fully-qualified hyperlinks (because you have to change the URL
scheme). Using <module>mod_rewrite</module> however, you can
manipulate relative hyperlinks, to achieve the same effect.</p>
- <example>
- RewriteEngine on<br />
- RewriteRule ^/(.*)_SSL$ https://%{SERVER_NAME}/$1 [R,L]<br />
- RewriteRule ^/(.*)_NOSSL$ http://%{SERVER_NAME}/$1 [R,L]
- </example>
+ <highlight language="config">
+RewriteEngine on
+RewriteRule ^/(.*)_SSL$ https://%{SERVER_NAME}/$1 [R,L]
+RewriteRule ^/(.*)_NOSSL$ http://%{SERVER_NAME}/$1 [R,L]
+ </highlight>
<p>This rewrite ruleset lets you use hyperlinks of the form
<code><a href="document.html_SSL"></code>, to switch to HTTPS
-keyout server.key</strong></code><br />
These can be used as follows in your <code>httpd.conf</code>
file:
- <pre>
- SSLCertificateFile /path/to/this/server.crt
- SSLCertificateKeyFile /path/to/this/server.key
- </pre>
+ <highlight language="config">
+SSLCertificateFile /path/to/this/server.crt
+SSLCertificateKeyFile /path/to/this/server.key
+ </highlight>
</li>
<li>It is important that you are aware that this
<code>server.key</code> does <em>not</em> have any passphrase.
<li>You should now have two files: <code>server.key</code> and
<code>server.crt</code>. These can be used as follows in your
<code>httpd.conf</code> file:
- <pre>
- SSLCertificateFile /path/to/this/server.crt
- SSLCertificateKeyFile /path/to/this/server.key
- </pre>
+ <highlight language="config">
+SSLCertificateFile /path/to/this/server.crt
+SSLCertificateKeyFile /path/to/this/server.key
+ </highlight>
The <code>server.csr</code> file is no longer needed.
</li>
you must make sure to put the non-SSL port number on the NameVirtualHost
directive, e.g.</p>
- <example>
+ <highlight language="config">
NameVirtualHost 192.168.1.1:80
- </example>
+ </highlight>
<p>Other workaround solutions include: </p>
keep-alive connections or send the SSL close notify messages to MSIE clients.
This can be done by using the following directive in your SSL-aware
virtual host section:</p>
- <example>
- SetEnvIf User-Agent "MSIE [2-5]" \<br />
- nokeepalive ssl-unclean-shutdown \<br />
- downgrade-1.0 force-response-1.0
- </example>
+ <highlight language="config">
+SetEnvIf User-Agent "MSIE [2-5]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+ </highlight>
<p>Further, some MSIE versions have problems with particular ciphers.
Unfortunately, it is not possible to implement a MSIE-specific
workaround for this, because the ciphers are needed as early as the
<p>Your SSL configuration will need to contain, at minimum, the
following directives.</p>
-<example>
- Listen 443<br />
- <VirtualHost *:443><br />
- <indent>
- ServerName www.example.com<br />
- SSLEngine on<br />
- SSLCertificateFile /path/to/www.example.com.cert<br />
- SSLCertificateKeyFile /path/to/www.example.com.key<br />
- </indent>
- </VirtualHost>
-</example>
+<highlight language="config">
+Listen 443
+<VirtualHost *:443>
+ ServerName www.example.com
+ SSLEngine on
+ SSLCertificateFile /path/to/www.example.com.cert
+ SSLCertificateKeyFile /path/to/www.example.com.key
+</VirtualHost>
+</highlight>
</section>
<title>How can I create an SSL server which accepts strong encryption
only?</title>
<p>The following enables only the strongest ciphers:</p>
- <example><title>httpd.conf</title>
- SSLCipherSuite HIGH:!aNULL:!MD5<br />
- </example>
+ <highlight language="config">
+ SSLCipherSuite HIGH:!aNULL:!MD5
+ </highlight>
<p>While with the following configuration you specify a preference
for specific speed-optimized ciphers (which will be selected by
mod_ssl, provided that they are supported by the client):</p>
- <example><title>httpd.conf</title>
- SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5<br />
- SSLHonorCipherOrder on
- </example>
+ <highlight language="config">
+SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
+SSLHonorCipherOrder on
+ </highlight>
</section>
<section id="strongurl">
blocks, to give a per-directory solution, and can automatically force
a renegotiation of the SSL parameters to meet the new configuration.
