Exemplo de default-ssl.conf para Let's Encrypt

ServerAdmin webmaster@localhost



DocumentRoot /var/www/html



# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,

# error, crit, alert, emerg.

# It is also possible to configure the loglevel for particular

# modules, e.g.

#LogLevel info ssl:warn



ErrorLog ${APACHE_LOG_DIR}/error.log

CustomLog ${APACHE_LOG_DIR}/access.log combined



# For most configuration files from conf-available/, which are

# enabled or disabled at a global level, it is possible to

# include a line for only one particular virtual host. For example the

# following line enables the CGI configuration for this host only

# after it has been globally disabled with "a2disconf".

#Include conf-available/serve-cgi-bin.conf



#   SSL Engine Switch:

#   Enable/Disable SSL for this virtual host.

SSLEngine on



#   A self-signed (snakeoil) certificate can be created by installing

#   the ssl-cert package. See

#   /usr/share/doc/apache2/README.Debian.gz for more info.

#   If both key and certificate are stored in the same file, only the

#   SSLCertificateFile directive is needed.

#SSLCertificateFile	/etc/ssl/certs/ssl-cert-snakeoil.pem

#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

		

#SSLCertificateFile /etc/letsencrypt/live/example.com/chain.pem

#SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

Include /etc/letsencrypt/options-ssl-apache.conf



#   Server Certificate Chain:

#   Point SSLCertificateChainFile at a file containing the

#   concatenation of PEM encoded CA certificates which form the

#   certificate chain for the server certificate. Alternatively

#   the referenced file can be the same as SSLCertificateFile

#   when the CA certificates are directly appended to the server

#   certificate for convinience.

#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt



#   Certificate Authority (CA):

#   Set the CA certificate verification path where to find CA

#   certificates for client authentication or alternatively one

#   huge file containing all of them (file must be PEM encoded)

#   Note: Inside SSLCACertificatePath you need hash symlinks

#		 to point to the certificate files. Use the provided

#		 Makefile to update the hash symlinks after changes.

#SSLCACertificatePath /etc/ssl/certs/

#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt



#   Certificate Revocation Lists (CRL):

#   Set the CA revocation path where to find CA CRLs for client

#   authentication or alternatively one huge file containing all

#   of them (file must be PEM encoded)

#   Note: Inside SSLCARevocationPath you need hash symlinks

#		 to point to the certificate files. Use the provided

#		 Makefile to update the hash symlinks after changes.

#SSLCARevocationPath /etc/apache2/ssl.crl/

#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl



#   Client Authentication (Type):

#   Client certificate verification type and depth.  Types are

#   none, optional, require and optional_no_ca.  Depth is a

#   number which specifies how deeply to verify the certificate

#   issuer chain before deciding the certificate is not valid.

#SSLVerifyClient require

#SSLVerifyDepth  10



#   SSL Engine Options:

#   Set various options for the SSL engine.

#   o FakeBasicAuth:

#	 Translate the client X.509 into a Basic Authorisation.  This means that

#	 the standard Auth/DBMAuth methods can be used for access control.  The

#	 user name is the `one line' version of the client's X.509 certificate.

#	 Note that no password is obtained from the user. Every entry in the user

#	 file needs this password: `xxj31ZMTZzkVA'.

#   o ExportCertData:

#	 This exports two additional environment variables: SSL_CLIENT_CERT and

#	 SSL_SERVER_CERT. These contain the PEM-encoded certificates of the

#	 server (always existing) and the client (only existing when client

#	 authentication is used). This can be used to import the certificates

#	 into CGI scripts.

#   o StdEnvVars:

#	 This exports the standard SSL/TLS related `SSL_*' environment variables.

#	 Per default this exportation is switched off for performance reasons,

#	 because the extraction step is an expensive operation and is usually

#	 useless for serving static content. So one usually enables the

#	 exportation for CGI and SSI requests only.

#   o OptRenegotiate:

#	 This enables optimized SSL connection renegotiation handling when SSL

#	 directives are used in per-directory context.

#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

		

SSLOptions +StdEnvVars

SSLOptions +StdEnvVars



#   SSL Protocol Adjustments:

#   The safe and default but still SSL/TLS standard compliant shutdown

#   approach is that mod_ssl sends the close notify alert but doesn't wait for

#   the



SSLEngine on



# Intermediate configuration, tweak to your needs

SSLProtocol             all -SSLv2 -SSLv3

SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

SSLHonorCipherOrder     on

SSLCompression          off



SSLOptions +StrictRequire



# Add vhost name to log entries:

LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"" vhost_combined

LogFormat "%v %h %l %u %t "%r" %>s %b" vhost_common



#CustomLog /var/log/apache2/access.log vhost_combined

#LogLevel warn

#ErrorLog /var/log/apache2/error.log



# Always ensure Cookies have "Secure" set (JAH 2012/1)

#Header edit Set-Cookie (?i)^(.*)(;s*secure)??((s*;)?(.*)) "$1; Secure$3$4"