Do better at SSL/TLS with only strong ciphers
[invirt/packages/invirt-web.git] / files / etc / apache2 / sites-available / ssl.mako
index dfd5af9..6b7e414 100644 (file)
@@ -8,8 +8,8 @@ Listen 442
 Listen 446
 
 <%def name="invirt_webinterface()">
-       DocumentRoot /var/www/sipb-xen-www
-       <Directory /var/www/sipb-xen-www>
+       DocumentRoot /var/www/invirt-web
+       <Directory /var/www/invirt-web>
                Options Indexes FollowSymLinks MultiViews ExecCGI
                AllowOverride None
                Order allow,deny
@@ -24,14 +24,8 @@ ${caller.body()}
        RewriteRule ^/static(.*) - [L]
        RewriteRule ^/overlord/static(.*) /static/$1 [L]
        RewriteRule ^/admin/static(.*) /static/$1 [L]
-       RewriteRule ^/trac.fcgi(.*) - [L]
-       RewriteRule ^/trac/chrome/common(.*) /usr/share/trac/htdocs$1 [L]
-       RewriteRule ^/trac(.*) /var/www/trac/trac.fcgi$1 [L]
-       RewriteRule ^/var(.*) - [L]
-       RewriteRule ^/wiki(.*) - [L]
-       RewriteRule ^/kill.cgi - [L]
-       RewriteRule ^/~ - [L]
-       RewriteRule ^/(.*) /var/www/sipb-xen-www/main.fcgi/$1 [L]
+       RewriteRule ^/trac(.*) ${tracuri}$1 [R,L]
+       RewriteRule ^/(.*) /var/www/invirt-web/auth.fcgi/$1 [L]
 
        RewriteLog /var/log/apache2/rewrite.log
        RewriteLogLevel 0 
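Review bot: The added `^/trac(.*)` rule is not anchored at a path boundary, so any URL that merely begins with /trac (for example /tracker) is redirected, and the captured suffix is appended to `${tracuri}` verbatim even when it does not start with a slash. Anchoring the match, `RewriteRule ^/trac(/.*)?$ ${tracuri}$1 [R,L]`, confines the redirect to paths under the configured Trac URI. Separately, the catch-all now sends to auth.fcgi every path that the removed pass-through rules (/var, /wiki, /kill.cgi, /~) used to exempt. That looks intentional, but it is worth confirming that nothing under the document root still relies on being served directly.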
@@ -48,12 +42,15 @@ ${caller.body()}
        SSLEngine on
 
        SSLCertificateFile ssl/server.crt
+       SSLCertificateChainFile ssl/server.crt
        SSLCertificateKeyFile ssl/server.key
        
-       SSLCACertificateFile ssl/mitCAclient.pem
+       SSLCACertificateFile /etc/ssl/certs/mitCAclient.pem
        SSLVerifyDepth 10
 
        SSLOptions +StdEnvVars
+        SSLProtocol all -SSLv2
+        SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
        
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
 
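Review bot: The added `SSLProtocol all -SSLv2` still leaves SSLv3 enabled, and the cipher string prefers RC4-SHA and then admits `ALL`, which does not match the commit's stated goal of only strong ciphers. `!ADH` also excludes only one family of anonymous suites, whereas `!aNULL` covers all of them. Consider `SSLProtocol all -SSLv2 -SSLv3`, `SSLHonorCipherOrder on` and `SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES`; without SSLHonorCipherOrder the order written in the cipher list is not enforced and the client's preference decides. The same two directives are added to the port-446 virtual host in the last hunk and need the same change.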
@@ -79,7 +76,7 @@ ${caller.body()}
                KrbMethodNegotiate on
                KrbMethodK5Passwd off
                KrbAuthoritative off
-               KrbAuthRealms ${cfg.authn[0].realm}
+               KrbAuthRealms ${cfg.kerberos.realm}
                Krb5Keytab /etc/invirt/keytab
                KrbSaveCredentials off
        </%call>
@@ -90,7 +87,7 @@ ${caller.body()}
        ServerAdmin ${errmail}
        ServerName ${hostname}:446
        
-       DocumentRoot /var/www/sipb-xen-www
+       DocumentRoot /var/www/invirt-web
        <Directory />
                Options Indexes FollowSymLinks MultiViews ExecCGI
                AllowOverride None
@@ -110,11 +107,14 @@ ${caller.body()}
        SSLEngine on
 
        SSLCertificateFile ssl/server.crt
+       SSLCertificateChainFile ssl/server.crt
        SSLCertificateKeyFile ssl/server.key
        
        SSLVerifyClient none
 
        SSLOptions +StdEnvVars
+        SSLProtocol all -SSLv2
+        SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
        
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0        
 </VirtualHost>
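Review bot: `SSLCertificateChainFile ssl/server.crt` names the same file as `SSLCertificateFile`, here and in the earlier SSL hunk, so intermediates are only served if server.crt is a concatenated bundle; nothing visible states that assumption. A comment above the directive, e.g. `# server.crt = leaf certificate followed by its intermediate CA certificates`, would keep a later certificate renewal from silently dropping the chain. The added SSLProtocol and SSLCipherSuite lines also appear to be indented differently from the neighbouring directives; matching the existing indent keeps the template uniform.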