Commit 4a34c6e5 authored by Leigh Stoller's avatar Leigh Stoller

In an attempt to fix the apache certificate problems, Mike and I decided to

split into two separate apache servers, one for the web interface and
another for all the geni RPC ports. Shot in the dark, we are out of ideas.
parent 622d5318
#
# Copyright (c) 2002-2012 University of Utah and the Flux Group.
# Copyright (c) 2002-2015 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -27,6 +27,7 @@ SRCDIR = @srcdir@
TESTBED_SRCDIR = @top_srcdir@
OBJDIR = ..
SUBDIR = apache
PGENISUPPORT = @PROTOGENI_SUPPORT@
SYSTEM := $(shell uname -s)
ifeq ($(SYSTEM),FreeBSD)
......@@ -41,6 +42,10 @@ include $(OBJDIR)/Makeconf
OPS_FILES = httpd.conf-ops php.ini
CONFIG_FILES = httpd.conf $(OPS_FILES)
ifeq ($(PGENISUPPORT),1)
CONFIG_GENI = httpd-geni.conf
CONFIG_FILES += $(CONFIG_GENI)
endif
#
# Move to Apache 22 ...
......@@ -136,12 +141,17 @@ ifeq ($(SCRIPT_HACK),1)
endif
ifeq ($(APACHE_VERSION),22)
install: install-dirs install-scripts httpd.conf
install: install-dirs install-scripts httpd.conf pgeni-install
$(INSTALL_DATA) httpd.conf $(INSTALL_APACHE_CONFIG)/httpd.conf
control-install: install-dirs install-scripts httpd.conf-ops
$(INSTALL_DATA) httpd.conf-ops $(INSTALL_APACHE_CONFIG)/httpd.conf
pgeni-install: $(CONFIG_GENI)
ifeq ($(PGENISUPPORT),1)
$(INSTALL_DATA) httpd-geni.conf $(INSTALL_APACHE_CONFIG)/httpd-geni.conf
endif
utah: httpd.conf.utah httpd.conf-ops.utah
else
install: install-dirs install-scripts httpd.conf.fixed
......
##
## This file Added by Emulab - Version: 5.X
## Do not remove the above line.
##
## This file is intended for use by sites running the emulab software. It
## was installed by the testbed installation process.
##
#
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.2/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
# for a discussion of each configuration directive.
#
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# The configuration directives are grouped into three basic sections:
# 1. Directives that control the operation of the Apache server process as a
# whole (the 'global environment').
# 2. Directives that define the parameters of the 'main' or 'default' server,
# which responds to requests that aren't handled by a virtual host.
# These directives also provide default values for the settings
# of all virtual hosts.
# 3. Settings for virtual hosts, which allow Web requests to be sent to
# different IP addresses or hostnames and have them handled by the
# same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
# with ServerRoot set to "/etc/httpd" will be interpreted by the
# server as "/etc/httpd/logs/foo.log".
#
### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#
#
# Don't give away too much information about all the subcomponents
# we are running. Comment out this line if you don't mind remote sites
# finding out what major optional modules you are running
ServerTokens OS
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation
# (available at <URL:http://httpd.apache.org/docs/2.2/mod/mpm_common.html#lockfile>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot "/usr/local"
