

apache 2.4 の ssl設定 (conf/extra/httpd-ssl.conf)のオレオレ サンプル

以下の内容で ssl 化できるはず。起動時にパスフレーズを聞かれないのは SSLPassPhraseDialog builtin のおかげではなく、秘密鍵ファイルをパスフレーズなしで保存しているため。その分、鍵ファイルは root のみが読める権限 (0600) にしておくこと。

自分用メモ

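# Global mod_ssl settings (server-config context), shared by every TLS vhost.
Listen 443 https


# Pass-phrase prompt for encrypted private keys. "builtin" asks on the
# controlling terminal at startup; the prompt only disappears when the key
# file itself is stored unencrypted -- in that case the file must be
# readable by root only (chmod 0600), since it is the whole secret.
#SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLPassPhraseDialog builtin


# Inter-process session cache so resumed handshakes work across workers.
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300


# Seed the PRNG from the kernel at startup: "builtin" only mixes in the PID
# and current time, which the mod_ssl docs describe as a weak seed.
# /dev/urandom never blocks, so it is safe to read at boot; /dev/random
# can stall the start-up on a fresh or entropy-starved machine.
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512


# TLS-level compression enables the CRIME attack; keep it off explicitly
# even though httpd >= 2.4.3 defaults to off.
SSLCompression off

# Optional (httpd >= 2.4.11): disable session tickets. The ticket key is
# never rotated for the life of the process, which weakens forward secrecy.
#SSLSessionTickets off


# Use OpenSSL's software crypto; only change this for a real HSM/engine.
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec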

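<VirtualHost _default_:443>

#DocumentRoot "/var/www/html"
ServerName www.sexy-example.com:443

# NOTE(review): the error/access logs live under /data/sexyexample/logs but
# ssl_request_log below is under /var/log/sexyexample/httpd/logs; both
# directories must exist or httpd refuses to start.
ErrorLog /data/sexyexample/logs/ssl_error_log
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
TransferLog /data/sexyexample/logs/ssl_access_log
LogLevel warn

SSLEngine on

# TLS 1.0 and 1.1 are deprecated (RFC 8996); allow only 1.2. On
# httpd >= 2.4.36 built against OpenSSL >= 1.1.1 add "+TLSv1.3" as well
# (older builds reject that keyword at startup, so it is not listed here).
SSLProtocol -All +TLSv1.2

# "HIGH:MEDIUM:!aNULL:!MD5" still admitted RC4, 3DES, SEED/IDEA and static
# RSA key exchange (no forward secrecy). Exclude those plus the NULL ciphers
# and let the server, not the client, pick the suite.
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!SEED:!IDEA:!kRSA
SSLHonorCipherOrder on

# Server certificate and its private key. The key is stored without a
# pass-phrase so nothing is asked at startup; it must therefore be owned
# by root with mode 0600 -- httpd reads it before dropping privileges.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/httpd/cert/sexyexample_crt.pem

#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/httpd/cert/sexyexample_key.pem

# Intermediate CA chain. SSLCertificateChainFile is deprecated since
# httpd 2.4.8; the chain can instead be appended to SSLCertificateFile.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
SSLCertificateChainFile /etc/httpd/cert/sexyexample.cer

# HSTS: tell browsers to use HTTPS only for this host for one year.
# Needs mod_headers (guarded so the config still loads without it).
# Do not add "includeSubDomains" until every subdomain is served over TLS.
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000"
</IfModule>


# Legacy workaround for MSIE 2-5 SSL bugs; harmless today and may be deleted.
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

# Per-request TLS log: records the protocol version and cipher negotiated,
# useful to confirm no client still depends on a suite removed above.
CustomLog /var/log/sexyexample/httpd/logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>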