apache 2.x SSL/SSL Proxy配置

## This is the Apache server configuration file providing SSL support.# It contains the configuration directives to instruct the server how to# serve pages over an https connection. For detailing information about these # directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html># # Do NOT simply read the instructions in here without understanding# what they do.  They're here only as hints or reminders.  If you are unsure# consult the online docs. You have been warned.  ### Pseudo Random Number Generator (PRNG):# Configure one or more sources to seed the PRNG of the SSL library.# The seed data should be of good random quality.# WARNING! On some platforms /dev/random blocks if not enough entropy# is available. This means you then cannot use the /dev/random device# because it would lead to very long connection times (as long as# it requires to make more entropy available). But usually those# platforms additionally provide a /dev/urandom device which doesn't# block. So, if available, use this one instead. Read the mod_ssl User# Manual for more details.##SSLRandomSeed startup file:/dev/random  512#SSLRandomSeed startup file:/dev/urandom 512#SSLRandomSeed connect file:/dev/random  512#SSLRandomSeed connect file:/dev/urandom 512## When we also provide SSL we have to listen to the # standard HTTP port (see above) and to the HTTPS port## Note: Configurations that use IPv6 but not IPv4-mapped addresses need two#       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"##监听地址Listen 192.168.100.8:443####  SSL Global Context####  All SSL configuration in this context applies both to##  the main server and all SSL-enabled virtual hosts.####   Some MIME-types for downloading Certificates and CRLs#AddType application/x-x509-ca-cert .crtAddType application/x-pkcs7-crl    .crl#   Pass Phrase Dialog:#   Configure the pass phrase gathering process.#   The filtering dialog program (`builtin' is a internal#   terminal dialog) has to provide the pass phrase on stdout.SSLPassPhraseDialog  builtin#   Inter-Process Session Cache:#   Configure the SSL Session Cache: First the mechanism #   to use and second the expiring timeout (in seconds).#SSLSessionCache         "dbm:C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_scache"SSLSessionCache        "shmcb:C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"SSLSessionCacheTimeout  300#   Semaphore:#   Configure the path to the mutual exclusion semaphore the#   SSL engine uses internally for inter-process synchronization. SSLMutex default#### SSL Virtual Host Context###监听地址<VirtualHost 192.168.100.8:443>#   General setup for the virtual hostDocumentRoot "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs"ServerName 192.168.100.8:443ServerAdmin la@ga.comErrorLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/error.log"TransferLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/access.log"#   SSL Engine Switch:#   Enable/Disable SSL for this virtual host.#此虚拟主机打开SSLSSLEngine on#   SSL Cipher Suite:#   List the ciphers that the client is permitted to negotiate.#   See the mod_ssl documentation for a complete list.SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULLSSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL#   Server Certificate:#   Point SSLCertificateFile at a PEM encoded certificate.  If#   the certificate is encrypted, then you will be prompted for a#   pass phrase.  Note that a kill -HUP will prompt again.  Keep#   in mind that if you have both an RSA and a DSA certificate you#   can configure both in parallel (to also allow the use of DSA#   ciphers, etc.)#由CA签发回来的服务器证书（Base64编码 X.509）SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/server.crt"#SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/server-dsa.crt"#   Server Private Key:#   If the key is not combined with the certificate, use this#   directive to point at the key file.  Keep in mind that if#   you've both a RSA and a DSA private key you can configure#   both in parallel (to also allow the use of DSA ciphers, etc.)#自生成的服务器密钥#openssl genrsa -des3 -out server.key 1024#创建证书签发请求：#openssl req -new -key server.key -out server.csrSSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/server.key"#SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/server-dsa.key"#   Server Certificate Chain:#   Point SSLCertificateChainFile at a file containing the#   concatenation of PEM encoded CA certificates which form the#   certificate chain for the server certificate. Alternatively#   the referenced file can be the same as SSLCertificateFile#   when the CA certificates are directly appended to the server#   certificate for convinience.#CA的证书链，如是多级CA，将各个点的Base64(cer)包含到一个文件里。SSLCertificateChainFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl.crt/all.crt"#   Certificate Authority (CA):#   Set the CA certificate verification path where to find CA#   certificates for client authentication or alternatively one#   huge file containing all of them (file must be PEM encoded)#   Note: Inside SSLCACertificatePath you need hash symlinks#         to point to the certificate files. Use the provided#         Makefile to update the hash symlinks after changes.#CA证书链，如是多级CA，将各个点的Base64(cer)包含到一个文件里，注意：文件必须有，否则无法接受客户端证书。SSLCACertificatePath "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl.crt"SSLCACertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl.crt/all.crt"#   Certificate Revocation Lists (CRL):#   Set the CA revocation path where to find CA CRLs for client#   authentication or alternatively one huge file containing all#   of them (file must be PEM encoded)#   Note: Inside SSLCARevocationPath you need hash symlinks#         to point to the certificate files. Use the provided#         Makefile to update the hash symlinks after changes.