
 ・httpd-ssl.conf の主な設定
 
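 # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
Listen 443

##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##

#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate,
# and that httpd will negotiate as the client of a proxied server.
# See the OpenSSL documentation for a complete list of ciphers, and
# ensure these follow appropriate best practices for this deployment.
# httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
# while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
# MD5, RC4 and 3DES are excluded explicitly. MEDIUM still admits 128-bit
# suites; review the effective list with `openssl ciphers -v '<spec>'`
# against the OpenSSL build httpd is actually linked with.
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES

# User agents such as web browsers are not configured for the user's
# own preference of either security or performance, therefore this
# must be the prerogative of the web server administrator who manages
# cpu load versus confidentiality, so enforce the server's cipher order.
# Without this the client's preference order would decide which of the
# enabled suites is used.
SSLHonorCipherOrder on

# SSL Protocol support:
# List the protocol versions which clients are allowed to connect with.
# SSLv2 and SSLv3 are disabled (cf. RFC 7525 3.1.1). TLS 1.0 and TLS 1.1
# are disabled as well (both deprecated by RFC 8996), so only TLS 1.2 and
# later remain negotiable, for clients and for proxied backends alike.
# The TLSv1.1 keyword needs httpd built against OpenSSL 1.0.1 or later;
# the %{SSL_PROTOCOL}x field of ssl_request_log shows whether any clients
# still depend on the older versions before this is rolled out.
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
# `builtin' prompts on the controlling terminal at startup, so an
# encrypted private key cannot be loaded by an unattended (re)start.
SSLPassPhraseDialog builtin

# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
# The dbm variant is kept only as a reference; shmcb is the shared-memory
# cache, for which the path is merely a name hint and the number in
# parentheses is the segment size in bytes.
#SSLSessionCache "dbm:/usr/local/apache2/logs/ssl_scache"
SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
# Cached sessions are resumable for this many seconds.
SSLSessionCacheTimeout 300

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
# NOTE(review): SSLMutex is an httpd 2.2 directive; httpd 2.4 replaced it
# with the core Mutex directive and no longer accepts this line. Confirm
# which httpd version loads this file.
SSLMutex "file:/usr/local/apache2/logs/ssl_mutex"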

 ##
 ## SSL Virtual Host Context
 ##

 
<VirtualHost _default_:443>

 # General setup for the virtual host
 
DocumentRoot "/usr/local/apache2/htdocs"
 # ServerName should match a name in the certificate configured below;
 # otherwise browsers report a hostname mismatch for this virtual host.
 ServerName www.makino.mydns.jp:443
 ServerAdmin makino@makino.mydns.jp

 # Per-virtual-host error and access logs. TransferLog uses the most
 # recently defined LogFormat without a nickname, or Common Log Format
 # if none is defined.
 ErrorLog "/usr/local/apache2/logs/error_log"
 TransferLog "/usr/local/apache2/logs/access_log"

 # SSL Engine Switch:
 # Enable/Disable SSL for this virtual host.
 SSLEngine on

 # Server Certificate:
 # Point SSLCertificateFile at a PEM encoded certificate. If
 # the certificate is encrypted, then you will be prompted for a
 # pass phrase. Note that a kill -HUP will prompt again. Keep
 # in mind that if you have both an RSA and a DSA certificate you
 # can configure both in parallel (to also allow the use of DSA
 # ciphers, etc.)
 # Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
 # require an ECC certificate which can also be configured in
 # parallel.
 # Only the RSA certificate is active; the DSA and ECC lines are the
 # stock examples, left disabled.
 SSLCertificateFile "/usr/local/apache2/conf/server-coressl.crt"
 #SSLCertificateFile "/usr/local/apache2/conf/server-dsa.crt"
 #SSLCertificateFile "/usr/local/apache2/conf/server-ecc.crt"

 # Server Private Key:
 # If the key is not combined with the certificate, use this
 # directive to point at the key file. Keep in mind that if
 # you've both a RSA and a DSA private key you can configure
 # both in parallel (to also allow the use of DSA ciphers, etc.)
 # ECC keys, when in use, can also be configured in parallel
 # The key is read at startup while httpd still runs as root, so it
 # can (and should) be owned by root with mode 0600; it does not need
 # to be readable by the unprivileged worker user.
 SSLCertificateKeyFile "/usr/local/apache2/conf/server-coressl.key"
 #SSLCertificateKeyFile "/usr/local/apache2/conf/server-dsa.key"
 #SSLCertificateKeyFile "/usr/local/apache2/conf/server-ecc.key"

 # Server Certificate Chain:
 # Point SSLCertificateChainFile at a file containing the
 # concatenation of PEM encoded CA certificates which form the
 # certificate chain for the server certificate. Alternatively
 # the referenced file can be the same as SSLCertificateFile
 # when the CA certificates are directly appended to the server
 # certificate for convenience.
 # NOTE(review): on httpd 2.4.8 and later this directive is obsolete
 # (still accepted); the intermediate certificates can instead be
 # appended to the SSLCertificateFile. The chain must belong to the
 # same CA that issued server-coressl.crt, or clients will fail to
 # build a trust path.
 SSLCertificateChainFile "/usr/local/apache2/conf/server_Int-coressl.crt"

 # SSL Engine Options:
 # Set various options for the SSL engine.
 # o FakeBasicAuth:
 # Translate the client X.509 into a Basic Authorisation. This means that
 # the standard Auth/DBMAuth methods can be used for access control. The
 # user name is the `one line' version of the client's X.509 certificate.
 # Note that no password is obtained from the user. Every entry in the user
 # file needs this password: `xxj31ZMTZzkVA'.
 # o ExportCertData:
 # This exports two additional environment variables: SSL_CLIENT_CERT and
 # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
 # server (always existing) and the client (only existing when client
 # authentication is used). This can be used to import the certificates
 # into CGI scripts.
 # o StdEnvVars:
 # This exports the standard SSL/TLS related `SSL_*' environment variables.
 # Per default this exportation is switched off for performance reasons,
 # because the extraction step is an expensive operation and is usually
 # useless for serving static content. So one usually enables the
 # exportation for CGI and SSI requests only.
 # o StrictRequire:
 # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
 # under a "Satisfy any" situation, i.e. when it applies access is denied
 # and no other module can change it.
 # o OptRenegotiate:
 # This enables optimized SSL connection renegotiation handling when SSL
 # directives are used in per-directory context.
 #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
 
# Export the SSL_* request variables only where a script can read them
# (dynamic content by extension, and the cgi-bin directory); building
# them costs CPU per request, so they stay off for static content.
<FilesMatch "\.(cgi|shtml|phtml|php)$">
 SSLOptions +StdEnvVars
 </FilesMatch>
 <Directory "/usr/local/apache2/cgi-bin">
 SSLOptions +StdEnvVars
 </Directory>


 # SSL Protocol Adjustments:
 # The safe and default but still SSL/TLS standard compliant shutdown
 # approach is that mod_ssl sends the close notify alert but doesn't wait for
 # the close notify alert from client. When you need a different shutdown
 # approach you can use one of the following variables:
 # o ssl-unclean-shutdown:
 # This forces an unclean shutdown when the connection is closed, i.e. no
 # SSL close notify alert is sent or allowed to be received. This violates
 # the SSL/TLS standard but is needed for some brain-dead browsers. Use
 # this when you receive I/O errors because of the standard approach where
 # mod_ssl sends the close notify alert.
 # o ssl-accurate-shutdown:
 # This forces an accurate shutdown when the connection is closed, i.e. a
 # SSL close notify alert is send and mod_ssl waits for the close notify
 # alert of the client. This is 100% SSL/TLS standard compliant, but in
 # practice often causes hanging connections with brain-dead browsers. Use
 # this only for browsers where you know that their SSL implementation
 # works correctly.
 # Notice: Most problems of broken clients are also related to the HTTP
 # keep-alive facility, so you usually additionally want to disable
 # keep-alive for those clients, too. Use variable "nokeepalive" for this.
 # Similarly, one has to force some clients to use HTTP/1.0 to workaround
 # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
 # "force-response-1.0" for this.
 # Legacy workaround from the stock configuration: applies only to
 # user agents identifying as MSIE 2 through 5, which predate TLS 1.2.
 # It forces an unclean TLS shutdown, disables keep-alive and
 # downgrades the response to HTTP/1.0 for those clients only.
 BrowserMatch "MSIE [2-5]" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0

 # Per-Server Logging:
 # The home of a custom SSL log file. Use this when you want a
 # compact non-error SSL logfile on a virtual host basis.
 # Each line records time, client address, the negotiated TLS protocol
 # version and cipher suite, the request line and the response size.
 # The protocol and cipher fields are what to check when deciding
 # whether SSLProtocol / SSLCipherSuite can be tightened further
 # without cutting off clients still in use.
 CustomLog "/usr/local/apache2/logs/ssl_request_log" \
 "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"