from http to https after installation?

Discussion in 'Installation/Configuration' started by Mahir, Nov 5, 2005.

  1. Rocky

    Rocky New Member

    # LanguagePriority allows you to give precedence to some languages
    # in case of a tie during content negotiation.
    #
    # Just list the languages in decreasing order of preference. We have
    # more or less alphabetized them here. You probably want to change this.
    #
    <IfModule mod_negotiation.c>
    LanguagePriority en da nl et fr de el it ja kr no pl pt pt-br ru ltz ca es sv tw
    </IfModule>

    #
    # AddType allows you to tweak mime.types without actually editing it, or to
    # make certain files to be certain types.
    #
    AddType application/x-tar .tgz

    #
    # AddHandler allows you to map certain file extensions to "handlers",
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action command (see below)
    #
    # If you want to use server side includes, or CGI outside
    # ScriptAliased directories, uncomment the following lines.
    #
    # To use CGI scripts:
    #
    #AddHandler cgi-script .cgi

    AddType application/x-httpd-php .php .php3 .php4
    #
    # To use server-parsed HTML files
    #
    #AddType text/html .shtml
    #AddHandler server-parsed .shtml

    #
    # Uncomment the following line to enable Apache's send-asis HTTP file
    # feature
    #
    #AddHandler send-as-is asis

    #
    # If you wish to use server-parsed imagemap files, use
    #
    #AddHandler imap-file map

    #
    # To enable type maps, you might want to use
    #
    #AddHandler type-map var

    </IfModule>
    # End of document types.

    #
    # Action lets you define media types that will execute a script whenever
    # a matching file is called. This eliminates the need for repeated URL
    # pathnames for oft-used CGI file processors.
    # Format: Action media/type /cgi-script/location
    # Format: Action handler-name /cgi-script/location
    #

    #
    # MetaDir: specifies the name of the directory in which Apache can find
    # meta information files. These files contain additional HTTP headers
    # to include when sending the document
    #
    #MetaDir .web

    #
    # MetaSuffix: specifies the file name suffix for the file containing the
    # meta information.
    #
    #MetaSuffix .meta

    #
    # Customizable error response (Apache style)
    # these come in three flavors
    #
    # 1) plain text
    #ErrorDocument 500 "The server made a boo boo.
    # n.b. the single leading (") marks it as text, it does not get output
    #
    # 2) local redirects
    #ErrorDocument 404 /missing.html
    # to redirect to local URL /missing.html
    #ErrorDocument 404 /cgi-bin/missing_handler.pl
    # N.B.: You can redirect to a script or a document using server-side-includes.
    #
    # 3) external redirects
    #ErrorDocument 402 http://some.other-server.com/subscription_info.html
    # N.B.: Many of the environment variables associated with the original
    # request will *not* be available to such a script.

    #
    # Customize behaviour based on the browser
    #
    <IfModule mod_setenvif.c>

    #
    # The following directives modify normal HTTP response behavior.
    # The first directive disables keepalive for Netscape 2.x and browsers that
    # spoof it. There are known problems with these browser implementations.
    # The second directive is for Microsoft Internet Explorer 4.0b2
    # which has a broken HTTP/1.1 implementation and does not properly
    # support keepalive when it is used on 301 or 302 (redirect) responses.
    #
    BrowserMatch "Mozilla/2" nokeepalive
    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
    #
    # The following directive disables HTTP/1.1 responses to browsers which
    # are in violation of the HTTP/1.0 spec by not being able to grok a
    # basic 1.1 response.
    #
    BrowserMatch "RealPlayer 4\.0" force-response-1.0
    BrowserMatch "Java/1\.0" force-response-1.0
    BrowserMatch "JDK/1\.0" force-response-1.0

    </IfModule>
    # End of browser customization directives

    #
    # Allow server status reports, with the URL of http://servername/server-status
    # Change the ".your-domain.com" to match your domain to enable.
    #
    #<Location /server-status>
    # SetHandler server-status
    # Order deny,allow
    # Deny from all
    # Allow from .your-domain.com
    #</Location>

    #
    # Allow remote server configuration reports, with the URL of
    # http://servername/server-info (requires that mod_info.c be loaded).
    # Change the ".your-domain.com" to match your domain to enable.
    #
    #<Location /server-info>
    # SetHandler server-info
    # Order deny,allow
    # Deny from all
    # Allow from .your-domain.com
    #</Location>

