nils
/
ispmail-buster-ansible
огледало от http://git.workaround.org/ispmail/ispmail-buster-ansible.git
1
0
Разклонения 0
Код Задачи 0 Версии 0 Уики Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
24 Ревизии
1 Клон
380 KiB
 
 
 
 
 
 
ИН на ревизия: 3bdb67c1e2
Клонове Маркери
${ item.name }
Create branch ${ searchTerm }
от '3bdb67c1e2'
${ noResults }
ispmail-buster-ansible/roles/ispmail-webmail/templates/webmail.conf.j2

141 lines
6.4 KiB
Директен файл Blame История 

  1. <IfModule mod_ssl.c>

  2. 	<VirtualHost _default_:443>

  3. 		ServerAdmin webmaster@localhost

  4. 		ServerName {{ ispmail_webmail_hostname }}

  5. 

  6. 		#DocumentRoot /var/www/html

  7. 		Include /etc/roundcube/apache.conf

  8. 		Alias /roundcube /var/lib/roundcube

  9. 

  10. 		# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,

  11. 		# error, crit, alert, emerg.

  12. 		# It is also possible to configure the loglevel for particular

  13. 		# modules, e.g.

  14. 		#LogLevel info ssl:warn

  15. 

  16. 		ErrorLog ${APACHE_LOG_DIR}/webmail.error.log

  17. 		CustomLog ${APACHE_LOG_DIR}/webmail.access.log combined

  18. 

  19. 		# For most configuration files from conf-available/, which are

  20. 		# enabled or disabled at a global level, it is possible to

  21. 		# include a line for only one particular virtual host. For example the

  22. 		# following line enables the CGI configuration for this host only

  23. 		# after it has been globally disabled with "a2disconf".

  24. 		#Include conf-available/serve-cgi-bin.conf

  25. 

  26. 		#   SSL Engine Switch:

  27. 		#   Enable/Disable SSL for this virtual host.

  28. 		SSLEngine on

  29. 

  30. 		#   A self-signed (snakeoil) certificate can be created by installing

  31. 		#   the ssl-cert package. See

  32. 		#   /usr/share/doc/apache2/README.Debian.gz for more info.

  33. 		#   If both key and certificate are stored in the same file, only the

  34. 		#   SSLCertificateFile directive is needed.

  35. 		SSLCertificateFile	/etc/ssl/certs/mailserver.pem

  36. 		SSLCertificateKeyFile /etc/ssl/private/mailserver.pem

  37. 

  38. 		#   Server Certificate Chain:

  39. 		#   Point SSLCertificateChainFile at a file containing the

  40. 		#   concatenation of PEM encoded CA certificates which form the

  41. 		#   certificate chain for the server certificate. Alternatively

  42. 		#   the referenced file can be the same as SSLCertificateFile

  43. 		#   when the CA certificates are directly appended to the server

  44. 		#   certificate for convinience.

  45. 		#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

  46. 

  47. 		#   Certificate Authority (CA):

  48. 		#   Set the CA certificate verification path where to find CA

  49. 		#   certificates for client authentication or alternatively one

  50. 		#   huge file containing all of them (file must be PEM encoded)

  51. 		#   Note: Inside SSLCACertificatePath you need hash symlinks

  52. 		#		 to point to the certificate files. Use the provided

  53. 		#		 Makefile to update the hash symlinks after changes.

  54. 		#SSLCACertificatePath /etc/ssl/certs/

  55. 		#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

  56. 

  57. 		#   Certificate Revocation Lists (CRL):

  58. 		#   Set the CA revocation path where to find CA CRLs for client

  59. 		#   authentication or alternatively one huge file containing all

  60. 		#   of them (file must be PEM encoded)

  61. 		#   Note: Inside SSLCARevocationPath you need hash symlinks

  62. 		#		 to point to the certificate files. Use the provided

  63. 		#		 Makefile to update the hash symlinks after changes.

  64. 		#SSLCARevocationPath /etc/apache2/ssl.crl/

  65. 		#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

  66. 

