Produced by Araxis Merge on 4/18/2019 5:55:28 PM Eastern Daylight Time. See www.araxis.com for information about Merge. This report uses XHTML and CSS2, and is best viewed with a modern standards-compliant browser. For optimum results when printing this report, use landscape orientation and enable printing of background images and colours in your browser.
| # | Location | File | Last Modified |
|---|---|---|---|
| 1 | MCCF_EDI_TAS_TASCore v2.0_Build_10.zip\MCCF_EDI_TAS_DevOps\mccf_devops\templates\ci-server | ssl.conf.j2 | Wed Apr 3 02:27:22 2019 UTC |
| 2 | MCCF_EDI_TAS_TASCore v2.0_Build_10.zip\MCCF_EDI_TAS_DevOps\mccf_devops\templates\ci-server | ssl.conf.j2 | Wed Apr 17 17:59:05 2019 UTC |
Description: Between Files 1 and 2

| | Text Blocks | Lines |
|---|---|---|
| Unchanged | 2 | 486 |
| Changed | 1 | 4 |
| Inserted | 0 | 0 |
| Removed | 0 | 0 |
| Option | Setting |
|---|---|
| Whitespace | |
| Character case | Differences in character case are significant |
| Line endings | Differences in line endings (CR and LF characters) are ignored |
| CR/LF characters | Not shown in the comparison detail |
No regular expressions were active.
```apache
#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443 https

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is an internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the
#   SSL library. The seed data should be of good random quality.
#   WARNING! On some platforms /dev/random blocks if not enough entropy
#   is available. This means you then cannot use the /dev/random device
#   because it would lead to very long connection times (as long as
#   it requires to make more entropy available). But usually those
#   platforms additionally provide a /dev/urandom device which doesn't
#   block. So, if available, use this one instead. Read the mod_ssl User
#   Manual for more details.
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names.  NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>
#VIRTUALHOST_DEFAULT_START

# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html"
#ServerName www.example.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Protocol support:
# List the enabled protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv2

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite {{ SSLCipherSuite }}

#   Speed-optimized SSL Cipher configuration:
#   If speed is your main concern (on busy HTTPS servers e.g.),
#   you might want to force clients to specific, performance
#   optimized ciphers. In this case, prepend those ciphers
#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
#   (as in the example below), most connections will no longer
#   have perfect forward secrecy - if the server's key is
#   compromised, captures of past or future traffic must be
#   considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile {{ SSLCertificateFile }}

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile {{ SSLCertificateKeyFile }}

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
SSLCertificateChainFile {{ SSLCertificateChainFile }}

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is sent or allowed to be received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is sent and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

#VIRTUALHOST_DEFAULT_SSL_CERTIFICATE_PARAMETERS

#VIRTUALHOST_DEFAULT_DOCUMENTROOT_NEW

#VIRTUALHOST_DEFAULT_PROXY_START
ProxyPreserveHost On
AllowEncodedSlashes On
SSLProxyEngine On

#VIRTUALHOST_DEFAULT_PROXY_GENERIC
# BEGIN GENERIC PROXY PARAMETERS
<Proxy "*">
  Order allow,deny
  Allow from all
</Proxy>
# END GENERIC PROXY PARAMETERS

# BEGIN NEXUS SRVR PROXY PARAMETERS
<location /nexus>
ProxyPass "http:// DNS . URL : PORT /nexus" retry=1
ProxyPassReverse "http:// DNS . URL : PORT /nexus"
</location>
# END NEXUS SRVR PROXY PARAMETERS

#VIRTUALHOST_DEFAULT_PROXY_END

#VIRTUALHOST_DEFAULT_END
</VirtualHost>
```
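Review bot: the /nexus ProxyPass and ProxyPassReverse targets still carry the placeholder `http:// DNS . URL : PORT` while `SSLProxyEngine On` is set a few lines above, so as written the hop from the CI server to Nexus is cleartext HTTP with an unsubstituted host and port. Suggest supplying the backend through the same Jinja2 mechanism the certificate directives already use (for example a `{{ NexusURL }}` variable, a hypothetical name) and pointing at an https:// backend so that SSLProxyEngine actually applies; also note that `Order allow,deny` / `Allow from all` in the `<Proxy "*">` block is Apache 2.2 syntax, which on 2.4 needs mod_access_compat or `Require all granted`.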
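As an added example, not part of the Araxis report or of the MCCF_EDI_TAS_DevOps project, this Python linter evaluates an SSLProtocol expression the way mod_ssl's `all`/`+`/`-` syntax composes it and flags the two points a reviewer would raise against the template above: `all -SSLv2` leaves SSLv3, TLSv1 and TLSv1.1 enabled, and the /nexus ProxyPass forwards over cleartext http://. The SAMPLE excerpt is constructed from the directives above; that `all` includes TLSv1.3 is an assumption about the OpenSSL build.

```python
# mod_ssl expands the SSLProtocol keyword "all" to every version the linked
# OpenSSL supports; TLSv1.3 membership is assumed here (OpenSSL 1.1.1 or later).
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed excerpt mirroring the directives of the template above.
SAMPLE = """\
SSLEngine on
SSLProtocol all -SSLv2
#SSLHonorCipherOrder on
ProxyPass "http:// DNS . URL : PORT /nexus" retry=1
CustomLog logs/ssl_request_log \\
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \\"%r\\" %b"
"""

def parse_directives(text):
    """Yield (name, args) per active directive; joins backslash continuations, skips comments/tags."""
    pending = ""
    for raw in text.splitlines():
        line = (pending + " " + raw.strip()).strip()
        pending = ""
        if line.endswith("\\"):          # directive continues on the next line
            pending = line[:-1].rstrip()
            continue
        if not line or line[0] in "#<":  # blank, comment, or <Section> tag
            continue
        name, _, args = line.partition(" ")
        yield name, args.strip()

def enabled_protocols(value):
    """Evaluate an SSLProtocol expression such as 'all -SSLv2' left to right."""
    enabled = set()
    for tok in value.split():
        sign, proto = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        chosen = ALL_PROTOCOLS if proto.lower() == "all" else {proto}
        enabled = enabled | chosen if sign == "+" else enabled - chosen
    return enabled

def lint(text):
    """Return findings for the TLS and reverse-proxy directives of an ssl.conf."""
    findings, seen = [], {}
    for name, args in parse_directives(text):
        seen[name.lower()] = args
        if name.lower() == "proxypass" and args.lstrip('"').lower().startswith("http://"):
            findings.append("ProxyPass to cleartext backend: " + args)
    weak = enabled_protocols(seen.get("sslprotocol", "")) & WEAK_PROTOCOLS
    if weak:
        findings.append("weak protocols enabled: " + ", ".join(sorted(weak)))
    if "sslengine" in seen and seen.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder not on: client chooses the cipher")
    return findings
```

Run `lint(open("ssl.conf").read())` against a rendered template; a clean file returns an empty list.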