This removes all files related to the keyserver and SKS. Revert if still needed.

Stephen Smoogen 2020-02-07 20:06:08 +00:00 committed by Pierre-Yves Chibon
parent 7a2fc30aa8
commit 5ab2061c88
16 changed files with 0 additions and 848 deletions


@ -1,83 +0,0 @@
ServerName keys.fedoraproject.org
Listen 80.239.156.219:11371
NameVirtualHost *:443
<ifModule !mod_proxy.c>
LoadModule proxy_module modules/mod_proxy.so
</IfModule>
<IfModule !mod_proxy_http.c>
LoadModule proxy_http_module modules/mod_proxy_http.so
</IfModule>
<IfModule !mod_proxy_balancer.c>
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
</IfModule>
<IfModule !mod_headers.c>
LoadModule headers_module modules/mod_headers.so
</IfModule>
<IfModule !mod_authz_host.c>
LoadModule authz_host_module modules/mod_authz_host.so
</IfModule>
<IfModule !mod_log_config.c>
LoadModule log_config_module modules/mod_log_config.so
</IfModule>
<IfModule !mod_env.c>
LoadModule env_module modules/mod_env.so
</IfModule>
<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>
<VirtualHost *:80>
ServerAdmin sysadmin-keys-members@fedoraproject.org
ServerName keys.fedoraproject.org
ProxyPass / http://127.0.0.1:11371/
ProxyPassReverse / http://127.0.0.1:11371/
SetEnv proxy-nokeepalive 1
ProxyVia Full
</VirtualHost>
<VirtualHost *:443>
ServerAdmin sysadmin-keys-members@fedoraproject.org
ServerName keys.fedoraproject.org
ServerAlias keys01.fedoraproject.org
SSLEngine on
SSLCertificateFile /etc/pki/tls/wildcard-2014.fedoraproject.org.cert
SSLCertificateChainFile /etc/pki/tls/wildcard-2014.fedoraproject.org.intermediate.cert
SSLCertificateKeyFile /etc/pki/tls/wildcard-2014.fedoraproject.org.key
ProxyPass / http://localhost:11371/
ProxyPassReverse / http://localhost:11371/
SetEnv proxy-nokeepalive 1
ProxyVia Full
</VirtualHost>
<VirtualHost *:443>
ServerAdmin sysadmin-keys-members@fedoraproject.org
ServerName pool.sks-keyservers.net
ServerAlias sks-keyservers.net
ServerAlias *.sks-keyservers.net
SSLEngine on
SSLCertificateFile /etc/pki/tls/keys_fedoraproject_org.crt.pem
SSLCertificateKeyFile /etc/pki/tls/keys_fedoraproject_org.key
ProxyPass / http://localhost:11371/
ProxyPassReverse / http://localhost:11371/
SetEnv proxy-nokeepalive 1
ProxyVia Full
</VirtualHost>
<VirtualHost *:11371>
ServerAdmin sysadmin-keys-members@fedoraproject.org
ServerName keys.fedoraproject.org
ProxyPass / http://127.0.0.1:11371/
ProxyPassReverse / http://127.0.0.1:11371/
SetEnv proxy-nokeepalive 1
ProxyVia Full
</VirtualHost>


@ -46,7 +46,6 @@
- import_playbook: /srv/web/infra/ansible/playbooks/groups/gnome-backups.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/ipa.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/kerneltest.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/keyserver.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/koji-hub.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/kojipkgs.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/logserver.yml


@ -13,7 +13,6 @@
- include_playbook: /srv/web/infra/ansible/playbooks/groups/elections.yml
- include_playbook: /srv/web/infra/ansible/playbooks/groups/fedocal.yml
- include_playbook: /srv/web/infra/ansible/playbooks/groups/gallery.yml
- include_playbook: /srv/web/infra/ansible/playbooks/groups/keyserver.yml
- include_playbook: /srv/web/infra/ansible/playbooks/groups/koji-hub.yml
- include_playbook: /srv/web/infra/ansible/playbooks/groups/mailman.yml
- include_playbook: /srv/web/infra/ansible/playbooks/groups/notifs-backend.yml


