# This is an example configuration file for Apache-SSL.
# Copyright (C) 1995,6,7,8,9 Ben Laurie

# By popular demand, this file now illustrates the way to create two websites,
# one secured (on port 8887), the other not (on port 8888).

# You may need one of thse
User editor ← nobody以外を指定した方がよい
Group editor ← nobody以外を指定した方がよい

LogLevel debug ← 指定することにより、設定ミスなどの発見に役立つ情報が得られます

# If built with --enable-shared=max...
#LoadModule auth_module /home/ben/apache-ssl/apache_1.3.4-ssl/src/modules/standard/mod_auth.so
#LoadModule config_log_module /home/ben/apache-ssl/apache_1.3.4-ssl/src/modules/standard/mod_log_config.so
#LoadModule cgi_module /home/ben/apache-ssl/apache_1.3.4-ssl/src/modules/standard/mod_cgi.so
#LoadModule alias_module /home/ben/apache-ssl/apache_1.3.4-ssl/src/modules/standard/mod_alias.so

# Disable CA list sending for testing...
#SSLNoCAList

# Load some randomness.
# This is loaded at startup, reading at most 1024 bytes from /dev/urandom.
# You may prefer to use /dev/random, but be aware that some OSes (e.g. Linux)
# insist on returning all 1024 bytes, thus blocking the server until the
# randomness is available.
# The randomness will be _shared_ between all server instances. You can have
# as many of these as you want.
SSLRandomFile /dev/urandom 1024
# And this one will be loaded before SSL is negotiated for each connection.
# Again, you can have as many of these as you want, and they will all be used
# at each connection.
SSLRandomFilePerConnection /dev/urandom 1024


# SSL Servers MUST be standalone, currently.
ServerType standalone

# The default port for SSL is 443...
Port 443
Listen 443

# My test document root
#DocumentRoot /home/ben/www/docs
DocumentRoot /usr/local/www/htdocs_secure ← 通常のHTTPサービスとは別の物を指定するとよい

<Directory /usr/local/www/htdocs_secure>
# This directive forbids access except when SSL is in use. Very handy for
# defending against configuration errors that expose stuff that should be
# protected
SSLRequireSSL
# Conversely, you can forbid SSL with...
# SSLDenySSL

# Use these here if renegotiation is permitted
#SSLVerifyClient 2
#SSLVerifyDepth 2

#AuthType Basic
#AuthName Experimental
#AuthGroupFile /dev/null
#AuthUserFile /home/ben/www/users
#require valid-user
</Directory>

# Watch what's going on
TransferLog logs/transfer_log

# Note that all SSL options can apply to virtual hosts.

# Disable SSL. Useful in combination with virtual hosts. Note that SSLEnable is
# now also supported.
#SSLDisable
SSLEnable

# Set the path for the global cache server executable.
# If this facility gives you trouble, you can disable it by setting
# CACHE_SESSIONS to FALSE in apache_ssl.c
SSLCacheServerPath /usr/local/www/bin/gcache ← Apache-SSLでは、処理にgcacheという外部プログラムを使用

# Set the global cache server port number, or path. If it is a path, a Unix
# domain socket is used. If a number, a TCP socket.
SSLCacheServerPort logs/gcache_port
#SSLCacheServerPort 1234

# Directory for the cache server to run in (in case of crashes). Optional.
SSLCacheServerRunDir /tmp

# Set the session cache timeout, in seconds (set to 15 for testing, use a
# higher value in real life)
SSLSessionCacheTimeout 15

# Set the CA certificate verification path (must be PEM encoded).
# (in addition to getenv("SSL_CERT_DIR"), I think).
SSLCACertificatePath /usr/local/www/certs

# Set the CA certificate verification file (must be PEM encoded).
# (in addition to getenv("SSL_CERT_FILE"), I think).
#SSLCACertificateFile /some/where/somefile
#SSLCACertificateFile /home/ben/apache-ssl/apache_1.3.4-ssl/SSLconf/conf/httpsd.pem
SSLCACertificateFile /usr/local/openssl/misc/demoCA/cacert.pem ← ＣＡ証明書の指定

