Patrick
/
server_config
Следить 1
В избранное 0
Форкнуть 0
Код Задачи 0 Pull Request'ы 0 Релизы 0 Вики Активность
service configuration files that needs to be saved just incase the server got lost someday by the cloud provider.
Вы не можете выбрать более 25 тем Темы должны начинаться с буквы или цифры, могут содержать дефисы(-) и должны содержать не более 35 символов.
11 коммитов
1 ветка
42KB
Дерево: 0ec8ffcdb8
Ветки Теги
${ item.name }
Создать ветку ${ searchTerm }
из '0ec8ffcdb8'
${ noResults }
server_config/lawipac.com/etc/apache2/sites-enabled/lawipac-com-ssl.conf

179 lines
8.0KB
Исходник Blame История 

  1. <IfModule mod_ssl.c>

  2. 	<VirtualHost _default_:443>

  3. 		ServerName lawipac.com

  4. 		ServerAlias www.lawipac.com

  5. 		ServerAdmin sp@lawipac.com

  6. 

  7. 		DocumentRoot /var/www/lawipac.com/

  8. 

  9. #		Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

  10. 

  11. #	        <Directory />

  12. #        	        Options FollowSymLinks

  13. #                	AllowOverride All

  14. #	        </Directory>

  15.         	<Directory /var/www/lawipac.com/>

  16.                 	Options Indexes FollowSymLinks MultiViews

  17. 	                AllowOverride all

  18.         	        Order allow,deny

  19.                 	allow from all

  20. 	        </Directory>

  21. 

  22. #        	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

  23. #	        <Directory "/usr/lib/cgi-bin">

  24. #        	        AllowOverride None

  25. #                	Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

  26. #	                Order allow,deny

  27. #        	        Allow from all

  28. #	        </Directory>

  29. 

  30. 

  31. #/books as proxy

  32.     		ProxyPass /books http://127.0.0.1:8080/

  33.     		ProxyPassReverse /books http://127.0.0.1:8080/

  34. 

  35.     		ProxyPass /opds http://127.0.0.1:8080/opds

  36.     		ProxyPassReverse /opds http://127.0.0.1:8080/opds

  37. #draw.io as proxy

  38. 		ProxyPass /draw http://192.168.1.3:38080/

  39. 		ProxyPassReverse /draw http://192.168.1.3:38080/

  40. 

  41. 		# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,

  42. 		# error, crit, alert, emerg.

  43. 		# It is also possible to configure the loglevel for particular

  44. 		# modules, e.g.

  45. 		#LogLevel info ssl:warn

  46. 

  47. 		ErrorLog ${APACHE_LOG_DIR}/lawipac.com.error.log

  48. 		CustomLog ${APACHE_LOG_DIR}/lawipac.com.access.log combined

  49. 

  50. 		# For most configuration files from conf-available/, which are

  51. 		# enabled or disabled at a global level, it is possible to

  52. 		# include a line for only one particular virtual host. For example the

  53. 		# following line enables the CGI configuration for this host only

  54. 		# after it has been globally disabled with "a2disconf".

  55. 		#Include conf-available/serve-cgi-bin.conf

  56. 

  57. 		#   SSL Engine Switch:

  58. 		#   Enable/Disable SSL for this virtual host.

  59. 		SSLEngine on

  60. 

  61. 		#   A self-signed (snakeoil) certificate can be created by installing

  62. 		#   the ssl-cert package. See

  63. 		#   /usr/share/doc/apache2/README.Debian.gz for more info.

  64. 		#   If both key and certificate are stored in the same file, only the

  65. 		#   SSLCertificateFile directive is needed.

  66. 		#SSLCertificateFile	/etc/ssl/certs/ssl-cert-snakeoil.pem

  67. 		#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

  68. 		#SSLCertificateFile    /etc/apache2/myssl_certs/lawipac.com.crt

  69. 	        #SSLCertificateKeyFile /etc/apache2/myssl_certs/lawipac.com.key

  70. 		Include /etc/letsencrypt/options-ssl-apache.conf

  71. 

  72. 

  73. 		#   Server Certificate Chain:

  74. 		#   Point SSLCertificateChainFile at a file containing the

  75. 		#   concatenation of PEM encoded CA certificates which form the

  76. 		#   certificate chain for the server certificate. Alternatively

  77. 		#   the referenced file can be the same as SSLCertificateFile

  78. 		#   when the CA certificates are directly appended to the server

  79. 		#   certificate for convinience.

  80. 		#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

  81. 		#SSLCertificateChainFile /etc/apache2/myssl_certs/startcom_sub.class1.server.ca.pem

  82. 		#SSLCertificateChainFile /etc/apache2/myssl_certs/startcom_1_root_boundle.crt

  83. 

  84. 		#   Certificate Authority (CA):

  85. 		#   Set the CA certificate verification path where to find CA

  86. 		#   certificates for client authentication or alternatively one

  87. 		#   huge file containing all of them (file must be PEM encoded)

  88. 		#   Note: Inside SSLCACertificatePath you need hash symlinks

  89. 		#		 to point to the certificate files. Use the provided

  90. 		#		 Makefile to update the hash symlinks after changes.

