# Excerpt from httpd.conf
# EXAMPLE configuration of an http + https server
#
# NOTE(review): this excerpt looks flattened by extraction. The comments
# below refer to "this virtual host" and NameVirtualHost is set, but no
# <VirtualHost ...> container lines are visible, so the two ServerName
# lines and the per-host SSL directives currently read as global
# directives (last ServerName wins). Confirm the containers before reuse.
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the VirtualHost command
Listen 80
Listen 443
## SSL Support
## Note that all SSL options can apply to virtual hosts, which
## is where we are going to put them now. We disable SSL globally
## and enable it only inside a virtual host.
# SSL is disabled globally; it is switched on per virtual host further down
SSLEngine off
# configure the path/port for the SSL session cache server [RECOMMENDED].
# Additionally sets the session cache timeout, in seconds (set to 15 for
# testing, use a higher value in real life) [RECOMMENDED]
# The value used here is 300 seconds (5 minutes).
SSLSessionCache shmcb:/var/cache/mod_ssl/scache
SSLSessionCacheTimeout 300
# NOTE(review): SSLMutex is an httpd 2.2 directive; in httpd 2.4 it was
# replaced by the generic Mutex directive and this line is rejected at
# startup. Check which httpd version this example targets.
SSLMutex default
# Pseudo Random Number Generator (PRNG):
# seed from the kernel RNG at startup, builtin seeding per connection
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
# Contains the certificate chain of our CA (intermediates, no root):
# Also available here: https://www.tu-chemnitz.de/urz/security/ca/rsrc/ca-chain2-noroot.crt
# NOTE(review): SSLCertificateChainFile is deprecated since httpd 2.4.8;
# there the chain can be appended to the SSLCertificateFile instead.
SSLCertificateChainFile /etc/pki/tls/certs/ca-chain2-noroot.crt
# no client certificate required at the global level (repeated per vhost below)
SSLVerifyClient none
# no SSLv2/v3, no TLSv1.0/1.1 and no weak ciphers - these are insecure
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# the server's cipher preference order wins over the client's
SSLHonorCipherOrder On
# TLS-level compression stays off (compression of encrypted traffic
# leaks plaintext; see the CRIME attack)
SSLCompression off
# Hints from https://wiki.mozilla.org/Security/Server_Side_TLS
# Intermediate compatibility
# (ECDHE/DHE only, i.e. forward secrecy; AEAD ciphers only)
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# NOTE(review): NameVirtualHost is obsolete in httpd 2.4 (name-based
# virtual hosts are automatic there) and only causes a startup warning.
NameVirtualHost *
# The actual www server (plain http)
# only needed to address THIS specific machine by name
ServerName www.abc.tu-chemnitz.de
# Now SSL = https:
ServerName www.abc.tu-chemnitz.de
# enable SSL for this virtual host
SSLEngine on
# File holding the private key - restrict the UNIX permissions!
# e.g. chown root.root /etc/pki/tls/private/server.key
# chmod 400 /etc/pki/tls/private/server.key
# (root-only read works because httpd normally loads the key while still
# running as root at startup, before switching to its unprivileged user)
SSLCertificateKeyFile /etc/pki/tls/private/server.key
# File holding the certificate:
SSLCertificateFile /etc/pki/tls/certs/server.crt
# set client verification level: [RECOMMENDED]
# 0|none: no certificate is required
# 1|optional: the client may present a valid certificate
# 2|require: the client must present a valid certificate
# 3|optional_no_ca: the client may present a valid certificate
# but it is not required to have a valid CA
SSLVerifyClient none
# separate access/error logs for the https host (paths relative to ServerRoot)
CustomLog logs/ssl_access_log combined
ErrorLog logs/ssl_error_log