TheConstructor/00-generic-ssl-proxy.apacheconf

## 00-generic-ssl-proxy.apacheconf
SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

<FilesMatch "\.(cgi|shtml|phtml|php)$">
  SSLOptions +StdEnvVars
</FilesMatch>

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is send or allowed to received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is send and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
BrowserMatch "MSIE [2-6]" \
	nokeepalive ssl-unclean-shutdown \
	downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

NameVirtualHost *:443
<VirtualHost *:443>
	ServerName ssl.example.com

	SSLEngine On

	# Jeder der https:// probiert wird ein halbes Jahr bei https://
	# bleiben, wenn sein Browser HSTS unterstützt. Siehe dazu auch
	# https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
	Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"

	ProxyPreserveHost On
	ProxyPass / http://127.0.0.1/
	ProxyPassReverse / http://127.0.0.1/
</VirtualHost>

<VirtualHost *:80>
	ServerName ssl.example.com

	RedirectPermanent / https://example.com/
</VirtualHost>

# So scripts generate https-URLs
SetEnvIf X-Forwarded-Server "^ssl.example.com$" HTTPS=on
	SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
	SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

	<FilesMatch "\.(cgi\|shtml\|phtml\|php)$">
	SSLOptions +StdEnvVars
	</FilesMatch>

	# SSL Protocol Adjustments:
	# The safe and default but still SSL/TLS standard compliant shutdown
	# approach is that mod_ssl sends the close notify alert but doesn't wait for
	# the close notify alert from client. When you need a different shutdown
	# approach you can use one of the following variables:
	# o ssl-unclean-shutdown:
	# This forces an unclean shutdown when the connection is closed, i.e. no
	# SSL close notify alert is send or allowed to received. This violates
	# the SSL/TLS standard but is needed for some brain-dead browsers. Use
	# this when you receive I/O errors because of the standard approach where
	# mod_ssl sends the close notify alert.
	# o ssl-accurate-shutdown:
	# This forces an accurate shutdown when the connection is closed, i.e. a
	# SSL close notify alert is send and mod_ssl waits for the close notify
	# alert of the client. This is 100% SSL/TLS standard compliant, but in
	# practice often causes hanging connections with brain-dead browsers. Use
	# this only for browsers where you know that their SSL implementation
	# works correctly.
	# Notice: Most problems of broken clients are also related to the HTTP
	# keep-alive facility, so you usually additionally want to disable
	# keep-alive for those clients, too. Use variable "nokeepalive" for this.
	# Similarly, one has to force some clients to use HTTP/1.0 to workaround
	# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
	# "force-response-1.0" for this.
	BrowserMatch "MSIE [2-6]" \
	nokeepalive ssl-unclean-shutdown \
	downgrade-1.0 force-response-1.0
	# MSIE 7 and newer should be able to use keepalive
	BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

	NameVirtualHost *:443
	<VirtualHost *:443>
	ServerName ssl.example.com

	SSLEngine On

	# Jeder der https:// probiert wird ein halbes Jahr bei https://
	# bleiben, wenn sein Browser HSTS unterstützt. Siehe dazu auch
	# https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
	Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"

	ProxyPreserveHost On
	ProxyPass / http://127.0.0.1/
	ProxyPassReverse / http://127.0.0.1/
	</VirtualHost>

	<VirtualHost *:80>
	ServerName ssl.example.com

	RedirectPermanent / https://example.com/
	</VirtualHost>

	# So scripts generate https-URLs
	SetEnvIf X-Forwarded-Server "^ssl.example.com$" HTTPS=on