| field | value | date |
|---|---|---|
| author | Daniel Gruno <humbedooh@apache.org> | 2012-04-26 16:40:34 +0200 |
| committer | Daniel Gruno <humbedooh@apache.org> | 2012-04-26 16:40:34 +0200 |
| commit | 14e7630d1848fdc08199a23270b51108890349c0 (patch) | |
| tree | 5db8070971f640ffc12af58ea8820490aa330333 | |
| parent | syntax updates (diff) | |
| download | apache2-14e7630d1848fdc08199a23270b51108890349c0.tar.xz, apache2-14e7630d1848fdc08199a23270b51108890349c0.zip | |
Syntax and formatting fixes
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1330881 13f79535-47bb-0310-9956-ffa450edef68
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | docs/manual/ssl/ssl_faq.xml | 40 |
| -rw-r--r-- | docs/manual/ssl/ssl_howto.xml | 198 |

2 files changed, 117 insertions, 121 deletions
diff --git a/docs/manual/ssl/ssl_faq.xml b/docs/manual/ssl/ssl_faq.xml index bd35c3dc4f..a7e36f8833 100644 --- a/docs/manual/ssl/ssl_faq.xml +++ b/docs/manual/ssl/ssl_faq.xml @@ -172,11 +172,11 @@ relative hyperlinks?</a></li> fully-qualified hyperlinks (because you have to change the URL scheme). Using <module>mod_rewrite</module> however, you can manipulate relative hyperlinks, to achieve the same effect.</p> - <example> - RewriteEngine on<br /> - RewriteRule ^/(.*)_SSL$ https://%{SERVER_NAME}/$1 [R,L]<br /> - RewriteRule ^/(.*)_NOSSL$ http://%{SERVER_NAME}/$1 [R,L] - </example> + <highlight language="config"> +RewriteEngine on +RewriteRule ^/(.*)_SSL$ https://%{SERVER_NAME}/$1 [R,L] +RewriteRule ^/(.*)_NOSSL$ http://%{SERVER_NAME}/$1 [R,L] + </highlight> <p>This rewrite ruleset lets you use hyperlinks of the form <code><a href="document.html_SSL"></code>, to switch to HTTPS @@ -253,10 +253,10 @@ Certificate for testing purposes?</title> -keyout server.key</strong></code><br /> These can be used as follows in your <code>httpd.conf</code> file: - <pre> - SSLCertificateFile /path/to/this/server.crt - SSLCertificateKeyFile /path/to/this/server.key - </pre> + <highlight language="config"> +SSLCertificateFile /path/to/this/server.crt +SSLCertificateKeyFile /path/to/this/server.key + </highlight> </li> <li>It is important that you are aware that this <code>server.key</code> does <em>not</em> have any passphrase. @@ -333,10 +333,10 @@ Certificate for testing purposes?</title> <li>You should now have two files: <code>server.key</code> and <code>server.crt</code>. These can be used as follows in your <code>httpd.conf</code> file: - <pre> - SSLCertificateFile /path/to/this/server.crt - SSLCertificateKeyFile /path/to/this/server.key - </pre> + <highlight language="config"> +SSLCertificateFile /path/to/this/server.crt +SSLCertificateKeyFile /path/to/this/server.key + </highlight> The <code>server.csr</code> file is no longer needed. </li> 
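Review bot: the relative-hyperlinks hunk carries `RewriteRule ^/(.*)_SSL$ https://%{SERVER_NAME}/$1 [R,L]` over unchanged, and while this entry is being touched it deserves one sentence of caution: with the default `UseCanonicalName Off`, `%{SERVER_NAME}` is taken from the client-supplied Host header, so the target of the `_SSL`/`_NOSSL` redirect can be steered by whoever controls that header. Suggest mentioning `UseCanonicalName On` next to the ruleset or using a fixed hostname in the substitution. Style point on the two certificate hunks at 253 and 333: the openssl command immediately above them (`-keyout server.key</strong></code><br />`) is still marked up as `<code><strong>` with `<br />` line breaks while the directives below it moved to `<highlight language="config">`; converting that command to a highlight block in the same pass would make the section consistent instead of half-migrated.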
@@ -650,9 +650,9 @@ Virtual Hosting to identify different SSL virtual hosts?</title> you must make sure to put the non-SSL port number on the NameVirtualHost directive, e.g.</p> - <example> + <highlight language="config"> NameVirtualHost 192.168.1.1:80 - </example> + </highlight> <p>Other workaround solutions include: </p> @@ -702,11 +702,11 @@ Explorer (MSIE)?</title> keep-alive connections or send the SSL close notify messages to MSIE clients. This can be done by using the following directive in your SSL-aware virtual host section:</p> - <example> - SetEnvIf User-Agent "MSIE [2-5]" \<br /> - nokeepalive ssl-unclean-shutdown \<br /> - downgrade-1.0 force-response-1.0 - </example> + <highlight language="config"> +SetEnvIf User-Agent "MSIE [2-5]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + </highlight> <p>Further, some MSIE versions have problems with particular ciphers. Unfortunately, it is not possible to implement a MSIE-specific workaround for this, because the ciphers are needed as early as the diff --git a/docs/manual/ssl/ssl_howto.xml b/docs/manual/ssl/ssl_howto.xml index ebca08faa2..bada94668f 100644 --- a/docs/manual/ssl/ssl_howto.xml +++ b/docs/manual/ssl/ssl_howto.xml @@ -39,17 +39,15 @@ before progressing to the advanced techniques.</p> <p>Your SSL configuration will need to contain, at minimum, the following directives.</p> -<example> - Listen 443<br /> - <VirtualHost *:443><br /> - <indent> - ServerName www.example.com<br /> - SSLEngine on<br /> - SSLCertificateFile /path/to/www.example.com.cert<br /> - SSLCertificateKeyFile /path/to/www.example.com.key<br /> - </indent> - </VirtualHost> -</example> +<highlight language="config"> +Listen 443 +<VirtualHost *:443> + ServerName www.example.com + SSLEngine on + SSLCertificateFile /path/to/www.example.com.cert + SSLCertificateKeyFile /path/to/www.example.com.key +</VirtualHost> +</highlight> </section> 
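Review bot: in the MSIE hunk the `SetEnvIf User-Agent "MSIE [2-5]"` match enables `ssl-unclean-shutdown` and `downgrade-1.0` on the basis of a header the client chooses, so any client can present that User-Agent and have the server omit the SSL close_notify; the surrounding prose should say this is a compatibility concession for obsolete browsers and not something to leave in a default configuration. The conversion itself is sound: the trailing backslashes keep `SetEnvIf` a single logical line once the `<br />` tags are gone. In the ssl_howto minimal-config hunk, replacing `<indent>` with literal leading spaces inside `<highlight>` is fine as long as the highlight element renders preformatted text, which the old `<example>` form did not and hence needed `<indent>`.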
@@ -65,18 +63,18 @@ requires a strong cipher for access to a particular URL?</a></li> <title>How can I create an SSL server which accepts strong encryption only?</title> <p>The following enables only the strongest ciphers:</p> - <example><title>httpd.conf</title> - SSLCipherSuite HIGH:!aNULL:!MD5<br /> - </example> + <highlight language="config"> + SSLCipherSuite HIGH:!aNULL:!MD5 + </highlight> <p>While with the following configuration you specify a preference for specific speed-optimized ciphers (which will be selected by mod_ssl, provided that they are supported by the client):</p> - <example><title>httpd.conf</title> - SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5<br /> - SSLHonorCipherOrder on - </example> + <highlight language="config"> +SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5 +SSLHonorCipherOrder on + </highlight> </section> <section id="strongurl"> @@ -90,16 +88,16 @@ URL?</title> blocks, to give a per-directory solution, and can automatically force a renegotiation of the SSL parameters to meet the new configuration. This can be done as follows:</p> - <example> - # be liberal in general<br /> - SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL<br /> - <br /> - <Location /strong/area><br /> - # but https://hostname/strong/area/ and below<br /> - # requires strong ciphers<br /> - SSLCipherSuite HIGH:!aNULL:!MD5<br /> - </Location> - </example> + <highlight language="config"> +# be liberal in general +SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL + +<Location /strong/area> +# but https://hostname/strong/area/ and below +# requires strong ciphers +SSLCipherSuite HIGH:!aNULL:!MD5 +</Location> + </highlight> </section> </section> <!-- /ciphersuites --> 
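Review bot: the `<example><title>httpd.conf</title>` caption is dropped in both hunks of this section (and again in the client-authentication hunks further down) with no replacement, so the reader no longer sees which file the fragment belongs to; keep the caption if `<highlight>` accepts a title, otherwise name the file in the preceding sentence. The two new blocks in the first hunk are also indented differently (` SSLCipherSuite HIGH:!aNULL:!MD5` versus `SSLCipherSuite RC4-SHA:...` flush left); pick one. Two content caveats worth a sentence while this text is open: in the "speed-optimized" example `SSLHonorCipherOrder on` with `RC4-SHA:AES128-SHA:HIGH:...` makes the server actively prefer RC4 over AES for every client that offers both, and in the per-directory example the liberal baseline `ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL` still permits LOW and EXP ciphers (the `+` operator only reorders ciphers already present, and `ALL` never contains eNULL, so `+eNULL` adds nothing), which means the request for `/strong/area` is transmitted under whatever weak cipher the initial handshake selected before the renegotiation to `HIGH` happens.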
@@ -125,13 +123,13 @@ Intranet website, for clients coming from the Internet?</a></li> need to do is to create client certificates signed by your own CA certificate (<code>ca.crt</code>) and then verify the clients against this certificate.</p> - <example><title>httpd.conf</title> - # require a client certificate which has to be directly<br /> - # signed by our CA certificate in ca.crt<br /> - SSLVerifyClient require<br /> - SSLVerifyDepth 1<br /> - SSLCACertificateFile conf/ssl.crt/ca.crt - </example> + <highlight language="config"> +# require a client certificate which has to be directly +# signed by our CA certificate in ca.crt +SSLVerifyClient require +SSLVerifyDepth 1 +SSLCACertificateFile conf/ssl.crt/ca.crt + </highlight> </section> <section id="arbitraryclients"> @@ -142,15 +140,15 @@ Intranet website, for clients coming from the Internet?</a></li> you can use the per-directory reconfiguration features of <module>mod_ssl</module>:</p> - <example><title>httpd.conf</title> - SSLVerifyClient none<br /> - SSLCACertificateFile conf/ssl.crt/ca.crt<br /> - <br /> - <Location /secure/area><br /> - SSLVerifyClient require<br /> - SSLVerifyDepth 1<br /> - </Location><br /> - </example> + <highlight language="config"> +SSLVerifyClient none +SSLCACertificateFile conf/ssl.crt/ca.crt + +<Location /secure/area> +SSLVerifyClient require +SSLVerifyDepth 1 +</Location> + </highlight> </section> <section id="certauthenticate"> 
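Review bot: indentation inside the new blocks is inconsistent between this section and the next: the `<Location /secure/area>` body here leaves `SSLVerifyClient require` and `SSLVerifyDepth 1` flush left, while the `<Directory>` bodies in the certauthenticate hunks are indented two spaces; one convention should apply to the whole patch. On substance, both examples trust `ca.crt` at depth 1 and say nothing about revocation; placing `SSLCARevocationFile` next to `SSLCACertificateFile` would let the "only clients with certificates from our CA" claim survive a compromised or withdrawn client certificate. The per-directory `SSLVerifyClient require` in the second hunk also implies a renegotiation after the request for `/secure/area` has already been read, which is worth stating because it determines what an unauthenticated client can send before being challenged for a certificate.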
@@ -169,23 +167,22 @@ Intranet website, for clients coming from the Internet?</a></li> you should establish a password database containing <em>all</em> clients allowed, as follows:</p> - <example><title>httpd.conf</title><pre> + <highlight language="config"> SSLVerifyClient none <Directory /usr/local/apache2/htdocs/secure/area> - -SSLVerifyClient require -SSLVerifyDepth 5 -SSLCACertificateFile conf/ssl.crt/ca.crt -SSLCACertificatePath conf/ssl.crt -SSLOptions +FakeBasicAuth -SSLRequireSSL -AuthName "Snake Oil Authentication" -AuthType Basic -AuthBasicProvider file -AuthUserFile /usr/local/apache2/conf/httpd.passwd -Require valid-user -</Directory></pre> - </example> + SSLVerifyClient require + SSLVerifyDepth 5 + SSLCACertificateFile conf/ssl.crt/ca.crt + SSLCACertificatePath conf/ssl.crt + SSLOptions +FakeBasicAuth + SSLRequireSSL + AuthName "Snake Oil Authentication" + AuthType Basic + AuthBasicProvider file + AuthUserFile /usr/local/apache2/conf/httpd.passwd + Require valid-user +</Directory> + </highlight> <p>The password used in this example is the DES encrypted string "password". See the <directive module="mod_ssl">SSLOptions</directive> docs for more @@ -202,10 +199,9 @@ Require valid-user >SSLRequire</directive>, as follows:</p> - <example><title>httpd.conf</title><pre> + <highlight language="config"> SSLVerifyClient none <Directory /usr/local/apache2/htdocs/secure/area> - SSLVerifyClient require SSLVerifyDepth 5 SSLCACertificateFile conf/ssl.crt/ca.crt @@ -214,8 +210,8 @@ SSLVerifyClient none SSLRequireSSL SSLRequire %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} -</Directory></pre> - </example> +</Directory> + </highlight> </section> <section id="intranet"> 
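Review bot: the `+FakeBasicAuth` example needs a caveat the prose only hints at with "The password used in this example is the DES encrypted string "password"": with this option mod_ssl synthesises a Basic credential whose username is the client certificate's DN and whose password is always the literal `password`, so `/usr/local/apache2/conf/httpd.passwd` must never be shared with a location that accepts real Basic authentication without `SSLVerifyClient require`, because there a DN plus `password` would log in. Also, `SSLVerifyDepth 5` together with `SSLCACertificatePath conf/ssl.crt` accepts chains through any intermediate found in that directory, a noticeably wider trust than the `SSLVerifyDepth 1` examples earlier in the file; a sentence explaining why the depth differs would help readers who copy one block and paste it next to the other. Removing the blank lines after `<Directory ...>` and adding two-space indentation in the `SSLRequire` hunk is fine.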
@@ -230,50 +226,50 @@ plain HTTP access for clients on the Intranet.</title> This configuration should remain outside of your HTTPS virtual host, so that it applies to both HTTPS and HTTP.</p> - <example><title>httpd.conf</title><pre> + <highlight language="config"> SSLCACertificateFile conf/ssl.crt/company-ca.crt <Directory /usr/local/apache2/htdocs> -# Outside the subarea only Intranet access is granted -Order deny,allow -Deny from all -Allow from 192.168.1.0/24 + # Outside the subarea only Intranet access is granted + Order deny,allow + Deny from all + Allow from 192.168.1.0/24 </Directory> <Directory /usr/local/apache2/htdocs/subarea> -# Inside the subarea any Intranet access is allowed -# but from the Internet only HTTPS + Strong-Cipher + Password -# or the alternative HTTPS + Strong-Cipher + Client-Certificate - -# If HTTPS is used, make sure a strong cipher is used. -# Additionally allow client certs as alternative to basic auth. -SSLVerifyClient optional -SSLVerifyDepth 1 -SSLOptions +FakeBasicAuth +StrictRequire -SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 - -# Force clients from the Internet to use HTTPS -RewriteEngine on -RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$ -RewriteCond %{HTTPS} !=on -RewriteRule . - [F] - -# Allow Network Access and/or Basic Auth -Satisfy any - -# Network Access Control -Order deny,allow -Deny from all -Allow 192.168.1.0/24 - -# HTTP Basic Authentication -AuthType basic -AuthName "Protected Intranet Area" -AuthBasicProvider file -AuthUserFile conf/protected.passwd -Require valid-user -</Directory></pre> - </example> + # Inside the subarea any Intranet access is allowed + # but from the Internet only HTTPS + Strong-Cipher + Password + # or the alternative HTTPS + Strong-Cipher + Client-Certificate + + # If HTTPS is used, make sure a strong cipher is used. + # Additionally allow client certs as alternative to basic auth. 
+ SSLVerifyClient optional + SSLVerifyDepth 1 + SSLOptions +FakeBasicAuth +StrictRequire + SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 + + # Force clients from the Internet to use HTTPS + RewriteEngine on + RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$ + RewriteCond %{HTTPS} !=on + RewriteRule . - [F] + + # Allow Network Access and/or Basic Auth + Satisfy any + + # Network Access Control + Order deny,allow + Deny from all + Allow 192.168.1.0/24 + + # HTTP Basic Authentication + AuthType basic + AuthName "Protected Intranet Area" + AuthBasicProvider file + AuthUserFile conf/protected.passwd + Require valid-user +</Directory> + </highlight> </section> </section> <!-- /access control --> |
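Review bot: `Allow 192.168.1.0/24` in the subarea block (present in both the removed and the added line) is missing the mandatory `from` keyword; the first `<Directory>` block correctly reads `Allow from 192.168.1.0/24`, and httpd refuses the form without it at startup ("allow and deny must be followed by 'from'"), so the example as written does not load. Since this hunk re-indents every line of the block anyway, fix it here rather than carrying the error over. A second point: the intranet test is written twice, once as `Allow from 192.168.1.0/24` under `Order deny,allow` and once as `RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$`; with `Satisfy any` the first grants intranet clients a bypass of both the password and the client-certificate checks, which matches the stated intent, but whoever changes the network later has to update both places, so a comment tying them together (or noting that the RewriteCond range must equal the Allow range) would save a future mismatch.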