...

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost

    ServerName www.earth.com
    ServerAlias earth.com

    DocumentRoot /home/www.earth.com/www
    <Directory />
        # This prevents use of .htaccess
        AllowOverride None
    </Directory>

    ErrorLog /var/log/apache2/ssl_www.earth.com.error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/ssl_www.earth.com.access.log combined

    # ---------------------
    # Start Enable SSL
    # -----------------

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # Load the CA-signed server certificate
    SSLCertificateFile /etc/ssl/certs/www.earth.com_server.signed_cert.crt

    # Load the private key
    SSLCertificateKeyFile /etc/ssl/private/www.earth.com_server.key

    # Load the Certificate chain
    SSLCertificateChainFile /etc/ssl/certs/StartCom_Class_1_Primary_Intermediate_Server_CA.crt

    # Loads all Certificate Authorities in the provided path
    # SSLCACertificatePath /etc/ssl/certs/

    # Alternatively, load the specific Certificate Authority
    # SSLCACertificateFile /etc/ssl/certs/StartCom_Certification_Authority.pem

    # SSL Engine Options
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    # SSL Protocol Adjustments
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    # "MSIE [17-9]" matches MSIE 7 to 9 and 10 to 19 (and 1, but that should not be a problem)
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    # -----------------
    # End Enable SSL
    # ---------------------

</VirtualHost>
</IfModule>

SSLCertificateChainFile is required with most modern CAs. The CA signs server certificates with an intermediate CA rather than with its root, and clients trust only the root, so the server has to send the intermediate certificate(s) together with its own certificate; otherwise validation fails (OpenSSL reports "unable to get local issuer certificate" and browsers show a trust warning). Keeping that chain file current when the CA rotates its intermediates is the server operator's responsibility, not the client's. On Apache 2.4.8 and later, SSLCertificateChainFile is deprecated and the intermediates are instead appended, after the server certificate, to the file given to SSLCertificateFile.
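As an added example (not part of the original page, of Apache, or of any CA's material), the following script builds a throwaway root CA, intermediate CA and server certificate with openssl, then checks what a client that trusts only the root can validate with and without the intermediate. The CA names and the temporary paths are invented for the demo, www.earth.com is the page's example host, and it assumes openssl (1.1 or 3.x) is on PATH.

```shell
#!/bin/sh
# Added example, not code from the original page. Builds root -> intermediate
# -> server certificates and shows why the intermediate must be sent by the
# server. Assumes openssl on PATH; CA names and paths are invented.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# 1. Self-signed root: this is all a client's trust store would contain.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/req.cnf" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

# 2. Intermediate CA signed by the root (the role StartCom's "Class 1 Primary
#    Intermediate Server CA" plays in the vhost above).
openssl req -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
  -subj "/CN=Demo Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
printf 'basicConstraints = critical, CA:TRUE, pathlen:0\nkeyUsage = critical, keyCertSign, cRLSign\n' \
  > "$WORK/int.ext"
openssl x509 -req -sha256 -days 30 -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -extfile "$WORK/int.ext" -out "$WORK/int.crt" 2>/dev/null

# 3. Server (leaf) certificate signed by the intermediate, with SANs for both names.
openssl req -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
  -subj "/CN=www.earth.com" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:www.earth.com, DNS:earth.com\n' \
  > "$WORK/server.ext"
openssl x509 -req -sha256 -days 30 -in "$WORK/server.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
  -CAcreateserial -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null

# Apache >= 2.4.8 layout: leaf first, then intermediates, in one file that is
# handed to SSLCertificateFile instead of using SSLCertificateChainFile.
cat "$WORK/server.crt" "$WORK/int.crt" > "$WORK/fullchain.crt"

# Pre-deployment check: is the candidate chain certificate really the leaf's
# issuer? Prints yes/no. Catches a stale or wrong intermediate from the CA.
issuer_matches() {  # $1 = leaf cert, $2 = candidate issuer cert
  leaf_issuer=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
  ca_subject=$(openssl x509 -noout -subject -in "$2" | sed 's/^subject=//')
  if [ "$leaf_issuer" = "$ca_subject" ]; then echo yes; else echo no; fi
}

# What a client holding only the root can verify, given (or not given) the
# intermediates the server sent in the handshake. Prints yes/no.
leaf_verifies() {  # $1 = trusted root, $2 = leaf cert, $3 = intermediates file (optional)
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo yes || echo no
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo yes || echo no
  fi
}

echo "intermediate is the leaf's issuer:           $(issuer_matches "$WORK/server.crt" "$WORK/int.crt")"
echo "verifies with root only (no chain sent):      $(leaf_verifies "$WORK/root.crt" "$WORK/server.crt")"
echo "verifies with root + SSLCertificateChainFile: $(leaf_verifies "$WORK/root.crt" "$WORK/server.crt" "$WORK/int.crt")"
echo "verifies with root + 2.4.8-style fullchain:   $(leaf_verifies "$WORK/root.crt" "$WORK/server.crt" "$WORK/fullchain.crt")"
```

The second line of output is the failure a browser hits against a vhost that omits SSLCertificateChainFile; the issuer_matches check is the one worth running whenever the CA hands out a new intermediate, before the chain file goes into the vhost.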

Note the commented out SSLCACertificatePath and SSLCACertificateFile lines: neither is necessary here, although most how-to sites include one of them. These directives tell Apache which CAs to trust when it verifies client certificates (SSLVerifyClient); they have no effect on the chain the server presents, which browsers validate against their own (or the OS's) trust store. If client authentication is ever enabled, SSLCACertificatePath loads every CA in a hash-named directory while SSLCACertificateFile loads only the specific CA named, which is the more restrictive choice; the pros and cons of the two could be added in the future.

Note

Without Server Name Indication (SNI), it is not possible to run multiple SSL-enabled virtual hosts on a server with only one IP address: the TLS handshake, and with it the choice of certificate, happens before the client sends the Host header, so Apache can only select the certificate by IP address and port. A separate IP address or port is therefore necessary for each SSL-enabled domain. mod_ssl does support SNI (Apache 2.2.12 or later built against OpenSSL 0.9.8f or later), which lets the client name the host inside the handshake, but as of May 2011 it was not yet widely supported by browsers; a client that does not send SNI, such as Internet Explorer on Windows XP, is served the default SSL virtual host's certificate for that address and port.

...