    #
    # There have been reports of people trying to abuse an old bug from pre-1.1
    # days. This bug involved a CGI script distributed as a part of Apache.
    # By uncommenting these lines you can redirect these attacks to a logging
    # script on phf.apache.org. Or, you can record them yourself, using the script
    # support/phf_abuse_log.cgi.
    #
    #<Location /cgi-bin/phf*>
    # Deny from all
    # ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
    #</Location>

    #
    # Proxy Server directives. Uncomment the following lines to
    # enable the proxy server:
    #
    #<IfModule mod_proxy.c>
    # ProxyRequests On

    # <Directory proxy:*>
    # Order deny,allow
    # Deny from all
    # Allow from .your-domain.com
    # </Directory>

    #
    # Enable/disable the handling of HTTP/1.1 "Via:" headers.
    # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
    # Set to one of: Off | On | Full | Block
    #
    # ProxyVia On

    #
    # To enable the cache as well, edit and uncomment the following lines:
    # (no cacheing without CacheRoot)
    #
    # CacheRoot "/root/ispconfig/httpd/proxy"
    # CacheSize 5
    # CacheGcInterval 4
    # CacheMaxExpire 24
    # CacheLastModifiedFactor 0.1
    # CacheDefaultExpire 1
    # NoCache a-domain.com another-domain.edu joes.garage-sale.com

    #</IfModule>
    # End of proxy directives.

    ### Section 3: Virtual Hosts
    #
    # VirtualHost: If you want to maintain multiple domains/hostnames on your
    # machine you can setup VirtualHost containers for them. Most configurations
    # use only name-based virtual hosts so the server doesn't need to worry about# IP addresses. This is indicated by the asterisks in the directives below.
    #
    # Please see the documentation at <URL:http://www.apache.org/docs/vhosts/>
    # for further details before you try to setup virtual hosts.
    #
    # You may use the command line option '-S' to verify your virtual host
    # configuration.

    #
    # Use name-based virtual hosting.
    #
    #NameVirtualHost *
     
  2. Rocky

    Rocky New Member

    #
    # VirtualHost example:
    # Almost any Apache directive may go into a VirtualHost container.
    # The first VirtualHost section is used for requests without a known
    # server name.
    #
    #<VirtualHost *>
    # ServerAdmin webmaster@dummy-host.example.com
    # DocumentRoot /www/docs/dummy-host.example.com
    # ServerName dummy-host.example.com
    # ErrorLog logs/dummy-host.example.com-error_log
    # CustomLog logs/dummy-host.example.com-access_log common
    #</VirtualHost>

    #<VirtualHost _default_:*>
    #</VirtualHost>

    ##
    ## SSL Global Context
    ##
    ## All SSL configuration in this context applies both to
    ## the main server and all SSL-enabled virtual hosts.
    ##

    #
    # Some MIME-types for downloading Certificates and CRLs
    #
    <IfDefine SSL>
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    </IfDefine>
    <IfModule mod_ssl.c>

    # Pass Phrase Dialog:
    # Configure the pass phrase gathering process.
    # The filtering dialog program (`builtin' is a internal
    # terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog builtin

    # Inter-Process Session Cache:
    # Configure the SSL Session Cache: First the mechanism
    # to use and second the expiring timeout (in seconds).
    SSLSessionCache none
    #SSLSessionCache shmht:/root/ispconfig/httpd/logs/ssl_scache(512000)
    #SSLSessionCache shmcb:/root/ispconfig/httpd/logs/ssl_scache(512000)
    #SSLSessionCache dbm:/root/ispconfig/httpd/logs/ssl_scache
    SSLSessionCacheTimeout 300

    # Semaphore:
    # Configure the path to the mutual exclusion semaphore the
    # SSL engine uses internally for inter-process synchronization.
    #SSLMutex file:/root/ispconfig/httpd/logs/ssl_mutex

