# Auszug aus httpd.conf
# BEISPIEL-Konfiguration eines http + https Servers

# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the VirtualHost command

<IfModule mod_ssl.c>
Listen 80
Listen 443


##  SSL Support
##  Note that all SSL options can apply to virtual hosts, which
##  is where we are going to put them now. We disable SSL globally
##  and enable only inside a virtual host only.

#   we disable SSL globally
SSLEngine off

#   configure the path/port for the SSL session cache server [RECOMMENDED].
#   Additionally sets the session cache timeout, in seconds (set to 15 for
#   testing, use a higher value in real life) [RECOMMENDED]
SSLSessionCache    shmcb:/var/cache/mod_ssl/scache
SSLSessionCacheTimeout 300
SSLMutex default

#   Pseudo Random Number Generator (PRNG):
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512

SSLCryptoDevice builtin

# Enthält Zertifikatskette unserer CA:
# Auch hier erhältlich: http://www.tu-chemnitz.de/urz/ca/ca-cert/ca-chain.crt
SSLCertificateChainFile /etc/pki/tls/certs/ca-chain.crt

SSLVerifyClient none

# kein SSLv2 und schwache ciphers - unsicher
SSLProtocol all -SSLv2
# 2011-11-24 fri: RC4 favorisieren nach BEAST-Angriffen
SSLHonorCipherOrder on
SSLCipherSuite !aNULL:!eNULL:!EXPORT:!ADH:!DSS:!DES:RC4-SHA:RC4-MD5:ALL

</IfModule>

NameVirtualHost *

# Der eigentliche www-Server
# wird nur gebraucht, um DEN konkreten Rechner anzusprechen, 
<VirtualHost *>
ServerName www.tu-chemnitz.de
</VirtualHost>

# Nun SSL = https:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerName www.abc.tu-chemnitz.de
#   enable SSL for this virtual host
SSLEngine on

# Datei mit dem privaten Schlüsel - sichere UNIX-Rechte!!!
SSLCertificateKeyFile   /etc/pki/tls/private/server.key
# Datei mit dem Zertifikat:
SSLCertificateFile      /etc/pki/tls/certs/server.crt

#   set client verification level: [RECOMMENDED]
#   0|none:           no certificate is required
#   1|optional:       the client may  present a valid certificate
#   2|require:        the client must present a valid certificate
#   3|optional_no_ca: the client may  present a valid certificate
#                     but it is not required to have a valid CA
SSLVerifyClient none

CustomLog "|/usr/sbin/cronolog /var/log/httpd/%Y-%m-%d/ssl_access.log" combined
ErrorLog  "|/usr/sbin/cronolog /var/log/httpd/%Y-%m-%d/ssl_errors.log"

# MSIE is often broken in SSL :-(
SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>