NameVirtualHost *:443 DocumentRoot /var/lib/tomcat6/webapps/metacat ScriptAlias /metacat/cgi-bin/ /var/lib/tomcat6/webapps/metacat/cgi-bin/ AllowOverride All Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all JkMount /metacat ajp13 JkMount /metacat/* ajp13 JkMount /metacat/metacat ajp13 JkMount /*.jsp ajp13 JkUnMount /metacat/cgi-bin/* ajp13 JkOptions +ForwardURICompatUnparsed AllowEncodedSlashes On AcceptPathInfo On # SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on SSLOptions +StrictRequire +StdEnvVars +ExportCertData # A self-signed (snakeoil) certificate can be created by installing # the ssl-cert package. See # /usr/share/doc/apache2.2-common/README.Debian.gz for more info. # If both key and certificate are stored in the same file, only the # SSLCertificateFile directive is needed. SSLCertificateFile /etc/ssl/certs/.crt SSLCertificateKeyFile /etc/ssl/private/.key SSLCertificateChainFile /etc/ssl/certs/.crt # Certificate Authority (CA): # Set the CA certificate verification path where to find CA # certificates for client authentication or alternatively one # huge file containing all of them (file must be PEM encoded) # Note: Inside SSLCACertificatePath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. # Use the correct DataONE chain for validating client certificates # see: https://repository.dataone.org/software/tools/trunk/ca SSLCACertificatePath /etc/ssl/certs/ #SSLCACertificateFile /etc/ssl/certs/DataONECAChain.crt SSLVerifyClient optional SSLVerifyDepth 10 # Client Authentication (Type): # Client certificate verification type and depth. Types are # none, optional, require and optional_no_ca. Depth is a # number which specifies how deeply to verify the certificate # issuer chain before deciding the certificate is not valid. SSLVerifyClient require SSLVerifyDepth 10 # disable SSL v2 and v3 # intermediate configuration from https://mozilla.github.io/server-side-tls/ssl-config-generator/ SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA SSLHonorCipherOrder on