From: Daniel Gruno Date: Thu, 26 Apr 2012 14:40:34 +0000 (+0000) Subject: Syntax and formatting fixings X-Git-Tag: 2.5.0-alpha~7014 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=14e7630d1848fdc08199a23270b51108890349c0;p=apache Syntax and formatting fixings git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1330881 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/ssl/ssl_faq.xml b/docs/manual/ssl/ssl_faq.xml index bd35c3dc4f..a7e36f8833 100644 --- a/docs/manual/ssl/ssl_faq.xml +++ b/docs/manual/ssl/ssl_faq.xml @@ -172,11 +172,11 @@ relative hyperlinks? fully-qualified hyperlinks (because you have to change the URL scheme). Using mod_rewrite however, you can manipulate relative hyperlinks, to achieve the same effect.

- - RewriteEngine on
- RewriteRule ^/(.*)_SSL$ https://%{SERVER_NAME}/$1 [R,L]
- RewriteRule ^/(.*)_NOSSL$ http://%{SERVER_NAME}/$1 [R,L] -
+ +RewriteEngine on +RewriteRule ^/(.*)_SSL$ https://%{SERVER_NAME}/$1 [R,L] +RewriteRule ^/(.*)_NOSSL$ http://%{SERVER_NAME}/$1 [R,L] +

This rewrite ruleset lets you use hyperlinks of the form <a href="document.html_SSL">, to switch to HTTPS @@ -253,10 +253,10 @@ Certificate for testing purposes? -keyout server.key
These can be used as follows in your httpd.conf file: -

-             SSLCertificateFile    /path/to/this/server.crt
-             SSLCertificateKeyFile /path/to/this/server.key
-        
+ +SSLCertificateFile /path/to/this/server.crt +SSLCertificateKeyFile /path/to/this/server.key +
  • It is important that you are aware that this server.key does not have any passphrase. @@ -333,10 +333,10 @@ Certificate for testing purposes?
  • You should now have two files: server.key and server.crt. These can be used as follows in your httpd.conf file: -
    -       SSLCertificateFile    /path/to/this/server.crt
    -       SSLCertificateKeyFile /path/to/this/server.key
    -       
    + +SSLCertificateFile /path/to/this/server.crt +SSLCertificateKeyFile /path/to/this/server.key + The server.csr file is no longer needed.
  • @@ -650,9 +650,9 @@ Virtual Hosting to identify different SSL virtual hosts? you must make sure to put the non-SSL port number on the NameVirtualHost directive, e.g.

    - + NameVirtualHost 192.168.1.1:80 - +

    Other workaround solutions include:

    @@ -702,11 +702,11 @@ Explorer (MSIE)? keep-alive connections or send the SSL close notify messages to MSIE clients. This can be done by using the following directive in your SSL-aware virtual host section:

    - - SetEnvIf User-Agent "MSIE [2-5]" \
    - nokeepalive ssl-unclean-shutdown \
    - downgrade-1.0 force-response-1.0 -
    + +SetEnvIf User-Agent "MSIE [2-5]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 +

    Further, some MSIE versions have problems with particular ciphers. Unfortunately, it is not possible to implement a MSIE-specific workaround for this, because the ciphers are needed as early as the diff --git a/docs/manual/ssl/ssl_howto.xml b/docs/manual/ssl/ssl_howto.xml index ebca08faa2..bada94668f 100644 --- a/docs/manual/ssl/ssl_howto.xml +++ b/docs/manual/ssl/ssl_howto.xml @@ -39,17 +39,15 @@ before progressing to the advanced techniques.

    Your SSL configuration will need to contain, at minimum, the following directives.

    - - Listen 443
    - <VirtualHost *:443>
    - - ServerName www.example.com
    - SSLEngine on
    - SSLCertificateFile /path/to/www.example.com.cert
    - SSLCertificateKeyFile /path/to/www.example.com.key
    -
    - </VirtualHost> -
    + +Listen 443 +<VirtualHost *:443> + ServerName www.example.com + SSLEngine on + SSLCertificateFile /path/to/www.example.com.cert + SSLCertificateKeyFile /path/to/www.example.com.key +</VirtualHost> + @@ -65,18 +63,18 @@ requires a strong cipher for access to a particular URL? How can I create an SSL server which accepts strong encryption only?

    The following enables only the strongest ciphers:

    - httpd.conf - SSLCipherSuite HIGH:!aNULL:!MD5
    -
    + + SSLCipherSuite HIGH:!aNULL:!MD5 +

    While with the following configuration you specify a preference for specific speed-optimized ciphers (which will be selected by mod_ssl, provided that they are supported by the client):

    - httpd.conf - SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
    - SSLHonorCipherOrder on -
    + +SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5 +SSLHonorCipherOrder on +
    @@ -90,16 +88,16 @@ URL? blocks, to give a per-directory solution, and can automatically force a renegotiation of the SSL parameters to meet the new configuration. This can be done as follows:

    - - # be liberal in general
    - SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
    -
    - <Location /strong/area>
    - # but https://hostname/strong/area/ and below
    - # requires strong ciphers
    - SSLCipherSuite HIGH:!aNULL:!MD5
    - </Location> -
    + +# be liberal in general +SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL + +<Location /strong/area> +# but https://hostname/strong/area/ and below +# requires strong ciphers +SSLCipherSuite HIGH:!aNULL:!MD5 +</Location> +
    @@ -125,13 +123,13 @@ Intranet website, for clients coming from the Internet? need to do is to create client certificates signed by your own CA certificate (ca.crt) and then verify the clients against this certificate.

    - httpd.conf - # require a client certificate which has to be directly
    - # signed by our CA certificate in ca.crt
    - SSLVerifyClient require
    - SSLVerifyDepth 1
    - SSLCACertificateFile conf/ssl.crt/ca.crt -
    + +# require a client certificate which has to be directly +# signed by our CA certificate in ca.crt +SSLVerifyClient require +SSLVerifyDepth 1 +SSLCACertificateFile conf/ssl.crt/ca.crt +
    @@ -142,15 +140,15 @@ Intranet website, for clients coming from the Internet? you can use the per-directory reconfiguration features of mod_ssl:

    - httpd.conf - SSLVerifyClient none
    - SSLCACertificateFile conf/ssl.crt/ca.crt
    -
    - <Location /secure/area>
    - SSLVerifyClient require
    - SSLVerifyDepth 1
    - </Location>
    -
    + +SSLVerifyClient none +SSLCACertificateFile conf/ssl.crt/ca.crt + +<Location /secure/area> +SSLVerifyClient require +SSLVerifyDepth 1 +</Location> +
    @@ -169,23 +167,22 @@ Intranet website, for clients coming from the Internet? you should establish a password database containing all clients allowed, as follows:

    - httpd.conf
    +    
     SSLVerifyClient      none
     <Directory /usr/local/apache2/htdocs/secure/area>
    -
    -SSLVerifyClient      require
    -SSLVerifyDepth       5
    -SSLCACertificateFile conf/ssl.crt/ca.crt
    -SSLCACertificatePath conf/ssl.crt
    -SSLOptions           +FakeBasicAuth
    -SSLRequireSSL
    -AuthName             "Snake Oil Authentication"
    -AuthType             Basic
    -AuthBasicProvider    file
    -AuthUserFile         /usr/local/apache2/conf/httpd.passwd
    -Require              valid-user
    -</Directory>
    -
    + SSLVerifyClient require + SSLVerifyDepth 5 + SSLCACertificateFile conf/ssl.crt/ca.crt + SSLCACertificatePath conf/ssl.crt + SSLOptions +FakeBasicAuth + SSLRequireSSL + AuthName "Snake Oil Authentication" + AuthType Basic + AuthBasicProvider file + AuthUserFile /usr/local/apache2/conf/httpd.passwd + Require valid-user +</Directory> +

    The password used in this example is the DES encrypted string "password". See the SSLOptions docs for more @@ -202,10 +199,9 @@ Require valid-user >SSLRequire, as follows:

    - httpd.conf
    +    
     SSLVerifyClient      none
     <Directory /usr/local/apache2/htdocs/secure/area>
    -
       SSLVerifyClient      require
       SSLVerifyDepth       5
       SSLCACertificateFile conf/ssl.crt/ca.crt
    @@ -214,8 +210,8 @@ SSLVerifyClient      none
       SSLRequireSSL
       SSLRequire       %{SSL_CLIENT_S_DN_O}  eq "Snake Oil, Ltd." \
                    and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
    -</Directory>
    -
    +</Directory> +
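Review bot: In the ssl_howto.xml @@ -214,8 hunk the example still relies on `SSLRequire %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}`, but on trunk (this commit is tagged 2.5.0-alpha, i.e. post-2.4) `SSLRequire` is deprecated in favour of `Require expr`, which accepts the same `%{SSL_CLIENT_S_DN_*}` variables. Since this commit is only reflowing the block, a follow-up should either switch the example to `Require expr` or add one sentence after it saying that `SSLRequire` is the 2.2 form and `Require expr` is preferred on 2.4 and later, so readers copying the block into a new server do not pick up a deprecated directive.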
    @@ -230,50 +226,50 @@ plain HTTP access for clients on the Intranet. This configuration should remain outside of your HTTPS virtual host, so that it applies to both HTTPS and HTTP.

    - httpd.conf
    +    
     SSLCACertificateFile conf/ssl.crt/company-ca.crt
     
     <Directory /usr/local/apache2/htdocs>
    -#   Outside the subarea only Intranet access is granted
    -Order                deny,allow
    -Deny                 from all
    -Allow                from 192.168.1.0/24
    +    #   Outside the subarea only Intranet access is granted
    +    Order                deny,allow
    +    Deny                 from all
    +    Allow                from 192.168.1.0/24
     </Directory>
     
     <Directory /usr/local/apache2/htdocs/subarea>
    -#   Inside the subarea any Intranet access is allowed
    -#   but from the Internet only HTTPS + Strong-Cipher + Password
    -#   or the alternative HTTPS + Strong-Cipher + Client-Certificate
    -
    -#   If HTTPS is used, make sure a strong cipher is used.
    -#   Additionally allow client certs as alternative to basic auth.
    -SSLVerifyClient      optional
    -SSLVerifyDepth       1
    -SSLOptions           +FakeBasicAuth +StrictRequire
    -SSLRequire           %{SSL_CIPHER_USEKEYSIZE} >= 128
    -
    -#   Force clients from the Internet to use HTTPS
    -RewriteEngine        on
    -RewriteCond          %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
    -RewriteCond          %{HTTPS} !=on
    -RewriteRule          . - [F]
    -
    -#   Allow Network Access and/or Basic Auth
    -Satisfy              any
    -
    -#   Network Access Control
    -Order                deny,allow
    -Deny                 from all
    -Allow                192.168.1.0/24
    -
    -#   HTTP Basic Authentication
    -AuthType             basic
    -AuthName             "Protected Intranet Area"
    -AuthBasicProvider    file
    -AuthUserFile         conf/protected.passwd
    -Require              valid-user
    -</Directory>
    -
    + # Inside the subarea any Intranet access is allowed + # but from the Internet only HTTPS + Strong-Cipher + Password + # or the alternative HTTPS + Strong-Cipher + Client-Certificate + + # If HTTPS is used, make sure a strong cipher is used. + # Additionally allow client certs as alternative to basic auth. + SSLVerifyClient optional + SSLVerifyDepth 1 + SSLOptions +FakeBasicAuth +StrictRequire + SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 + + # Force clients from the Internet to use HTTPS + RewriteEngine on + RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$ + RewriteCond %{HTTPS} !=on + RewriteRule . - [F] + + # Allow Network Access and/or Basic Auth + Satisfy any + + # Network Access Control + Order deny,allow + Deny from all + Allow 192.168.1.0/24 + + # HTTP Basic Authentication + AuthType basic + AuthName "Protected Intranet Area" + AuthBasicProvider file + AuthUserFile conf/protected.passwd + Require valid-user +</Directory> +
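Review bot: In the ssl_faq.xml @@ -650,9 hunk the reflowed example `NameVirtualHost 192.168.1.1:80` and the surrounding text ("put the non-SSL port number on the NameVirtualHost directive") are out of date for trunk, where `NameVirtualHost` has no effect beyond a startup warning and name-based matching is derived from the `<VirtualHost>` blocks themselves. The fix is wording only, not formatting, so it belongs in a follow-up, but the example should then show the SSL host declared with its own address and port (`<VirtualHost 192.168.1.1:443>`) instead of the `NameVirtualHost` line.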
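Review bot: In the ssl_howto.xml @@ -65,18 hunk the "speed-optimized" example `SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5` combined with `SSLHonorCipherOrder on` means the server will pick RC4-SHA ahead of AES for every client that offers it, since server preference wins when that directive is on. RC4 is a stream cipher with known keystream biases, so a documentation example that reflows this list unchanged should at least say the ordering is illustrative; preferably drop `RC4-SHA:` so the list starts at `AES128-SHA`.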
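Review bot: In the ssl_howto.xml @@ -90,16 hunk the server-wide line `SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL` is reflowed but keeps a misleading cipher string: in OpenSSL syntax a `+` prefix only moves matching suites to the end of the list and never removes them, so `+LOW:+EXP` leaves export and low-strength suites enabled (merely sorted last), while `+eNULL` is a no-op because `ALL` already excludes null-encryption suites, yet it reads as if null encryption were intended. Suggest a follow-up that changes the "liberal" string to something like `ALL:!aNULL:!eNULL:!EXP:!LOW` and keeps the `<Location /strong/area>` block with `SSLCipherSuite HIGH:!aNULL:!MD5` as the demonstration of the per-directory renegotiation that the surrounding text is actually explaining.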
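Review bot: In the ssl_howto.xml @@ -169,23 hunk the `SSLOptions +FakeBasicAuth` example, together with the trailing context sentence "The password used in this example is the DES encrypted string 'password'", should carry a caveat that the `AuthUserFile /usr/local/apache2/conf/httpd.passwd` it references must be dedicated to this FakeBasicAuth area. With FakeBasicAuth the user name is the client certificate's subject DN and the password is always that fixed string, so a file of such entries must never be reused by a `<Directory>` that performs ordinary Basic authentication without client-certificate verification; `SSLRequireSSL` and `SSLVerifyClient require` in this block are what make the fixed password safe here. One sentence after the block, pointing at the existing `SSLOptions` docs, would cover it.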
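Review bot: In the ssl_howto.xml @@ -230,50 hunk the re-indented line `Allow 192.168.1.0/24` in the `<Directory /usr/local/apache2/htdocs/subarea>` block is still missing the `from` keyword; `Allow` and `Deny` reject a first argument other than `from` at config parse time, and the first `<Directory /usr/local/apache2/htdocs>` block in the same hunk shows the correct form `Allow from 192.168.1.0/24`. Since the commit is titled as syntax fixing, this line should be corrected in the same change. A second, follow-up point for the whole block: `Order deny,allow` / `Deny from all` / `Allow from` and `Satisfy any` are the 2.2 access-control directives and on trunk require `mod_access_compat`; the 2.4 equivalent of the "Network Access and/or Basic Auth" intent is `<RequireAny>` with `Require ip 192.168.1.0/24` and `Require valid-user`, which would also remove the need for `Satisfy`.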