Home Explore Help
Sign In
iimt
/
MAth-Cloud-3.0.0
1
0
Fork 0
Files Issues 1 Pull Requests 0 Wiki
Tree: 624c00c033
Branches Tags
MAth-Cloud-3...
/
debian
/
Math-Cloud-server
/
etc
/
apache2
/
sites-available
/
api.conf

api.conf 6.7 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146 
  1. <IfModule mod_ssl.c>
    2. 

  2. 	<VirtualHost _default_:443>
    3. 

  3. 		ServerAdmin webmaster@localhost
    4. 

  4. 		ServerName api.ipsocloud.com
    5. 

  5. 

  6. 		DocumentRoot /var/www/api
    7. 

  7. 

  8. 		# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    9. 

  9. 		# error, crit, alert, emerg.
    10. 

  10. 		# It is also possible to configure the loglevel for particular
    11. 

  11. 		# modules, e.g.
    12. 

  12. 		#LogLevel info ssl:warn
    13. 

  13. 

  14. 		ErrorLog ${APACHE_LOG_DIR}/error.log
    15. 

  15. 		CustomLog ${APACHE_LOG_DIR}/access.log combined
    16. 

  16. 

  17. 		# For most configuration files from conf-available/, which are
    18. 

  18. 		# enabled or disabled at a global level, it is possible to
    19. 

  19. 		# include a line for only one particular virtual host. For example the
    20. 

  20. 		# following line enables the CGI configuration for this host only
    21. 

  21. 		# after it has been globally disabled with "a2disconf".
    22. 

  22. 		#Include conf-available/serve-cgi-bin.conf
    23. 

  23. 

  24. 		#   SSL Engine Switch:
    25. 

  25. 		#   Enable/Disable SSL for this virtual host.
    26. 

  26. 		SSLEngine on
    27. 

  27. 

  28. 		#   A self-signed (snakeoil) certificate can be created by installing
    29. 

  29. 		#   the ssl-cert package. See
    30. 

  30. 		#   /usr/share/doc/apache2/README.Debian.gz for more info.
    31. 

  31. 		#   If both key and certificate are stored in the same file, only the
    32. 

  32. 		#   SSLCertificateFile directive is needed.
    33. 

  33. 		#SSLCertificateFile	/etc/ssl/certs/apache-selfsigned.crt
    34. 

  34. 		#SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
    35. 

  35. 		#SSLCACertificateFile	/etc/ssl/ipsocloud.ca
    36. 

  36. 

  37. 		#   Server Certificate Chain:
    38. 

  38. 		#   Point SSLCertificateChainFile at a file containing the
    39. 

  39. 		#   concatenation of PEM encoded CA certificates which form the
    40. 

  40. 		#   certificate chain for the server certificate. Alternatively
    41. 

  41. 		#   the referenced file can be the same as SSLCertificateFile
    42. 

  42. 		#   when the CA certificates are directly appended to the server
    43. 

  43. 		#   certificate for convinience.
    44. 

  44. 		#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
    45. 

  45. 

  46. 		#   Certificate Authority (CA):
    47. 

  47. 		#   Set the CA certificate verification path where to find CA
    48. 

  48. 		#   certificates for client authentication or alternatively one
    49. 

  49. 		#   huge file containing all of them (file must be PEM encoded)
    50. 

  50. 		#   Note: Inside SSLCACertificatePath you need hash symlinks
    51. 

  51. 		#		 to point to the certificate files. Use the provided
    52. 

  52. 		#		 Makefile to update the hash symlinks after changes.
    53. 

  53. 		#SSLCACertificatePath /etc/ssl/certs/
    54. 

  54. 		#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
    55. 

  55. 

  56. 		#   Certificate Revocation Lists (CRL):
    57. 

  57. 		#   Set the CA revocation path where to find CA CRLs for client
    58. 

  58. 		#   authentication or alternatively one huge file containing all
    59. 

  59. 		#   of them (file must be PEM encoded)
    60. 

  60. 		#   Note: Inside SSLCARevocationPath you need hash symlinks
    61. 

  61. 		#		 to point to the certificate files. Use the provided
    62. 

  62. 		#		 Makefile to update the hash symlinks after changes.
    63. 

  63. 		#SSLCARevocationPath /etc/apache2/ssl.crl/
    64. 

  64. 		#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
    65. 

  65. 

  66. 		#   Client Authentication (Type):
    67. 

  67. 		#   Client certificate verification type and depth.  Types are
    68. 

  68. 		#   none, optional, require and optional_no_ca.  Depth is a
    69. 

  69. 		#   number which specifies how deeply to verify the certificate
    70. 

  70. 		#   issuer chain before deciding the certificate is not valid.
    71. 

  71. 		#SSLVerifyClient require
    72. 

  72. 		#SSLVerifyDepth  10
    73. 

  73. 

  74. 		#   SSL Engine Options:
    75. 

  75. 		#   Set various options for the SSL engine.
    76. 

