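# HTTPS (port 443) virtual host for the Metacat webapp. Requests under /metacat
# are forwarded to Tomcat through mod_jk, except /metacat/cgi-bin/, which Apache
# runs itself as CGI. The whole block is skipped when mod_ssl is not loaded.
<IfModule mod_ssl.c>
NameVirtualHost *:443
<VirtualHost *:443>
        DocumentRoot /var/lib/tomcat6/webapps/metacat

        #   The DocumentRoot is the exploded webapp, and only paths matched by
        #   the JkMount rules below go to Tomcat. Deny direct Apache access to
        #   the webapp's private directories so that their contents are never
        #   served as static files.
        <Directory "/var/lib/tomcat6/webapps/metacat/WEB-INF">
                Order deny,allow
                Deny from all
        </Directory>
        <Directory "/var/lib/tomcat6/webapps/metacat/META-INF">
                Order deny,allow
                Deny from all
        </Directory>

        ScriptAlias /metacat/cgi-bin/ /var/lib/tomcat6/webapps/metacat/cgi-bin/
        #   CGI directory, open to all clients (Apache 2.2 Order/Allow syntax).
        #   NOTE(review): "AllowOverride All" lets any .htaccess file in this
        #   executable directory override the settings below; narrow it if no
        #   override is actually needed.
        <Directory "/var/lib/tomcat6/webapps/metacat/cgi-bin/">
                AllowOverride All
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        #   Copy the request's Authorization header into the HTTP_AUTHORIZATION
        #   environment variable so that CGI scripts can read it. The pattern
        #   ^(.*) also matches an empty value. The rule is set at virtual-host
        #   level, so the credentials are exposed to every handler of this host.
        <IfModule mod_rewrite.c>
                RewriteEngine on
                RewriteCond %{HTTP:Authorization} ^(.*)
                RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
        </IfModule>

        #   Forward Metacat and *.jsp requests to the "ajp13" worker; cgi-bin is
        #   unmounted so that Apache keeps handling it.
        <IfModule mod_jk.c>
                JkMount /metacat ajp13
                JkMount /metacat/* ajp13
                JkMount /metacat/metacat ajp13
                JkMount /*.jsp ajp13
                JkUnMount /metacat/cgi-bin/* ajp13

                #   Forward the original, unparsed request URI to Tomcat.
                JkOptions +ForwardURICompatUnparsed
        </IfModule>

        #   Accept %2F in URLs and trailing path info.
        #   NOTE(review): with encoded slashes accepted and the raw URI sent on
        #   to Tomcat, Apache and Tomcat may normalise a path differently, so
        #   do not rely on the <Location> match below as the only access
        #   control; the webapp should enforce authorization itself.
        AllowEncodedSlashes On
        AcceptPathInfo      On

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on
        #   StdEnvVars and ExportCertData publish the TLS session details and
        #   the PEM-encoded certificates as environment variables for every
        #   request of this virtual host.
        SSLOptions +StrictRequire +StdEnvVars +ExportCertData

        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        #   Keep the private key file readable by root only.
        SSLCertificateFile /etc/ssl/certs/<your_cert_name>.crt
        SSLCertificateKeyFile /etc/ssl/private/<your_cert_name>.key
        SSLCertificateChainFile /etc/ssl/certs/<CA chain file>.crt

        #   Certificate Authority (CA):
        #   Set the CA certificate verification path where to find CA
        #   certificates for client authentication or alternatively one
        #   huge file containing all of them (file must be PEM encoded)
        #   Note: Inside SSLCACertificatePath you need hash symlinks
        #         to point to the certificate files. Use the provided
        #         Makefile to update the hash symlinks after changes.
        # Use the correct DataONE chain for validating client certificates
        # see: https://repository.dataone.org/software/tools/trunk/ca
        #   NOTE(review): as shipped, SSLCACertificatePath points at the whole
        #   /etc/ssl/certs/ directory, so a client certificate issued by any CA
        #   stored there passes verification, including on the replication
        #   endpoint below. Enable the SSLCACertificateFile line with the
        #   DataONE chain to restrict the accepted issuers, and have the
        #   application check the certificate subject.
        SSLCACertificatePath /etc/ssl/certs/
        #SSLCACertificateFile /etc/ssl/certs/DataONECAChain.crt
        SSLVerifyClient optional
        SSLVerifyDepth  10

        #   Client Authentication (Type):
        #   Client certificate verification type and depth.  Types are
        #   none, optional, require and optional_no_ca.  Depth is a
        #   number which specifies how deeply to verify the certificate
        #   issuer chain before deciding the certificate is not valid.
        #   The replication servlet is the only path where a client
        #   certificate is mandatory; elsewhere it is optional.
        <Location /metacat/servlet/replication>
                SSLVerifyClient require
                SSLVerifyDepth  10
        </Location>

        # disable SSL v2 and v3
        # intermediate configuration from https://mozilla.github.io/server-side-tls/ssl-config-generator/
        # NOTE(review): "all -SSLv2 -SSLv3" still leaves TLS 1.0 and 1.1
        # enabled; also disable them once every client supports TLS 1.2.
        SSLProtocol             all -SSLv2 -SSLv3
        # 3DES (DES-CBC3-SHA) has been removed from the list and excluded with
        # !3DES: it is a 64-bit block cipher and is no longer considered safe
        # for TLS. Clients that can only negotiate 3DES will fail to connect.
        SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
        # Prefer the server's cipher order over the client's.
        SSLHonorCipherOrder     on

</VirtualHost>
</IfModule>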