/htdocs
> ScriptAlias /cgi-bin/ "/usr/local/www/htdocs/cgi-bin/"
> ErrorLog /var/log/virtual/httpd-error.log
> CustomLog "| cronolog /var/log/apache/%Y/%m/%d/webmail-access.log" combined
> TransferLog /var/log/virtual/freebsd-access_log
> <Directory /usr/local/www/htdocs/horde/cgi-bin/>
> Options Indexes Includes MultiViews
> AllowOverride None
> Options ExecCGI
> Order allow,deny
> Allow from all
> </Directory>
></VirtualHost>
>
><VirtualHost *:80>
>#<VirtualHost mail.wananchi.com:80>
> ServerName mail.wananchi.com
> ServerAdmin admin@wananchi.com
> DocumentRoot /usr/local/www/htdocs/horde/imp
> ErrorLog /var/log/virtual/httpd-error.log
> CustomLog "| cronolog /var/log/apache/%Y/%m/%d/webmail-access.log" combined
> ScriptAlias /cgi-bin/ "/usr/local/www/htdocs/horde/cgi-bin/"
> <Directory /usr/local/www/htdocs/horde/cgi-bin/>
> Options Indexes Includes MultiViews
> AllowOverride None
> Options ExecCGI
> Order allow,deny
> Allow from all
> </Directory>
></VirtualHost>
>
>#
><VirtualHost freebsd.co.ke:80>
> DocumentRoot /usr/local/www/htdocs/virtual/freebsd.co.ke/imp
> ServerAlias www.freebsd.co.ke
> ServerName freebsd.co.ke
> ServerAdmin wash@wananchi.com
> ErrorLog /var/log/virtual/freebsd-error_log
> CustomLog "| cronolog /var/log/apache/%Y/%m/%d/freebsd-access.log" combined
> TransferLog /var/log/virtual/freebsd-access_log
> ScriptAlias /cgi-bin/ /usr/local/www/htdocs/virtual/freebsd.co.ke/cgi-bin/
> <Directory /usr/local/www/htdocs/virtual/freebsd.co.ke/cgi-bin/>
> Options Indexes Includes MultiViews
> AllowOverride None
> Options ExecCGI
> Order allow,deny
> Allow from all
> </Directory>
> ErrorDocument 404 /missing.html
> SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
></VirtualHost>
>
>#
>
>##
>## SSL Global Context
>##
>## All SSL configuration in this context applies both to
>## the main server and all SSL-enabled virtual hosts.
>##
>
>#
># Some MIME-types for downloading Certificates and CRLs
>#
><IfDefine SSL>
>AddType application/x-x509-ca-cert .crt
>AddType application/x-pkcs7-crl .crl
></IfDefine>
>
><IfModule mod_ssl.c>
>
># Pass Phrase Dialog:
># Configure the pass phrase gathering process.
># The filtering dialog program (`builtin' is a internal
># terminal dialog) has to provide the pass phrase on stdout.
>SSLPassPhraseDialog builtin
>
># Inter-Process Session Cache:
># Configure the SSL Session Cache: First the mechanism
># to use and second the expiring timeout (in seconds).
>#SSLSessionCache none
>#SSLSessionCache shmht:/var/run/ssl_scache(512000)
>#SSLSessionCache shmcb:/var/run/ssl_scache(512000)
>SSLSessionCache dbm:/var/run/ssl_scache
>SSLSessionCacheTimeout 300
>
># Semaphore:
># Configure the path to the mutual exclusion semaphore the
># SSL engine uses internally for inter-process synchronization.
>SSLMutex file:/var/run/ssl_mutex
>
># Pseudo Random Number Generator (PRNG):
># Configure one or more sources to seed the PRNG of the
># SSL library. The seed data should be of good random quality.
># WARNING! On some platforms /dev/random blocks if not enough entropy
># is available. This means you then cannot use the /dev/random device
># because it would lead to very long connection times (as long as
># it requires to make more entropy available). But usually those
># platforms additionally provide a /dev/urandom device which doesn't
># block. So, if available, use this one instead. Read the mod_ssl User
># Manual for more details.
>SSLRandomSeed startup builtin
>SSLRandomSeed connect builtin
>#SSLRandomSeed startup file:/dev/random 512
>#SSLRandomSeed startup file:/dev/urandom 512
>#SSLRandomSeed connect file:/dev/random 512
>#SSLRandomSeed connect file:/dev/urandom 512
>
># Logging:
># The home of the dedicated SSL protocol logfile. Errors are
># additionally duplicated in the general error log file. Put
># this somewhere where it cannot be used for symlink attacks on
># a real server (i.e. somewhere where only root can write).
># Log levels are (ascending order: higher ones include lower ones):
># none, error, warn, info, trace, debug.
>SSLLog /var/log/ssl_engine_log
>SSLLogLevel info
>
></IfModule>
>
><IfDefine SSL>
>
>##
>## SSL Virtual Host Context
>##
>
><IfDefine SSL>
><VirtualHost _default_:443>
>
># General setup for the virtual host
> DocumentRoot "/usr/local/www/htdocs/horde/imp"
> ServerName mail.wananchi.com
> ServerAdmin admin@wananchi.com
> ErrorLog /var/log/httpd-error.log
> TransferLog /var/log/httpd-access.log
> ScriptAlias /cgi-bin/ "/usr/local/www/htdocs/horde/cgi-bin/"
> <Directory /usr/local/www/htdocs/horde/cgi-bin/>
> Options Indexes Includes MultiViews
> AllowOverride None
> Options ExecCGI
> Order allow,deny
> Allow from all
> </Directory>
># SSL Engine Switch:
># Enable/Disable SSL for this virtual host.
>SSLEngine on
>
># SSL Cipher Suite:
># List the ciphers that the client is permitted to negotiate.
># See the mod_ssl documentation for a complete list.
>SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
># Server Certificate:
># Point SSLCertificateFile at a PEM encoded certificate. If
># the certificate is encrypted, then you will be prompted for a
># pass phrase. Note that a kill -HUP will prompt again. A test
># certificate can be generated with `make certificate' under
># built time. Keep in mind that if you've both a RSA and a DSA
># certificate you can configure both in parallel (to also allow
># the use of DSA ciphers, etc.)
>##SSLCertificateFile /usr/local/etc/apache/ssl.crt/server.crt
>#SSLCertificateFile /usr/local/etc/apache/ssl.crt/server-dsa.crt
>SSLCertificateFile /usr/local/etc/apache/certs/new.cert.cert
>
># Server Private Key:
># If the key is not combined with the certificate, use this
># directive to point at the key file. Keep in mind that if
># you've both a RSA and a DSA private key you can configure
># both in parallel (to also allow the use of DSA ciphers, etc.)
>##SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/server.key
>#SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/server-dsa.key
>SSLCertificateKeyFile /usr/local/etc/apache/certs/new.cert.key
>
># Server Certificate Chain:
># Point SSLCertificateChainFile at a file containing the
># concatenation of PEM encoded CA certificates which form the
># certificate chain for the server certificate. Alternatively
># the referenced file can be the same as SSLCertificateFile
># when the CA certificates are directly appended to the server
># certificate for convinience.
>#SSLCertificateChainFile /usr/local/etc/apache/ssl.crt/ca.crt
>
># Certificate Authority (CA):
># Set the CA certificate verification path where to find CA
># certificates for client authentication or alternatively one
># huge file containing all of them (file must be PEM encoded)
># Note: Inside SSLCACertificatePath you need hash symlinks
># to point to the certificate files. Use the provided
># Makefile to update the hash symlinks after changes.
>#SSLCACertificatePath /usr/local/etc/apache/ssl.crt
>#SSLCACertificateFile /usr/local/etc/apache/ssl.crt/ca-bundle.crt
>
># Certificate Revocation Lists (CRL):
># Set the CA revocation path where to find CA CRLs for client
># authentication or alternatively one huge file containing all
># of them (file must be PEM encoded)
># Note: Inside SSLCARevocationPath you need hash symlinks
># to point to the certificate files. Use the provided
># Makefile to update the hash symlinks after changes.
>#SSLCARevocationPath /usr/local/etc/apache/ssl.crl
>#SSLCARevocationFile /usr/local/etc/apache/ssl.crl/ca-bundle.crl
>
># Client Authentication (Type):
># Client certificate verification type and depth. Types are
># none, optional, require and optional_no_ca. Depth is a
># number which specifies how deeply to verify the certificate
># issuer chain before deciding the certificate is not valid.
>#SSLVerifyClient require
>#SSLVerifyDepth 10
>
># Access Control:
># With SSLRequire you can do per-directory access control based
># on arbitrary complex boolean expressions containing server
># variable checks and other lookup directives. The syntax is a
># mixture between C and Perl. See the mod_ssl documentation
># for more details.
>#<Location />
>#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
># and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
># and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
># and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
># and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
># or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
>#</Location>
>
># SSL Engine Options:
># Set various options for the SSL engine.
># o FakeBasicAuth:
># Translate the client X.509 into a Basic Authorisation. This means that
># the standard Auth/DBMAuth methods can be used for access control. The
># user name is the `one line' version of the client's X.509 certificate.
># Note that no password is obtained from the user. Every entry in the user
># file needs this password: `xxj31ZMTZzkVA'.
># o ExportCertData:
># This exports two additional environment variables: SSL_CLIENT_CERT and
># SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
># server (always existing) and the client (only existing when client
># authentication is used). This can be used to import the certificates
># into CGI scripts.
># o StdEnvVars:
># This exports the standard SSL/TLS related `SSL_*' environment variables.
># Per default this exportation is switched off for performance reasons,
># because the extraction step is an expensive operation and is usually
># useless for serving static content. So one usually enables the
># exportation for CGI and SSI requests only.
># o CompatEnvVars:
># This exports obsolete environment variables for backward compatibility
># to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
># to provide compatibility to existing CGI scripts.
># o StrictRequire:
># This denies access when "SSLRequireSSL" or "SSLRequire" applied even
># under a "Satisfy any" situation, i.e. when it applies access is denied
># and no other module can change it.
># o OptRenegotiate:
># This enables optimized SSL connection renegotiation handling when SSL
># directives are used in per-directory context.
>#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
><Files ~ "\.(cgi|shtml|phtml|php3?)$">
> SSLOptions +StdEnvVars
></Files>
><Directory "/usr/local/www/htdocs/horde/cgi-bin">
> SSLOptions +StdEnvVars
></Directory>
>
># SSL Protocol Adjustments:
># The safe and default but still SSL/TLS standard compliant shutdown
># approach is that mod_ssl sends the close notify alert but doesn't wait for
># the close notify alert from client. When you need a different shutdown
># approach you can use one of the following variables:
># o ssl-unclean-shutdown:
># This forces an unclean shutdown when the connection is closed, i.e. no
># SSL close notify alert is send or allowed to received. This violates
># the SSL/TLS standard but is needed for some brain-dead browsers. Use
># this when you receive I/O errors because of the standard approach where
># mod_ssl sends the close notify alert.
># o ssl-accurate-shutdown:
># This forces an accurate shutdown when the connection is closed, i.e. a
># SSL close notify alert is send and mod_ssl waits for the close notify
># alert of the client. This is 100% SSL/TLS standard compliant, but in
># practice often causes hanging connections with brain-dead browsers. Use
># this only for browsers where you know that their SSL implementation
># works correctly.
># Notice: Most problems of broken clients are also related to the HTTP
># keep-alive facility, so you usually additionally want to disable
># keep-alive for those clients, too. Use variable "nokeepalive" for this.
># Similarly, one has to force some clients to use HTTP/1.0 to workaround
># their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
># "force-response-1.0" for this.
>SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
>
># Per-Server Logging:
># The home of a custom SSL log file. Use this when you want a
># compact non-error SSL logfile on a virtual host basis.
>CustomLog /var/log/ssl_request_log \
> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
></VirtualHost>
></IfDefine>
></IfDefine>
>
>
>------------------------------------------------------------------------
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP Server Project.
>See <URL:http://httpd.apache.org/userslist.html> for more info.
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org
>
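A lint for the points raised in the reply above, added here as an illustration and not code from either poster or from the Apache project. It reports which `<VirtualHost>` block is listed first for each `NameVirtualHost` address (the block that answers any Host header nothing else matches), any `<VirtualHost>` argument that is textually not a `NameVirtualHost` argument, and name-based blocks without `ServerName`. `SAMPLE_CONF` is a constructed excerpt of the quoted file; the function names and the textual (not DNS-resolved) address comparison are assumptions of this example.

```python
import re

# Constructed excerpt: only the virtual-host directives from the httpd.conf
# quoted above, with the per-vhost logging and <Directory> blocks left out.
SAMPLE_CONF = """\
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName ns2.wananchi.com
    DocumentRoot /usr/local/www/htdocs
</VirtualHost>
<VirtualHost *:80>
#<VirtualHost mail.wananchi.com:80>
    ServerName mail.wananchi.com
    DocumentRoot /usr/local/www/htdocs/horde/imp
</VirtualHost>
<VirtualHost freebsd.co.ke:80>
    ServerAlias www.freebsd.co.ke
    ServerName freebsd.co.ke
</VirtualHost>
<VirtualHost _default_:443>
    ServerName mail.wananchi.com
</VirtualHost>
"""

OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
CLOSE = re.compile(r"</VirtualHost\s*>", re.I)


def parse_vhosts(conf_text):
    """Return (NameVirtualHost arguments, list of <VirtualHost> records)."""
    name_addrs, vhosts, current = [], [], None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        opened = OPEN.match(line)
        if opened:
            current = {"line": lineno, "addrs": opened.group(1).split(),
                       "has_servername": False}
            vhosts.append(current)
        elif CLOSE.match(line):
            current = None
        else:
            parts = line.split()
            key = parts[0].lower()  # directive names are case-insensitive
            if key == "namevirtualhost" and current is None:
                name_addrs.extend(parts[1:])
            elif key == "servername" and current is not None and len(parts) > 1:
                current["has_servername"] = True
    return name_addrs, vhosts


def lint_vhosts(conf_text):
    """Return findings in file order as (line, code, detail) tuples."""
    name_addrs, vhosts = parse_vhosts(conf_text)
    findings, default_for = [], {}
    for vh in vhosts:
        name_based = False
        for addr in vh["addrs"]:
            if addr in name_addrs:
                name_based = True
                # The first block listed for an address is the fallback for
                # every Host header that no ServerName/ServerAlias matches.
                if default_for.setdefault(addr, vh) is vh:
                    findings.append((vh["line"], "DEFAULT",
                                     f"first vhost for {addr}"))
            elif not addr.startswith("_default_"):
                # Textual comparison only (assumption of this example):
                # httpd itself resolves host names to addresses.
                findings.append((vh["line"], "ADDR_MISMATCH",
                                 f"{addr} is not a NameVirtualHost argument"))
        if name_based and not vh["has_servername"]:
            findings.append((vh["line"], "NO_SERVERNAME",
                             "name-based vhost without ServerName"))
    return findings


if __name__ == "__main__":
    for line, code, detail in lint_vhosts(SAMPLE_CONF):
        print(f"line {line}: {code}: {detail}")
```

An `ADDR_MISMATCH` finding on a deliberately IP-based virtual host is expected and can be ignored; the check is meant for files where every site is supposed to be name-based.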