# This is an example configuration file for Apache-SSL.
# Copyright (C) 1995,6,7,8,9,2000,2001 Ben Laurie

# If Apache-SSL is a DSO...
# Note that you must load the SSL module first, or other modules that use the
# SSL library will have unresolved symbols.
<IfModule !apache_ssl.c>
LoadModule apache_ssl_module /home/ben/work/apache-ssl/apache_1.3.22-ssl/src/modules/ssl/libssl.so
</IfModule>

# By popular demand, this file now illustrates the way to create two websites,
# one secured (on port 8887), the other not (on port 8888).

# You may need one of thse
User nobody 
Group nobody 

LogLevel debug

# If built with --enable-shared=max...
#LoadModule config_log_module /home/ben/work/apache-ssl/apache_1.3.22-ssl/src/modules/standard/mod_log_config.so
#LoadModule auth_module /home/ben/work/apache-ssl/apache_1.3.22-ssl/src/modules/standard/mod_auth.so
#LoadModule cgi_module /home/ben/work/apache-ssl/apache_1.3.22-ssl/src/modules/standard/mod_cgi.so
#LoadModule alias_module /home/ben/work/apache-ssl/apache_1.3.22-ssl/src/modules/standard/mod_alias.so

# Disable CA list sending for testing...
SSLNoCAList

# Load some randomness.
# This is loaded at startup, reading at most 1024 bytes from /dev/urandom.
# You may prefer to use /dev/random, but be aware that some OSes (e.g. Linux)
# insist on returning all 1024 bytes, thus blocking the server until the
# randomness is available.
# The randomness will be _shared_ between all server instances. You can have
# as many of these as you want.
SSLRandomFile file /dev/urandom 1024
# And this one will be loaded before SSL is negotiated for each connection.
# Again, you can have as many of these as you want, and they will all be used
# at each connection.
SSLRandomFilePerConnection file /dev/urandom 1024
#SSLRandomFilePerConnection egd /path/to/egd/socket 1024

# SSL Servers MUST be standalone, currently.
ServerType standalone

# The default port for SSL is 443...
Port 443
Listen 443
#Listen 8888

# My test document root
DocumentRoot /usr/local/apache/htdocs/CITX2182
#DocumentRoot /usr/local/apache/htdocs
#DocumentRoot /home/ben/work/apache-ssl/apache_1.3.4-ssl/htdocs
ServerName www.technicalprogramming.ca
#StartServers 5
#MaxClients 20

<Directory /home/ben/work/apache-ssl/apache_1.3.4-ssl/htdocs/manual>
# This directive forbids access except when SSL is in use. Very handy for
# defending against configuration errors that expose stuff that should be
# protected
SSLRequireSSL
# Conversely, you can forbid SSL with...
# SSLDenySSL

# Use these here if renegotiation is permitted
#SSLVerifyClient 2
#SSLVerifyDepth 2

#AuthType Basic
#AuthName Experimental
#AuthGroupFile /dev/null
#AuthUserFile /home/ben/www/users
#require valid-user
</Directory>

# Watch what's going on
TransferLog logs/transfer_log

# Note that all SSL options can apply to virtual hosts.

# Disable SSL. Useful in combination with virtual hosts. Note that SSLEnable is
# now also supported.
#SSLDisable
SSLEnable

# Set the path for the global cache server executable.
# If this facility gives you trouble, you can disable it by setting
# CACHE_SESSIONS to FALSE in apache_ssl.c
SSLCacheServerPath /usr/local/apache/bin/gcache
#SSLCacheServerPath ../src/modules/ssl/splashcache 3333@scuzzy ssl

# Set the global cache server port number, or path. If it is a path, a Unix
# domain socket is used. If a number, a TCP socket.
SSLCacheServerPort logs/gcache_port
#SSLCacheServerPort 1234

# Directory for the cache server to run in (in case of crashes). Optional.
SSLCacheServerRunDir /tmp

# Set the session cache timeout, in seconds (set to 15 for testing, use a
# higher value in real life)
SSLSessionCacheTimeout 15

# Set the CA certificate verification path (must be PEM encoded).
# (in addition to getenv("SSL_CERT_DIR"), I think).
#SSLCACertificatePath /usr/src/apache/apache_1.3.27/SSLconf/conf/ 

# Set the CA certificate verification file (must be PEM encoded).
# (in addition to getenv("SSL_CERT_FILE"), I think).
#SSLCACertificateFile /some/where/somefile
SSLCACertificateFile /usr/src/apache/apache_1.3.27/SSLconf/conf/httpsd.pem 

