# This is an example configuration file for Apache-SSL.
# Copyright (C) 1995,6,7,8,9 Ben Laurie

# By popular demand, this file now illustrates the way to create two websites,
# one secured (on port 8887), the other not (on port 8888).

# You may need one of thse
User dabo
Group ittc

LogLevel debug

# If built with --enable-shared=max...
#LoadModule auth_module /home/ben/apache-ssl/apache_1.3.4-ssl/src/modules/standard/mod_auth.so
#LoadModule config_log_module /home/ben/apache-ssl/apache_1.3.4-ssl/src/modules/standard/mod_log_config.so
#LoadModule cgi_module /home/ben/apache-ssl/apache_1.3.4-ssl/src/modules/standard/mod_cgi.so
#LoadModule alias_module /home/ben/apache-ssl/apache_1.3.4-ssl/src/modules/standard/mod_alias.so

# Disable CA list sending for testing...
SSLNoCAList

# Load some randomness.
# This is loaded at startup, reading at most 1024 bytes from /dev/urandom.
# You may prefer to use /dev/random, but be aware that some OSes (e.g. Linux)
# insist on returning all 1024 bytes, thus blocking the server until the
# randomness is available.
# The randomness will be _shared_ between all server instances. You can have
# as many of these as you want.
SSLRandomFile /dev/urandom 1024
# And this one will be loaded before SSL is negotiated for each connection.
# Again, you can have as many of these as you want, and they will all be used
# at each connection.
SSLRandomFilePerConnection /dev/urandom 1024


# SSL Servers MUST be standalone, currently.
ServerType standalone

# The default port for SSL is 443...
Port 8887
Listen 8887
Listen 8888

# My test document root
#DocumentRoot /home/ben/www/docs
DocumentRoot /u/dabo/ITTC/runtime/apache/htdocs

<Directory /u/dabo/ITTC/runtime/apache/htdocs/manual>
# This directive forbids access except when SSL is in use. Very handy for
# defending against configuration errors that expose stuff that should be
# protected
SSLRequireSSL
# Conversely, you can forbid SSL with...
# SSLDenySSL

# Use these here if renegotiation is permitted
#SSLVerifyClient 2
#SSLVerifyDepth 2

#AuthType Basic
#AuthName Experimental
#AuthGroupFile /dev/null
#AuthUserFile /home/ben/www/users
#require valid-user
</Directory>

# Watch what's going on
TransferLog logs/transfer_log

# Note that all SSL options can apply to virtual hosts.

# Disable SSL. Useful in combination with virtual hosts. Note that SSLEnable is
# now also supported.
#SSLDisable
SSLEnable

# Set the path for the global cache server executable.
# If this facility gives you trouble, you can disable it by setting
# CACHE_SESSIONS to FALSE in apache_ssl.c
SSLCacheServerPath ../../apache_1.3.6/src/modules/ssl/gcache

# Set the global cache server port number, or path. If it is a path, a Unix
# domain socket is used. If a number, a TCP socket.
SSLCacheServerPort logs/gcache_port
#SSLCacheServerPort 1234

# Directory for the cache server to run in (in case of crashes). Optional.
SSLCacheServerRunDir /tmp

# Set the session cache timeout, in seconds (set to 15 for testing, use a
# higher value in real life)
SSLSessionCacheTimeout 15

# Set the CA certificate verification path (must be PEM encoded).
# (in addition to getenv("SSL_CERT_DIR"), I think).
SSLCACertificatePath /u/dabo/ITTC/runtime/apache/SSLconf/

# Set the CA certificate verification file (must be PEM encoded).
# (in addition to getenv("SSL_CERT_FILE"), I think).
#SSLCACertificateFile /some/where/somefile
#SSLCACertificateFile /home/ben/apache-ssl/apache_1.3.4-ssl/SSLconf/conf/httpsd.pem

# Point SSLCertificateFile at a PEM encoded certificate.
# If the certificate is encrypted, then you will be prompted for a pass phrase.
# Note that a kill -1 will prompt again.
# A test certificate can be generated with "make certificate".
SSLCertificateFile /u/dabo/ITTC/runtime/apache/SSLconf/webkey.cert
#SSLCertificateFile /u/dabo/ITTC/runtime/apache/SSLconf/rsa1024.pem
#SSLCertificateFile /home/ben/apache-ssl/apache_1.3.4-ssl/SSLconf/conf/httpsd.pem