@ -1,40 +0,0 @@
# create a new sks keyserver
# NOTE: should be used with --limit most of the time
# NOTE: make sure there is room/space for this server on the vmhost
# NOTE: most of these vars_path come from group_vars/gallery-web* or from hostvars
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=keys"
- name: make the box be real
hosts: keys
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- base
- rkhunter
- nagios_client
- hosts
- fas_client
- sudo
- collectd/base
- { role: openvpn/client,
when: env != "staging" }
- apache
- certbot
- keyserver
pre_tasks:
- import_tasks: "{{ tasks_path }}/yumrepos.yml"
tasks:
- import_tasks: "{{ tasks_path }}/2fa_client.yml"
- import_tasks: "{{ tasks_path }}/motd.yml"
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"


@ -1,132 +0,0 @@
* { font-family: helvetica, sans-serif; }
h1,
p {
margin: 0; /* Let's zero those margins */
}
h2 { color: #3c6eb4; margin: 0;}
#container {
/* border: 1px solid #555; /* Nice transition from white background */
width: 600px; /* Should be narrow enough for small screens */
margin: 0 auto; /* Centering */
font-size: 1.1em; /* Font big enough not to need to squint */
line-height: 1.3em;
}
#title {
/* background-color:#e2e5e2; */
padding: 10px;
}
#title h1, #title h2 {
margin-top: 0.3em;
}
#info {
/* background-color:#e2e5e2; */
padding: 5px 10px;
}
#main {
/* background : #FAFBEA; */
padding: 0 10px 10px 10px;
}
#main header {
padding-top: 1em;
}
#main p {
margin: 0.5em 0;
}
#keytext {
width: 100%;
height: 150px;
border: 1px solid #555;
background : #fff;
max-width: 100%;
display: block;
}
ul {
width: 100%;
list-style-type: none;
padding-left: 0;
}
li {
width: 99%;
}
li label {
width: 57%;
display: inline-block;
}
button {
border-radius: 3px;
-moz-border-radius: 3px;
background: -webkit-gradient(linear, left top, left bottom, from(#fff), to(#ddd));
background: -moz-linear-gradient(top, #fff, #ddd);
border: 1px solid #bbb;
}
#info p {line-height: 1.1em; margin-bottom: 0.3em;}
#bodyform {
margin-top: 20px;
color: #555;
font-weight: normal;
font-size: 16px;
}
#headcontent {
width: 700px;
margin: auto;
display: table;
}
#lefttop {
float: left;
text-align: left;
}
#righttop {
float:right;
text-align: right;
}
hr {
background: #3c6eb4;
height: 8px;
border: 0px;
}
footer {
background: #3c6eb4;
margin: auto;
color: #fff;
}
footer p { width: 500px; margin: auto; text-align: center;}
a {text-decoration: none; color: #B8C9FF; font-weight: bold;}
fieldset {
border: 2px solid #4462C4;
}
legend {
color: #3c6eb4;
}


@ -1,91 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<link rel="stylesheet" type="text/css" media="all" href="css.css" />
<title>Fedora Project GPG Key Server</title>
</head>
<body>
<div id=bodyform>
<div id=headcontent>
<div id=lefttop>
<a href="https://fedoraproject.org">
<img src='https://fedoraproject.org/static/images/fedora-logo.png'>
</a>
</div>
<div id=righttop>
<h1>SKS OpenPGP Key server</h1>
<h2>keys.fedoraproject.org</h2>
</div>
</div>
<hr></hr>
<div id="container">
<div id="main" role="main">
<header>
<h2>Extract a key</h2>
</header>
<p>You can find a key by typing in some words that appear in the
userid (name, email, etc.) of the key you're looking for, or
by typing in the keyid in hex format ("0x&#8230;")</p>
<form id="lookup" action="/pks/lookup" method="get">
<fieldset checked="true"> <legend>Search for a public key</legend>
<ul>
<li> <label for="search">String</label> <input id="search"
name="search" placeholder="0xDEADBEEF" required="" autofocus=""
type="text"> </li>
<li> <label for="fingerprint">Show PGP Fingerprints</label>
<input id="fingerprint" name="fingerprint" type="checkbox">
</li>
<li> <label for="hash">Show SKS full-key hashes</label> <input
id="hash" name="hash" type="checkbox"> </li>
<li> <label for="matching">Get regular index of matching
keys</label> <input id="matching" name="op" value="index"
type="radio"> </li>
<li> <label for="verbose">Get verbose index of matching
keys</label> <input id="verbose" name="op" value="vindex"
checked="checked" type="radio"> </li>
<li> <label for="asciiarmored">Retrieve ascii-armored
keys</label> <input id="asciiarmored" name="op" value="get"
type="radio"> </li>
<li> <label for="fullkey">Retrieve keys by full-key hash</label>
<input id="fullkey" name="op" value="hget" type="radio">
</li>
</ul>
<button type="reset">Reset</button> <button type="submit">Search
for a key</button> </fieldset>
</form>
<header>
<h2>Submit a key</h2>
</header>
<p>You can submit a key by simply pasting in the ASCII-armored
version of your key and clicking on submit.</p>
<form id="add" action="/pks/add" method="post">
<fieldset> <textarea id="keytext" name="keytext" rows="5" cols="30"></textarea>
<button type="reset">Reset</button> <button checked="true"
type="submit">Submit this key</button></fieldset>
</form>
</div>
<!-- end of #main -->
</div>
<!--! end of #container -->
<footer id="info">
<p><a href="https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Home">SKS</a> is
a new <a href="http://www.openpgp.org/">OpenPGP</a>
keyserver. The main innovation of SKS is that it includes a
highly-efficient reconciliation algorithm for keeping the
keyservers synchronized.</p>
<p style="text-align: center;"><a href="/pks/lookup?op=stats">SKS statistics</a></p>
</footer>
</div>
</body>
</html>