# Point SSLCertificateFile at a PEM encoded certificate.
# If the certificate is encrypted, then you will be prompted for a pass phrase.
# Note that a kill -1 will prompt again.
# A test certificate can be generated with "make certificate".
#SSLCertificateFile /home/ben/work/apache-ssl/apache_1.3.4-ssl/SSLconf/conf/httpsd.pem
SSLCertificateFile /usr/src/apache/apache_1.3.27/SSLconf/conf/httpsd.pem
SSLCertificateKeyFile /usr/src/apache/apache_1.3.27/SSLconf/conf/httpsd.pem
#SSLCertificateFile /u/ben/apache/apache_1.2.6-ssl/SSLconf/conf/t1.pem


# If the key is not combined with the certificate, use this directive to
# point at the key file. If this starts with a '/' it specifies an absolute
# path, otherwise it is relative to the default certificate area. That is, it
# means "<default>/private/<keyfile>".
#SSLCertificateKeyFile /some/place/with/your.key

# Set SSLVerifyClient to:
# 0 if no certicate is required
# 1 if the client may present a valid certificate
# 2 if the client must present a valid certificate
# 3 if the client may present a valid certificate but it is not required to
#   have a valid CA
SSLVerifyClient 0 
# How deeply to verify before deciding they don't have a valid certificate
SSLVerifyDepth 10

# If you have enabled client cert exports (in buff.h) you need to use
# SSLExportClientCertificates to enable them. Note that the server still has to
# mess about with certs even if this is disabled (and exports are enabled)
# because the cert chain is received before we can know whether it is needed or
# not.
<Location /scripts>
#SSLExportClientCertificates
</Location>

# Translate the client X509 into a Basic authorisation. This means that the
# standard Auth/DBMAuth methods can be used for access control. The user name
# is the "one line" version of the client's X509 certificate. Note that no
# password is obtained from the user. Every entry in the user file needs this
# password: xxj31ZMTZzkVA. See the code for further explanation.
SSLFakeBasicAuth

# List the ciphers that the client is permitted to negotiate. See the source
# for a definitive list. For example:
#SSLRequiredCiphers RC4-MD5:RC4-SHA:IDEA-CBC-MD5:DES-CBC3-SHA

# These two can be used per-directory to require or ban ciphers. Note that (at
# least in the current version) Apache-SSL will not attempt to renegotiate if a
# cipher is banned (or not required).
# You should probably at least ban the null encryption ciphers.
#SSLRequireCipher
SSLBanCipher NULL-MD5:NULL-SHA

# A home for miscellaneous rubbish generated by SSL. Much of it is duplicated
# in the error log file. Put this somewhere where it cannot be used for symlink
# attacks on a real server (i.e. somewhere where only root can write).
# Don't use this anymore! Now everything is logged in the error log.
#SSLLogFile /tmp/ssl.log

# Custom logging
CustomLog	logs/ssl_log "%t %{version}c %{cipher}c %{clientcert}c"

<VirtualHost tehuti:8888>
#SSLDisable
SSLEnable
</VirtualHost>

# If you want, you can disable SSL globally, and enable it in a virtual host...
#<VirtualHost heap:8887>
#SSLEnable
# and the rest of the SSL stuf...
#</VirtualHost>

# Experiment with authorization...
#<Directory /u/ben/www/1/docs>
#AuthType Basic
#AuthName Experimental
#AuthGroupFile /dev/null
#AuthUserFile /u/ben/www/1/users
#<Limit PUT GET>
#allow from all
#require valid-user
#</Limit>
#</Directory>

ScriptAlias	/cgi	/usr/local/apache/cgi-bin

<IfModule apache_ssl_keynote.c>
# KeyNote configuration (only if enabled, of course)

# Simple example: admit anyone
#SSLKeyNoteTrustedAssertion keynote/admit-all

# Or: admit no-one
#SSLKeyNoteTrustedAssertion keynote/admit-none

# Or: admit only Ben's Thawte certificate
#SSLKeyNoteTrustedAssertion keynote/admit-ben-thawte

# Or: admit Ben's Thawte certificate to part of the site
#SSLKeyNoteTrustedAssertion keynote/admit-ben-thawte-restricted

# Or: admit _any_ Thawte Freemail cert to any part of the site
SSLKeyNoteTrustedAssertion keynote/admit-thawte
SSLKeyNoteTrustedIssuerTemplate keynote/cert-issuer-simple
</IfModule>