ssl-admin-vhost-apache-example.conf
changeset 43 80fb33a072bb
parent 35 c988058104dd
child 45 4142ef885213
42:a00973058be4 43:80fb33a072bb
       
     1 # replace $PREFIX (usually with /usr or /usr/local)
       
     2 <IfModule mod_ssl.c>
       
     3 # note that you will need a wildcard certificate if you want namebased virtual
       
     4 # hosts + ssl
       
     5 <VirtualHost *:443>
       
     6 
       
     7 	DocumentRoot "$PREFIX/lib/ius-dav-htpasswd/cgi-bin"
       
     8 	AssignUserId "ius-dav-htpasswd" "ius-dav-htpasswd"
       
     9 
       
    10 	ServerAdmin webmaster@localhost
       
    11 	ServerName ius-dav-htpasswd.domain.tld
       
    12 	
       
    13 	ErrorLog /var/log/apache2/error.log
       
    14 	LogLevel warn
       
    15 	CustomLog /var/log/apache2/ius-dav-htpasswd.domain.tld/ssl_access.log combined
       
    16 
       
    17 	SSLEngine on
       
    18 	SSLCertificateFile    /etc/ssl/certs/wildcard-certificate.pem
       
    19 	SSLCertificateKeyFile /etc/ssl/private/key-for-wildcard-certificate.pem
       
    20 
       
    21 	#   SSL Protocol Adjustments:
       
    22 	#   The safe and default but still SSL/TLS standard compliant shutdown
       
    23 	#   approach is that mod_ssl sends the close notify alert but doesn't wait for
       
    24 	#   the close notify alert from client. When you need a different shutdown
       
    25 	#   approach you can use one of the following variables:
       
    26 	#   o ssl-unclean-shutdown:
       
    27 	#     This forces an unclean shutdown when the connection is closed, i.e. no
       
    28 	#     SSL close notify alert is send or allowed to received.  This violates
       
    29 	#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
       
    30 	#     this when you receive I/O errors because of the standard approach where
       
    31 	#     mod_ssl sends the close notify alert.
       
    32 	#   o ssl-accurate-shutdown:
       
    33 	#     This forces an accurate shutdown when the connection is closed, i.e. a
       
    34 	#     SSL close notify alert is send and mod_ssl waits for the close notify
       
    35 	#     alert of the client. This is 100% SSL/TLS standard compliant, but in
       
    36 	#     practice often causes hanging connections with brain-dead browsers. Use
       
    37 	#     this only for browsers where you know that their SSL implementation
       
    38 	#     works correctly.
       
    39 	#   Notice: Most problems of broken clients are also related to the HTTP
       
    40 	#   keep-alive facility, so you usually additionally want to disable
       
    41 	#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
       
    42 	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
       
    43 	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
       
    44 	#   "force-response-1.0" for this.
       
    45 	BrowserMatch ".*MSIE.*" \
       
    46 		nokeepalive ssl-unclean-shutdown \
       
    47 		downgrade-1.0 force-response-1.0
       
    48 
       
    49 	# local cgi scripts
       
    50 	<Directory "$PREFIX/lib/ius-dav-htpasswd/cgi-bin">
       
    51 	    Order Deny,Allow
       
    52 	    Deny from all
       
    53 	    Allow from 127.0.0.0/8
       
    54 	    AuthType "Basic"
       
    55 	    AuthName "ius-dav-htpasswd"
       
    56 	    AuthUserFile "/path/to/ius-dav-admin-htpasswd"
       
    57 	    Require valid-user
       
    58 	    SetHandler cgi-script
       
    59 	</Directory>
       
    60 
       
    61 </VirtualHost>
       
    62 </IfModule>
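Review bot: The `<Directory>` block for the cgi-bin combines `Allow from 127.0.0.0/8` with `Require valid-user` but relies on the implicit `Satisfy All` default to enforce both; if an enclosing scope sets `Satisfy Any`, loopback requests would reach the admin CGIs without a password. Adding `Satisfy All` next to `Require valid-user` makes the intent explicit in an example that people will copy. The vhost also sets neither `SSLProtocol` nor `SSLCipherSuite`, so the Basic-auth credentials are protected only by whatever the server-wide TLS defaults are; a comment saying so, or an explicit line such as `SSLProtocol all -SSLv2 -SSLv3`, would help. Because `SetHandler cgi-script` makes every file under the DocumentRoot run as `ius-dav-htpasswd`, the `# local cgi scripts` comment could also state that the directory must hold only the shipped scripts and must not be writable by that user.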