# Point SSLCertificateFile at a PEM encoded certificate.
# If the certificate is encrypted, then you will be prompted for a pass phrase.
# Note that a kill -1 will prompt again.
# A test certificate can be generated with "make certificate".
##SSLCertificateFile /usr/local/www/certs/httpsd.pem ← 仮サーバ証明書の指定（上、下記の証明書指定はコメントに）
SSLCertificateFile /usr/local/www/certs/server_crt.pem ← サーバ証明書の指定


# If the key is not combined with the certificate, use this directive to
# point at the key file. If this starts with a '/' it specifies an absolute
# path, otherwise it is relative to the default certificate area. That is, it
# means "<default>/private/<keyfile>".
#SSLCertificateKeyFile /some/place/with/your.key
SSLCertificateKeyFile /usr/local/www/certs/server_key.pem ← サーバ秘密鍵の指定

# Set SSLVerifyClient to:
# 0 if no certicate is required
# 1 if the client may present a valid certificate
# 2 if the client must present a valid certificate
# 3 if the client may present a valid certificate but it is not required to
#   have a valid CA
SSLVerifyClient 0 ← クライアント認証 [0(使用しない)|1|2(必ず使用)|3]
# How deeply to verify before deciding they don't have a valid certificate
SSLVerifyDepth 0

# If you have enabled client cert exports (in buff.h) you need to use
# SSLExportClientCertificates to enable them. Note that the server still has to
# mess about with certs even if this is disabled (and exports are enabled)
# because the cert chain is received before we can know whether it is needed or
# not.
<Location /scripts>
#SSLExportClientCertificates
</Location>

# Translate the client X509 into a Basic authorisation. This means that the
# standard Auth/DBMAuth methods can be used for access control. The user name
# is the "one line" version of the client's X509 certificate. Note that no
# password is obtained from the user. Every entry in the user file needs this
# password: xxj31ZMTZzkVA. See the code for further explanation.
SSLFakeBasicAuth

# List the ciphers that the client is permitted to negotiate. See the source
# for a definitive list. For example:
#SSLRequiredCiphers RC4-MD5:RC4-SHA:IDEA-CBC-MD5:DES-CBC3-SHA

# These two can be used per-directory to require or ban ciphers. Note that (at
# least in the current version) Apache-SSL will not attempt to renegotiate if a
# cipher is banned (or not required).
# You should probably at least ban the null encryption ciphers.
SSLRequireCipher
SSLBanCipher NULL-MD5:NULL-SHA

# A home for miscellaneous rubbish generated by SSL. Much of it is duplicated
# in the error log file. Put this somewhere where it cannot be used for symlink
# attacks on a real server (i.e. somewhere where only root can write).
# Don't use this anymore! Now everything is logged in the error log.
#SSLLogFile /tmp/ssl.log

# Custom logging
CustomLog	logs/ssl_log "%t %{version}c %{cipher}c %{clientcert}c"

AddType application/x-httpd-php3 .php3

<VirtualHost heap:8888>
#SSLDisable
SSLEnable
</VirtualHost>

# If you want, you can disable SSL globally, and enable it in a virtual host...
#<VirtualHost heap:8887>
#SSLEnable
# and the rest of the SSL stuf...
#</VirtualHost>

# Experiment with authorization...
#<Directory /u/ben/www/1/docs>
#AuthType Basic
#AuthName Experimental
#AuthGroupFile /dev/null
#AuthUserFile /u/ben/www/1/users
#<Limit PUT GET>
#allow from all
#require valid-user
#</Limit>
#</Directory>

ScriptAlias	/scripts	/usr/local/www/scripts

<IfModule apache_ssl_keynote.c>
# KeyNote configuration (only if enabled, of course)

# Simple example: admit anyone
#SSLKeyNoteTrustedAssertion keynote/admit-all

# Or: admit no-one
#SSLKeyNoteTrustedAssertion keynote/admit-none

# Or: admit only Ben's Thawte certificate
#SSLKeyNoteTrustedAssertion keynote/admit-ben-thawte

# Or: admit Ben's Thawte certificate to part of the site
#SSLKeyNoteTrustedAssertion keynote/admit-ben-thawte-restricted

# Or: admit _any_ Thawte Freemail cert to any part of the site
SSLKeyNoteTrustedAssertion keynote/admit-thawte
SSLKeyNoteTrustedIssuerTemplate keynote/cert-issuer-simple
</IfModule>