...
```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName www.earth.com
ServerAlias earth.com
DocumentRoot /home/www.earth.com/www
<Directory />
# This prevents use of .htaccess
AllowOverride None
</Directory>
ErrorLog /var/log/apache2/ssl_www.earth.com.error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/ssl_www.earth.com.access.log combined
# ---------------------
# Start Enable SSL
# -----------------
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# Load the signed server certificate
SSLCertificateFile /etc/ssl/certs/www.earth.com_server.signed_cert.crt
# Load the private key
SSLCertificateKeyFile /etc/ssl/private/www.earth.com_server.key
# Load the Certificate chain
SSLCertificateChainFile /etc/ssl/certs/StartCom_Class_1_Primary_Intermediate_Server_CA.crt
# Loads all Certificate Authorities in the provided path
# SSLCACertificatePath /etc/ssl/certs/
# Alternatively, load the specific Certificate Authority
# SSLCACertificateFile /etc/ssl/certs/StartCom_Certification_Authority.pem
# SSL Engine Options
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
# "MSIE [17-9]" matches MSIE 7 to 9 and 10 to 19 (and 1, but that should not be a problem)
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
# -----------------
# End Enable SSL
# ---------------------
</VirtualHost>
</IfModule>
```
Line 35 (the SSLCertificateChainFile directive) - With most modern CAs, SSLCertificateChainFile is absolutely necessary. The onus is on the server to provide the chain and also to keep it up to date.

Lines 38, 39 and 40 (the commented-out SSLCACertificatePath and SSLCACertificateFile lines) - Note the commented-out lines. I have recently learned that SSLCACertificatePath is actually not necessary. Though most instruction sites mention it, really the OS will be providing the CA certificate. Loading the certificates by path is another way of doing it; the method we use is more specific, but there are pros and cons that could be added in the future.
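Before reloading Apache with a configuration like the one above, it is worth confirming that the three files it points at actually belong together: the private key matches the certificate, the certificate chains through the intermediate to a trusted root, and the certificate is not about to expire. The script below is an added example (not part of the original page) that performs those checks with `openssl`; `make_test_pki` builds a constructed throwaway root, intermediate and server certificate in a temporary directory so it can run offline, and the file names and `check_tls_files` function are assumptions for this example.

```shell
#!/bin/sh
set -eu

# check_tls_files CERT KEY CHAIN ROOT
# Returns 0 when KEY matches CERT, CERT validates via CHAIN up to ROOT,
# and CERT will still be valid in 30 days; returns 1 otherwise.
check_tls_files() {
  cert=$1; key=$2; chain=$3; root=$4
  # Compare the public key inside the certificate with the one derived from the private key
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match certificate"; return 1; }
  # Validate the chain the way a client would: leaf -> untrusted intermediate(s) -> trusted root
  openssl verify -CAfile "$root" -untrusted "$chain" "$cert" >/dev/null 2>&1 \
    || { echo "certificate does not chain to the root"; return 1; }
  # 2592000 s = 30 days; -checkend fails if the certificate expires before then
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
    || { echo "certificate expires within 30 days"; return 1; }
  echo "ok: key matches, chain valid, not expiring soon"
}

# make_test_pki DIR: constructed throwaway PKI (root -> intermediate -> server) for testing
make_test_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.crt" \
    -subj /CN=Test-Root -days 365 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$d/inter.key" -out "$d/inter.csr" \
    -subj /CN=Test-Intermediate 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/ca.ext" -out "$d/inter.crt" -days 365 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$d/server.key" -out "$d/server.csr" \
    -subj /CN=www.earth.com 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" -CAcreateserial \
    -out "$d/server.crt" -days 365 2>/dev/null
  # An unrelated key, to show the mismatch detection
  openssl genrsa -out "$d/wrong.key" 2048 2>/dev/null
}

# Usage against a real deployment: replace the four paths with the files named by
# SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile and the CA root bundle.
# check_tls_files /etc/ssl/certs/server.crt /etc/ssl/private/server.key /etc/ssl/certs/chain.crt /etc/ssl/certs/ca-certificates.crt
```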
Note: It is not possible to run multiple SSL-enabled virtual hosts on a server with only one IP address. A separate IP address or port is necessary for each SSL-enabled domain. There are new modules that provide this functionality, but as of May 2011 it is not yet widely supported by browsers.
...