nils
/
ispmail-buster-ansible
mirror of http://git.workaround.org/ispmail/ispmail-buster-ansible.git
1
0
Fork 0
Code Issues 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
118 Commits
1 Branch
380 KiB
 
 
 
 
 
 
Tree: e6418745b0
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e6418745b0'
${ noResults }
ispmail-buster-ansible/ansible/roles/ispmail-webmail-apache-horde/templates/apache/webmail.conf-443.j2

139 lines
6.4 KiB
Raw Blame History 

  1. <IfModule mod_ssl.c>

  2. 	<VirtualHost _default_:443>

  3. 		ServerAdmin {{ ispmail_postmaster_address }}

  4. 		ServerName {{ ispmail_webmail_hostname }}

  5. 

  6. 		# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,

  7. 		# error, crit, alert, emerg.

  8. 		# It is also possible to configure the loglevel for particular

  9. 		# modules, e.g.

  10. 		#LogLevel info ssl:warn

  11. 

  12. 		RedirectMatch permanent ^/$ https://{{ ispmail_webmail_hostname}}/horde/

  13. 

  14. 		ErrorLog ${APACHE_LOG_DIR}/webmail.error.log

  15. 		CustomLog ${APACHE_LOG_DIR}/webmail.access.log combined

  16. 

  17. 		# For most configuration files from conf-available/, which are

  18. 		# enabled or disabled at a global level, it is possible to

  19. 		# include a line for only one particular virtual host. For example the

  20. 		# following line enables the CGI configuration for this host only

  21. 		# after it has been globally disabled with "a2disconf".

  22. 		#Include conf-available/serve-cgi-bin.conf

  23. 

  24. 		#   SSL Engine Switch:

  25. 		#   Enable/Disable SSL for this virtual host.

  26. 		SSLEngine on

  27. 

  28. 		#   A self-signed (snakeoil) certificate can be created by installing

  29. 		#   the ssl-cert package. See

  30. 		#   /usr/share/doc/apache2/README.Debian.gz for more info.

  31. 		#   If both key and certificate are stored in the same file, only the

  32. 		#   SSLCertificateFile directive is needed.

  33. 		SSLCertificateFile	/etc/ssl/certs/mailserver.pem

  34. 		SSLCertificateKeyFile /etc/ssl/private/mailserver.pem

  35. 

  36. 		#   Server Certificate Chain:

  37. 		#   Point SSLCertificateChainFile at a file containing the

  38. 		#   concatenation of PEM encoded CA certificates which form the

  39. 		#   certificate chain for the server certificate. Alternatively

  40. 		#   the referenced file can be the same as SSLCertificateFile

  41. 		#   when the CA certificates are directly appended to the server

  42. 		#   certificate for convinience.

  43. 		#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

  44. 

  45. 		#   Certificate Authority (CA):

  46. 		#   Set the CA certificate verification path where to find CA

  47. 		#   certificates for client authentication or alternatively one

  48. 		#   huge file containing all of them (file must be PEM encoded)

  49. 		#   Note: Inside SSLCACertificatePath you need hash symlinks

  50. 		#		 to point to the certificate files. Use the provided

  51. 		#		 Makefile to update the hash symlinks after changes.

  52. 		#SSLCACertificatePath /etc/ssl/certs/

  53. 		#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

  54. 

  55. 		#   Certificate Revocation Lists (CRL):

  56. 		#   Set the CA revocation path where to find CA CRLs for client

  57. 		#   authentication or alternatively one huge file containing all

  58. 		#   of them (file must be PEM encoded)

  59. 		#   Note: Inside SSLCARevocationPath you need hash symlinks

  60. 		#		 to point to the certificate files. Use the provided

  61. 		#		 Makefile to update the hash symlinks after changes.

  62. 		#SSLCARevocationPath /etc/apache2/ssl.crl/

  63. 		#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

  64. 

  65. 		#   Client Authentication (Type):

  66. 		#   Client certificate verification type and depth.  Types are

  67. 		#   none, optional, require and optional_no_ca.  Depth is a

  68. 		#   number which specifies how deeply to verify the certificate

  69. 		#   issuer chain before deciding the certificate is not valid.

