Do better at SSL/TLS with only strong ciphers
[invirt/packages/invirt-web.git] / files / etc / apache2 / sites-available / ssl.mako
index 9875db1..6b7e414 100644 (file)
@@ -25,9 +25,7 @@ ${caller.body()}
        RewriteRule ^/overlord/static(.*) /static/$1 [L]
        RewriteRule ^/admin/static(.*) /static/$1 [L]
        RewriteRule ^/trac(.*) ${tracuri}$1 [R,L]
-       RewriteRule ^/kill.cgi - [L]
-       RewriteRule ^/~ - [L]
-       RewriteRule ^/(.*) /var/www/invirt-web/main.fcgi/$1 [L]
+       RewriteRule ^/(.*) /var/www/invirt-web/auth.fcgi/$1 [L]
 
        RewriteLog /var/log/apache2/rewrite.log
        RewriteLogLevel 0 
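Review bot: The catch-all rule on the new line 11 now also captures `/kill.cgi` and `/~...` requests, which the two removed pass-through rules used to hand to Apache untouched, so those paths are now routed into auth.fcgi rather than served directly; the commit message does not say whether that is deliberate. If it is, a comment above the rule would save the next reader from re-adding the exclusions, e.g. `# Everything not matched above (static, trac) goes through auth.fcgi; kill.cgi and ~user are intentionally no longer exempt.` If it is not, the two `- [L]` rules need to come back ahead of the catch-all. The enclosing RewriteRule block begins before this hunk.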
@@ -44,12 +42,15 @@ ${caller.body()}
        SSLEngine on
 
        SSLCertificateFile ssl/server.crt
+       SSLCertificateChainFile ssl/server.crt
        SSLCertificateKeyFile ssl/server.key
        
-       SSLCACertificateFile ssl/mitCAclient.pem
+       SSLCACertificateFile /etc/ssl/certs/mitCAclient.pem
        SSLVerifyDepth 10
 
        SSLOptions +StdEnvVars
+        SSLProtocol all -SSLv2
+        SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
        
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
 
@@ -75,7 +76,7 @@ ${caller.body()}
                KrbMethodNegotiate on
                KrbMethodK5Passwd off
                KrbAuthoritative off
-               KrbAuthRealms ${cfg.authn[0].realm}
+               KrbAuthRealms ${cfg.kerberos.realm}
                Krb5Keytab /etc/invirt/keytab
                KrbSaveCredentials off
        </%call>
@@ -106,11 +107,14 @@ ${caller.body()}
        SSLEngine on
 
        SSLCertificateFile ssl/server.crt
+       SSLCertificateChainFile ssl/server.crt
        SSLCertificateKeyFile ssl/server.key
        
        SSLVerifyClient none
 
        SSLOptions +StdEnvVars
+        SSLProtocol all -SSLv2
+        SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
        
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0        
 </VirtualHost>