- fix installation of (moved) man pages

- adjusted SSL template/default config for upstream changes, and added MaxRanges example to apache2-server-tuning.conf OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=359
2012-02-18 21:19:08 +00:00
parent 61c26886ee
commit 8877af9243
6 changed files with 82 additions and 60 deletions
--- a/apache2-vhost-ssl.template
+++ b/apache2-vhost-ssl.template
@@ -40,14 +40,25 @@

 	#  SSL protocols
 	#  Supporting TLS only is adequate nowadays
-	SSLProtocol all -SSLv2 -SSLv3
+	SSLProtocol all -SSLv2

 	#   SSL Cipher Suite:
 	#   List the ciphers that the client is permitted to negotiate.
-	#   We disable weak ciphers by default.
-	#   See the mod_ssl documentation or "openssl ciphers -v" for a
-	#   complete list.
-	SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
+	#   See the mod_ssl documentation for a complete list.
+	SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+
+	#   Speed-optimized SSL Cipher configuration:
+	#   If speed is your main concern (on busy HTTPS servers e.g.),
+	#   you might want to force clients to specific, performance
+	#   optimized ciphers. In this case, prepend those ciphers
+	#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
+	#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
+	#   (as in the example below), most connections will no longer
+	#   have perfect forward secrecy - if the server's key is
+	#   compromised, captures of past or future traffic must be
+	#   considered compromised, too.
+	#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+	#SSLHonorCipherOrder on 

 	#   Server Certificate:
 	#   Point SSLCertificateFile at a PEM encoded certificate.  If
@@ -139,10 +150,6 @@
 	#     because the extraction step is an expensive operation and is usually
 	#     useless for serving static content. So one usually enables the
 	#     exportation for CGI and SSI requests only.
-	#   o CompatEnvVars:
-	#     This exports obsolete environment variables for backward compatibility
-	#     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
-	#     to provide compatibility to existing CGI scripts.
 	#   o StrictRequire:
 	#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
 	#     under a "Satisfy any" situation, i.e. when it applies access is denied
@@ -150,10 +157,10 @@
 	#   o OptRenegotiate:
 	#     This enables optimized SSL connection renegotiation handling when SSL
 	#     directives are used in per-directory context. 
-	#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
-	<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+	<FilesMatch "\.(cgi|shtml|phtml|php)$">
 	    SSLOptions +StdEnvVars
-	</Files>
+	</FilesMatch>
 	<Directory "/srv/www/cgi-bin">
 	    SSLOptions +StdEnvVars
 	</Directory>
@@ -182,7 +189,7 @@
 	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
 	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
 	#   "force-response-1.0" for this.
-	SetEnvIf User-Agent ".*MSIE [1-5].*" \
+	BrowserMatch "MSIE [2-5]" \
 		 nokeepalive ssl-unclean-shutdown \
 		 downgrade-1.0 force-response-1.0