  67. 		#   Client Authentication (Type):

  68. 		#   Client certificate verification type and depth.  Types are

  69. 		#   none, optional, require and optional_no_ca.  Depth is a

  70. 		#   number which specifies how deeply to verify the certificate

  71. 		#   issuer chain before deciding the certificate is not valid.

  72. 		#SSLVerifyClient require

  73. 		#SSLVerifyDepth  10

  74. 

  75. 		#   SSL Engine Options:

  76. 		#   Set various options for the SSL engine.

  77. 		#   o FakeBasicAuth:

  78. 		#	 Translate the client X.509 into a Basic Authorisation.  This means that

  79. 		#	 the standard Auth/DBMAuth methods can be used for access control.  The

  80. 		#	 user name is the `one line' version of the client's X.509 certificate.

  81. 		#	 Note that no password is obtained from the user. Every entry in the user

  82. 		#	 file needs this password: `xxj31ZMTZzkVA'.

  83. 		#   o ExportCertData:

  84. 		#	 This exports two additional environment variables: SSL_CLIENT_CERT and

  85. 		#	 SSL_SERVER_CERT. These contain the PEM-encoded certificates of the

  86. 		#	 server (always existing) and the client (only existing when client

  87. 		#	 authentication is used). This can be used to import the certificates

  88. 		#	 into CGI scripts.

  89. 		#   o StdEnvVars:

  90. 		#	 This exports the standard SSL/TLS related `SSL_*' environment variables.

  91. 		#	 Per default this exportation is switched off for performance reasons,

  92. 		#	 because the extraction step is an expensive operation and is usually

  93. 		#	 useless for serving static content. So one usually enables the

  94. 		#	 exportation for CGI and SSI requests only.

  95. 		#   o OptRenegotiate:

  96. 		#	 This enables optimized SSL connection renegotiation handling when SSL

  97. 		#	 directives are used in per-directory context.

  98. 		#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

  99. 		<FilesMatch "\.(cgi|shtml|phtml|php)$">

  100. 				SSLOptions +StdEnvVars

  101. 		</FilesMatch>

  102. 		<Directory /usr/lib/cgi-bin>

  103. 				SSLOptions +StdEnvVars

  104. 		</Directory>

  105. 

  106. 		#   SSL Protocol Adjustments:

  107. 		#   The safe and default but still SSL/TLS standard compliant shutdown

  108. 		#   approach is that mod_ssl sends the close notify alert but doesn't wait for

  109. 		#   the close notify alert from client. When you need a different shutdown

  110. 		#   approach you can use one of the following variables:

  111. 		#   o ssl-unclean-shutdown:

  112. 		#	 This forces an unclean shutdown when the connection is closed, i.e. no

  113. 		#	 SSL close notify alert is send or allowed to received.  This violates

  114. 		#	 the SSL/TLS standard but is needed for some brain-dead browsers. Use

  115. 		#	 this when you receive I/O errors because of the standard approach where

  116. 		#	 mod_ssl sends the close notify alert.

  117. 		#   o ssl-accurate-shutdown:

  118. 		#	 This forces an accurate shutdown when the connection is closed, i.e. a

  119. 		#	 SSL close notify alert is send and mod_ssl waits for the close notify

  120. 		#	 alert of the client. This is 100% SSL/TLS standard compliant, but in

  121. 		#	 practice often causes hanging connections with brain-dead browsers. Use

  122. 		#	 this only for browsers where you know that their SSL implementation

  123. 		#	 works correctly.

  124. 		#   Notice: Most problems of broken clients are also related to the HTTP

  125. 		#   keep-alive facility, so you usually additionally want to disable

  126. 		#   keep-alive for those clients, too. Use variable "nokeepalive" for this.

  127. 		#   Similarly, one has to force some clients to use HTTP/1.0 to workaround

  128. 		#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and

  129. 		#   "force-response-1.0" for this.

  130. 		BrowserMatch "MSIE [2-6]" \

  131. 				nokeepalive ssl-unclean-shutdown \

  132. 				downgrade-1.0 force-response-1.0

  133. 		# MSIE 7 and newer should be able to use keepalive

  134. 		BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

  135. 

  136. 	</VirtualHost>

  137. </IfModule>

  138. 

  139. # vim: syntax=apache ts=4 sw=4 sts=4 sr noet