#SSLCARevocationPath "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl.crl"#SSLCARevocationFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl.crl/ca-bundle.crl"#   Client Authentication (Type):#   Client certificate verification type and depth.  Types are#   none, optional, require and optional_no_ca.  Depth is a#   number which specifies how deeply to verify the certificate#   issuer chain before deciding the certificate is not valid.#客户端证书请求。SSLVerifyClient require#根据CA的证书链决定。SSLVerifyDepth  2#   Access Control:#   With SSLRequire you can do per-directory access control based#   on arbitrary complex boolean expressions containing server#   variable checks and other lookup directives.  The syntax is a#   mixture between C and Perl.  See the mod_ssl documentation#   for more details.#<Location />#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/#</Location>#   SSL Engine Options:#   Set various options for the SSL engine.#   o FakeBasicAuth:#     Translate the client X.509 into a Basic Authorisation.  This means that#     the standard Auth/DBMAuth methods can be used for access control.  The#     user name is the `one line' version of the client's X.509 certificate.#     Note that no password is obtained from the user. Every entry in the user#     file needs this password: `xxj31ZMTZzkVA'.#   o ExportCertData:#     This exports two additional environment variables: SSL_CLIENT_CERT and#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the#     server (always existing) and the client (only existing when client#     authentication is used). This can be used to import the certificates#     into CGI scripts.#   o StdEnvVars:#     This exports the standard SSL/TLS related `SSL_*' environment variables.#     Per default this exportation is switched off for performance reasons,#     because the extraction step is an expensive operation and is usually#     useless for serving static content. So one usually enables the#     exportation for CGI and SSI requests only.#   o StrictRequire:#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even#     under a "Satisfy any" situation, i.e. when it applies access is denied#     and no other module can change it.#   o OptRenegotiate:#     This enables optimized SSL connection renegotiation handling when SSL#     directives are used in per-directory context. #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire<FilesMatch "\.(cgi|shtml|phtml|php)$">    SSLOptions +StdEnvVars</FilesMatch><Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">    SSLOptions +StdEnvVars</Directory>#   SSL Protocol Adjustments:#   The safe and default but still SSL/TLS standard compliant shutdown#   approach is that mod_ssl sends the close notify alert but doesn't wait for#   the close notify alert from client. When you need a different shutdown#   approach you can use one of the following variables:#   o ssl-unclean-shutdown:#     This forces an unclean shutdown when the connection is closed, i.e. no#     SSL close notify alert is send or allowed to received.  This violates#     the SSL/TLS standard but is needed for some brain-dead browsers. Use#     this when you receive I/O errors because of the standard approach where#     mod_ssl sends the close notify alert.#   o ssl-accurate-shutdown:#     This forces an accurate shutdown when the connection is closed, i.e. a#     SSL close notify alert is send and mod_ssl waits for the close notify#     alert of the client. This is 100% SSL/TLS standard compliant, but in#     practice often causes hanging connections with brain-dead browsers. Use#     this only for browsers where you know that their SSL implementation#     works correctly. #   Notice: Most problems of broken clients are also related to the HTTP#   keep-alive facility, so you usually additionally want to disable#   keep-alive for those clients, too. Use variable "nokeepalive" for this.#   Similarly, one has to force some clients to use HTTP/1.0 to workaround#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and#   "force-response-1.0" for this.BrowserMatch ".*MSIE.*" \         nokeepalive ssl-unclean-shutdown \         downgrade-1.0 force-response-1.0#   Per-Server Logging:#   The home of a custom SSL log file. Use this when you want a#   compact non-error SSL logfile on a virtual host basis.CustomLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_request.log" \          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"SSLProxyEngine onSSLProxyVerify require SSLProxyVerifyDepth 2 #CA证书链，如是多级CA，将各个点的Base64(cer)包含到一个文件里，注意：文件必须有，否则无法接受客户端证书。SSLProxyCACertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl.crt/all.crt"SSLProxyCACertificatePath "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl.crt"#远程主机的客户端私钥与公钥整合文件#p12转为pem，openssl pkcs12 -in CASuperAdmin.pfx -out CASuperAdmin.pem#因为目前不支持带密码保护的，删除PEM的密码，openssl rsa -in CASuperAdmin.pem.org -out CASuperAdmin.pem#将p12的公钥增加到pem文件的后面SSLProxyMachineCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl.crt/CASuperAdmin.pem"#SSLProxyMachineCertificatePath "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl.crt"ProxyPass /szca/ https://192.168.100.22:9444/ProxyPassReverse /szca/ https://192.168.100.22:9444/</VirtualHost>                                  ProxyRequests Off   <Proxy *>    Order deny,allow    Allow from all  </Proxy>

#FAQ: http://lamp.linux.gov.cn/Apache/ApacheMenu/ssl/ssl_faq.html