    # Pseudo Random Number Generator (PRNG):
    # Configure one or more sources to seed the PRNG of the
    # SSL library. The seed data should be of good random quality.
    # WARNING! On some platforms /dev/random blocks if not enough entropy
    # is available. This means you then cannot use the /dev/random device
    # because it would lead to very long connection times (as long as
    # it requires to make more entropy available). But usually those
    # platforms additionally provide a /dev/urandom device which doesn't
    # block. So, if available, use this one instead. Read the mod_ssl User
    # Manual for more details.
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    #SSLRandomSeed startup file:/dev/random 512
    #SSLRandomSeed startup file:/dev/urandom 512
    #SSLRandomSeed connect file:/dev/random 512
    #SSLRandomSeed connect file:/dev/urandom 512

    # Logging:
    # The home of the dedicated SSL protocol logfile. Errors are
    # additionally duplicated in the general error log file. Put
    # this somewhere where it cannot be used for symlink attacks on
    # a real server (i.e. somewhere where only root can write).
    # Log levels are (ascending order: higher ones include lower ones):
    # none, error, warn, info, trace, debug.
    SSLLog /root/ispconfig/httpd/logs/ssl_engine_log
    SSLLogLevel info

    </IfModule>

    <IfDefine SSL>

    ##
    ## SSL Virtual Host Context
    ##

    <VirtualHost _default_:81>

    # General setup for the virtual host
    DocumentRoot "/home/admispconfig/ispconfig/web"
    ServerName tech4you.org
    ServerAdmin malli@tech4you.org
    ErrorLog /root/ispconfig/httpd/logs/error_log
    TransferLog /root/ispconfig/httpd/logs/access_log

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # SSL Cipher Suite:
    # List the ciphers that the client is permitted to negotiate.
    # See the mod_ssl documentation for a complete list.
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    # Server Certificate:
    # Point SSLCertificateFile at a PEM encoded certificate. If
    # the certificate is encrypted, then you will be prompted for a
    # pass phrase. Note that a kill -HUP will prompt again. A test
    # certificate can be generated with `make certificate' under
    # built time. Keep in mind that if you've both a RSA and a DSA
    # certificate you can configure both in parallel (to also allow
    # the use of DSA ciphers, etc.)
    SSLCertificateFile /root/ispconfig/httpd/conf/ssl.crt/server.crt
    #SSLCertificateFile /root/ispconfig/httpd/conf/ssl.crt/server-dsa.crt

    # Server Private Key:
    # If the key is not combined with the certificate, use this
    # directive to point at the key file. Keep in mind that if
    # you've both a RSA and a DSA private key you can configure
    # both in parallel (to also allow the use of DSA ciphers, etc.)
    SSLCertificateKeyFile /root/ispconfig/httpd/conf/ssl.key/server.key
    #SSLCertificateKeyFile /root/ispconfig/httpd/conf/ssl.key/server-dsa.key

    # Server Certificate Chain:
    # Point SSLCertificateChainFile at a file containing the
    # concatenation of PEM encoded CA certificates which form the
    # certificate chain for the server certificate. Alternatively
    # the referenced file can be the same as SSLCertificateFile
    # when the CA certificates are directly appended to the server
    # certificate for convinience.
    #SSLCertificateChainFile /root/ispconfig/httpd/conf/ssl.crt/ca.crt

    # Certificate Authority (CA):
    # Set the CA certificate verification path where to find CA
    # certificates for client authentication or alternatively one
    # huge file containing all of them (file must be PEM encoded)
    # Note: Inside SSLCACertificatePath you need hash symlinks
    # to point to the certificate files. Use the provided
    # Makefile to update the hash symlinks after changes.
    #SSLCACertificatePath /root/ispconfig/httpd/conf/ssl.crt
    #SSLCACertificateFile /root/ispconfig/httpd/conf/ssl.crt/ca-bundle.crt

    # Certificate Revocation Lists (CRL):
    # Set the CA revocation path where to find CA CRLs for client
    # authentication or alternatively one huge file containing all
    # of them (file must be PEM encoded)
    # Note: Inside SSLCARevocationPath you need hash symlinks
    # to point to the certificate files. Use the provided
    # Makefile to update the hash symlinks after changes.
    #SSLCARevocationPath /root/ispconfig/httpd/conf/ssl.crl
    #SSLCARevocationFile /root/ispconfig/httpd/conf/ssl.crl/ca-bundle.crl

