Initial Chef repository

cookbooks/apache2/templates/default/mods/ssl.conf.erb

@@ -0,0 +1,108 @@
+<IfModule mod_ssl.c>
+  #
+  # Pseudo Random Number Generator (PRNG):
+  # Configure one or more sources to seed the PRNG of the SSL library.
+  # The seed data should be of good random quality.
+  # WARNING! On some platforms /dev/random blocks if not enough entropy
+  # is available. This means you then cannot use the /dev/random device
+  # because it would lead to very long connection times (as long as
+  # it requires to make more entropy available). But usually those
+  # platforms additionally provide a /dev/urandom device which doesn't
+  # block. So, if available, use this one instead. Read the mod_ssl User
+  # Manual for more details.
+  #
+  SSLRandomSeed startup builtin
+  SSLRandomSeed startup file:/dev/urandom 512
+  SSLRandomSeed connect builtin
+  SSLRandomSeed connect file:/dev/urandom 512
+
+  ##
+  ##  SSL Global Context
+  ##
+  ##  All SSL configuration in this context applies both to
+  ##  the main server and all SSL-enabled virtual hosts.
+  ##
+
+  #
+  #   Some MIME-types for downloading Certificates and CRLs
+  #
+  AddType application/x-x509-ca-cert .crt
+  AddType application/x-pkcs7-crl    .crl
+
+  #   Pass Phrase Dialog:
+  #   Configure the pass phrase gathering process.
+  #   The filtering dialog program (`builtin' is a internal
+  #   terminal dialog) has to provide the pass phrase on stdout.
+  SSLPassPhraseDialog <%= node['apache']['mod_ssl']['pass_phrase_dialog'] %>
+
+  #   Inter-Process Session Cache:
+  #   Configure the SSL Session Cache: First the mechanism
+  #   to use and second the expiring timeout (in seconds).
+  SSLSessionCache         <%= node['apache']['mod_ssl']['session_cache'] %>
+  SSLSessionCacheTimeout  <%= node['apache']['mod_ssl']['session_cache_timeout'] %>
+
+<% if node['apache']['version'] != '2.4' -%>
+  #   Semaphore:
+  #   Configure the path to the mutual exclusion semaphore the
+  #   SSL engine uses internally for inter-process synchronization.
+  SSLMutex <%= node['apache']['mod_ssl']['mutex'] %>
+<% end -%>
+
+  #   SSL Cipher Suite:
+  #   List the ciphers that the client is permitted to negotiate.
+  #   See the mod_ssl documentation for a complete list.
+  #   enable only secure ciphers:
+  SSLCipherSuite <%= node['apache']['mod_ssl']['cipher_suite'] %>
+
+  #   Speed-optimized SSL Cipher configuration:
+  #   If speed is your main concern (on busy HTTPS servers e.g.),
+  #   you might want to force clients to specific, performance
+  #   optimized ciphers. In this case, prepend those ciphers
+  #   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
+  #   Caveat: by giving precedence to RC4-SHA and AES128-SHA
+  #   (as in the example below), most connections will no longer
+  #   have perfect forward secrecy - if the server's key is
+  #   compromised, captures of past or future traffic must be
+  #   considered compromised, too.
+  #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+  SSLHonorCipherOrder <%= node['apache']['mod_ssl']['honor_cipher_order'] %>
+
+  #   The protocols to enable.
+  #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
+  #   SSL v2  is no longer supported
+  SSLProtocol <%= node['apache']['mod_ssl']['protocol'] %>
+
+  #   Allow insecure renegotiation with clients which do not yet support the
+  #   secure renegotiation protocol. Default: Off
+  SSLInsecureRenegotiation <%= node['apache']['mod_ssl']['insecure_renegotiation'] %>
+
+<% unless node['apache']['mod_ssl']['strict_sni_vhost_check'] == "Off"%>
+  #   Whether to forbid non-SNI clients to access name based virtual hosts.
+  #   Default: Off
+  SSLStrictSNIVHostCheck <%= node['apache']['mod_ssl']['strict_sni_vhost_check'] %>
+<% end %>
+
+<% if node['apache']['version'] == '2.4' -%>
+  #   Enable compression on the SSL level
+  #   Enabling compression causes security issues in most setups (the so called CRIME attack).
+  #   Default: Off
+  SSLCompression         <%= node['apache']['mod_ssl']['compression'] %>
+
+  #   OCSP Stapling, only in httpd 2.3.3 and later
+  #   This option enables OCSP stapling, as defined by the "Certificate Status Request" TLS
+  #   extension specified in RFC 6066. If enabled (and requested by the client), mod_ssl will
+  #   include an OCSP response for its own certificate in the TLS handshake.
+  #   Configuring an SSLStaplingCache is a prerequisite for enabling OCSP stapling.
+  #   Default: Off
+  <% if node['apache']['mod_ssl']['use_stapling'] == 'On' -%>
+  SSLUseStapling         <%= node['apache']['mod_ssl']['use_stapling'] %>
+  SSLStaplingResponderTimeout <%= node['apache']['mod_ssl']['stapling_responder_timeout'] %>
+  SSLStaplingReturnResponderErrors <%= node['apache']['mod_ssl']['stapling_return_responder_errors'] %>
+  SSLStaplingCache        <%= node['apache']['mod_ssl']['stapling_cache'] %>
+  <% end -%>
+<% end -%>
+
+  <% node['apache']['mod_ssl']['directives'].sort_by { |key, val| key }.each do |directive, value| -%>
+      <%= directive %> <%= value %>
+  <% end -%>
+</IfModule>