  76. 		#   o FakeBasicAuth:
    77. 

  77. 		#	 Translate the client X.509 into a Basic Authorisation.  This means that
    78. 

  78. 		#	 the standard Auth/DBMAuth methods can be used for access control.  The
    79. 

  79. 		#	 user name is the `one line' version of the client's X.509 certificate.
    80. 

  80. 		#	 Note that no password is obtained from the user. Every entry in the user
    81. 

  81. 		#	 file needs this password: `xxj31ZMTZzkVA'.
    82. 

  82. 		#   o ExportCertData:
    83. 

  83. 		#	 This exports two additional environment variables: SSL_CLIENT_CERT and
    84. 

  84. 		#	 SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
    85. 

  85. 		#	 server (always existing) and the client (only existing when client
    86. 

  86. 		#	 authentication is used). This can be used to import the certificates
    87. 

  87. 		#	 into CGI scripts.
    88. 

  88. 		#   o StdEnvVars:
    89. 

  89. 		#	 This exports the standard SSL/TLS related `SSL_*' environment variables.
    90. 

  90. 		#	 Per default this exportation is switched off for performance reasons,
    91. 

  91. 		#	 because the extraction step is an expensive operation and is usually
    92. 

  92. 		#	 useless for serving static content. So one usually enables the
    93. 

  93. 		#	 exportation for CGI and SSI requests only.
    94. 

  94. 		#   o OptRenegotiate:
    95. 

  95. 		#	 This enables optimized SSL connection renegotiation handling when SSL
    96. 

  96. 		#	 directives are used in per-directory context.
    97. 

  97. 		#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    98. 

  98. 		<FilesMatch "\.(cgi|shtml|phtml|php)$">
    99. 

  99. 				SSLOptions +StdEnvVars
    100. 

  100. 		</FilesMatch>
    101. 

  101. 		<Directory /usr/lib/cgi-bin>
    102. 

  102. 				SSLOptions +StdEnvVars
    103. 

  103. 		</Directory>
    104. 

  104. 		<Directory /var/www/api/>
    105. 

  105. 		    Options Indexes FollowSymLinks
    106. 

  106. 		    AllowOverride All
    107. 

  107. 		    SSLOptions +StdEnvVars
    108. 

  108. 		    Require all granted
    109. 

  109. 			Header set Access-Control-Allow-Origin "*"
    110. 

  110. 		</Directory>
    111. 

  111. 

  112. 		#   SSL Protocol Adjustments:
    113. 

  113. 		#   The safe and default but still SSL/TLS standard compliant shutdown
    114. 

  114. 		#   approach is that mod_ssl sends the close notify alert but doesn't wait for
    115. 

  115. 		#   the close notify alert from client. When you need a different shutdown
    116. 

  116. 		#   approach you can use one of the following variables:
    117. 

  117. 		#   o ssl-unclean-shutdown:
    118. 

  118. 		#	 This forces an unclean shutdown when the connection is closed, i.e. no
    119. 

  119. 		#	 SSL close notify alert is send or allowed to received.  This violates
    120. 

  120. 		#	 the SSL/TLS standard but is needed for some brain-dead browsers. Use
    121. 

  121. 		#	 this when you receive I/O errors because of the standard approach where
    122. 

  122. 		#	 mod_ssl sends the close notify alert.
    123. 

  123. 		#   o ssl-accurate-shutdown:
    124. 

  124. 		#	 This forces an accurate shutdown when the connection is closed, i.e. a
    125. 

  125. 		#	 SSL close notify alert is send and mod_ssl waits for the close notify
    126. 

  126. 		#	 alert of the client. This is 100% SSL/TLS standard compliant, but in
    127. 

  127. 		#	 practice often causes hanging connections with brain-dead browsers. Use
    128. 

  128. 		#	 this only for browsers where you know that their SSL implementation
    129. 

  129. 		#	 works correctly.
    130. 

  130. 		#   Notice: Most problems of broken clients are also related to the HTTP
    131. 

  131. 		#   keep-alive facility, so you usually additionally want to disable
    132. 

  132. 		#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
    133. 

  133. 		#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
    134. 

  134. 		#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
    135. 

  135. 		#   "force-response-1.0" for this.
    136. 

  136. 		# BrowserMatch "MSIE [2-6]" \
    137. 

  137. 		#		nokeepalive ssl-unclean-shutdown \
    138. 

  138. 		#		downgrade-1.0 force-response-1.0
    139. 

  139. 

  140. 		SSLCertificateFile	/etc/letsencrypt/live/api.ipsocloud.com/fullchain.pem
    141. 

  141. 		SSLCertificateKeyFile	/etc/letsencrypt/live/api.ipsocloud.com/privkey.pem
    142. 

  142. Include /etc/letsencrypt/options-ssl-apache.conf
    143. 

  143. 	</VirtualHost>
    144. 

  144. </IfModule>
    145. 

  145. 

  146. # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
    147.