This can be done as follows:</p>
- <example>
- # be liberal in general<br />
- SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL<br />
- <br />
- <Location /strong/area><br />
- # but https://hostname/strong/area/ and below<br />
- # requires strong ciphers<br />
- SSLCipherSuite HIGH:!aNULL:!MD5<br />
- </Location>
- </example>
+ <highlight language="config">
+# be liberal in general
+SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
+
+<Location /strong/area>
+# but https://hostname/strong/area/ and below
+# requires strong ciphers
+SSLCipherSuite HIGH:!aNULL:!MD5
+</Location>
+ </highlight>
</section>
</section>
<!-- /ciphersuites -->
need to do is to create client certificates signed by your own CA
certificate (<code>ca.crt</code>) and then verify the clients against this
certificate.</p>
- <example><title>httpd.conf</title>
- # require a client certificate which has to be directly<br />
- # signed by our CA certificate in ca.crt<br />
- SSLVerifyClient require<br />
- SSLVerifyDepth 1<br />
- SSLCACertificateFile conf/ssl.crt/ca.crt
- </example>
+ <highlight language="config">
+# require a client certificate which has to be directly
+# signed by our CA certificate in ca.crt
+SSLVerifyClient require
+SSLVerifyDepth 1
+SSLCACertificateFile conf/ssl.crt/ca.crt
+ </highlight>
</section>
<section id="arbitraryclients">
you can use the per-directory reconfiguration features of
<module>mod_ssl</module>:</p>
- <example><title>httpd.conf</title>
- SSLVerifyClient none<br />
- SSLCACertificateFile conf/ssl.crt/ca.crt<br />
- <br />
- <Location /secure/area><br />
- SSLVerifyClient require<br />
- SSLVerifyDepth 1<br />
- </Location><br />
- </example>
+ <highlight language="config">
+SSLVerifyClient none
+SSLCACertificateFile conf/ssl.crt/ca.crt
+
+<Location /secure/area>
+SSLVerifyClient require
+SSLVerifyDepth 1
+</Location>
+ </highlight>
</section>
<section id="certauthenticate">
you should establish a password database containing <em>all</em>
clients allowed, as follows:</p>
- <example><title>httpd.conf</title><pre>
+ <highlight language="config">
SSLVerifyClient none
<Directory /usr/local/apache2/htdocs/secure/area>
-
-SSLVerifyClient require
-SSLVerifyDepth 5
-SSLCACertificateFile conf/ssl.crt/ca.crt
-SSLCACertificatePath conf/ssl.crt
-SSLOptions +FakeBasicAuth
-SSLRequireSSL
-AuthName "Snake Oil Authentication"
-AuthType Basic
-AuthBasicProvider file
-AuthUserFile /usr/local/apache2/conf/httpd.passwd
-Require valid-user
-</Directory></pre>
- </example>
+ SSLVerifyClient require
+ SSLVerifyDepth 5
+ SSLCACertificateFile conf/ssl.crt/ca.crt
+ SSLCACertificatePath conf/ssl.crt
+ SSLOptions +FakeBasicAuth
+ SSLRequireSSL
+ AuthName "Snake Oil Authentication"
+ AuthType Basic
+ AuthBasicProvider file
+ AuthUserFile /usr/local/apache2/conf/httpd.passwd
+ Require valid-user
+</Directory>
+ </highlight>
<p>The password used in this example is the DES encrypted string "password".
See the <directive module="mod_ssl">SSLOptions</directive> docs for more
>SSLRequire</directive>, as follows:</p>
- <example><title>httpd.conf</title><pre>
+ <highlight language="config">
SSLVerifyClient none
<Directory /usr/local/apache2/htdocs/secure/area>
-
SSLVerifyClient require
SSLVerifyDepth 5
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
-</Directory></pre>
- </example>
+</Directory>
+ </highlight>
</section>
<section id="intranet">
This configuration should remain outside of your HTTPS virtual host, so
that it applies to both HTTPS and HTTP.</p>
- <example><title>httpd.conf</title><pre>
+ <highlight language="config">
SSLCACertificateFile conf/ssl.crt/company-ca.crt
<Directory /usr/local/apache2/htdocs>
-# Outside the subarea only Intranet access is granted
-Order deny,allow
-Deny from all
-Allow from 192.168.1.0/24
+ # Outside the subarea only Intranet access is granted
+ Order deny,allow
+ Deny from all
+ Allow from 192.168.1.0/24
</Directory>
<Directory /usr/local/apache2/htdocs/subarea>
-# Inside the subarea any Intranet access is allowed
-# but from the Internet only HTTPS + Strong-Cipher + Password
-# or the alternative HTTPS + Strong-Cipher + Client-Certificate
-
-# If HTTPS is used, make sure a strong cipher is used.
-# Additionally allow client certs as alternative to basic auth.
-SSLVerifyClient optional
-SSLVerifyDepth 1
-SSLOptions +FakeBasicAuth +StrictRequire
-SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
-
-# Force clients from the Internet to use HTTPS
-RewriteEngine on
-RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
-RewriteCond %{HTTPS} !=on
-RewriteRule . - [F]
-
-# Allow Network Access and/or Basic Auth
-Satisfy any
-
-# Network Access Control
-Order deny,allow
-Deny from all
-Allow 192.168.1.0/24
-
-# HTTP Basic Authentication
-AuthType basic
-AuthName "Protected Intranet Area"
-AuthBasicProvider file
-AuthUserFile conf/protected.passwd
-Require valid-user
-</Directory></pre>
- </example>
+ # Inside the subarea any Intranet access is allowed
+ # but from the Internet only HTTPS + Strong-Cipher + Password
+ # or the alternative HTTPS + Strong-Cipher + Client-Certificate
+
+ # If HTTPS is used, make sure a strong cipher is used.
+ # Additionally allow client certs as alternative to basic auth.
+ SSLVerifyClient optional
+ SSLVerifyDepth 1
+ SSLOptions +FakeBasicAuth +StrictRequire
+ SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
+
+ # Force clients from the Internet to use HTTPS
+ RewriteEngine on
+ RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
+ RewriteCond %{HTTPS} !=on
+ RewriteRule . - [F]
+
+ # Allow Network Access and/or Basic Auth
+ Satisfy any
+
+ # Network Access Control
+ Order deny,allow
+ Deny from all
+ Allow 192.168.1.0/24
+
+ # HTTP Basic Authentication
+ AuthType basic
+ AuthName "Protected Intranet Area"
+ AuthBasicProvider file
+ AuthUserFile conf/protected.passwd
+ Require valid-user
+</Directory>
+ </highlight>
</section>
</section>
<!-- /access control -->
projects / apache / commitdiff