Dustin C. Hatch
b519f97f6a
I am not sure the point of having both `ssl_request_log` and `ssl_access_log`. The former includes the TLS ciphers used in the connection, which is not particularly interesting information. To save space on the log volume of web servers using Apache, we should just stop creating this log file.
68 lines
3.1 KiB
Django/Jinja
68 lines
3.1 KiB
Django/Jinja
# Use separate log files for the SSL virtual host; note that LogLevel
|
|
# is not inherited from httpd.conf.
|
|
ErrorLog logs/ssl_error_log
|
|
TransferLog logs/ssl_access_log
|
|
LogLevel warn
|
|
|
|
# SSL Engine Switch:
|
|
# Enable/Disable SSL for this virtual host.
|
|
SSLEngine on
|
|
|
|
# SSL Protocol support:
|
|
# List the enable protocol levels with which clients will be able to
|
|
# connect. Disable SSLv2 access by default:
|
|
SSLProtocol {{ apache_ssl_protocol|join(' ') }}
|
|
|
|
# SSL Cipher Suite:
|
|
# List the ciphers that the client is permitted to negotiate.
|
|
# See the mod_ssl documentation for a complete list.
|
|
SSLCipherSuite {{ apache_ssl_ciphersuite|join(':') }}
|
|
SSLHonorCipherOrder on
|
|
|
|
# Speed-optimized SSL Cipher configuration:
|
|
# If speed is your main concern (on busy HTTPS servers e.g.),
|
|
# you might want to force clients to specific, performance
|
|
# optimized ciphers. In this case, prepend those ciphers
|
|
# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
|
|
# Caveat: by giving precedence to RC4-SHA and AES128-SHA
|
|
# (as in the example below), most connections will no longer
|
|
# have perfect forward secrecy - if the server's key is
|
|
# compromised, captures of past or future traffic must be
|
|
# considered compromised, too.
|
|
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
|
|
#SSLHonorCipherOrder on
|
|
|
|
# SSL Protocol Adjustments:
|
|
# The safe and default but still SSL/TLS standard compliant shutdown
|
|
# approach is that mod_ssl sends the close notify alert but doesn't wait for
|
|
# the close notify alert from client. When you need a different shutdown
|
|
# approach you can use one of the following variables:
|
|
# o ssl-unclean-shutdown:
|
|
# This forces an unclean shutdown when the connection is closed, i.e. no
|
|
# SSL close notify alert is send or allowed to received. This violates
|
|
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
|
|
# this when you receive I/O errors because of the standard approach where
|
|
# mod_ssl sends the close notify alert.
|
|
# o ssl-accurate-shutdown:
|
|
# This forces an accurate shutdown when the connection is closed, i.e. a
|
|
# SSL close notify alert is send and mod_ssl waits for the close notify
|
|
# alert of the client. This is 100% SSL/TLS standard compliant, but in
|
|
# practice often causes hanging connections with brain-dead browsers. Use
|
|
# this only for browsers where you know that their SSL implementation
|
|
# works correctly.
|
|
# Notice: Most problems of broken clients are also related to the HTTP
|
|
# keep-alive facility, so you usually additionally want to disable
|
|
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
|
|
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
|
|
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
|
|
# "force-response-1.0" for this.
|
|
BrowserMatch "MSIE [2-5]" \
|
|
nokeepalive ssl-unclean-shutdown \
|
|
downgrade-1.0 force-response-1.0
|
|
|
|
# Per-Server Logging:
|
|
# The home of a custom SSL log file. Use this when you want a
|
|
# compact non-error SSL logfile on a virtual host basis.
|
|
#CustomLog logs/ssl_request_log \
|
|
# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
|