- SSLEngine on
- SSLProtocol all -SSLv2
- SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
-
- SSLCertificateFile /usr/local/apache/conf/ssl.crt
- SSLCertificateKeyFile /usr/local/apache/conf/ssl.key
- SSLCertificateChainFile /usr/local/apache/conf/sub.class1.server.ca.pem
- SSLCACertificateFile /usr/local/apache/conf/ca.pem
- SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
- CustomLog /usr/local/apache/logs/ssl_request_log \
- "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-
-(Note that the directory /usr/local/apache/conf/ may not exist on your machine.
-For Debian, for instance, the directory might be /etc/apache2/ - in which you can create an ssl subdirectory if it doesn’t already exist.
-Then you have /etc/apache2/ssl/… instead of /usr/local/apache/conf/…)
-
-You thus end up with two entries for your Friendica site - one for simple http and one for https.
-
-Note to those who want to force SSL:
-Don't redirect to SSL in your Apache settings.
-Friendica's own admin panel has a special setting for SSL policy.
-Please use this facility instead.
-
-Mixing certificates on Apache – StartSSL and others (self-signed)
----
-
-Many people using a virtual private or dedicated server will be running more than Friendica on it.
-They will probably want to use SSL for other sites they run on the server, too.
-To achieve this, they may wish to employ more than one certificate with a single IP – for instance, a trusted one for Friendica and a self-signed certificate for personal stuff (possibly a wildcard certificate covering arbitrary subdomains).
-
-For this to work, Apache offers a NameVirtualHost directive.
-You can see how to use it in httpd.conf in the following pattern.
-Note that wildcards (*) in httpd.conf break the NameVirtualHost method – you can’t use them in this new configuration.
-In other words, no more *80> or *443>.
-And you really must specify the IP, too, even if you only have one.
-Also note that you will soon be needing two additional NameVirtualHost lines at the top of the file to cater for IPv6.
-
- NameVirtualHost 12.123.456.1:443
- NameVirtualHost 12.123.456.1:80
-
- <VirtualHost www.anywhere.net:80>
- DocumentRoot /var/www/anywhere
- Servername www.anywhere.net
- </VirtualHost>
-
- <VirtualHost www.anywhere.net:443>
- DocumentRoot /var/www/anywhere
- Servername www.anywhere.net
- SSLEngine On
- <pointers to a an eligible cert>
- <more ssl stuff >
- <other stuff>
- </VirtualHost>
-
- <VirtualHost www.somewhere-else.net:80>
- DocumentRoot /var/www/somewhere-else
- Servername www.somewhere-else.net
- </VirtualHost>
-
- <VirtualHost www.somewhere-else:443>
- DocumentRoot /var/www/somewhere-else
- Servername www.somewhere-else.net
- SSLEngine On
- <pointers to another eligible cert>
- <more ssl stuff >
- <other stuff>
- </VirtualHost>
-
-Of course, you may optionally be using other places like the sites-available directory to configure Apache, in which case only some of this information need be in httpd.conf or ports.conf - specifically, the NameVirtualHost lines must be there.
-But if you're savvy about alternatives like that, you will probably be able to figure out the details yourself.
-
-Just restart Apache when you're done, whichever way you decide to do it.
-
-StartSSL on Nginx
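Review bot: the removed paragraph starting "Note to those who want to force SSL" is the only place in these lines that tells admins to use the SSL policy setting in Friendica's admin panel instead of an Apache redirect, so confirm the replacement text keeps that instruction or it is lost with this deletion. The same applies to the NameVirtualHost section: its two practical caveats (no `*:80`/`*:443` wildcards, and the IP must be given explicitly) are not visible anywhere else in this hunk. Dropping the sample block itself is reasonable, since `SSLProtocol all -SSLv2` excludes only SSLv2 and the cipher string explicitly admits `RC4+RSA` and `+MEDIUM`; if a replacement Apache example is added elsewhere in the change, it should not carry those two lines over. The removed example also has `<VirtualHost www.somewhere-else:443>` without the `.net` used in its `Servername`, which is worth not copying either.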