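#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailed information about these
# directives see the mod_ssl documentation.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# Required modules: mod_log_config, mod_setenvif, mod_ssl,
#          socache_shmcb_module (for default value of SSLSessionCache)

#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512
# Django : 2026-02-09
# default: unset
# NOTE(review): both active seeds read /dev/random. On a platform where
# /dev/random blocks (see the warning above) the "connect" seed stalls every
# handshake until entropy is available; on such a platform the /dev/urandom
# variants listed above are the safer choice. Harmless on kernels whose
# /dev/random no longer blocks once seeded.
SSLRandomSeed startup file:/dev/random 512
SSLRandomSeed connect file:/dev/random 512

#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
Listen 443

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate,
#   and that httpd will negotiate as the client of a proxied server.
#   See the OpenSSL documentation for a complete list of ciphers, and
#   ensure these follow appropriate best practices for this deployment.
#   httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
#   while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
# Django : 2026-02-09
# default: SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
#          SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
# NOTE(review): an explicit allow-list of AEAD, forward-secret (ECDHE/DHE)
# suites replaces the keyword-based default. This list governs TLS 1.2 and
# earlier only; TLS 1.3 suites are chosen by OpenSSL's own defaults unless a
# separate "SSLCipherSuite TLSv1.3 ..." directive (httpd 2.4.36+) is added.
# The server-side and proxy-client lists are intentionally identical; keep
# them in sync when editing either one.
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLProxyCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

#   By the end of 2016, only TLSv1.2 ciphers should remain in use.
#   Older ciphers should be disallowed as soon as possible, while the
#   kRSA ciphers do not offer forward secrecy.  These changes inhibit
#   older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy
#   non-browser tooling) from successfully connecting.
#
#   To restrict mod_ssl to use only TLSv1.2 ciphers, and disable
#   those protocols which do not support forward secrecy, replace
#   the SSLCipherSuite and SSLProxyCipherSuite directives above with
#   the following two directives, as soon as practical.
#   (The explicit lists above already satisfy this: every suite in them
#   is a TLSv1.2 ECDHE/DHE suite, so no kRSA suite can be negotiated.)
# SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA

#   User agents such as web browsers are not configured for the user's
#   own preference of either security or performance, therefore this
#   must be the prerogative of the web server administrator who manages
#   cpu load versus confidentiality, so enforce the server's cipher order.
SSLHonorCipherOrder on

#   SSL Protocol support:
#   List the protocol versions which clients are allowed to connect with.
#   Disable SSLv3 by default (cf. RFC 7525 3.1.1).  TLSv1 (1.0) should be
#   disabled as quickly as practical.  By the end of 2016, only the TLSv1.2
#   protocol or later should remain in use.
# Django : 2026-02-09
# default: SSLProtocol all -SSLv3
#          SSLProxyProtocol all -SSLv3
# NOTE(review): leaves TLSv1.2 and, where the OpenSSL build supports it,
# TLSv1.3 enabled for both inbound and proxied connections.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is an internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache         "dbm:/run/httpd/ssl_scache"
SSLSessionCache        "shmcb:/run/httpd/ssl_scache(512000)"
SSLSessionCacheTimeout  300

#   Session tickets:
#   Ticket keys are generated when the server starts and live until it is
#   restarted, so a resumed session's traffic is protected by that long-lived
#   key rather than by the per-handshake ephemeral keys the cipher list above
#   was chosen for. Disable tickets so forward secrecy holds for resumed
#   sessions too; resumption still works through the session cache above.
SSLSessionTickets off

#   OCSP Stapling (requires OpenSSL 0.9.8h or later)
#
#   This feature is disabled by default and requires at least
#   the two directives SSLUseStapling and SSLStaplingCache.
#   Refer to the documentation on OCSP Stapling in the SSL/TLS
#   How-To for more information.
#
#   Enable stapling for all SSL-enabled servers:
# Django : 2026-02-09
# default: #SSLUseStapling On
SSLUseStapling On

#   Define a relatively small cache for OCSP Stapling using
#   the same mechanism that is used for the SSL session cache
#   above.  If stapling is used with more than a few certificates,
#   the size may need to be increased.  (AH01929 will be logged.)
# Django : 2026-02-09
# default: #SSLStaplingCache "shmcb:/run/httpd/ssl_stapling(32768)"
SSLStaplingCache "shmcb:/run/httpd/ssl_stapling(131072)"

#   Seconds before valid OCSP responses are expired from the cache
#SSLStaplingStandardCacheTimeout 3600

#   Seconds before invalid OCSP responses are expired from the cache
#SSLStaplingErrorCacheTimeout 600

#   With stapling enabled, an OCSP responder failure would otherwise be
#   forwarded to clients as a stapled error instead of being omitted. Staple
#   only "good" responses so a responder outage degrades to "no staple"
#   (the client falls back to its own checking) rather than to failed
#   handshakes. SSLStaplingResponderTimeout bounds how long a handshake may
#   wait on the responder if the default proves too long.
SSLStaplingReturnResponderErrors off

##
## SSL Virtual Host Context
##

# Django : 2026-02-09
# default:
# NOTE(review): the whole default vhost below is commented out, so this file
# by itself serves nothing on port 443; the VirtualHost container, the
# certificate/key paths and the per-vhost logging must come from another
# configuration file. The VirtualHost, FilesMatch and Directory container
# lines also appear to have been lost when this copy was rendered (the bare
# "#" lines at the points where they would sit); confirm against the file
# on disk before reusing this block.
#
#
# #   General setup for the virtual host
# DocumentRoot "/srv/http"
# ServerName www.example.com:443
# ServerAdmin you@example.com
# ErrorLog "/var/log/httpd/error_log"
# TransferLog "/var/log/httpd/access_log"
#
# #   SSL Engine Switch:
# #   Enable/Disable SSL for this virtual host.
# SSLEngine on
#
# #   Server Certificate:
# #   Point SSLCertificateFile at a PEM encoded certificate.  If
# #   the certificate is encrypted, then you will be prompted for a
# #   pass phrase.  Note that a kill -HUP will prompt again.  Keep
# #   in mind that if you have both an RSA and a DSA certificate you
# #   can configure both in parallel (to also allow the use of DSA
# #   ciphers, etc.)
# #   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
# #   require an ECC certificate which can also be configured in
# #   parallel.
# SSLCertificateFile "/etc/httpd/conf/server.crt"
# #SSLCertificateFile "/etc/httpd/conf/server-dsa.crt"
# #SSLCertificateFile "/etc/httpd/conf/server-ecc.crt"
#
# #   Server Private Key:
# #   If the key is not combined with the certificate, use this
# #   directive to point at the key file.  Keep in mind that if
# #   you've both a RSA and a DSA private key you can configure
# #   both in parallel (to also allow the use of DSA ciphers, etc.)
# #   ECC keys, when in use, can also be configured in parallel
# SSLCertificateKeyFile "/etc/httpd/conf/server.key"
# #SSLCertificateKeyFile "/etc/httpd/conf/server-dsa.key"
# #SSLCertificateKeyFile "/etc/httpd/conf/server-ecc.key"
#
# #   Server Certificate Chain:
# #   Point SSLCertificateChainFile at a file containing the
# #   concatenation of PEM encoded CA certificates which form the
# #   certificate chain for the server certificate. Alternatively
# #   the referenced file can be the same as SSLCertificateFile
# #   when the CA certificates are directly appended to the server
# #   certificate for convenience.
# #SSLCertificateChainFile "/etc/httpd/conf/server-ca.crt"
#
# #   Certificate Authority (CA):
# #   Set the CA certificate verification path where to find CA
# #   certificates for client authentication or alternatively one
# #   huge file containing all of them (file must be PEM encoded)
# #   Note: Inside SSLCACertificatePath you need hash symlinks
# #         to point to the certificate files. Use the provided
# #         Makefile to update the hash symlinks after changes.
# #SSLCACertificatePath "/etc/httpd/conf/ssl.crt"
# #SSLCACertificateFile "/etc/httpd/conf/ssl.crt/ca-bundle.crt"
#
# #   Certificate Revocation Lists (CRL):
# #   Set the CA revocation path where to find CA CRLs for client
# #   authentication or alternatively one huge file containing all
# #   of them (file must be PEM encoded).
# #   The CRL checking mode needs to be configured explicitly
# #   through SSLCARevocationCheck (defaults to "none" otherwise).
# #   Note: Inside SSLCARevocationPath you need hash symlinks
# #         to point to the certificate files. Use the provided
# #         Makefile to update the hash symlinks after changes.
# #SSLCARevocationPath "/etc/httpd/conf/ssl.crl"
# #SSLCARevocationFile "/etc/httpd/conf/ssl.crl/ca-bundle.crl"
# #SSLCARevocationCheck chain
#
# #   Client Authentication (Type):
# #   Client certificate verification type and depth.  Types are
# #   none, optional, require and optional_no_ca.  Depth is a
# #   number which specifies how deeply to verify the certificate
# #   issuer chain before deciding the certificate is not valid.
# #SSLVerifyClient require
# #SSLVerifyDepth  10
#
# #   TLS-SRP mutual authentication:
# #   Enable TLS-SRP and set the path to the OpenSSL SRP verifier
# #   file (containing login information for SRP user accounts).
# #   Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for
# #   detailed instructions on creating this file. Example:
# #   "openssl srp -srpvfile /etc/httpd/conf/passwd.srpv -add username"
# #SSLSRPVerifierFile "/etc/httpd/conf/passwd.srpv"
#
# #   Access Control:
# #   With SSLRequire you can do per-directory access control based
# #   on arbitrary complex boolean expressions containing server
# #   variable checks and other lookup directives.  The syntax is a
# #   mixture between C and Perl.  See the mod_ssl documentation
# #   for more details.
# #
# #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
# #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
# #
#
# #   SSL Engine Options:
# #   Set various options for the SSL engine.
# #   o FakeBasicAuth:
# #     Translate the client X.509 into a Basic Authorisation.  This means that
# #     the standard Auth/DBMAuth methods can be used for access control.  The
# #     user name is the `one line' version of the client's X.509 certificate.
# #     Note that no password is obtained from the user. Every entry in the user
# #     file needs this password: `xxj31ZMTZzkVA'.
# #   o ExportCertData:
# #     This exports two additional environment variables: SSL_CLIENT_CERT and
# #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# #     server (always existing) and the client (only existing when client
# #     authentication is used). This can be used to import the certificates
# #     into CGI scripts.
# #   o StdEnvVars:
# #     This exports the standard SSL/TLS related `SSL_*' environment variables.
# #     Per default this exportation is switched off for performance reasons,
# #     because the extraction step is an expensive operation and is usually
# #     useless for serving static content. So one usually enables the
# #     exportation for CGI and SSI requests only.
# #   o StrictRequire:
# #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# #     under a "Satisfy any" situation, i.e. when it applies access is denied
# #     and no other module can change it.
# #   o OptRenegotiate:
# #     This enables optimized SSL connection renegotiation handling when SSL
# #     directives are used in per-directory context.
# #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
#
# SSLOptions +StdEnvVars
#
#
# SSLOptions +StdEnvVars
#
#
# #   SSL Protocol Adjustments:
# #   The safe and default but still SSL/TLS standard compliant shutdown
# #   approach is that mod_ssl sends the close notify alert but doesn't wait for
# #   the close notify alert from client. When you need a different shutdown
# #   approach you can use one of the following variables:
# #   o ssl-unclean-shutdown:
# #     This forces an unclean shutdown when the connection is closed, i.e. no
# #     SSL close notify alert is sent or allowed to be received.  This violates
# #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
# #     this when you receive I/O errors because of the standard approach where
# #     mod_ssl sends the close notify alert.
# #   o ssl-accurate-shutdown:
# #     This forces an accurate shutdown when the connection is closed, i.e. a
# #     SSL close notify alert is sent and mod_ssl waits for the close notify
# #     alert of the client. This is 100% SSL/TLS standard compliant, but in
# #     practice often causes hanging connections with brain-dead browsers. Use
# #     this only for browsers where you know that their SSL implementation
# #     works correctly.
# #   Notice: Most problems of broken clients are also related to the HTTP
# #   keep-alive facility, so you usually additionally want to disable
# #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
# #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
# #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# #   "force-response-1.0" for this.
# BrowserMatch "MSIE [2-5]" \
#          nokeepalive ssl-unclean-shutdown \
#          downgrade-1.0 force-response-1.0
#
# #   Per-Server Logging:
# #   The home of a custom SSL log file. Use this when you want a
# #   compact non-error SSL logfile on a virtual host basis.
# CustomLog "/var/log/httpd/ssl_request_log" \
#           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
#
#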