  70. 		#SSLVerifyClient require

  71. 		#SSLVerifyDepth  10

  72. 

  73. 		#   SSL Engine Options:

  74. 		#   Set various options for the SSL engine.

  75. 		#   o FakeBasicAuth:

  76. 		#	 Translate the client X.509 into a Basic Authorisation.  This means that

  77. 		#	 the standard Auth/DBMAuth methods can be used for access control.  The

  78. 		#	 user name is the `one line' version of the client's X.509 certificate.

  79. 		#	 Note that no password is obtained from the user. Every entry in the user

  80. 		#	 file needs this password: `xxj31ZMTZzkVA'.

  81. 		#   o ExportCertData:

  82. 		#	 This exports two additional environment variables: SSL_CLIENT_CERT and

  83. 		#	 SSL_SERVER_CERT. These contain the PEM-encoded certificates of the

  84. 		#	 server (always existing) and the client (only existing when client

  85. 		#	 authentication is used). This can be used to import the certificates

  86. 		#	 into CGI scripts.

  87. 		#   o StdEnvVars:

  88. 		#	 This exports the standard SSL/TLS related `SSL_*' environment variables.

  89. 		#	 Per default this exportation is switched off for performance reasons,

  90. 		#	 because the extraction step is an expensive operation and is usually

  91. 		#	 useless for serving static content. So one usually enables the

  92. 		#	 exportation for CGI and SSI requests only.

  93. 		#   o OptRenegotiate:

  94. 		#	 This enables optimized SSL connection renegotiation handling when SSL

  95. 		#	 directives are used in per-directory context.

  96. 		#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

  97. 		<FilesMatch "\.(cgi|shtml|phtml|php)$">

  98. 				SSLOptions +StdEnvVars

  99. 		</FilesMatch>

  100. 		<Directory /usr/lib/cgi-bin>

  101. 				SSLOptions +StdEnvVars

  102. 		</Directory>

  103. 

  104. 		#   SSL Protocol Adjustments:

  105. 		#   The safe and default but still SSL/TLS standard compliant shutdown

  106. 		#   approach is that mod_ssl sends the close notify alert but doesn't wait for

  107. 		#   the close notify alert from client. When you need a different shutdown

  108. 		#   approach you can use one of the following variables:

  109. 		#   o ssl-unclean-shutdown:

  110. 		#	 This forces an unclean shutdown when the connection is closed, i.e. no

  111. 		#	 SSL close notify alert is send or allowed to received.  This violates

  112. 		#	 the SSL/TLS standard but is needed for some brain-dead browsers. Use

  113. 		#	 this when you receive I/O errors because of the standard approach where

  114. 		#	 mod_ssl sends the close notify alert.

  115. 		#   o ssl-accurate-shutdown:

  116. 		#	 This forces an accurate shutdown when the connection is closed, i.e. a

  117. 		#	 SSL close notify alert is send and mod_ssl waits for the close notify

  118. 		#	 alert of the client. This is 100% SSL/TLS standard compliant, but in

  119. 		#	 practice often causes hanging connections with brain-dead browsers. Use

  120. 		#	 this only for browsers where you know that their SSL implementation

  121. 		#	 works correctly.

  122. 		#   Notice: Most problems of broken clients are also related to the HTTP

  123. 		#   keep-alive facility, so you usually additionally want to disable

  124. 		#   keep-alive for those clients, too. Use variable "nokeepalive" for this.

  125. 		#   Similarly, one has to force some clients to use HTTP/1.0 to workaround

  126. 		#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and

  127. 		#   "force-response-1.0" for this.

  128. 		BrowserMatch "MSIE [2-6]" \

  129. 				nokeepalive ssl-unclean-shutdown \

  130. 				downgrade-1.0 force-response-1.0

  131. 		# MSIE 7 and newer should be able to use keepalive

  132. 		BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

  133. 

  134. 	</VirtualHost>

  135. </IfModule>

  136. 

  137. # vim: syntax=apache ts=4 sw=4 sts=4 sr noet