#
# PidFile: The file in which the server should record its process
# identification number when it starts.
#
PidFile /var/run/httpd.geni.pid
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 1000
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15
##
## Server-Pool Size Regulation (MPM specific)
##
# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# ServerLimit: maximum value for MaxClients for the lifetime of the server
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule prefork.c>
StartServers 30
MinSpareServers 30
MaxSpareServers 45
ServerLimit 200
MaxClients 150
MaxRequestsPerChild 0
</IfModule>
# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule worker.c>
StartServers 5
MaxClients 150
MinSpareThreads 15
MaxSpareThreads 50
ThreadsPerChild 20
MaxRequestsPerChild 0
</IfModule>
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
#Listen 12.34.56.78:80
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module libexec/apache22/mod_foo.so
#
#LoadModule auth_basic_module libexec/apache22/mod_auth_basic.so
#LoadModule auth_digest_module libexec/apache22/mod_auth_digest.so
#LoadModule authn_file_module libexec/apache22/mod_authn_file.so
#LoadModule authn_alias_module libexec/apache22/mod_authn_alias.so
#LoadModule authn_anon_module libexec/apache22/mod_authn_anon.so
#LoadModule authn_dbm_module libexec/apache22/mod_authn_dbm.so
#LoadModule authn_default_module libexec/apache22/mod_authn_default.so
LoadModule authz_host_module libexec/apache22/mod_authz_host.so
#LoadModule authz_user_module libexec/apache22/mod_authz_user.so
#LoadModule authz_owner_module libexec/apache22/mod_authz_owner.so
LoadModule authz_groupfile_module libexec/apache22/mod_authz_groupfile.so
#LoadModule authz_dbm_module libexec/apache22/mod_authz_dbm.so
LoadModule authz_default_module libexec/apache22/mod_authz_default.so
#LoadModule ldap_module libexec/apache22/mod_ldap.so
#LoadModule authnz_ldap_module libexec/apache22/mod_authnz_ldap.so
LoadModule include_module libexec/apache22/mod_include.so
LoadModule log_config_module libexec/apache22/mod_log_config.so
LoadModule logio_module libexec/apache22/mod_logio.so
LoadModule env_module libexec/apache22/mod_env.so
#LoadModule ext_filter_module libexec/apache22/mod_ext_filter.so
#LoadModule mime_magic_module libexec/apache22/mod_mime_magic.so
LoadModule expires_module libexec/apache22/mod_expires.so
LoadModule deflate_module libexec/apache22/mod_deflate.so
LoadModule headers_module libexec/apache22/mod_headers.so
#LoadModule usertrack_module libexec/apache22/mod_usertrack.so
LoadModule setenvif_module libexec/apache22/mod_setenvif.so
LoadModule mime_module libexec/apache22/mod_mime.so
#LoadModule dav_module libexec/apache22/mod_dav.so
#LoadModule status_module libexec/apache22/mod_status.so
#LoadModule autoindex_module libexec/apache22/mod_autoindex.so
LoadModule info_module libexec/apache22/mod_info.so
#LoadModule dav_fs_module libexec/apache22/mod_dav_fs.so
LoadModule vhost_alias_module libexec/apache22/mod_vhost_alias.so
LoadModule negotiation_module libexec/apache22/mod_negotiation.so
LoadModule dir_module libexec/apache22/mod_dir.so
LoadModule actions_module libexec/apache22/mod_actions.so
#LoadModule speling_module libexec/apache22/mod_speling.so
#LoadModule userdir_module libexec/apache22/mod_userdir.so
LoadModule alias_module libexec/apache22/mod_alias.so
LoadModule rewrite_module libexec/apache22/mod_rewrite.so
#LoadModule proxy_module libexec/apache22/mod_proxy.so
#LoadModule proxy_balancer_module libexec/apache22/mod_proxy_balancer.so
#LoadModule proxy_ftp_module libexec/apache22/mod_proxy_ftp.so
#LoadModule proxy_http_module libexec/apache22/mod_proxy_http.so
#LoadModule proxy_connect_module libexec/apache22/mod_proxy_connect.so
LoadModule cache_module libexec/apache22/mod_cache.so
LoadModule suexec_module libexec/apache22/mod_suexec.so
LoadModule disk_cache_module libexec/apache22/mod_disk_cache.so
#LoadModule file_cache_module libexec/apache22/mod_file_cache.so
#LoadModule mem_cache_module libexec/apache22/mod_mem_cache.so
LoadModule cgi_module libexec/apache22/mod_cgi.so
<IfDefine PGENI>
LoadModule wsgi_module libexec/apache22/mod_wsgi.so
</IfDefine>
#
# The following modules are not loaded by default:
#
#LoadModule cern_meta_module libexec/apache22/mod_cern_meta.so
#LoadModule asis_module libexec/apache22/mod_asis.so
#
# Load config files from the config directory "/etc/httpd/conf.d".
#
# DO NOT DO this in the Emulab world -- if local admin wants to screw with it,
# they can -- but we just pull everything we need into one file. We pull in
# php stuff here; ssl stuff comes later.
#
#Include conf.d/*.conf
#
# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.
