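# TLS snippet: derives certificate paths from the host name, redirects plain
# HTTP to HTTPS and enables mod_ssl.
#
# Inputs (set with Define before this file is included):
#   _HOST            host name used as the HTTPS redirect target
#   _TLSHOST         optional; certificate directory name, defaults to _HOST
#   _TLS_KEY         optional; explicit private-key path. When it is set by the
#                    includer, _TLS_CERT_CHAIN must be set as well, because the
#                    defaults below are skipped as a pair.

# Default the certificate host to the site host.
<IfDefine !_TLSHOST>
    <IfDefine _HOST>
        Define _TLSHOST ${_HOST}
    </IfDefine>
</IfDefine>

# Default certificate and key locations: the per-host directory written by the
# dehydrated ACME client. privkey.pem must stay readable only by the account
# that starts Apache.
<IfDefine !_TLS_KEY>
    <IfDefine _TLSHOST>
        Define _TLS_CERT_CHAIN /var/lib/dehydrated/certs/${_TLSHOST}/fullchain.pem
        Define _TLS_KEY /var/lib/dehydrated/certs/${_TLSHOST}/privkey.pem
    </IfDefine>
</IfDefine>

# Send plain-HTTP requests to HTTPS, except anything below /.well-known/
# (presumably so ACME http-01 challenges stay reachable over HTTP; note that
# the exclusion covers all of /.well-known/, not only acme-challenge).
# The leading "/" is matched outside the capture group so the target is
# https://host/path rather than https://host//path, and the dot in
# ".well-known" is escaped so it only matches a literal dot.
# NOTE(review): ${_HOST} is not guarded by IfDefine here; if _HOST is undefined
# the redirect target is not a usable URL. How this file is included (and
# whether a plain-HTTP listener ever evaluates this block while SSLEngine is
# on) is not visible here; confirm against the including vhost.
<If "%{HTTPS} == 'off'">
    RedirectMatch permanent ^/(?!\.well-known/)(.*) https://${_HOST}/$1
</If>

SSLEngine on
# NOTE(review): no SSLProtocol / SSLCipherSuite is set in this file; presumably
# they are inherited from the global mod_ssl configuration. Verify that legacy
# protocol versions are disabled there.

# Certificate and key are only configured when a key path is known.
<IfDefine _TLS_KEY>
    SSLCertificateFile ${_TLS_CERT_CHAIN}
    SSLCertificateKeyFile ${_TLS_KEY}
</IfDefine>

# CA store used for verifying client certificates. Client verification is
# disabled below; if SSLVerifyClient is ever enabled, point this at a dedicated
# CA directory first, otherwise a client certificate issued by any CA in the
# system trust store would be accepted.
SSLCACertificatePath /etc/ssl/certs/
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
#SSLVerifyClient require
#SSLVerifyDepth 10
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

# Export the standard SSL_* environment variables only to dynamic content
# handlers, which are the consumers that can read them.
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
</Directory>

# Legacy Internet Explorer workarounds: MSIE 2-6 get keepalive disabled and
# HTTP/1.0 responses in addition to the unclean-shutdown flag.
BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
# ("[17-9]" matches a leading 1, 7, 8 or 9, i.e. MSIE 7-9 and 1x)
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

#CustomLog /var/log/apache2/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"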