# Auszug aus httpd.conf
# BEISPIEL-Konfiguration eines http + https Servers

# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the VirtualHost command

<IfModule mod_ssl.c>
    Listen 80
    Listen 443


    ##  SSL Support
    ##  Note that all SSL options can apply to virtual hosts, which
    ##  is where we are going to put them now. We disable SSL globally
    ##  and enable only inside a virtual host only.

    #   we disable SSL globally
    SSLEngine off

    #   configure the path/port for the SSL session cache server [RECOMMENDED].
    #   Additionally sets the session cache timeout, in seconds (set to 15 for
    #   testing, use a higher value in real life) [RECOMMENDED]
    SSLSessionCache    shmcb:/var/cache/mod_ssl/scache
    SSLSessionCacheTimeout 300
    SSLMutex default

    #   Pseudo Random Number Generator (PRNG):
    SSLRandomSeed startup file:/dev/urandom 512
    SSLRandomSeed connect builtin

    SSLCryptoDevice builtin

    # Enthält Zertifikatskette unserer CA:
    # Auch hier erhältlich: https://www.tu-chemnitz.de/urz/security/ca/rsrc/ca-chain2-noroot.crt
    SSLCertificateChainFile /etc/pki/tls/certs/ca-chain2-noroot.crt

    SSLVerifyClient none

    # kein SSLv2/v3, TLSv1.0/1.1 und schwache Ciphers - unsicher
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    SSLCompression off
    # Hinweise von https://wiki.mozilla.org/Security/Server_Side_TLS
    # Intermediate compatibility
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
</IfModule>

NameVirtualHost *

# Der eigentliche www-Server
# wird nur gebraucht, um DEN konkreten Rechner anzusprechen
<VirtualHost *>
    ServerName www.abc.tu-chemnitz.de
</VirtualHost>

# Nun SSL = https:
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerName www.abc.tu-chemnitz.de
        #   enable SSL for this virtual host
        SSLEngine on
        
        # Datei mit dem privaten Schlüsel - sichere UNIX-Rechte!
        #   z.B. chown root.root /etc/pki/tls/private/server.key
        #        chmod 400 /etc/pki/tls/private/server.key
        SSLCertificateKeyFile   /etc/pki/tls/private/server.key
        # Datei mit dem Zertifikat:
        SSLCertificateFile      /etc/pki/tls/certs/server.crt
        
        #   set client verification level: [RECOMMENDED]
        #   0|none:           no certificate is required
        #   1|optional:       the client may  present a valid certificate
        #   2|require:        the client must present a valid certificate
        #   3|optional_no_ca: the client may  present a valid certificate
        #                     but it is not required to have a valid CA
        SSLVerifyClient none
        CustomLog logs/ssl_access_log combined
        ErrorLog  logs/ssl_error_log
    </VirtualHost>
</IfModule>