#
#LoadModule php5_module libexec/apache22/libphp5.so
#
# Cause the PHP interpreter to handle files with a .php extension.
#
#AddHandler php5-script .php .php3
#AddType text/html .php .php3
#
# Add index.php to the list of files that will be served as directory
# indexes.
#
#DirectoryIndex index.php
#
# Uncomment the following line to allow PHP to pretty-print .phps
# files as PHP source code:
#
#AddType application/x-httpd-php-source .phps .php3s
#
# ExtendedStatus controls whether Apache will generate "full" status
# information (ExtendedStatus On) or just basic information (ExtendedStatus
# Off) when the "server-status" handler is called. The default is Off.
#
#ExtendedStatus On
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# . On SCO (ODT 3) use "User nouser" and "Group nogroup".
# . On HPUX you may not be able to use shared memory as nobody, and the
# suggested workaround is to create a user www and use that user.
# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
# when the value of (unsigned)Group is above 60000;
# don't use Group #-1 on these systems!
#
User nobody
Group nobody
### Section 2: 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
ServerAdmin @TBOPSEMAIL_NOSLASH@
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If this is not set to valid DNS name for your host, server-generated
# redirections will not work. See also the UseCanonicalName directive.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
# You will have to access it by its address anyway, and this will make
# redirections work in a sensible way.
#
#ServerName www.example.com:80
#
# UseCanonicalName: Determines how Apache constructs self-referencing
# URLs and the SERVER_NAME and SERVER_PORT variables.
# When set "Off", Apache will use the Hostname and Port supplied
# by the client. When set "On", Apache will use the value of the
# ServerName directive.
#
UseCanonicalName On
#
# Turn off the TRACE and TRACK debug methods. These have apparently
# been shown to support other XSS vulnerabilities (caught by nessus)
#
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "@prefix@/www/"
#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
Options None
AllowOverride None
Order deny,allow
Deny from all
</Directory>
#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#
#
# When granting access, try to minimize the number of entries and hence
# complexity of the config file. Also, remember these rules:
#
# 1) <directory> directive options & authconfigs are inherited by subdirs
# 2) Putting a '+' before an option on the 'Options' line adds it to the
# existing set (likely inherited from a dir below it).
# 3) Putting a '-' before an option removes it from the existing options set.
# 4) The 'AllowOverride' directive describes how a .htaccess file can
# override configuration file settings for a directory.
# 5) Allowing a .htaccess file to override 'options' is a security hazard.
#
# People who are involved with testbed devel can get at
# stuff under /usr/testbed, but not "outsiders". If exceptions need
# to be made under /usr/testbed, create a <Directory> entry for them
# below. Try to work under the least req'd privilige model whenever
# possible. Add people's cable modems, etc. that need general devel
# access to the /usr/testbed <Directory> entry.
#
<Directory @prefix@>
Order allow,deny
deny from all
# utah emulab subnets
allow from 155.98.32.0/255.255.252.0
# utah flux subnet
allow from 155.98.60.
</Directory>
# Overridden below if PGENI defined.
<Directory "@prefix@/www/protogeni">
AllowOverride None
Order deny,allow
deny from all
</Directory>
# Development trees
<Directory @prefix@/devel/*/www>
Options +ExecCGI
AllowOverride All
</Directory>
<Directory @prefix@/www/dev>
# Allow .htaccess files in dev trees
AllowOverride All
Order deny,allow
deny from all
# Add your allow statements here.
</Directory>
#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "@prefix@/www">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