    # Client Authentication (Type):
    # Client certificate verification type and depth. Types are
    # none, optional, require and optional_no_ca. Depth is a
    # number which specifies how deeply to verify the certificate
    # issuer chain before deciding the certificate is not valid.
    #SSLVerifyClient require
    #SSLVerifyDepth 10

    # Access Control:
    # With SSLRequire you can do per-directory access control based
    # on arbitrary complex boolean expressions containing server
    # variable checks and other lookup directives. The syntax is a
    # mixture between C and Perl. See the mod_ssl documentation
    # for more details.
    #<Location />
    #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
    # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
    # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
    # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    #</Location>

    # SSL Engine Options:
    # Set various options for the SSL engine.
    # o FakeBasicAuth:
    # Translate the client X.509 into a Basic Authorisation. This means that
    # the standard Auth/DBMAuth methods can be used for access control. The
    # user name is the `one line' version of the client's X.509 certificate.
    # Note that no password is obtained from the user. Every entry in the user
    # file needs this password: `xxj31ZMTZzkVA'.
    # o ExportCertData:
    # This exports two additional environment variables: SSL_CLIENT_CERT and
    # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
    # server (always existing) and the client (only existing when client
    # authentication is used). This can be used to import the certificates
    # into CGI scripts.
    # o StdEnvVars:
    # This exports the standard SSL/TLS related `SSL_*' environment variables.
    # Per default this exportation is switched off for performance reasons,
    # because the extraction step is an expensive operation and is usually
    # useless for serving static content. So one usually enables the
    # exportation for CGI and SSI requests only.
    # o CompatEnvVars:
    # This exports obsolete environment variables for backward compatibility
    # to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
    # to provide compatibility to existing CGI scripts.
    # o StrictRequire:
    # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
    # under a "Satisfy any" situation, i.e. when it applies access is denied
    # and no other module can change it.
    # o OptRenegotiate:
    # This enables optimized SSL connection renegotiation handling when SSL
    # directives are used in per-directory context.
    #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
    </Files>
    <Directory "/root/ispconfig/httpd/cgi-bin">
    SSLOptions +StdEnvVars
    </Directory>
     
  3. Rocky

    Rocky New Member

    # SSL Protocol Adjustments:
    # The safe and default but still SSL/TLS standard compliant shutdown
    # approach is that mod_ssl sends the close notify alert but doesn't wait for
    # the close notify alert from client. When you need a different shutdown
    # approach you can use one of the following variables:
    # o ssl-unclean-shutdown:
    # This forces an unclean shutdown when the connection is closed, i.e. no
    # SSL close notify alert is send or allowed to received. This violates
    # the SSL/TLS standard but is needed for some brain-dead browsers. Use
    # this when you receive I/O errors because of the standard approach where
    # mod_ssl sends the close notify alert.
    # o ssl-accurate-shutdown:
    # This forces an accurate shutdown when the connection is closed, i.e. a
    # SSL close notify alert is send and mod_ssl waits for the close notify
    # alert of the client. This is 100% SSL/TLS standard compliant, but in
    # practice often causes hanging connections with brain-dead browsers. Use
    # this only for browsers where you know that their SSL implementation
    # works correctly.
    # Notice: Most problems of broken clients are also related to the HTTP
    # keep-alive facility, so you usually additionally want to disable
    # keep-alive for those clients, too. Use variable "nokeepalive" for this.
    # Similarly, one has to force some clients to use HTTP/1.0 to workaround
    # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
    # "force-response-1.0" for this.
    SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

    # Per-Server Logging:
    # The home of a custom SSL log file. Use this when you want a
    # compact non-error SSL logfile on a virtual host basis.
    CustomLog /root/ispconfig/httpd/logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    </VirtualHost>
    </IfDefine>
     
  4. falko

    falko Super Moderator

  5. Rocky

    Rocky New Member

    Recreating the cert did it. Falko, you are the man... :)
    One more question. How does the virus scan work? If someone sends me an email with a virus, does clamav block the message and send me report or does it just block the message with no report? And if I send someone a message that has a virus, does it block the message and send a report or no report?
     
    Last edited: Dec 7, 2005
  6. falko

    falko Super Moderator

    Only incoming emails are scanned because ClamAV is invoked by procmail.

    If a virus is caught, a notification is sent to the sender and to the recipient (the virus mail is deleted, of course, unless you specify something different in ISPConfig).
     

Share This Page