@ -1,13 +0,0 @@
module keyserver 1.0;
require {
type httpd_t;
type pgpkeyserver_port_t;
class tcp_socket name_bind;
class tcp_socket name_connect;
}
#============= httpd_t ==============
allow httpd_t pgpkeyserver_port_t:tcp_socket name_bind;
allow httpd_t pgpkeyserver_port_t:tcp_socket name_connect;


@ -1,42 +0,0 @@
ams.sks.heypete.com 11370 # Pete Stephenson <pete@heypete.com> (0x85EB9F44)
key.adeti.org 11370 # Marco RODRIGUES <marco@adeti.org> 0x7CE697FC
key.cccmz.de 11370 # Christian Felsing <hostmaster@ip6.li> 0xFDCAC0E5
keys2.kfwebs.net 11370 # 0x0B7F8B60E3EDFAE3
keys.andreas-puls.de 11370 # Andreas Puls <appu@gmx.net> 0xDAC73FA6
keys.christensenplace.us 11370 # Eric Christensen <eric@christensenplace.us> 0x024BB3D1
keys.communityrack.org 11370 # Andre Keller <ak@0x2a.io> 0x2351B9E3
keyserver.cais.rnp.br 11370 # Andre R. Landim <andre.landim@cais.rnp.br> 0xCBFE6A3E
keyserver.cns.vt.edu 11370 # Phil Benchoff <benchoff@vt.edu> <keymaster@cns.vt.edu>
keyserver.computer42.org 11370 # H.-Dirk Schmitt <dirk@computer42.org> 0x6A017B17
keyserver.miniskipper.at 11370 # Sven Kocksch <sven.kocksch@miniskipper.at> 0x90D94808
keyserver.nausch.org 11370 # Michael Nausch <michael@nausch.org> 0x2384C849
key-server.nl 11370 # Wijnand Modderman-Lenstra <maze@key-server.nl> 0x294DF221
keyserver.saol.no-ip.com 11370 # Peter <peter@saol.no-ip.com> 0x39E97290
keyserver.sincer.us 11370 # Petru Ghita <petrutz@venaver.info> 0x7CF29D04
keyservers.org 11370 # Rob Hansen <rjh@sixdemonbag.org>
keyserver.stack.nl 11370 # Johan van Selst <johans@stack.nl> 0xD3AE8D3A
keyserver.timlukas.de 11370 # Timlukas Bloch <timlukas@protonmail.ch> 0x54f43ad0f3139fc2
keyserver.uz.sns.it 11370 # Giovanni Mascellani, D9AB457E
keyserver.zap.org.au 11370 # John Zaitseff <J.Zaitseff@zap.org.au> 0xB0F6BC7F46D30F1432FC46190D254111C4EE569B
keys.jhcloos.com 11370 # James Cloos <cloos@jhcloos.com> 0xED7DAEA6
keys.niif.hu 11370 # Gabor Kiss <kissg@ssg.ki.iif.hu>
keys.schluesselbruecke.de 11370 # Matthias Schreiber <schreiber-matti@web.de> 0x586A2E13F52616561BFC32C95B964AE610D49726
keys.techwolf12.nl 11370 # Christiaan de Die le Clercq <contact@techwolf12.nl> 0x2F2546D8
keys.wuschelpuschel.org 11370 # 0x017D1C3D Peter Kornherr <peter@wuschelpuschel.org>
pgp.archreactor.org 11370 # Travis Megee <twmegee@seek42.net> 0xdd6017f142b7c552
pgp.circl.lu 11370 # CIRCL - info@circl.lu - 0x22BD4CD5
pgp.codelabs.ru 11370 # Eygene Ryabinkin <rea@codelabs.ru> 0x8152ECFB
pgp.key-server.io 11370 # Carles Tubio <carles.tubio@key-server.io> 0xC3B39DE0
pgpkeys.mallos.nl 11370 # Arnold Schekkerman <arnold@mallos.nl> 0xB66BBBAA
pgpkeys.urown.net 11370 # Alain Wolf <keymaster@urown.net> 0x27A69FC9A1744242
pgp.rediris.es 11370 # Francisco.monserrat <francisco.monserrat@rediris.es> 0xD3A42C61
pgp.ustc.edu.cn 11370 # Shengjing Zhu <zsj950618@gmail.com> 0xCF0E265B7DFBB2F2
pki.colliertech.org 11370 # C.J. Adams-Collier <cjac@uw.edu> 0x8E562765BA27A83C
sks.bootc.eu 11370 # Chris Boot <sks@bootc.net> 0xF5C83C05D9CEEEEE
sks.es.net 11370 # keymaster@es.net
sks.es.net 11370 # Michael Sinatra <ms@es.net> 0x35F5A79B5B4EBA62
sks.fidocon.de 11370 # unknown
sks.karotte.org 11370 # Sebastian Wiesinger <sebastian@karotte.org> 0x93A0B9CE
sks-peer.spodhuis.org 11370 # Phil Pennock <keyserver@spodhuis.org> 0x3903637F
vanunu.calyxinstitute.org 11370
zimmermann.mayfirst.org 11370 # Daniel Kahn Gillmor <dkg@fifthhorseman.net> 0xCCD2ED94D21739E9


