Magento installation on CentOS
# @author Jonathon byrd
# first things first, set your iptables for a web server. If you jack these
# up you don't want to have to re-install your os after doing much more.
# @see
# and
# @see
# (both reference links were lost from this page)
# turn off until you've got it figured out, this way you can reboot and log back in
chkconfig iptables off
# NOTE(review): "on" is not an action the iptables init script accepts
# (start/stop/restart/status/save/panic are); this line is most likely a
# no-op and can go -- verify on your release.
/etc/init.d/iptables on
# allow ssh connections before you lock out everybody lol
# keep in mind if you do anything wrong, you can now just reboot
# flush every rule; the default policies stay ACCEPT on purpose so a mistake
# further down cannot lock you out -- the explicit DROPs come at the end
iptables -F && iptables -P INPUT ACCEPT && iptables -P OUTPUT ACCEPT && iptables -P FORWARD ACCEPT
### Add your rules from the link above, here
# ssh,smtp,imap,http,https,pop3,imaps,pop3s
# inbound: new and established connections to the listed service ports on eth0.
# NOTE(review): nothing here covers connections this host opens itself
# (yum/wget/git further down, outgoing mail): those leave from an ephemeral
# source port, match neither this rule nor the OUTPUT rule below, and are
# dropped once the trailing "OUTPUT DROP" is in place. The usual fix is an
# "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" plus a
# matching INPUT rule (the lost link may have had exactly that).
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,25,143,80,443,110,993,995 -m state --state NEW,ESTABLISHED -j ACCEPT
# outbound: replies from those same service ports
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,25,143,80,110,443,993,995 -m state --state NEW,ESTABLISHED -j ACCEPT
## allow dns (udp only; the tcp/53 fallback for large answers is not covered)
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT && iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
# handling pings: answer incoming echo requests, and allow our own outgoing ones
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT && iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT && iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# manage ddos attacks
# NOTE(review): this is appended AFTER the multiport ACCEPT above, which
# already accepts every port-80 packet, so it is never reached and the limit
# has no effect. To rate-limit new connections it must come first
# ("-I INPUT", matching --state NEW) and be followed by a rule that drops
# what exceeds the limit -- on its own a limit rule only stops matching.
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
## Implement some logging so that we know what's getting dropped
iptables -N LOGGING
# everything not accepted above goes to LOGGING, which logs (rate-limited) then drops
iptables -A INPUT -j LOGGING
# --log-level 7 is "debug"; make sure syslog keeps that level or nothing shows up
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP
# once a rule affects traffic then it is no longer managed
# so if the traffic has not been accepted, block it
# (unreachable in practice: the LOGGING jump above already ends in DROP; harmless)
iptables -A INPUT -j DROP
# loopback goes to the very top of INPUT ...
iptables -I INPUT 1 -i lo -j ACCEPT
# ... but there is no "-o lo" ACCEPT in OUTPUT, so the DROP below also drops
# replies on 127.0.0.1 (anything that talks to mysql or httpd over localhost
# TCP will hang). Add "iptables -I OUTPUT 1 -o lo -j ACCEPT" before this line.
iptables -A OUTPUT -j DROP
# allow only internal port forwarding
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -P FORWARD DROP
# create an iptables config file
iptables-save > /root/dsl.fw
# the restore line below is meant to be pasted into rc.local; running it at
# the shell here is harmless. With "iptables save" writing
# /etc/sysconfig/iptables and the service enabled at boot, the rc.local
# restore is redundant.
vi /etc/rc.local
/sbin/iptables-restore < /root/dsl.fw
/etc/init.d/iptables save
## check to see if this setting is working great.
service iptables restart
## log out/in testing
chkconfig iptables on
# locking down the ssh system next.
# see
# (the ssh hardening link was lost from this page; the usual items are a
# non-root admin account, "PermitRootLogin no" and key-only logins)
# YOURNAME is a placeholder for the admin account you will ssh in as
useradd YOURNAME
# some good things in this repo
# @see
# (repo package URL lost from this page). rpm -U installs a package whose
# signing key is unknown with only a NOKEY warning, so import the repo's
# GPG key first so the signature is actually checked.
cd /tmp && rpm -Uph
# make sure we're working with the latest copy of everything
# and install the LAMP stack packages
# (yum update prompts before applying; -y is only given to the install)
yum update
# php53-* is the CentOS 5 era PHP 5.3 stack, long past upstream end of life;
# plan for a supported release before this box goes public.
yum install -y httpd php53-common php53 gd gd-devel php53-mcrypt php53-xml php53-devel php53-imap php53-soap php53-mbstring php53-mysql php-mhash php-simplexml php-dom php53-gd php-pear php-pecl-imagick php-magickwand httpd-devel gcc curl php53-curl mod_ssl pcre-devel mysql mysql-server php-mysql php-pdo
# Trim the boot-time service set to what a web server needs, then enable
# only the three daemons we depend on. chkconfig changes what starts at
# boot; the "service ... stop" loop afterwards stops the running instances
# in this session.
#
# ip6tables is switched off here: if this host carries a global IPv6
# address, none of the IPv4 rules above filter that traffic -- either keep
# ip6tables with an equivalent policy or disable IPv6 on the interface.
for svc in NetworkManager NetworkManagerDispatcher anacron atd bluetooth \
    cpuspeed cups gpm hidd ip6tables irda mdmonitor mdmpd pcscd portmap \
    yum-updatesd smartd; do
  chkconfig "$svc" off
done
for svc in sshd httpd mysqld; do
  chkconfig "$svc" on
done
# Stop the running instances now (smartd first, then the rest in the same
# order as the chkconfig list).
for svc in smartd NetworkManager NetworkManagerDispatcher anacron atd \
    bluetooth cpuspeed cups gpm hidd ip6tables irda mdmonitor mdmpd pcscd \
    portmap yum-updatesd; do
  service "$svc" stop
done
# Bring the web stack up.
for svc in httpd mysqld; do
  service "$svc" start
done
# configuring the mysql server
# NOTICE: the my-huge.cnf file sets aside a lot of resources
# (it is the sample config for a box that runs mainly MySQL; the stock
# my.cnf is kept as my.cnf.bkp)
cp /etc/my.cnf /etc/my.cnf.bkp && cp /usr/share/mysql/my-huge.cnf /etc/my.cnf
# SOMEPASSWORD is a placeholder. Passing it on the command line leaves it in
# the shell history and visible to "ps" while the command runs; running
# mysql_secure_installation instead prompts for it and also removes the
# anonymous accounts and the test database.
mysqladmin -u root password SOMEPASSWORD
# only if you're going to be setting up virtual hosts
# Mod Macro makes VirtualHosts a Breeze
# (download URL lost from this page; fetch the tarball before this step)
tar -zxvf mod_macro-latest.tar.gz
# compile, install into the modules dir and add the LoadModule line
apxs -c -i -a mod_macro-1.1.11/mod_macro.c
# this file lives under /home, not /etc/httpd/conf.d, so httpd only reads
# it if it is Include'd from there
touch /home/vhosts.conf
# my mod macro scripts are also saved here. take a second and post them
# to the /etc/httpd/conf.d directory.
# (mkdir -p /home/default/{logs,web/cgi-bin,web/webroot} does this in one go)
mkdir /home/default && mkdir /home/default/logs && mkdir /home/default/web && mkdir /home/default/web/cgi-bin && mkdir /home/default/web/webroot
touch /home/default/web/webroot/index.html
# Installing phpmyadmin
# 3.4.5 is an old, unsupported release. The vhost at the end of this page
# serves this directory on *:443 with no access restriction visible, so it
# is reachable by anyone who can reach the box: limit it by source address
# or authentication, or keep it off the public interface.
tar -C /home/default/ -zxvf phpMyAdmin-3.4.5-english.tar.gz
mv /home/default/phpMyAdmin-3.4.5-english /home/default/phpmyadmin
# I use github for everything
yum install git-core
# this runs as root, so the key lands in /root/.ssh (ssh-keygen defaults to
# ~/.ssh/id_rsa regardless of the cwd). Give it a passphrase at the prompt:
# it is a credential for the github account.
mkdir ~/.ssh && cd ~/.ssh
# the -C comment (normally your e-mail) was lost from this page
ssh-keygen -t rsa -C ""
# After adding the key to your github account you can test your connection like this
# (the github host argument was lost from this page)
ssh -T
# the config keys were lost from this page: these are user.name and user.email
git config --global "Firstname Lastname"
git config --global ""
git config --global github.user username
# the token is stored in clear text in /root/.gitconfig; anyone who can read
# that file has it. The value here is a placeholder -- use a fresh token and
# scope it to what this host needs.
git config --global github.token 0123456789yourf0123456789token
# create your users default directory setup
# (the directory names under /etc/skel/ were lost from this page --
# presumably the same logs/web/cgi-bin/webroot layout used for /home/default)
mkdir /etc/skel/ && mkdir /etc/skel/ && mkdir /etc/skel/ && mkdir /etc/skel/ && mkdir /etc/skel/
touch /etc/skel/
# create your users
useradd production
# interactive password prompt
passwd production
# apache group membership lets this account write anything that is
# group-writable by httpd, which is how the vhost docroots are shared
usermod -a -G apache production
# no ftp daemon is installed on this page; plain FTP sends the password in
# the clear, so prefer sftp over the already-open port 22 and drop this group
usermod -a -G ftp production
# A few other packages that I like to use
# Xdebug
# NOTE(review): a debugger on a production host exposes stack traces and,
# with remote debugging on, a debug port; keep it out of the production php.ini.
pear install pecl/xdebug
# IonCube
# (download URL lost from this page)
cd /tmp && wget
tar -zxvf ioncube_loaders_lin_x86-64.tar.gz
# the wizard reports server details, hence it is removed again below
cp ioncube/loader-wizard.php /home/default/web/webroot
mv ioncube /usr/src
# Paste the following line into your php.ini
# zend_extension=/usr/src/ioncube/
# (the loader file name after the trailing slash was lost from this page;
# the wizard prints the exact line for the installed php version)
vi /etc/php.ini
service httpd restart
# good: do not leave the wizard in the webroot
rm -f /home/default/web/webroot/loader-wizard.php
pecl install apc
# add the following two lines to this file
# ; Enable APC extension module
# (the second line, presumably extension=apc.so, was lost from this page)
vi /etc/php.d/apc.ini
# It's time to install magento
# Find the latest magento files here
# (link lost from this page; the "somewhere" hosts below are placeholders).
# These are plain-http downloads with no checksum step: fetch over https and
# compare against the published checksum before unpacking.
wget http://somewhere/magento-
wget http://somewhere/magento-sample-data-1.2.0.tar.bz2
# (magento archive name truncated on this page)
bunzip2 magento-
bunzip2 magento-sample-data-1.2.0.tar.bz2
tar xvf magento-sample-data-1.2.0.tar
tar xvf magento-
mv magento /var/www/html
# sample product images go into the media dir
mv catalog/ /var/www/html/magento/media/
# NOTE(review): mysqladmin's create command takes the database name directly
# ("mysqladmin create magento"); as written "database" is most likely taken
# as the name and "magento" rejected as an unknown command -- verify with
# "mysql -e 'show databases'". Also, root got a password above, so this and
# the mysql call below need "-u root -p" unless credentials come from
# ~/.my.cnf. Better still, create a dedicated magento user with rights on
# this one database and put that in local.xml.
mysqladmin create database magento
mysql magento < magento_sample_data_for_1.2.0.sql
cd /var/www/html/magento
# chgrp only changes the group; whether httpd can write depends on the group
# bits the archive shipped. Magento needs var/ and media/ writable -- grant
# g+w on those rather than opening the whole tree.
chgrp apache app
chgrp apache downloader
chgrp apache js
chgrp apache lib
chgrp apache media
chgrp apache pkginfo
chgrp apache report
chgrp apache skin
chgrp apache var
# Install the magento-cleanup.php script into your web directory, it's safer there
# (i.e. outside the webroot, so it cannot be invoked over HTTP; the PHP
# source further down reads webroot/app/etc/local.xml relative to itself)
# Add the following line to your crontab
# 1 1 * * * php /home/production/
# (script path truncated on this page)
crontab -e
# generate certificates for the web server:
# NOTE(review): $servername is never assigned on this page. If it is unset,
# every "$servername.key" below expands to ".key" -- set it first, e.g.
# servername=shop.example.com, or guard with : "${servername:?}".
# -des3 makes a passphrase-protected key; the next line writes a copy
# without the passphrase so httpd can start unattended.
openssl genrsa -des3 -out $servername.key 2048
openssl rsa -in $servername.key -out $servername.key.insecure
# the destination of the first mv was lost from this page: the encrypted
# key is being set aside, and the passphrase-less copy becomes the working key
mv $servername.key $ && mv $servername.key.insecure $servername.key
openssl req -new -key $servername.key -out $servername.csr
# self-signed for one year: browsers will warn; replace with a CA-issued
# cert before going public
openssl x509 -req -days 365 -in $servername.csr -signkey $servername.key -out $servername.crt
# the key must end up root-owned and mode 0600 in /etc/pki/tls/private --
# check after the copy, cp does not tighten it
cp $servername.crt /etc/pki/tls/certs && cp $servername.csr /etc/pki/tls/certs && cp $servername.key /etc/pki/tls/private
# RedRokk Designed vhosts macro file
# Naming the vhosts here
# | Use VHostLocalSSL $user $host $alias
# Use VHostLocalSSL production
# NOTE(review): every closing tag (</Directory>, </Location>, </Files>,
# </VirtualHost>, </Macro>) is missing from this page; each section opened
# below must be closed or httpd rejects the config. "Local" variant: all
# hosts share the stock localhost.localdomain self-signed certificate.
<Macro VHostLocalSSL $user $host $alias>
<VirtualHost *:443>
# Admin email, Server Name (domain name) and any aliases
ServerName $host
ServerAlias $alias
# Index file and Document Root (where the public files are located)
DocumentRoot /home/$user/$host/web/webroot/
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
LogLevel warn
ErrorLog /home/$user/$host/logs/ssl_error.log
CustomLog /home/$user/$host/logs/ssl_access.log combined
# AllowOverride All is needed by Magento's shipped .htaccess (rewrite rules
# and php_value settings), but "Options All" also turns on ExecCGI and
# Includes for the docroot, more than a PHP app needs;
# "Options -Indexes FollowSymLinks" is enough.
<Directory /home/$user/$host/web/webroot/>
Options All -Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
# Configuring the cgi-bin overrides
# NOTE(review): <Location> matches the request URL, not a filesystem path,
# so this block never applies to /cgi-bin/ requests; wrap the ScriptAlias
# target in <Directory /home/$user/$host/cgi-bin> instead. The path here is
# $host/cgi-bin while the <Directory> near the end of this macro uses
# $host/web/cgi-bin -- one of the two is wrong.
ScriptAlias /cgi-bin/ /home/$user/$host/cgi-bin/
<Location /home/$user/$host/cgi-bin>
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
# NOTE(review): this still permits SSLv3; "all -SSLv2 -SSLv3" is the
# minimum on any httpd that knows TLS 1.1/1.2.
SSLProtocol all -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# (no SSLCipherSuite is set in this vhost, so the value configured in
# ssl.conf is what applies -- make sure that one excludes at least the
# export and NULL ciphers)
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.localdomain.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.localdomain.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
# FakeBasicAuth and ExportCertData only do anything when a client
# certificate is verified; with SSLVerifyClient left commented out above
# they are inert here.
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars +FakeBasicAuth +ExportCertData +StrictRequire
<Directory "/home/$user/$host/web/cgi-bin">
SSLOptions +StdEnvVars
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
# (legacy MSIE workaround from the stock ssl.conf; harmless)
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# RedRokk Designed vhosts macro file
# Naming the vhosts here
# | Use VHostSSL $user $host $alias
# Use VHostSSL production
# NOTE(review): every closing tag (</Directory>, </Location>, </Files>,
# </VirtualHost>, </Macro>) is missing from this page; each section opened
# below must be closed or httpd rejects the config. This variant uses a
# per-host certificate, key and chain file named after $host.
<Macro VHostSSL $user $host $alias>
# SSL Management
<VirtualHost *:443>
# Admin email, Server Name (domain name) and any aliases
ServerName $host
ServerAlias $alias
# Index file and Document Root (where the public files are located)
DocumentRoot /home/$user/$host/web/webroot
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
LogLevel warn
ErrorLog /home/$user/$host/logs/ssl_error.log
CustomLog /home/$user/$host/logs/ssl_access.log combined
# AllowOverride All is needed by Magento's shipped .htaccess (rewrite rules
# and php_value settings), but "Options All" also turns on ExecCGI and
# Includes for the docroot, more than a PHP app needs.
<Directory /home/$user/$host/web/webroot/>
Options All -Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
# NOTE(review): AllowOverride All on the filesystem root makes httpd read
# and honour .htaccess in every directory on any path it serves. The stock
# config keeps AllowOverride None here and loosens only the docroot above.
<Directory />
Options FollowSymLinks
AllowOverride All
# Configuring the cgi-bin overrides
# NOTE(review): <Location> matches the request URL, not a filesystem path,
# so this block never applies to /cgi-bin/ requests; wrap the ScriptAlias
# target in <Directory /home/$user/$host/cgi-bin> instead.
ScriptAlias /cgi-bin/ /home/$user/$host/cgi-bin/
<Location /home/$user/$host/cgi-bin>
SSLOptions +StdEnvVars
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
# NOTE(review): this still permits SSLv3; "all -SSLv2 -SSLv3" is the
# minimum on any httpd that knows TLS 1.1/1.2.
SSLProtocol all -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# (no SSLCipherSuite is set in this vhost, so the value configured in
# ssl.conf is what applies -- make sure that one excludes at least the
# export and NULL ciphers)
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/$host.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/$host.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
# (this file must exist for every host that uses the macro; the cert
# generation step on this page does not produce a .bundle.crt)
SSLCertificateChainFile /etc/pki/tls/certs/$host.bundle.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
# NOTE(review): "require" demands a client certificate from every visitor,
# yet SSLCACertificateFile is commented out above, so there is nothing to
# verify it against -- as written no browser should be able to connect
# (unless ssl.conf sets a CA file). For a public store this should be
# "none"; keep "require" only for an admin-only host with a real CA file.
SSLVerifyClient require
SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
# With SSLVerifyClient require above, FakeBasicAuth turns the client cert
# DN into a Basic-auth user for these script types (see the note on the
# fixed password); drop it unless that is intended.
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars +FakeBasicAuth +ExportCertData +StrictRequire
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
# (legacy MSIE workaround from the stock ssl.conf; harmless)
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# RedRokk Designed vhosts macro file
# Naming the vhosts here
# | Use VHost $user $host $alias
# Use VHost production
# NOTE(review): the closing tags (</Directory>, </Location>, </VirtualHost>,
# </Macro>) are missing from this page; each section opened below must be
# closed or httpd rejects the config. Plain-http counterpart of the SSL
# macros; Magento decides itself which URLs it redirects to https.
<Macro VHost $user $host $alias>
<VirtualHost *:80>
# Admin email, Server Name (domain name) and any aliases
ServerName $host
ServerAlias $alias
# Index file and Document Root (where the public files are located)
DocumentRoot /home/$user/$host/web/webroot/
# AllowOverride All is needed by Magento's shipped .htaccess (rewrite rules
# and php_value settings), but "Options All" also turns on ExecCGI and
# Includes for the docroot, more than a PHP app needs.
<Directory /home/$user/$host/web/webroot/>
Options All -Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
# NOTE(review): AllowOverride All on the filesystem root makes httpd read
# and honour .htaccess in every directory on any path it serves. The stock
# config keeps AllowOverride None here and loosens only the docroot above.
<Directory />
Options FollowSymLinks
AllowOverride All
# Custom log file locations
LogLevel warn
ErrorLog /home/$user/$host/logs/error.log
CustomLog /home/$user/$host/logs/access.log combined
# Configuring the cgi-bin overrides
# NOTE(review): <Location> matches the request URL, not a filesystem path,
# so this block never applies to /cgi-bin/ requests; wrap the ScriptAlias
# target in <Directory /home/$user/$host/cgi-bin> instead.
ScriptAlias /cgi-bin/ /home/$user/$host/cgi-bin/
<Location /home/$user/$host/cgi-bin>
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
// Magento maintenance script: reads the DB credentials from the store's own
// app/etc/local.xml so nothing is hard-coded here. It lives one level above
// the webroot (see $basepath), i.e. outside what httpd serves.
$basepath = dirname(__file__).'/webroot/';
// LIBXML_NOCDATA: local.xml keeps its values in CDATA sections; this returns them as plain text
$xml = simplexml_load_file($basepath.'app/etc/local.xml', NULL, LIBXML_NOCDATA);
$db['host'] = $xml->global->resources->default_setup->connection->host;
$db['name'] = $xml->global->resources->default_setup->connection->dbname;
$db['user'] = $xml->global->resources->default_setup->connection->username;
$db['pass'] = $xml->global->resources->default_setup->connection->password;
// table prefix, prepended to every table name used below
$db['pref'] = $xml->global->resources->db->table_prefix;
// Truncates the log tables listed in $tables (the list itself and the
// closing braces were lost from this page).
// NOTE(review): ext/mysql (mysql_connect/mysql_query) is removed in PHP 7;
// this needs mysqli or PDO before any PHP upgrade. Table names come from
// the hard-coded $tables array plus the prefix read from local.xml, so
// nothing request-controlled reaches the query string -- keep it that way.
function clean_log_tables() {
global $db;
$tables = array(
// die(mysql_error()) prints the DB error to stdout: fine for a cron job,
// not for anything web-reachable.
mysql_connect($db['host'], $db['user'], $db['pass']) or die(mysql_error());
mysql_select_db($db['name']) or die(mysql_error());
// $k is the table name; $v is the unused array index
foreach($tables as $v => $k) {
mysql_query('TRUNCATE `'.$db['pref'].$k.'`') or die(mysql_error());
// Empties and recreates each directory listed in $dirs (presumably
// Magento's var/ subdirectories; the list and closing braces were lost
// from this page).
// NOTE(review): chmod -R 0777 makes the recreated directories
// world-writable, so every local account can plant files httpd will read.
// Group-writable (0775 with the apache group, which the chgrp step in the
// install notes sets up) is enough. The shell round-trip is also
// unnecessary: rmdir/mkdir/chmod from PHP do the same without spawning a
// shell. $k comes from the hard-coded $dirs array, never from a request --
// keep it that way, since it is interpolated into a command line.
function clean_var_directory() {
$dirs = array(
foreach($dirs as $v => $k) {
exec("rm -rf $k && mkdir $k && chmod -R 0777 $k");
# 5Twenty Studios Designed vhosts file
# domain:
# public: /home/default/web/webroot
# NOTE(review): the closing tags (</Directory>, </Location>, </VirtualHost>)
# are missing from this page; each section opened below must be closed.
NameVirtualHost *:80
# catch-all for requests that match no named vhost
<VirtualHost _default_:80>
# Admin email, Server Name (domain name) and any aliases
# NOTE(review): httpd 2.2 has no ${VAR} expansion in config files, and in
# 2.4 only Define'd/startup environment variables expand -- SERVER_ADDR is a
# per-request variable. Either way this is not the host's address; put the
# FQDN or IP here. Verify on your httpd version.
ServerName ${SERVER_ADDR}
# Index file and Document Root (where the public files are located)
DocumentRoot /home/default/web/webroot
<Directory /home/default/web/webroot/>
Options -Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
# NOTE(review): AllowOverride All on the filesystem root makes httpd read
# and honour .htaccess in every directory on any path it serves. The stock
# config keeps AllowOverride None here and loosens only the docroot above.
<Directory />
Options FollowSymLinks
AllowOverride All
# Custom log file locations
LogLevel warn
ErrorLog /home/default/logs/error.log
CustomLog /home/default/logs/access.log combined
# Configuring the cgi-bin overrides
# NOTE(review): <Location> matches the request URL, not a filesystem path,
# so this block never applies to /cgi-bin/ requests; wrap the ScriptAlias
# target in <Directory /home/default/web/cgi-bin> instead.
ScriptAlias /cgi-bin/ /home/default/web/cgi-bin/
<Location /home/default/web/cgi-bin>
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
# SSL Management
# NOTE(review): the closing tags (</Directory>, </Location>, </Files>,
# </VirtualHost>) are missing from this page; each section opened below
# must be closed. Name-based vhosts on 443 need SNI support in both httpd
# and the clients; without it every 443 request lands on the first vhost.
NameVirtualHost *:443
<VirtualHost _default_:443>
# Admin email, Server Name (domain name) and any aliases
# NOTE(review): httpd 2.2 has no ${VAR} expansion in config files, and in
# 2.4 only Define'd/startup environment variables expand -- SERVER_ADDR is a
# per-request variable. Put the FQDN or IP here; verify on your version.
ServerName ${SERVER_ADDR}
# Index file and Document Root (where the public files are located)
DocumentRoot /home/default/web/webroot
<Directory /home/default/web/webroot/>
Options -Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
# NOTE(review): AllowOverride All on the filesystem root makes httpd read
# and honour .htaccess in every directory on any path it serves. The stock
# config keeps AllowOverride None here and loosens only the docroot above.
<Directory />
Options FollowSymLinks
AllowOverride All
# Custom log file locations
LogLevel warn
ErrorLog /home/default/logs/ssl_error.log
CustomLog /home/default/logs/ssl_access.log combined
# Configuring the cgi-bin overrides
# NOTE(review): <Location> matches the request URL, not a filesystem path,
# so this block never applies to /cgi-bin/ requests; wrap the ScriptAlias
# target in <Directory /home/default/web/cgi-bin> instead.
ScriptAlias /cgi-bin/ /home/default/web/cgi-bin/
<Location /home/default/web/cgi-bin>
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
# NOTE(review): this still permits SSLv3; "all -SSLv2 -SSLv3" is the
# minimum on any httpd that knows TLS 1.1/1.2.
SSLProtocol all -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# (no SSLCipherSuite is set in this vhost, so the value configured in
# ssl.conf is what applies -- make sure that one excludes at least the
# export and NULL ciphers)
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
# (stock self-signed pair from the mod_ssl package; browsers will warn)
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
# FakeBasicAuth and ExportCertData only do anything when a client
# certificate is verified; with SSLVerifyClient left commented out above
# they are inert here.
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars +FakeBasicAuth +ExportCertData +StrictRequire
# NOTE(review): this path is /home/default/cgi-bin, but the ScriptAlias
# above points at /home/default/web/cgi-bin -- the StdEnvVars setting
# never reaches the scripts that are actually served.
<Directory "/home/default/cgi-bin">
SSLOptions +StdEnvVars
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
# (legacy MSIE workaround from the stock ssl.conf; harmless)
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
<VirtualHost *:443>
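# Admin email, Server Name (domain name) and any aliases
# Index file and Document Root (where the public files are located)
DocumentRoot /home/default/phpmyadmin/
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
LogLevel warn
ErrorLog /home/default/logs/pma.ssl_error.log
CustomLog /home/default/logs/pma.ssl_access.log combined
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# List the enabled protocol levels with which clients will be able to
# connect. SSLv2 and SSLv3 are both broken (SSLv3: POODLE), so both are
# disabled; "all" otherwise leaves whichever TLS versions the build supports.
SSLProtocol all -SSLv2 -SSLv3
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# No directive followed this header before, so the build default applied.
# This is a conservative baseline (no unauthenticated/anonymous ciphers,
# no MD5 MACs); widen it only if a client population you must support needs it.
# SSLHonorCipherOrder makes the server's preference win over the client's.
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
# NOTE(review): localhost.crt/localhost.key are the distro's self-signed
# placeholder pair; browsers will warn until they are replaced with a
# certificate issued for the real server name.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
# The closing </Files> and </Directory> tags were missing; httpd refuses to
# start on an unclosed container, so they are restored here.
# NOTE(review): +FakeBasicAuth only takes effect once client certificates are
# verified (SSLVerifyClient is commented out above). If that is enabled later,
# any htpasswd-style file it is paired with must carry the fixed password
# described under FakeBasicAuth.
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars +FakeBasicAuth +ExportCertData +StrictRequire
</Files>
<Directory "/home/default/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is sent or allowed to be received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is sent and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
# NOTE(review): ".*MSIE.*" matches every IE version, so the workarounds also
# hit releases that do not need them; narrow the pattern if keep-alive matters.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Load Virtual Host Files
# Normally this is where I declare all of my mod macro calls
# The rest of your Virtual Hosts should be declared after your defaults here
Include /home/vhosts.conf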
