## Fragment of httpd.conf defining an SSL Virtual Host
##
## SSL Virtual Host Context for FullyQualified_DNS_Host_Alias
##
## Either the IP address or the port number has to be different from
## the default. Simply using a DNS_Host_Alias doesn't work with SSL!!!
## However, defining and using a DNS_Host_Alias with a separate
## certificate is recommended.
##
## The Port_Number selected has to be higher than 1024 in order not
## to be blocked by the firewall. It is better to select an unassigned
## number. See http://www.iana.org/assignments/port-numbers
##
## The Port_Number has to be declared in the Listen directive earlier
## on in the httpd.conf, outside the VirtualHost definition.
##
## If directory listing is desirable, the directive
##    Options Indexes
## has to be present earlier on in the httpd.conf,
## outside the VirtualHost definition.
##
## Your VirtualHost's URL will look like:
##    https://FullyQualified_DNS_Host_Alias:Port_Number
##
## Maria Dimou 20040122

# Enclosing container (assumed form, chosen to match the URL shape above;
# the listing itself only shows the directives inside it)
<VirtualHost FullyQualified_DNS_Host_Alias:Port_Number>

# General setup for the virtual host
DocumentRoot "/the/homedir/of/this/VirtualHost"
ServerName FullyQualified_DNS_Host_Alias
ServerAdmin email_of_this_VirtualHost_owner
ErrorLog /var/log/httpd/FullyQualified_DNS_Host_Alias-error_log
TransferLog /var/log/httpd/FullyQualified_DNS_Host_Alias-access_log

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

#
# Your private community - Ensure that clients are authorized.
#
#ErrorDocument 403 /403_forbidden.html

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with `make certificate' at
# build time.
# Keep in mind that if you have both an RSA and a DSA
# certificate you can configure both in parallel (to also allow
# the use of DSA ciphers, etc.)
SSLCertificateFile /path/to/the/certificate/of/FullyQualified_DNS_Host_Alias

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you have both an RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /path/to/the/cert_key/of/FullyQualified_DNS_Host_Alias

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
SSLCertificateChainFile /path/to/the/certificate/of/FullyQualified_DNS_Host_Alias

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded).
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
SSLCACertificatePath /path/to/all_CA_certs

# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded).
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the CRL files. Use the provided
# Makefile to update the hash symlinks after changes.
SSLCARevocationPath /path/to/all_CA_CRLs

# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#
#ErrorDocument 403 /403_forbidden.html
#SSLVerifyClient require
#SSLVerifyDepth 5
#
#
#SSLVerifyClient optional
#SSLVerifyDepth 5
#

# Access Control:
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
#
# SSLOptions +StdEnvVars
#
#
# SSLOptions +StdEnvVars
#
# SSLRequireSSL
# SSLOptions +ExportCertData +StrictRequire

SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
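Added example, not part of the page or of mod_ssl: a small Python audit that parses lines in exactly the CustomLog format defined above and flags negotiations that used the protocol and cipher classes the commented-out SSLCipherSuite string would still permit (SSLv2, EXP, eNULL, LOW); SSLv3 is flagged as well since it is deprecated today. The log lines, hosts and timestamps are constructed for the example.

```python
import re

# Matches one line of the ssl_request_log written by the vhost's CustomLog:
#   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LOG_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<protocol>\S+) (?P<cipher>\S+) '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<bytes>\d+|-)$'
)

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}

def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # %b logs "-" for no body
    return rec

def weak_reasons(protocol, cipher):
    """List why a negotiated protocol/cipher pair is weak; empty list means acceptable."""
    reasons = []
    if protocol in WEAK_PROTOCOLS:
        reasons.append("protocol " + protocol)
    if cipher.startswith("EXP"):              # export-grade suites (the EXP group)
        reasons.append("export-grade cipher")
    if "NULL" in cipher:                      # no encryption at all (the eNULL group)
        reasons.append("no encryption (eNULL)")
    if cipher.startswith("DES-CBC-"):         # single 56-bit DES (LOW); DES-CBC3-* is 3DES
        reasons.append("single DES")
    return reasons

def audit(lines):
    """Parse all lines; return (records flagged as weak, number of unparsable lines)."""
    flagged, unparsable = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsable += 1
            continue
        reasons = weak_reasons(rec["protocol"], rec["cipher"])
        if reasons:
            rec["reasons"] = reasons
            flagged.append(rec)
    return flagged, unparsable

# Constructed sample log (documentation addresses, invented timestamps).
SAMPLE_LOG = [
    '[22/Jan/2004:10:15:32 +0100] 192.0.2.10 TLSv1 DHE-RSA-AES256-SHA "GET /index.html HTTP/1.1" 2048',
    '[22/Jan/2004:10:16:05 +0100] 192.0.2.11 SSLv2 EXP-RC4-MD5 "GET /private/ HTTP/1.0" 512',
    '[22/Jan/2004:10:17:44 +0100] 192.0.2.12 SSLv3 NULL-MD5 "POST /cgi-bin/form HTTP/1.1" -',
    '[22/Jan/2004:10:18:01 +0100] 192.0.2.13 TLSv1 DES-CBC-SHA "GET /docs/ HTTP/1.1" 9001',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    for rec in audit(SAMPLE_LOG)[0]:
        print(rec["host"], rec["protocol"], rec["cipher"], "->", "; ".join(rec["reasons"]))
```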