Last active
December 20, 2015 10:39
-
-
Save TheConstructor/6117255 to your computer and use it in GitHub Desktop.
How to get all v-hosts on an apache-server HTTPS.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem | |
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key | |
<FilesMatch "\.(cgi|shtml|phtml|php)$"> | |
SSLOptions +StdEnvVars | |
</FilesMatch> | |
# SSL Protocol Adjustments: | |
# The safe and default but still SSL/TLS standard compliant shutdown | |
# approach is that mod_ssl sends the close notify alert but doesn't wait for | |
# the close notify alert from client. When you need a different shutdown | |
# approach you can use one of the following variables: | |
# o ssl-unclean-shutdown: | |
# This forces an unclean shutdown when the connection is closed, i.e. no | |
# SSL close notify alert is send or allowed to received. This violates | |
# the SSL/TLS standard but is needed for some brain-dead browsers. Use | |
# this when you receive I/O errors because of the standard approach where | |
# mod_ssl sends the close notify alert. | |
# o ssl-accurate-shutdown: | |
# This forces an accurate shutdown when the connection is closed, i.e. a | |
# SSL close notify alert is send and mod_ssl waits for the close notify | |
# alert of the client. This is 100% SSL/TLS standard compliant, but in | |
# practice often causes hanging connections with brain-dead browsers. Use | |
# this only for browsers where you know that their SSL implementation | |
# works correctly. | |
# Notice: Most problems of broken clients are also related to the HTTP | |
# keep-alive facility, so you usually additionally want to disable | |
# keep-alive for those clients, too. Use variable "nokeepalive" for this. | |
# Similarly, one has to force some clients to use HTTP/1.0 to workaround | |
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and | |
# "force-response-1.0" for this. | |
BrowserMatch "MSIE [2-6]" \ | |
nokeepalive ssl-unclean-shutdown \ | |
downgrade-1.0 force-response-1.0 | |
# MSIE 7 and newer should be able to use keepalive | |
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown | |
NameVirtualHost *:443 | |
<VirtualHost *:443> | |
ServerName ssl.example.com | |
SSLEngine On | |
# Jeder der https:// probiert wird ein halbes Jahr bei https:// | |
# bleiben, wenn sein Browser HSTS unterstützt. Siehe dazu auch | |
# https://www.owasp.org/index.php/HTTP_Strict_Transport_Security | |
Header set Strict-Transport-Security "max-age=16070400; includeSubDomains" | |
ProxyPreserveHost On | |
ProxyPass / http://127.0.0.1/ | |
ProxyPassReverse / http://127.0.0.1/ | |
</VirtualHost> | |
<VirtualHost *:80> | |
ServerName ssl.example.com | |
RedirectPermanent / https://example.com/ | |
</VirtualHost> | |
# So scripts generate https-URLs | |
SetEnvIf X-Forwarded-Server "^ssl.example.com$" HTTPS=on |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment