SSLOptions +FakeBasicAuth -StrictRequire<br />
&lt;Files ~ "\.(cgi|shtml)$"&gt;<br />
    SSLOptions +StdEnvVars +CompatEnvVars -ExportCertData<br />
&lt;/Files&gt;
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLPassPhraseDialog" id="SSLPassPhraseDialog">SSLPassPhraseDialog</a> <a name="sslpassphrasedialog" id="sslpassphrasedialog">Directive</a></h2>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="directive">
<tr><th><a href="directive-dict.html#Description">Description</a></th><td>Type of pass phrase dialog for encrypted private 
keys</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax</a></th><td><code>SSLPassPhraseDialog <em>type</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default</a></th><td><code>SSLPassPhraseDialog builtin</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module</a></th><td>mod_ssl</td></tr>
</table>
<p>
When Apache starts up it has to read the various Certificate (see
<code class="directive"><a href="#sslcertificatefile">SSLCertificateFile</a></code>) and
Private Key (see <code class="directive"><a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></code>) files of the
SSL-enabled virtual servers. Because the Private Key files are usually
encrypted for security reasons, mod_ssl needs to query the
administrator for a Pass Phrase in order to decrypt those files. This
query can be done in two ways which can be configured by
<em>type</em>:</p>
<ul>
<li><code>builtin</code>
    <p>
    This is the default where an interactive terminal dialog occurs at startup
    time just before Apache detaches from the terminal. Here the administrator
    has to manually enter the Pass Phrase for each encrypted Private Key file.
    Because a lot of SSL-enabled virtual hosts can be configured, the
    following reuse-scheme is used to minimize the dialog: When a Private Key
    file is encrypted, all known Pass Phrases (at the beginning there are
    none, of course) are tried. If one of those known Pass Phrases succeeds, no
    dialog pops up for this particular Private Key file. If none succeeds,
    another Pass Phrase is queried on the terminal and remembered for the next
    round (where it perhaps can be reused).</p>
    <p>
    This scheme allows mod_ssl to be maximally flexible (because for N encrypted
    Private Key files you <em>can</em> use N different Pass Phrases - but then
    you have to enter all of them, of course) while minimizing the terminal
    dialog (i.e. when you use a single Pass Phrase for all N Private Key files
    this Pass Phrase is queried only once).</p></li>

<li><code>|/path/to/program [args...]</code> 

   <p>This mode allows an external program to be used which acts as a
   pipe to a particular input device; the program is sent the standard
   prompt text used for the <code>builtin</code> mode on
   <code>stdin</code>, and is expected to write password strings on
   <code>stdout</code>.  If several passwords are needed (or an
   incorrect password is entered), additional prompt text will be
   written subsequent to the first password being returned, and more
   passwords must then be written back.</p></li>

<li><code>exec:/path/to/program</code>
    <p>
    Here an external program is configured which is called at startup for each
    encrypted Private Key file. It is called with two arguments (the first is
    of the form "<code>servername:portnumber</code>", the second is either
    "<code>RSA</code>" or "<code>DSA</code>"), which indicate for which
    server and algorithm it has to print the corresponding Pass Phrase to
    <code>stdout</code>. The intent is that this external program first runs
    security checks to make sure that the system is not compromised by an
    attacker, and provides the Pass Phrase only when these checks have
    passed.</p>
    <p>
    Both these security checks, and the way the Pass Phrase is determined, can
    be as complex as you like. Mod_ssl just defines the interface: an
    executable program which provides the Pass Phrase on <code>stdout</code>.
    Nothing more or less! So, if you're really paranoid about security, here
    is your interface. Anything else has to be left as an exercise to the
    administrator, because local security requirements are so different.</p>
    <p>
    The reuse-algorithm above is used here, too. In other words: The external
    program is called only once per unique Pass Phrase.</p></li>
</ul>
<div class="example"><h3>Example</h3><p><code>
SSLPassPhraseDialog exec:/usr/local/apache/sbin/pp-filter
</code></p></div>
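<p>The <code>exec:</code> interface described above, as an added example that is not part of mod_ssl or of the original manual: a program that validates its two arguments and the pass phrase file before printing anything. The <code>PP_STORE</code> variable, its default path and the one-file-per-key layout are assumptions made for this example.</p>

```shell
#!/bin/sh
# Added example of an exec: pass phrase program; not shipped with mod_ssl.
# mod_ssl calls it as:  pp-filter servername:portnumber RSA|DSA
# Assumption: one pass phrase per file, $PP_STORE/<servername:portnumber>.<alg>
# PP_STORE and its default path are hypothetical names for this example.
PP_STORE=${PP_STORE:-/usr/local/apache/conf/ssl.pp}

pp_fail() {
    # Diagnostics go to stderr; stdout carries nothing but the pass phrase.
    echo "pp-filter: $1" >&2
    return 1
}

pp_filter() {
    [ "$#" -eq 2 ] || { pp_fail "expected 2 arguments, got $#"; return 1; }
    server=$1
    alg=$2
    # Both values end up in a file name: allow only host:port characters,
    # so '/', '..' and whitespace are rejected.
    case $server in
        ""|.*|*..*|*[!A-Za-z0-9.:_-]*) pp_fail "bad server id"; return 1 ;;
        *:*) ;;
        *) pp_fail "server id is not servername:portnumber"; return 1 ;;
    esac
    case $alg in
        RSA|DSA) ;;
        *) pp_fail "unknown algorithm"; return 1 ;;
    esac
    # Never print a pass phrase onto an interactive terminal.
    if [ -t 1 ]; then pp_fail "stdout is a terminal"; return 1; fi

    f=$PP_STORE/$server.$alg
    # Store checks: a regular file (not a symlink), owned by the calling
    # user, with no permission bits for group or others.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        pp_fail "no usable pass phrase file for $server $alg"; return 1
    fi
    [ -O "$f" ] || { pp_fail "$f has the wrong owner"; return 1; }
    case $(ls -ld "$f") in
        -r[w-]-------*) ;;
        *) pp_fail "$f is accessible to group or others"; return 1 ;;
    esac
    sed -n '1p' "$f"    # the first line is the pass phrase
}

# mod_ssl always passes two arguments; with none, only define the functions.
if [ "$#" -gt 0 ]; then pp_filter "$@"; exit $?; fi
```

<p>On any failed check the program exits non-zero and writes nothing to <code>stdout</code>, so the encrypted key cannot be unlocked from an unexpected context.</p>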

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLProtocol" id="SSLProtocol">SSLProtocol</a> <a name="sslprotocol" id="sslprotocol">Directive</a></h2>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="directive">
<tr><th><a href="directive-dict.html#Description">Description</a></th><td>Configure usable SSL protocol flavors</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax</a></th><td><code>SSLProtocol [+|-]<em>protocol</em> ...</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default</a></th><td><code>SSLProtocol all</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Override">Override</a></th><td>Options</td></tr>
<tr><th><a href="directive-dict.html#Status">Status</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive can be used to control the SSL protocol flavors mod_ssl should
use when establishing its server environment. Clients then can only connect
with one of the provided protocols.</p>
<p>
The available (case-insensitive) <em>protocol</em>s are:</p>
<ul>
<li><code>SSLv2</code>
    <p>
    This is the Secure Sockets Layer (SSL) protocol, version 2.0. It is the
    original SSL protocol as designed by Netscape Corporation.</p></li>

<li><code>SSLv3</code>
    <p>
    This is the Secure Sockets Layer (SSL) protocol, version 3.0. It is the
    successor to SSLv2 and the currently (as of February 1999) de-facto
    standardized SSL protocol from Netscape Corporation. It's supported by
    almost all popular browsers.</p></li>

<li><code>TLSv1</code>
    <p>
    This is the Transport Layer Security (TLS) protocol, version 1.0. It is the
    successor to SSLv3 and currently (as of February 1999) still under
    construction by the Internet Engineering Task Force (IETF). It's still
    not supported by any popular browsers.</p></li>

<li><code>All</code>
    <p>
    This is a shortcut for "<code>+SSLv2 +SSLv3 +TLSv1</code>" and a
    convenient way of enabling all protocols except one when used in
    combination with the minus sign on a protocol, as the example below
    shows.</p></li>
</ul>
<div class="example"><h3>Example</h3><p><code>
#   enable SSLv3 and TLSv1, but not SSLv2<br />
SSLProtocol all -SSLv2
</code></p></div>
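<p>An added example, not part of mod_ssl or of the original manual: a configuration check that evaluates the <code>[+|-]<em>protocol</em></code> list of each <code>SSLProtocol</code> line and reports the lines that leave SSLv2 enabled, which is what this page's own example turns off. The function names are hypothetical, and the handling of a protocol name written without a sign (it replaces the set built so far) is an assumption about the parser.</p>

```shell
#!/bin/sh
# Added example (not part of mod_ssl): compute which protocols an SSLProtocol
# argument list leaves enabled, using the protocol names listed on this page.
# The bit values are internal to this script: SSLv2=1, SSLv3=2, TLSv1=4.
ssl_protocol_eval() {
    mask=0
    for tok in "$@"; do
        case $tok in
            +*) act=+;   name=${tok#+} ;;
            -*) act=-;   name=${tok#-} ;;
            *)  act=set; name=$tok ;;
        esac
        case $(printf '%s' "$name" | tr 'A-Z' 'a-z') in   # case-insensitive
            sslv2) bit=1 ;;
            sslv3) bit=2 ;;
            tlsv1) bit=4 ;;
            all)   bit=7 ;;
            *) echo "unknown protocol: $tok" >&2; return 2 ;;
        esac
        case $act in
            +) mask=$((mask | bit)) ;;
            -) mask=$((mask & ~bit)) ;;
            # Assumption: a name without a sign replaces the set built so far.
            *) mask=$bit ;;
        esac
    done
    out=
    [ $((mask & 1)) -ne 0 ] && out="$out SSLv2"
    [ $((mask & 2)) -ne 0 ] && out="$out SSLv3"
    [ $((mask & 4)) -ne 0 ] && out="$out TLSv1"
    echo "${out# }"
}

# List each SSLProtocol line in a config file that leaves SSLv2 enabled, as
# "lineno: effective protocols". A file with no SSLProtocol line gets the
# default "all". Returns 1 when anything is reported.
ssl_protocol_audit() {
    file=$1 rc=0 n=0 seen=0
    while IFS= read -r line; do
        n=$((n + 1))
        set -f; set -- $line; set +f      # split on whitespace, no globbing
        [ "$(printf '%s' "${1:-}" | tr 'A-Z' 'a-z')" = sslprotocol ] || continue
        shift; seen=1
        eff=$(ssl_protocol_eval "$@") || continue
        case " $eff " in *" SSLv2 "*) echo "$n: $eff"; rc=1 ;; esac
    done < "$file"
    [ "$seen" -eq 1 ] || { echo "default: $(ssl_protocol_eval all)"; rc=1; }
    return $rc
}
```

<p>The audit reads one file at a time and does not follow <code>Include</code> lines, so run it over every file that makes up the server configuration.</p>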

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLProxyCACertificateFile" id="SSLProxyCACertificateFile">SSLProxyCACertificateFile</a> <a name="sslproxycacertificatefile" id="sslproxycacertificatefile">Directive</a></h2>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="directive">
<tr><th><a href="directive-dict.html#Description">Description</a></th><td>File of concatenated PEM-encoded CA Certificates 
for Remote Server Auth</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax</a></th><td><code>SSLProxyCACertificateFile <em>file-path</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive sets the <em>all-in-one</em> file where you can assemble the
Certificates of Certification Authorities (CA) whose <em>remote servers</em> you deal
with. These are used for Remote Server Authentication. Such a file is simply the
concatenation of the various PEM-encoded Certificate files, in order of
preference. This can be used as an alternative to, or in addition to,
<code class="directive"><a href="#sslproxycacertificatepath">SSLProxyCACertificatePath</a></code>.</p>
<div class="example"><h3>Example</h3><p><code>
SSLProxyCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-remote-server.crt
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLProxyCACertificatePath" id="SSLProxyCACertificatePath">SSLProxyCACertificatePath</a> <a name="sslproxycacertificatepath" id="sslproxycacertificatepath">Directive</a></h2>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="directive">
<tr><th><a href="directive-dict.html#Description">Description</a></th><td>Directory of PEM-encoded CA Certificates for 
Remote Server Auth</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax</a></th><td><code>SSLProxyCACertificatePath <em>directory-path</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive sets the directory where you keep the Certificates of
Certification Authorities (CAs) whose remote servers you deal with. These are used to
verify the remote server certificate on Remote Server Authentication.</p>
<p>
The files in this directory have to be PEM-encoded and are accessed through
hash filenames. So usually you can't just place the Certificate files
there: you also have to create symbolic links named
<em>hash-value</em><code>.N</code>. And you should always make sure this directory
contains the appropriate symbolic links. Use the <code>Makefile</code> which
comes with mod_ssl to accomplish this task.</p>
<div class="example"><h3>Example</h3><p><code>
SSLProxyCACertificatePath /usr/local/apache2/conf/ssl.crt/
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLProxyCARevocationFile" id="SSLProxyCARevocationFile">SSLProxyCARevocationFile</a> <a name="sslproxycarevocationfile" id="sslproxycarevocationfile">Directive</a></h2>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="directive">
<tr><th><a href="directive-dict.html#Description">Description</a></th><td>File of concatenated PEM-encoded CA CRLs for 
Remote Server Auth</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax</a></th><td><code>SSLProxyCARevocationFile <em>file-path</em></code></td></tr>
<tr><th><a href="directive-dict.html#Cont
