| 1 |
4926
|
daigle
|
<IfModule mod_ssl.c>
|
| 2 |
4990
|
tao
|
NameVirtualHost *:443
|
| 3 |
4926
|
daigle
|
<VirtualHost *:443>
|
| 4 |
8265
|
leinfelder
|
DocumentRoot /var/lib/tomcat6/webapps/metacat
|
| 5 |
4926
|
daigle
|
|
| 6 |
8265
|
leinfelder
|
ScriptAlias /metacat/cgi-bin/ /var/lib/tomcat6/webapps/metacat/cgi-bin/
|
| 7 |
|
|
<Directory "/var/lib/tomcat6/webapps/metacat/cgi-bin/">
|
| 8 |
4926
|
daigle
|
AllowOverride All
|
| 9 |
|
|
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
|
| 10 |
|
|
Order allow,deny
|
| 11 |
|
|
Allow from all
|
| 12 |
|
|
</Directory>
|
| 13 |
|
|
|
| 14 |
9521
|
cjones
|
<IfModule mod_rewrite.c>
|
| 15 |
|
|
RewriteEngine on
|
| 16 |
|
|
RewriteCond %{HTTP:Authorization} ^(.*)
|
| 17 |
|
|
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
|
| 18 |
|
|
</IfModule>
|
| 19 |
|
|
|
| 20 |
4926
|
daigle
|
<IfModule mod_jk.c>
|
| 21 |
8265
|
leinfelder
|
JkMount /metacat ajp13
|
| 22 |
|
|
JkMount /metacat/* ajp13
|
| 23 |
|
|
JkMount /metacat/metacat ajp13
|
| 24 |
4926
|
daigle
|
JkMount /*.jsp ajp13
|
| 25 |
8265
|
leinfelder
|
JkUnMount /metacat/cgi-bin/* ajp13
|
| 26 |
7052
|
pippin
|
|
| 27 |
|
|
JkOptions +ForwardURICompatUnparsed
|
| 28 |
4926
|
daigle
|
</IfModule>
|
| 29 |
7052
|
pippin
|
|
| 30 |
|
|
AllowEncodedSlashes On
|
| 31 |
|
|
AcceptPathInfo On
|
| 32 |
6812
|
leinfelder
|
|
| 33 |
4926
|
daigle
|
# SSL Engine Switch:
|
| 34 |
|
|
# Enable/Disable SSL for this virtual host.
|
| 35 |
|
|
SSLEngine on
|
| 36 |
7357
|
leinfelder
|
SSLOptions +StrictRequire +StdEnvVars +ExportCertData
|
| 37 |
6812
|
leinfelder
|
|
| 38 |
4926
|
daigle
|
# A self-signed (snakeoil) certificate can be created by installing
|
| 39 |
|
|
# the ssl-cert package. See
|
| 40 |
|
|
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
|
| 41 |
|
|
# If both key and certificate are stored in the same file, only the
|
| 42 |
|
|
# SSLCertificateFile directive is needed.
|
| 43 |
|
|
SSLCertificateFile /etc/ssl/certs/<your_cert_name>.crt
|
| 44 |
|
|
SSLCertificateKeyFile /etc/ssl/private/<your_cert_name>.key
|
| 45 |
8289
|
leinfelder
|
SSLCertificateChainFile /etc/ssl/certs/<CA chain file>.crt
|
| 46 |
6812
|
leinfelder
|
|
| 47 |
|
|
# Certificate Authority (CA):
|
| 48 |
|
|
# Set the CA certificate verification path where to find CA
|
| 49 |
|
|
# certificates for client authentication or alternatively one
|
| 50 |
|
|
# huge file containing all of them (file must be PEM encoded)
|
| 51 |
|
|
# Note: Inside SSLCACertificatePath you need hash symlinks
|
| 52 |
|
|
# to point to the certificate files. Use the provided
|
| 53 |
|
|
# Makefile to update the hash symlinks after changes.
|
| 54 |
8707
|
leinfelder
|
# Use the correct DataONE chain for validating client certificates
|
| 55 |
|
|
# see: https://repository.dataone.org/software/tools/trunk/ca
|
| 56 |
6812
|
leinfelder
|
SSLCACertificatePath /etc/ssl/certs/
|
| 57 |
8707
|
leinfelder
|
#SSLCACertificateFile /etc/ssl/certs/DataONECAChain.crt
|
| 58 |
|
|
SSLVerifyClient optional
|
| 59 |
|
|
SSLVerifyDepth 10
|
| 60 |
6812
|
leinfelder
|
|
| 61 |
|
|
# Client Authentication (Type):
|
| 62 |
|
|
# Client certificate verification type and depth. Types are
|
| 63 |
|
|
# none, optional, require and optional_no_ca. Depth is a
|
| 64 |
|
|
# number which specifies how deeply to verify the certificate
|
| 65 |
|
|
# issuer chain before deciding the certificate is not valid.
|
| 66 |
8265
|
leinfelder
|
<Location /metacat/servlet/replication>
|
| 67 |
6812
|
leinfelder
|
SSLVerifyClient require
|
| 68 |
|
|
SSLVerifyDepth 10
|
| 69 |
|
|
</Location>
|
| 70 |
4926
|
daigle
|
|
| 71 |
9270
|
leinfelder
|
# disable SSL v2 and v3
|
| 72 |
|
|
# intermediate configuration from https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
| 73 |
|
|
SSLProtocol all -SSLv2 -SSLv3
|
| 74 |
|
|
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
|
| 75 |
|
|
SSLHonorCipherOrder on
|
| 76 |
|
|
|
| 77 |
4926
|
daigle
|
</VirtualHost>
|
| 78 |
|
|
</IfModule>
|