Redmine

#

# This is the Apache server configuration file providing SSL support.

# It contains the configuration directives to instruct the server how to

# serve pages over an https connection. For detailed information about these 

# directives see <URL:http://httpd.apache.org/docs/2.4/mod/mod_ssl.html>

# 

# Do NOT simply read the instructions in here without understanding

# what they do.  They're here only as hints or reminders.  If you are unsure

# consult the online docs. You have been warned.  

#

# Required modules: mod_log_config, mod_setenvif, mod_ssl,

#          socache_shmcb_module (for default value of SSLSessionCache)

#

# Pseudo Random Number Generator (PRNG):

# Configure one or more sources to seed the PRNG of the SSL library.

# The seed data should be of good random quality.

# WARNING! On some platforms /dev/random blocks if not enough entropy

# is available. This means you then cannot use the /dev/random device

# because it would lead to very long connection times (as long as

# it requires to make more entropy available). But usually those

# platforms additionally provide a /dev/urandom device which doesn't

# block. So, if available, use this one instead. Read the mod_ssl User

# Manual for more details.

#

#SSLRandomSeed startup file:/dev/random  512

#SSLRandomSeed startup file:/dev/urandom 512

#SSLRandomSeed connect file:/dev/random  512

#SSLRandomSeed connect file:/dev/urandom 512

#

# When we also provide SSL we have to listen to the 

# standard HTTP port (see above) and to the HTTPS port

#

# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two

#       Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:8443"

#

Listen 8443

##

##  SSL Global Context

##

##  All SSL configuration in this context applies both to

##  the main server and all SSL-enabled virtual hosts.

##

#   SSL Cipher Suite:

#   List the ciphers that the client is permitted to negotiate.

#   See the mod_ssl documentation for a complete list.

SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

#   Speed-optimized SSL Cipher configuration:

#   If speed is your main concern (on busy HTTPS servers e.g.),

#   you might want to force clients to specific, performance

#   optimized ciphers. In this case, prepend those ciphers

#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.

#   Caveat: by giving precedence to RC4-SHA and AES128-SHA

#   (as in the example below), most connections will no longer

#   have perfect forward secrecy - if the server's key is

#   compromised, captures of past or future traffic must be

#   considered compromised, too.

#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5

#SSLHonorCipherOrder on 

#   Pass Phrase Dialog:

#   Configure the pass phrase gathering process.

#   The filtering dialog program (`builtin' is an internal

#   terminal dialog) has to provide the pass phrase on stdout.

SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:

#   Configure the SSL Session Cache: First the mechanism 

#   to use and second the expiring timeout (in seconds).

#SSLSessionCache         "dbm:/opt/Redmine/apache2/logs/ssl_scache"

SSLSessionCache        "shmcb:/opt/Redmine/apache2/logs/ssl_scache(512000)"

SSLSessionCacheTimeout  300

#-------------------------

<VirtualHost *:8080> 

  ServerName helpdesk.myOrg.com

  RewriteEngine On

  # Redirect any non HTTPS requests to the HTTPS server

     RewriteCond %{HTTP_HOST} ^myOrgshelpdesk.myOrg.com$ [NC]

       RewriteRule ^(.*)$ https://myOrgshelpdesk.myOrg.com$1 [R=301,L]

         Include /etc/apache2/common/hide-svn

           Include /etc/apache2/common/deflate

           </VirtualHost>

#-------------------------

##

## SSL Virtual Host Context

##

<VirtualHost _default_:8443>

RewriteEngine On

RewriteCond %{HTTPS} !=on

RewriteRule ^/(.*) https://%{145.67.74.673:8080/redmine}/$1 [R,L]

#   General setup for the virtual host

DocumentRoot "/opt/Redmine/apache2/htdocs"

ServerName myOrgshelpdesk.myOrg.com

ServerAdmin rupesh.helwade@example.com

ErrorLog "/opt/Redmine/apache2/logs/error_log"

TransferLog "/opt/Redmine/apache2/logs/access_log"

#   SSL Engine Switch:

#   Enable/Disable SSL for this virtual host.

SSLEngine on

#   Server Certificate:

#   Point SSLCertificateFile at a PEM encoded certificate.  If

#   the certificate is encrypted, then you will be prompted for a

#   pass phrase.  Note that a kill -HUP will prompt again.  Keep

#   in mind that if you have both an RSA and a DSA certificate you

#   can configure both in parallel (to also allow the use of DSA

#   ciphers, etc.)

#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)

#   require an ECC certificate which can also be configured in

#   parallel.

SSLCertificateFile "/opt/Redmine/apache2/conf/server.crt"

#Tried by Rupesh 

RequestHeader set X_FORWARDED_PROTO "https"

#SSLCertificateFile "/opt/Redmine/apache2/conf/server-dsa.crt"

#SSLCertificateFile "/opt/Redmine/apache2/conf/server-ecc.crt"

#   Server Private Key:

#   If the key is not combined with the certificate, use this

#   directive to point at the key file.  Keep in mind that if

#   you've both a RSA and a DSA private key you can configure

#   both in parallel (to also allow the use of DSA ciphers, etc.)

#   ECC keys, when in use, can also be configured in parallel

SSLCertificateKeyFile "/opt/Redmine/apache2/conf/server.key"

#SSLCertificateKeyFile "/opt/Redmine/apache2/conf/server-dsa.key"

#SSLCertificateKeyFile "/opt/Redmine/apache2/conf/server-ecc.key"

#   Server Certificate Chain:

#   Point SSLCertificateChainFile at a file containing the

#   concatenation of PEM encoded CA certificates which form the

#   certificate chain for the server certificate. Alternatively

#   the referenced file can be the same as SSLCertificateFile

#   when the CA certificates are directly appended to the server

#   certificate for convenience.

#SSLCertificateChainFile "/opt/Redmine/apache2/conf/server-ca.crt"

