Ubuntu 20.04 APM server: original text of the main configuration files - Apache2

씨실과 날실 2020. 10. 5. 09:00

Original text of the main Apache2 configuration files on Ubuntu 20.04

/etc/apache2/apache2.conf

study@study-VirtualBox:~$ cat -n /etc/apache2/apache2.conf
     1	# This is the main Apache server configuration file.  It contains the
     2	# configuration directives that give the server its instructions.
     3	# See http://httpd.apache.org/docs/2.4/ for detailed information about
     4	# the directives and /usr/share/doc/apache2/README.Debian about Debian specific
     5	# hints.
     6	#
     7	#
     8	# Summary of how the Apache 2 configuration works in Debian:
     9	# The Apache 2 web server configuration in Debian is quite different to
    10	# upstream's suggested way to configure the web server. This is because Debian's
    11	# default Apache2 installation attempts to make adding and removing modules,
    12	# virtual hosts, and extra configuration directives as flexible as possible, in
    13	# order to make automating the changes and administering the server as easy as
    14	# possible.
    15	
    16	# It is split into several files forming the configuration hierarchy outlined
    17	# below, all located in the /etc/apache2/ directory:
    18	#
    19	#	/etc/apache2/
    20	#	|-- apache2.conf
    21	#	|	`--  ports.conf
    22	#	|-- mods-enabled
    23	#	|	|-- *.load
    24	#	|	`-- *.conf
    25	#	|-- conf-enabled
    26	#	|	`-- *.conf
    27	# 	`-- sites-enabled
    28	#	 	`-- *.conf
    29	#
    30	#
    31	# * apache2.conf is the main configuration file (this file). It puts the pieces
    32	#   together by including all remaining configuration files when starting up the
    33	#   web server.
    34	#
    35	# * ports.conf is always included from the main configuration file. It is
    36	#   supposed to determine listening ports for incoming connections which can be
    37	#   customized anytime.
    38	#
    39	# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
    40	#   directories contain particular configuration snippets which manage modules,
    41	#   global configuration fragments, or virtual host configurations,
    42	#   respectively.
    43	#
    44	#   They are activated by symlinking available configuration files from their
    45	#   respective *-available/ counterparts. These should be managed by using our
    46	#   helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
    47	#   their respective man pages for detailed information.
    48	#
    49	# * The binary is called apache2. Due to the use of environment variables, in
    50	#   the default configuration, apache2 needs to be started/stopped with
    51	#   /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
    52	#   work with the default configuration.
    53	
    54	
    55	# Global configuration
    56	#
    57	
    58	#
    59	# ServerRoot: The top of the directory tree under which the server's
    60	# configuration, error, and log files are kept.
    61	#
    62	# NOTE!  If you intend to place this on an NFS (or otherwise network)
    63	# mounted filesystem then please read the Mutex documentation (available
    64	# at <URL:http://httpd.apache.org/docs/2.4/mod/core.html#mutex>);
    65	# you will save yourself a lot of trouble.
    66	#
    67	# Do NOT add a slash at the end of the directory path.
    68	#
    69	#ServerRoot "/etc/apache2"
    70	
    71	#
    72	# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
    73	#
    74	#Mutex file:${APACHE_LOCK_DIR} default
    75	
    76	#
    77	# The directory where shm and other runtime files will be stored.
    78	#
    79	
    80	DefaultRuntimeDir ${APACHE_RUN_DIR}
    81	
    82	#
    83	# PidFile: The file in which the server should record its process
    84	# identification number when it starts.
    85	# This needs to be set in /etc/apache2/envvars
    86	#
    87	PidFile ${APACHE_PID_FILE}
    88	
    89	#
    90	# Timeout: The number of seconds before receives and sends time out.
    91	#
    92	Timeout 300
    93	
    94	#
    95	# KeepAlive: Whether or not to allow persistent connections (more than
    96	# one request per connection). Set to "Off" to deactivate.
    97	#
    98	KeepAlive On
    99	
   100	#
   101	# MaxKeepAliveRequests: The maximum number of requests to allow
   102	# during a persistent connection. Set to 0 to allow an unlimited amount.
   103	# We recommend you leave this number high, for maximum performance.
   104	#
   105	MaxKeepAliveRequests 100
   106	
   107	#
   108	# KeepAliveTimeout: Number of seconds to wait for the next request from the
   109	# same client on the same connection.
   110	#
   111	KeepAliveTimeout 5
   112	
   113	
   114	# These need to be set in /etc/apache2/envvars
   115	User ${APACHE_RUN_USER}
   116	Group ${APACHE_RUN_GROUP}
   117	
   118	#
   119	# HostnameLookups: Log the names of clients or just their IP addresses
   120	# e.g., www.apache.org (on) or 204.62.129.132 (off).
   121	# The default is off because it'd be overall better for the net if people
   122	# had to knowingly turn this feature on, since enabling it means that
   123	# each client request will result in AT LEAST one lookup request to the
   124	# nameserver.
   125	#
   126	HostnameLookups Off
   127	
   128	# ErrorLog: The location of the error log file.
   129	# If you do not specify an ErrorLog directive within a <VirtualHost>
   130	# container, error messages relating to that virtual host will be
   131	# logged here.  If you *do* define an error logfile for a <VirtualHost>
   132	# container, that host's errors will be logged there and not here.
   133	#
   134	ErrorLog ${APACHE_LOG_DIR}/error.log
   135	
   136	#
   137	# LogLevel: Control the severity of messages logged to the error_log.
   138	# Available values: trace8, ..., trace1, debug, info, notice, warn,
   139	# error, crit, alert, emerg.
   140	# It is also possible to configure the log level for particular modules, e.g.
   141	# "LogLevel info ssl:warn"
   142	#
   143	LogLevel warn
   144	
   145	# Include module configuration:
   146	IncludeOptional mods-enabled/*.load
   147	IncludeOptional mods-enabled/*.conf
   148	
   149	# Include list of ports to listen on
   150	Include ports.conf
   151	
   152	
   153	# Sets the default security model of the Apache2 HTTPD server. It does
   154	# not allow access to the root filesystem outside of /usr/share and /var/www.
   155	# The former is used by web applications packaged in Debian,
   156	# the latter may be used for local directories served by the web server. If
   157	# your system is serving content from a sub-directory in /srv you must allow
   158	# access here, or in any related virtual host.
   159	<Directory />
   160		Options FollowSymLinks
   161		AllowOverride None
   162		Require all denied
   163	</Directory>
   164	
   165	<Directory /usr/share>
   166		AllowOverride None
   167		Require all granted
   168	</Directory>
   169	
   170	<Directory /var/www/>
   171		Options Indexes FollowSymLinks
   172		AllowOverride None
   173		Require all granted
   174	</Directory>
   175	
   176	#<Directory /srv/>
   177	#	Options Indexes FollowSymLinks
   178	#	AllowOverride None
   179	#	Require all granted
   180	#</Directory>
   181	
   182	
   183	
   184	
   185	# AccessFileName: The name of the file to look for in each directory
   186	# for additional configuration directives.  See also the AllowOverride
   187	# directive.
   188	#
   189	AccessFileName .htaccess
   190	
   191	#
   192	# The following lines prevent .htaccess and .htpasswd files from being
   193	# viewed by Web clients.
   194	#
   195	<FilesMatch "^\.ht">
   196		Require all denied
   197	</FilesMatch>
   198	
   199	
   200	#
   201	# The following directives define some format nicknames for use with
   202	# a CustomLog directive.
   203	#
   204	# These deviate from the Common Log Format definitions in that they use %O
   205	# (the actual bytes sent including headers) instead of %b (the size of the
   206	# requested file), because the latter makes it impossible to detect partial
   207	# requests.
   208	#
   209	# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
   210	# Use mod_remoteip instead.
   211	#
   212	LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
   213	LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
   214	LogFormat "%h %l %u %t \"%r\" %>s %O" common
   215	LogFormat "%{Referer}i -> %U" referer
   216	LogFormat "%{User-agent}i" agent
   217	
   218	# Include of directories ignores editors' and dpkg's backup files,
   219	# see README.Debian for details.
   220	
   221	# Include generic snippets of statements
   222	IncludeOptional conf-enabled/*.conf
   223	
   224	# Include the virtual host configurations:
   225	IncludeOptional sites-enabled/*.conf
   226	
   227	# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
study@study-VirtualBox:~$ 

 

/etc/apache2/ports.conf

study@study-VirtualBox:~$ cat -n /etc/apache2/ports.conf
     1	# If you just change the port or add more ports here, you will likely also
     2	# have to change the VirtualHost statement in
     3	# /etc/apache2/sites-enabled/000-default.conf
     4	
     5	Listen 80
     6	
     7	<IfModule ssl_module>
     8		Listen 443
     9	</IfModule>
    10	
    11	<IfModule mod_gnutls.c>
    12		Listen 443
    13	</IfModule>
    14	
    15	# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
study@study-VirtualBox:~$ 

 

/etc/apache2/envvars

study@study-VirtualBox:~$ cat -n /etc/apache2/envvars
     1	# envvars - default environment variables for apache2ctl
     2	
     3	# this won't be correct after changing uid
     4	unset HOME
     5	
     6	# for supporting multiple apache2 instances
     7	if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then
     8		SUFFIX="-${APACHE_CONFDIR##/etc/apache2-}"
     9	else
    10		SUFFIX=
    11	fi
    12	
    13	# Since there is no sane way to get the parsed apache2 config in scripts, some
    14	# settings are defined via environment variables and then used in apache2ctl,
    15	# /etc/init.d/apache2, /etc/logrotate.d/apache2, etc.
    16	export APACHE_RUN_USER=www-data
    17	export APACHE_RUN_GROUP=www-data
    18	# temporary state file location. This might be changed to /run in Wheezy+1
    19	export APACHE_PID_FILE=/var/run/apache2$SUFFIX/apache2.pid
    20	export APACHE_RUN_DIR=/var/run/apache2$SUFFIX
    21	export APACHE_LOCK_DIR=/var/lock/apache2$SUFFIX
    22	# Only /var/log/apache2 is handled by /etc/logrotate.d/apache2.
    23	export APACHE_LOG_DIR=/var/log/apache2$SUFFIX
    24	
    25	## The locale used by some modules like mod_dav
    26	export LANG=C
    27	## Uncomment the following line to use the system default locale instead:
    28	#. /etc/default/locale
    29	
    30	export LANG
    31	
    32	## The command to get the status for 'apache2ctl status'.
    33	## Some packages providing 'www-browser' need '--dump' instead of '-dump'.
    34	#export APACHE_LYNX='www-browser -dump'
    35	
    36	## If you need a higher file descriptor limit, uncomment and adjust the
    37	## following line (default is 8192):
    38	#APACHE_ULIMIT_MAX_FILES='ulimit -n 65536'
    39	
    40	## If you would like to pass arguments to the web server, add them below
    41	## to the APACHE_ARGUMENTS environment.
    42	#export APACHE_ARGUMENTS=''
    43	
    44	## Enable the debug mode for maintainer scripts.
    45	## This will produce a verbose output on package installations of web server modules and web application
    46	## installations which interact with Apache
    47	#export APACHE2_MAINTSCRIPT_DEBUG=1
study@study-VirtualBox:~$ 

 

/etc/apache2/conf-available/security.conf

 

#
# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# Debian packages.
#
#<Directory />
#   AllowOverride None
#   Require all denied
#</Directory>


# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.

#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#ServerTokens Minimal
ServerTokens OS
#ServerTokens Full

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#ServerSignature Off
ServerSignature On

#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of:  On | Off | extended
TraceEnable Off
#TraceEnable On

#
# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for subversion:
#
#<DirectoryMatch "/\.svn">
#   Require all denied
#</DirectoryMatch>

#
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
#Header set X-Content-Type-Options: "nosniff"

#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
#Header set X-Frame-Options: "sameorigin"


# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
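
The security.conf shown above leaves `ServerTokens OS` and `ServerSignature On` active and both `Header set` lines commented out. The shell script below is an added example, not part of the original post or of the Debian/Ubuntu package; its function names and the sample file are constructed for illustration. It reports which of these settings are in effect in a given file.

```shell
#!/bin/sh
# Added example (not from the original page): audit the disclosure-related
# directives of security.conf. Function names are hypothetical.

# Print the last active value of a directive, lowercased. Commented lines are
# skipped and a later line overrides an earlier one.
effective_value() {   # $1 = file, $2 = directive name
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(want) { val = $2 }
        END { print tolower(val) }
    ' "$1"
}

# Succeed if an active "Header" line names the given response header.
header_is_set() {     # $1 = file, $2 = header name
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "header" && index(tolower($0), tolower(want)) { found = 1 }
        END { exit !found }
    ' "$1"
}

# Print one line per finding; print nothing when every check passes.
audit_security_conf() {   # $1 = file
    conf=$1
    tokens=$(effective_value "$conf" ServerTokens)
    case "$tokens" in
        prod*) ;;
        *) echo "ServerTokens ${tokens:-unset}: use Prod to send the least information in the Server header" ;;
    esac
    sig=$(effective_value "$conf" ServerSignature)
    case "$sig" in
        on|email) echo "ServerSignature $sig: server-generated pages show the server version; set Off" ;;
    esac
    trace=$(effective_value "$conf" TraceEnable)
    [ "$trace" = "off" ] || echo "TraceEnable ${trace:-unset}: TRACE is allowed; set Off"
    for h in X-Content-Type-Options X-Frame-Options; do
        header_is_set "$conf" "$h" || echo "$h: header not set (needs mod_headers)"
    done
    return 0
}

# Constructed sample: the directive lines of the security.conf shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#ServerTokens Minimal
ServerTokens OS
#ServerTokens Full
#ServerSignature Off
ServerSignature On
TraceEnable Off
#TraceEnable On
#Header set X-Content-Type-Options: "nosniff"
#Header set X-Frame-Options: "sameorigin"
EOF
audit_security_conf "$sample"
rm -f "$sample"
```

On a real server, pass `/etc/apache2/conf-enabled/security.conf` to `audit_security_conf`; a virtual host can still override these values in its own file.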

 

/etc/apache2/sites-available/000-default.conf

study@study-VirtualBox:~$ cat -n /etc/apache2/sites-available/000-default.conf
     1	<VirtualHost *:80>
     2		# The ServerName directive sets the request scheme, hostname and port that
     3		# the server uses to identify itself. This is used when creating
     4		# redirection URLs. In the context of virtual hosts, the ServerName
     5		# specifies what hostname must appear in the request's Host: header to
     6		# match this virtual host. For the default virtual host (this file) this
     7		# value is not decisive as it is used as a last resort host regardless.
     8		# However, you must set it for any further virtual host explicitly.
     9		#ServerName www.example.com
    10	
    11		ServerAdmin webmaster@localhost
    12		DocumentRoot /var/www/html
    13	
    14		# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    15		# error, crit, alert, emerg.
    16		# It is also possible to configure the loglevel for particular
    17		# modules, e.g.
    18		#LogLevel info ssl:warn
    19	
    20		ErrorLog ${APACHE_LOG_DIR}/error.log
    21		CustomLog ${APACHE_LOG_DIR}/access.log combined
    22	
    23		# For most configuration files from conf-available/, which are
    24		# enabled or disabled at a global level, it is possible to
    25		# include a line for only one particular virtual host. For example the
    26		# following line enables the CGI configuration for this host only
    27		# after it has been globally disabled with "a2disconf".
    28		#Include conf-available/serve-cgi-bin.conf
    29	
    30	
    31	# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
study@study-VirtualBox:~$

/etc/apache2/sites-available/default-ssl.conf

study@study-VirtualBox:~$ cat -n /etc/apache2/sites-available/default-ssl.conf
     1	<IfModule mod_ssl.c>
     2		<VirtualHost _default_:443>
     3			ServerAdmin webmaster@localhost
     4	
     5			DocumentRoot /var/www/html
     6	
     7			# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
     8			# error, crit, alert, emerg.
     9			# It is also possible to configure the loglevel for particular
    10			# modules, e.g.
    11			#LogLevel info ssl:warn
    12	
    13			ErrorLog ${APACHE_LOG_DIR}/error.log
    14			CustomLog ${APACHE_LOG_DIR}/access.log combined
    15	
    16			# For most configuration files from conf-available/, which are
    17			# enabled or disabled at a global level, it is possible to
    18			# include a line for only one particular virtual host. For example the
    19			# following line enables the CGI configuration for this host only
    20			# after it has been globally disabled with "a2disconf".
    21			#Include conf-available/serve-cgi-bin.conf
    22	
    23			#   SSL Engine Switch:
    24			#   Enable/Disable SSL for this virtual host.
    25			SSLEngine on
    26	
    27			#   A self-signed (snakeoil) certificate can be created by installing
    28			#   the ssl-cert package. See
    29			#   /usr/share/doc/apache2/README.Debian.gz for more info.
    30			#   If both key and certificate are stored in the same file, only the
    31			#   SSLCertificateFile directive is needed.
    32			SSLCertificateFile	/etc/ssl/certs/ssl-cert-snakeoil.pem
    33			SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    34	
    35			#   Server Certificate Chain:
    36			#   Point SSLCertificateChainFile at a file containing the
    37			#   concatenation of PEM encoded CA certificates which form the
    38			#   certificate chain for the server certificate. Alternatively
    39			#   the referenced file can be the same as SSLCertificateFile
    40			#   when the CA certificates are directly appended to the server
    41			#   certificate for convinience.
    42			#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
    43	
    44			#   Certificate Authority (CA):
    45			#   Set the CA certificate verification path where to find CA
    46			#   certificates for client authentication or alternatively one
    47			#   huge file containing all of them (file must be PEM encoded)
    48			#   Note: Inside SSLCACertificatePath you need hash symlinks
    49			#		 to point to the certificate files. Use the provided
    50			#		 Makefile to update the hash symlinks after changes.
    51			#SSLCACertificatePath /etc/ssl/certs/
    52			#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
    53	
    54			#   Certificate Revocation Lists (CRL):
    55			#   Set the CA revocation path where to find CA CRLs for client
    56			#   authentication or alternatively one huge file containing all
    57			#   of them (file must be PEM encoded)
    58			#   Note: Inside SSLCARevocationPath you need hash symlinks
    59			#		 to point to the certificate files. Use the provided
    60			#		 Makefile to update the hash symlinks after changes.
    61			#SSLCARevocationPath /etc/apache2/ssl.crl/
    62			#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
    63	
    64			#   Client Authentication (Type):
    65			#   Client certificate verification type and depth.  Types are
    66			#   none, optional, require and optional_no_ca.  Depth is a
    67			#   number which specifies how deeply to verify the certificate
    68			#   issuer chain before deciding the certificate is not valid.
    69			#SSLVerifyClient require
    70			#SSLVerifyDepth  10
    71	
    72			#   SSL Engine Options:
    73			#   Set various options for the SSL engine.
    74			#   o FakeBasicAuth:
    75			#	 Translate the client X.509 into a Basic Authorisation.  This means that
    76			#	 the standard Auth/DBMAuth methods can be used for access control.  The
    77			#	 user name is the `one line' version of the client's X.509 certificate.
    78			#	 Note that no password is obtained from the user. Every entry in the user
    79			#	 file needs this password: `xxj31ZMTZzkVA'.
    80			#   o ExportCertData:
    81			#	 This exports two additional environment variables: SSL_CLIENT_CERT and
    82			#	 SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
    83			#	 server (always existing) and the client (only existing when client
    84			#	 authentication is used). This can be used to import the certificates
    85			#	 into CGI scripts.
    86			#   o StdEnvVars:
    87			#	 This exports the standard SSL/TLS related `SSL_*' environment variables.
    88			#	 Per default this exportation is switched off for performance reasons,
    89			#	 because the extraction step is an expensive operation and is usually
    90			#	 useless for serving static content. So one usually enables the
    91			#	 exportation for CGI and SSI requests only.
    92			#   o OptRenegotiate:
    93			#	 This enables optimized SSL connection renegotiation handling when SSL
    94			#	 directives are used in per-directory context.
    95			#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    96			<FilesMatch "\.(cgi|shtml|phtml|php)$">
    97					SSLOptions +StdEnvVars
    98			</FilesMatch>
    99			<Directory /usr/lib/cgi-bin>
   100					SSLOptions +StdEnvVars
   101			</Directory>
   102	
   103			#   SSL Protocol Adjustments:
   104			#   The safe and default but still SSL/TLS standard compliant shutdown
   105			#   approach is that mod_ssl sends the close notify alert but doesn't wait for
   106			#   the close notify alert from client. When you need a different shutdown
   107			#   approach you can use one of the following variables:
   108			#   o ssl-unclean-shutdown:
   109			#	 This forces an unclean shutdown when the connection is closed, i.e. no
   110			#	 SSL close notify alert is send or allowed to received.  This violates
   111			#	 the SSL/TLS standard but is needed for some brain-dead browsers. Use
   112			#	 this when you receive I/O errors because of the standard approach where
   113			#	 mod_ssl sends the close notify alert.
   114			#   o ssl-accurate-shutdown:
   115			#	 This forces an accurate shutdown when the connection is closed, i.e. a
   116			#	 SSL close notify alert is send and mod_ssl waits for the close notify
   117			#	 alert of the client. This is 100% SSL/TLS standard compliant, but in
   118			#	 practice often causes hanging connections with brain-dead browsers. Use
   119			#	 this only for browsers where you know that their SSL implementation
   120			#	 works correctly.
   121			#   Notice: Most problems of broken clients are also related to the HTTP
   122			#   keep-alive facility, so you usually additionally want to disable
   123			#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
   124			#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
   125			#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
   126			#   "force-response-1.0" for this.
   127			# BrowserMatch "MSIE [2-6]" \
   128			#		nokeepalive ssl-unclean-shutdown \
   129			#		downgrade-1.0 force-response-1.0
   130	
   131		</VirtualHost>
   132	</IfModule>
   133	
   134	# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
study@study-VirtualBox:~$