  91. 		#SSLCACertificatePath /etc/ssl/certs/

  92. 		#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

  93. 

  94. 		#   Certificate Revocation Lists (CRL):

  95. 		#   Set the CA revocation path where to find CA CRLs for client

  96. 		#   authentication or alternatively one huge file containing all

  97. 		#   of them (file must be PEM encoded)

  98. 		#   Note: Inside SSLCARevocationPath you need hash symlinks

  99. 		#		 to point to the certificate files. Use the provided

  100. 		#		 Makefile to update the hash symlinks after changes.

  101. 		#SSLCARevocationPath /etc/apache2/ssl.crl/

  102. 		#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

  103. 

  104. 		#   Client Authentication (Type):

  105. 		#   Client certificate verification type and depth.  Types are

  106. 		#   none, optional, require and optional_no_ca.  Depth is a

  107. 		#   number which specifies how deeply to verify the certificate

  108. 		#   issuer chain before deciding the certificate is not valid.

  109. 		#SSLVerifyClient require

  110. 		#SSLVerifyDepth  10

  111. 

  112. 		#   SSL Engine Options:

  113. 		#   Set various options for the SSL engine.

  114. 		#   o FakeBasicAuth:

  115. 		#	 Translate the client X.509 into a Basic Authorisation.  This means that

  116. 		#	 the standard Auth/DBMAuth methods can be used for access control.  The

  117. 		#	 user name is the `one line' version of the client's X.509 certificate.

  118. 		#	 Note that no password is obtained from the user. Every entry in the user

  119. 		#	 file needs this password: `xxj31ZMTZzkVA'.

  120. 		#   o ExportCertData:

  121. 		#	 This exports two additional environment variables: SSL_CLIENT_CERT and

  122. 		#	 SSL_SERVER_CERT. These contain the PEM-encoded certificates of the

  123. 		#	 server (always existing) and the client (only existing when client

  124. 		#	 authentication is used). This can be used to import the certificates

  125. 		#	 into CGI scripts.

  126. 		#   o StdEnvVars:

  127. 		#	 This exports the standard SSL/TLS related `SSL_*' environment variables.

  128. 		#	 Per default this exportation is switched off for performance reasons,

  129. 		#	 because the extraction step is an expensive operation and is usually

  130. 		#	 useless for serving static content. So one usually enables the

  131. 		#	 exportation for CGI and SSI requests only.

  132. 		#   o OptRenegotiate:

  133. 		#	 This enables optimized SSL connection renegotiation handling when SSL

  134. 		#	 directives are used in per-directory context.

  135. 		#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

  136. 		<FilesMatch "\.(cgi|shtml|phtml|php)$">

  137. 				SSLOptions +StdEnvVars

  138. 		</FilesMatch>

  139. 		<Directory /usr/lib/cgi-bin>

  140. 				SSLOptions +StdEnvVars

  141. 		</Directory>

  142. 

  143. 		#   SSL Protocol Adjustments:

  144. 		#   The safe and default but still SSL/TLS standard compliant shutdown

  145. 		#   approach is that mod_ssl sends the close notify alert but doesn't wait for

  146. 		#   the close notify alert from client. When you need a different shutdown

  147. 		#   approach you can use one of the following variables:

  148. 		#   o ssl-unclean-shutdown:

  149. 		#	 This forces an unclean shutdown when the connection is closed, i.e. no

  150. 		#	 SSL close notify alert is send or allowed to received.  This violates

  151. 		#	 the SSL/TLS standard but is needed for some brain-dead browsers. Use

  152. 		#	 this when you receive I/O errors because of the standard approach where

  153. 		#	 mod_ssl sends the close notify alert.

  154. 		#   o ssl-accurate-shutdown:

  155. 		#	 This forces an accurate shutdown when the connection is closed, i.e. a

  156. 		#	 SSL close notify alert is send and mod_ssl waits for the close notify

  157. 		#	 alert of the client. This is 100% SSL/TLS standard compliant, but in

  158. 		#	 practice often causes hanging connections with brain-dead browsers. Use

  159. 		#	 this only for browsers where you know that their SSL implementation

  160. 		#	 works correctly.

  161. 		#   Notice: Most problems of broken clients are also related to the HTTP

  162. 		#   keep-alive facility, so you usually additionally want to disable

  163. 		#   keep-alive for those clients, too. Use variable "nokeepalive" for this.

  164. 		#   Similarly, one has to force some clients to use HTTP/1.0 to workaround

  165. 		#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and

  166. 		#   "force-response-1.0" for this.

  167. 		BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

  168. 		# MSIE 7 and newer should be able to use keepalive

  169. 		BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

  170. 

  171. 		Include /etc/letsencrypt/options-ssl-apache.conf

  172. 		SSLCertificateFile /etc/letsencrypt/live/lawipac.com/fullchain.pem

  173. SSLCertificateKeyFile /etc/letsencrypt/live/lawipac.com/privkey.pem

  174. Include /etc/letsencrypt/options-ssl-apache.conf

  175. 	</VirtualHost>

  176. </IfModule>

  177. 

  178. # vim: syntax=apache ts=4 sw=4 sts=4 sr noet