#   Certificate Authority (CA):

#   Set the CA certificate verification path where to find CA

#   certificates for client authentication or alternatively one

#   huge file containing all of them (file must be PEM encoded)

#   Note: Inside SSLCACertificatePath you need hash symlinks

#         to point to the certificate files. Use the provided

#         Makefile to update the hash symlinks after changes.

#SSLCACertificatePath "/opt/Redmine/apache2/conf/ssl.crt"

#SSLCACertificateFile "/opt/Redmine/apache2/conf/ssl.crt/ca-bundle.crt"

#   Certificate Revocation Lists (CRL):

#   Set the CA revocation path where to find CA CRLs for client

#   authentication or alternatively one huge file containing all

#   of them (file must be PEM encoded).

#   The CRL checking mode needs to be configured explicitly

#   through SSLCARevocationCheck (defaults to "none" otherwise).

#   Note: Inside SSLCARevocationPath you need hash symlinks

#         to point to the certificate files. Use the provided

#         Makefile to update the hash symlinks after changes.

#SSLCARevocationPath "/opt/Redmine/apache2/conf/ssl.crl"

#SSLCARevocationFile "/opt/Redmine/apache2/conf/ssl.crl/ca-bundle.crl"

#SSLCARevocationCheck chain

#   Client Authentication (Type):

#   Client certificate verification type and depth.  Types are

#   none, optional, require and optional_no_ca.  Depth is a

#   number which specifies how deeply to verify the certificate

#   issuer chain before deciding the certificate is not valid.

#SSLVerifyClient require

#SSLVerifyDepth  10

#   TLS-SRP mutual authentication:

#   Enable TLS-SRP and set the path to the OpenSSL SRP verifier

#   file (containing login information for SRP user accounts). 

#   Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for

#   detailed instructions on creating this file. Example:

#   "openssl srp -srpvfile /opt/Redmine/apache2/conf/passwd.srpv -add username"

#SSLSRPVerifierFile "/opt/Redmine/apache2/conf/passwd.srpv"

#   Access Control:

#   With SSLRequire you can do per-directory access control based

#   on arbitrary complex boolean expressions containing server

#   variable checks and other lookup directives.  The syntax is a

#   mixture between C and Perl.  See the mod_ssl documentation

#   for more details.

#<Location />

#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \

#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \

#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \

#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \

#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \

#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/

#</Location>

#   SSL Engine Options:

#   Set various options for the SSL engine.

#   o FakeBasicAuth:

#     Translate the client X.509 into a Basic Authorisation.  This means that

#     the standard Auth/DBMAuth methods can be used for access control.  The

#     user name is the `one line' version of the client's X.509 certificate.

#     Note that no password is obtained from the user. Every entry in the user

#     file needs this password: `xxj31ZMTZzkVA'.

#   o ExportCertData:

#     This exports two additional environment variables: SSL_CLIENT_CERT and

#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the

#     server (always existing) and the client (only existing when client

#     authentication is used). This can be used to import the certificates

#     into CGI scripts.

#   o StdEnvVars:

#     This exports the standard SSL/TLS related `SSL_*' environment variables.

#     Per default this exportation is switched off for performance reasons,

#     because the extraction step is an expensive operation and is usually

#     useless for serving static content. So one usually enables the

#     exportation for CGI and SSI requests only.

#   o StrictRequire:

#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even

#     under a "Satisfy any" situation, i.e. when it applies access is denied

#     and no other module can change it.

#   o OptRenegotiate:

#     This enables optimized SSL connection renegotiation handling when SSL

#     directives are used in per-directory context. 

#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

<FilesMatch "\.(cgi|shtml|phtml|php)$">

    SSLOptions +StdEnvVars

</FilesMatch>

<Directory "/opt/Redmine/apache2/cgi-bin">

    SSLOptions +StdEnvVars

</Directory>

#   SSL Protocol Adjustments:

#   The safe and default but still SSL/TLS standard compliant shutdown

#   approach is that mod_ssl sends the close notify alert but doesn't wait for

#   the close notify alert from client. When you need a different shutdown

#   approach you can use one of the following variables:

#   o ssl-unclean-shutdown:

#     This forces an unclean shutdown when the connection is closed, i.e. no

#     SSL close notify alert is sent or allowed to be received.  This violates

#     the SSL/TLS standard but is needed for some brain-dead browsers. Use

#     this when you receive I/O errors because of the standard approach where

#     mod_ssl sends the close notify alert.

#   o ssl-accurate-shutdown:

#     This forces an accurate shutdown when the connection is closed, i.e. a

#     SSL close notify alert is send and mod_ssl waits for the close notify

#     alert of the client. This is 100% SSL/TLS standard compliant, but in

#     practice often causes hanging connections with brain-dead browsers. Use

#     this only for browsers where you know that their SSL implementation

#     works correctly. 

#   Notice: Most problems of broken clients are also related to the HTTP

#   keep-alive facility, so you usually additionally want to disable

#   keep-alive for those clients, too. Use variable "nokeepalive" for this.

#   Similarly, one has to force some clients to use HTTP/1.0 to workaround

#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and

#   "force-response-1.0" for this.

BrowserMatch "MSIE [2-5]" \

         nokeepalive ssl-unclean-shutdown \

         downgrade-1.0 force-response-1.0

#   Per-Server Logging:

#   The home of a custom SSL log file. Use this when you want a

#   compact non-error SSL logfile on a virtual host basis.

CustomLog "/opt/Redmine/apache2/logs/ssl_request_log" \

          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>