# If the key is not combined with the certificate, use this directive to
# point at the key file. If this starts with a '/' it specifies an absolute
# path, otherwise it is relative to the default certificate area. That is, it
# means "<default>/private/<keyfile>".
SSLCertificateKeyFile /u/dabo/ITTC/runtime/client0/keys/webkey.rsk
#SSLCertificateKeyFile /u/dabo/ITTC/runtime/apache/SSLconf/rsa1024.pem

# Set SSLVerifyClient to:
# 0 if no certicate is required
# 1 if the client may present a valid certificate
# 2 if the client must present a valid certificate
# 3 if the client may present a valid certificate but it is not required to
#   have a valid CA
SSLVerifyClient 3
# How deeply to verify before deciding they don't have a valid certificate
SSLVerifyDepth 10

# If you have enabled client cert exports (in buff.h) you need to use
# SSLExportClientCertificates to enable them. Note that the server still has to
# mess about with certs even if this is disabled (and exports are enabled)
# because the cert chain is received before we can know whether it is needed or
# not.
<Location /scripts>
#SSLExportClientCertificates
</Location>

# Translate the client X509 into a Basic authorisation. This means that the
# standard Auth/DBMAuth methods can be used for access control. The user name
# is the "one line" version of the client's X509 certificate. Note that no
# password is obtained from the user. Every entry in the user file needs this
# password: xxj31ZMTZzkVA. See the code for further explanation.
SSLFakeBasicAuth

# List the ciphers that the client is permitted to negotiate. See the source
# for a definitive list. For example:
#SSLRequiredCiphers RC4-MD5:RC4-SHA:IDEA-CBC-MD5:DES-CBC3-SHA

# These two can be used per-directory to require or ban ciphers. Note that (at
# least in the current version) Apache-SSL will not attempt to renegotiate if a
# cipher is banned (or not required).
# You should probably at least ban the null encryption ciphers.
#SSLRequireCipher
SSLBanCipher NULL-MD5:NULL-SHA

# A home for miscellaneous rubbish generated by SSL. Much of it is duplicated
# in the error log file. Put this somewhere where it cannot be used for symlink
# attacks on a real server (i.e. somewhere where only root can write).
# Don't use this anymore! Now everything is logged in the error log.
#SSLLogFile /tmp/ssl.log

# Custom logging
CustomLog	logs/ssl_log "%t %{version}c %{cipher}c %{clientcert}c"

<VirtualHost ittc:8888>
SSLDisable
#SSLEnable
</VirtualHost>

# If you want, you can disable SSL globally, and enable it in a virtual host...
#<VirtualHost ittc:8887>
#SSLEnable
# and the rest of the SSL stuf...
#</VirtualHost>

# Experiment with authorization...
#<Directory /u/ben/www/1/docs>
#AuthType Basic
#AuthName Experimental
#AuthGroupFile /dev/null
#AuthUserFile /u/ben/www/1/users
#<Limit PUT GET>
#allow from all
#require valid-user
#</Limit>
#</Directory>

ScriptAlias	/scripts	/home/ben/www/scripts

<IfModule apache_ssl_keynote.c>
# KeyNote configuration (only if enabled, of course)

# Simple example: admit anyone
#SSLKeyNoteTrustedAssertion keynote/admit-all

# Or: admit no-one
#SSLKeyNoteTrustedAssertion keynote/admit-none

# Or: admit only Ben's Thawte certificate
#SSLKeyNoteTrustedAssertion keynote/admit-ben-thawte

# Or: admit Ben's Thawte certificate to part of the site
#SSLKeyNoteTrustedAssertion keynote/admit-ben-thawte-restricted

# Or: admit _any_ Thawte Freemail cert to any part of the site
SSLKeyNoteTrustedAssertion keynote/admit-thawte
SSLKeyNoteTrustedIssuerTemplate keynote/cert-issuer-simple
</IfModule>