@ -1,2 +0,0 @@
User-agent: *
Disallow: /pks/


@ -1,14 +0,0 @@
basedir: /srv/sks
#debuglevel: 10
#debug:
hostname: keys.fedoraproject.org
hkp_address: 127.0.0.1
hkp_port: 11371
recon_port: 11370
#gossip_interval: 1440
stat_hour: 00
initial_stat:
membership_reload_interval: 1
disable_mailsync:
debuglevel: 4
server_contact: 0x167B4A54236BBEAA37DCCD92ED14D5E7110810E9


@ -1,6 +0,0 @@
- name: restart sks-db
service: name=sks-db state=restarted
- name: restart sks-recon
service: name=sks-recon state=restarted


@ -1,101 +0,0 @@
---
- name: install sks
package: name=sks state=present
tags:
- packages
- name: install mod_ssl
package: name=mod_ssl state=present
tags:
- packages
- name: /srv/sks
file: >
path=/srv/sks
state=directory
owner=sks group=sks mode=0755
- name: /srv/sks/membership
copy: src="membership" dest=/srv/sks/membership owner=sks group=sks mode=0644
tags:
- config
- membership
- name: /srv/sks/sksconf
copy: src="sksconf" dest=/srv/sks/sksconf owner=sks group=sks mode=0644
tags:
- config
- name: /srv/sks/web
file: >
path=/srv/sks/web
state=directory
owner=sks group=sks mode=0755
- name: /srv/sks/web/index.html
copy: src="index.html" dest=/srv/sks/web/index.html owner=sks group=sks mode=0644
tags:
- config
- name: /srv/sks/web/css.css
copy: src="css.css" dest=/srv/sks/web/css.css owner=sks group=sks mode=0644
tags:
- config
- name: /srv/sks/web/robots.txt
copy: src="robots.txt" dest=/srv/sks/web/robots.txt owner=sks group=sks mode=0644
tags:
- config
- name: /etc/httpd/conf.d/sks.conf
template: src="sks.conf" dest=/etc/httpd/conf.d/sks.conf owner=root group=root mode=0644
tags:
- config
- sslciphers
- name: /etc/httpd/conf.d/ssl.conf
template: src="ssl.conf" dest=/etc/httpd/conf.d/ssl.conf owner=root group=root mode=0644
tags:
- config
- sslciphers
- name: /etc/pki/tls/keys_fedoraproject_org.crt.pem
copy: src="{{ private }}/files/httpd/keys_fedoraproject_org-2017.crt.pem" dest=/etc/pki/tls/keys_fedoraproject_org.crt.pem owner=root group=root mode=0600
tags:
- config
- name: /etc/pki/tls/keys_fedoraproject_org.key
copy: src="{{ private }}/files/httpd/keys_fedoraproject_org-2017.key" dest=/etc/pki/tls/keys_fedoraproject_org.key owner=root group=root mode=0600
tags:
- config
- cron: name="regenerate stats hourly"
hour="*"
minute="5"
job="pkill -f -n -SIGUSR2 'sks db'"
state=present
- name: Set sks-db to run on boot
service: name=sks-db enabled=no
ignore_errors: true
notify:
- restart sks-db
tags:
- service
- name: Set sks-recon to run on boot
service: name=sks-recon enabled=no
ignore_errors: true
notify:
- restart sks-recon
tags:
- service
# Two tasks for handling our custom selinux module
- name: copy over our custom selinux module
copy: src=keyserver.pp dest=/srv/sks/keyserver.pp
register: selinux_module
- name: install our custom selinux module
command: semodule -i /srv/sks/keyserver.pp
when: selinux_module is changed