#
Options All +MultiViews -Indexes
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride All
#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all
</Directory>
#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
#
# TypesConfig describes where the mime.types file (or equivalent) is
# to be found.
#
TypesConfig /usr/local/etc/apache22/mime.types
#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value. If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain
#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off
#
# EnableMMAP: Control whether memory-mapping is used to deliver
# files (assuming that the underlying OS supports it).
# The default is on; turn this off if you serve from NFS-mounted
# filesystems. On some systems, turning it off (regardless of
# filesystem) can improve performance; for details, please see
# http://httpd.apache.org/docs/2.2/mod/core.html#enablemmap
#
#EnableMMAP off
#
# EnableSendfile: Control whether the sendfile kernel support is
# used to deliver files (assuming that the OS supports it).
# The default is on; turn this off if you serve from NFS-mounted
# filesystems. Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#enablesendfile
#
#EnableSendfile off
#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog @prefix@/log/apache_error_log.geni
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t %T \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t %T \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
# "combinedio" includes actual counts of actual bytes received (%I) and sent (%O); this
# requires the mod_logio module to be loaded.
#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
#CustomLog logs/access_log common
#
# If you would like to have separate agent and referer logfiles, uncomment
# the following directives.
#
#CustomLog @prefix@/log/apache_referer_log referer
#CustomLog @prefix@/log/apache_agent_log agent
#
# For a single logfile with access, agent, and referer information
# (Combined Logfile Format), use the following directive:
#
CustomLog @prefix@/log/apache_access_log.geni combined
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
ServerSignature On
#
# Aliases: Add here as many aliases as you need (with no limit). The format is
# Alias fakename realname
#
# Note that if you include a trailing / on fakename then the server will
# require it to be present in the URL. So "/icons" isn't aliased in this
# example, only "/icons/". If the fakename is slash-terminated, then the
# realname must also be slash terminated, and if the fakename omits the
# trailing slash, the realname must also omit it.
#
# We include the /icons/ alias for FancyIndexed directory listings. If you
# do not use FancyIndexing, you may comment this out.
#
Alias /icons/ "/usr/local/www/apache22/icons/"
<Directory "/usr/local/www/apache22/icons">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the realname directory are treated as applications and
# run by the server when requested rather than as documents sent to the client.
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
ScriptAlias /cgi-bin/ "/usr/local/www/apache22/cgi-bin/"
#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/usr/local/www/apache22/cgi-bin">
AllowOverride None
Options None
Order deny,allow
Deny from all
</Directory>
<Directory "/usr/local/www">
Options SymLinksIfOwnerMatch
</Directory>
#
# Specify a default charset for all content served; this enables
# interpretation of all content as UTF-8 by default. To use the
# default browser choice (ISO-8859-1), or to allow the META tags
# in HTML content to override this choice, comment out this
# directive:
#
AddDefaultCharset UTF-8
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
#
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
AddHandler cgi-script .cgi
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
LoadModule ssl_module libexec/apache22/mod_ssl.so
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache dc:UNIX:/var/cache/mod_ssl/distcache
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex default
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec
# Logging:
# The home of the dedicated SSL protocol logfile. Errors are
# additionally duplicated in the general error log file. Put
# this somewhere where it cannot be used for symlink attacks on
# a real server (i.e. somewhere where only root can write).
# Log levels are (ascending order: higher ones include lower ones):
# none, error, warn, info, trace, debug.
#SSLLog @prefix@/log/apache_ssl_engine_log
#SSLLogLevel info
Listen @PROTOGENI_RPCPORT@
<VirtualHost @PROTOGENI_RPCNAME@:@PROTOGENI_RPCPORT@>
# General setup for the virtual host, inherited from global configuration
DocumentRoot "@prefix@/www"
ServerName @PROTOGENI_RPCNAME@
ServerAlias @BOSSNODE@
ServerAdmin @TBOPSEMAIL_NOSLASH@
LogLevel warn
ErrorLog @prefix@/log/apache_ssl_error_log.geni
LogFormat "%h %v %l %u %t %T \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
TransferLog @prefix@/log/apache_ssl_access_log.geni
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2 -SSLv3
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4:!MD5:!AECDH:+HIGH:+MEDIUM:!LOW