@ -1,98 +0,0 @@
ServerName keys.fedoraproject.org
Listen 140.211.169.207:11371
Listen [2605:bc80:3010:600:dead:beef:cafe:fedc]:11371
NameVirtualHost *:443
<ifModule !mod_proxy.c>
LoadModule proxy_module modules/mod_proxy.so
</IfModule>
<IfModule !mod_proxy_http.c>
LoadModule proxy_http_module modules/mod_proxy_http.so
</IfModule>
<IfModule !mod_proxy_balancer.c>
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
</IfModule>
<IfModule !mod_headers.c>
LoadModule headers_module modules/mod_headers.so
</IfModule>
<IfModule !mod_authz_host.c>
LoadModule authz_host_module modules/mod_authz_host.so
</IfModule>
<IfModule !mod_log_config.c>
LoadModule log_config_module modules/mod_log_config.so
</IfModule>
<IfModule !mod_env.c>
LoadModule env_module modules/mod_env.so
</IfModule>
<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>
<Directory /srv/web/acme-challenge/.well-known/>
require all granted
Allow from all
</Directory>
<VirtualHost *:80>
ServerAdmin sysadmin-keys-members@fedoraproject.org
ServerName keys.fedoraproject.org
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]
Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>
<VirtualHost *:443>
ServerAdmin sysadmin-keys-members@fedoraproject.org
ServerName keys.fedoraproject.org
ServerAlias keys01.fedoraproject.org
Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/keys.fedoraproject.org/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/keys.fedoraproject.org/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/keys.fedoraproject.org/fullchain.pem
SSLProtocol {{ ssl_protocols }}
SSLCipherSuite {{ ssl_ciphers }}
ProxyPass / http://pool.sks-keyservers.net:11371/
ProxyPassReverse / http://pool.sks-keyservers.net:11371/
SetEnv proxy-nokeepalive 1
ProxyVia Full
</VirtualHost>
#<VirtualHost *:443>
# ServerAdmin sysadmin-keys-members@fedoraproject.org
# ServerName pool.sks-keyservers.net
# ServerAlias sks-keyservers.net
# ServerAlias *.sks-keyservers.net
#
# SSLEngine on
# SSLCertificateFile /etc/pki/tls/keys_fedoraproject_org.crt.pem
# SSLCertificateKeyFile /etc/pki/tls/keys_fedoraproject_org.key
# SSLProtocol {{ ssl_protocols }}
# SSLCipherSuite {{ ssl_ciphers }}
#
# ProxyPass / http://localhost:11371/
# ProxyPassReverse / http://localhost:11371/
# SetEnv proxy-nokeepalive 1
# ProxyVia Full
#</VirtualHost>
<VirtualHost *:11371>
ServerAdmin sysadmin-keys-members@fedoraproject.org
ServerName keys.fedoraproject.org
ProxyPass / http://pool.sks-keyservers.net:11371/
ProxyPassReverse / http://pool.sks-keyservers.net:11371/
SetEnv proxy-nokeepalive 1
ProxyVia Full
</VirtualHost>


@ -1,224 +0,0 @@
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
LoadModule ssl_module modules/mod_ssl.so
#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
#SSLMutex default
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
# ProxyPass / http://localhost:11371/
# ProxyPassReverse / http://localhost:11371/
#ServerName www.example.com:443
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol {{ ssl_protocols }}
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite {{ ssl_ciphers }}
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/keys_fedoraproject_org.crt.pem
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/keys_fedoraproject_org.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>