- Timestamp: Jun 20, 2016, 2:51:01 PM (7 years ago)
- Branches: asyncio, debian/master, debian/stretch-backports, main, master, proxy-ticket, upstream
- Children: c3c96ca
- Parents: 743e31f
- git-author: Thomas Klute <thomas2.klute@…> (06/20/16 14:19:22)
- git-committer: Thomas Klute <thomas2.klute@…> (06/20/16 14:51:01)
- File: 1 edited
doc/mod_gnutls_manual.mdwn
r743e31f rfc124e9 625 625 --------------------------- 626 626 627 The following is an example of s tandard TLS Hosting, using one IP628 Addresses for each virtual host 627 The following is an example of simple TLS hosting, using one IP 628 Addresses for each virtual host. 629 629 630 630 # Load the module into Apache. … … 632 632 GnuTLSCache gdbm /var/cache/www-tls-cache 633 633 GnuTLSCacheTimeout 500 634 # With normal TLS Websites, you need one IP Address per-site. 635 Listen 1.2.3.1:443 636 Listen 1.2.3.2:443 637 Listen 1.2.3.3:443 638 Listen 1.2.3.4:443 639 <VirtualHost 1.2.3.1:443> 640 GnuTLSEnable on 641 GnuTLSPriorities NONE:+AES-128-CBC:+3DES-CBC:+ARCFOUR-128:+RSA:+DHE-RSA:+DHE-DSS:+SHA1:+MD5:+COMP-NULL 642 DocumentRoot /www/site1.example.com/html 643 ServerName site1.example.com:443 644 GnuTLSCertificateFile conf/ssl/site1.crt 645 GnuTLSKeyFile conf/ss/site1.key 634 635 # Without SNI you need one IP Address per-site. 636 Listen 192.0.2.1:443 637 Listen 192.0.2.2:443 638 Listen 192.0.2.3:443 639 Listen 192.0.2.4:443 640 641 <VirtualHost 192.0.2.1:443> 642 GnuTLSEnable on 643 GnuTLSPriorities SECURE128 644 DocumentRoot /www/site1.example.com/html 645 ServerName site1.example.com:443 646 GnuTLSCertificateFile conf/tls/site1.crt 647 GnuTLSKeyFile conf/tls/site1.key 646 648 </VirtualHost> 647 <VirtualHost 1.2.3.2:443> 648 # This virtual host enables SRP authentication 649 GnuTLSEnable on 650 GnuTLSPriorities NORMAL:+SRP 651 DocumentRoot /www/site2.example.com/html 652 ServerName site2.example.com:443 653 GnuTLSSRPPasswdFile conf/ssl/tpasswd.site2 654 GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site2.conf 649 650 <VirtualHost 192.0.2.2:443> 651 # This virtual host enables SRP authentication 652 GnuTLSEnable on 653 GnuTLSPriorities NORMAL:+SRP 654 DocumentRoot /www/site2.example.com/html 655 ServerName site2.example.com:443 656 GnuTLSSRPPasswdFile conf/tls/tpasswd.site2 657 GnuTLSSRPPasswdConfFile conf/tls/tpasswd.site2.conf 655 658 </VirtualHost> 656 <VirtualHost 
1.2.3.3:443> 657 # This server enables SRP, OpenPGP and X.509 authentication. 658 GnuTLSEnable on 659 GnuTLSPriorities NORMAL:+SRP:+SRP-RSA:+SRP-DSS 660 DocumentRoot /www/site3.example.com/html 661 ServerName site3.example.com:443 662 GnuTLSCertificateFile conf/ssl/site3.crt 663 GnuTLSKeyFile conf/ss/site3.key 664 GnuTLSClientVerify ignore 665 GnuTLSPGPCertificateFile conf/ss/site3.pub.asc 666 GnuTLSPGPKeyFile conf/ss/site3.sec.asc 667 GnuTLSSRPPasswdFile conf/ssl/tpasswd.site3 668 GnuTLSSRPPasswdConfFile conf/ssl/tpasswd.site3.conf 659 660 <VirtualHost 192.0.2.3:443> 661 # This server enables SRP, OpenPGP and X.509 authentication. 662 GnuTLSEnable on 663 GnuTLSPriorities NORMAL:+SRP:+SRP-RSA:+SRP-DSS:+CTYPE-OPENPGP 664 DocumentRoot /www/site3.example.com/html 665 ServerName site3.example.com:443 666 GnuTLSCertificateFile conf/tls/site3.crt 667 GnuTLSKeyFile conf/tls/site3.key 668 GnuTLSClientVerify ignore 669 GnuTLSPGPCertificateFile conf/tls/site3.pub.asc 670 GnuTLSPGPKeyFile conf/tls/site3.sec.asc 671 GnuTLSSRPPasswdFile conf/tls/tpasswd.site3 672 GnuTLSSRPPasswdConfFile conf/tls/tpasswd.site3.conf 669 673 </VirtualHost> 670 <VirtualHost 1.2.3.4:443> 671 GnuTLSEnable on 672 # %COMPAT disables some security features to enable maximum compatibility with clients. 673 GnuTLSPriorities NONE:+AES-128-CBC:+ARCFOUR-128:+RSA:+SHA1:+MD5:+COMP-NULL:%COMPAT 674 DocumentRoot /www/site4.example.com/html 675 ServerName site4.example.com:443 676 GnuTLSCertificateFile conf/ssl/site4.crt 677 GnuTLSKeyFile conf/ss/site4.key 674 675 <VirtualHost 192.0.2.4:443> 676 GnuTLSEnable on 677 # %COMPAT disables some security features to enable maximum 678 # compatibility with clients. Don't use this if you need strong 679 # security. 
680 GnuTLSPriorities NORMAL:%COMPAT 681 DocumentRoot /www/site4.example.com/html 682 ServerName site4.example.com:443 683 GnuTLSCertificateFile conf/tls/site4.crt 684 GnuTLSKeyFile conf/tls/site4.key 678 685 </VirtualHost> 679 686 … … 681 688 ------------------------------ 682 689 683 `mod_gnutls` can also use "Server Name Indication", as specified in 684 RFC 3546. This allows hosting many TLS Websites, with a Single IP 685 Address. Currently all the recent browsers support this 686 standard. Here is an example, using SNI: ` ` 687 690 `mod_gnutls` supports "Server Name Indication", as specified in 691 RFC 3546. This allows hosting many TLS websites with a single IP 692 address. All recent browsers support this standard. Here is an 693 example using SNI: 688 694 689 695 # Load the module into Apache. 690 696 LoadModule gnutls_module modules/mod_gnutls.so 691 # With normal TLS Websites, you need one IP Address per-site. 692 Listen 1.2.3.1:443 693 # This could also be 'Listen *:443', 694 # just like '*:80' is common for non-https 695 # This tells apache, that for this IP/Port combination, we want to use 696 # Name Based Virtual Hosting. In the case of Server Name Indication, 697 # it lets mod_gnutls pick the correct Server Certificate. 698 NameVirtualHost 1.2.3.1:443 699 <VirtualHost 1.2.3.1:443> 700 GnuTLSEnable on 701 GnuTLSSessionTickets on 702 GnuTLSPriorities NORMAL 703 DocumentRoot /www/site1.example.com/html 704 ServerName site1.example.com:443 705 GnuTLSCertificateFile conf/ssl/site1.crt 706 GnuTLSKeyFile conf/ss/site1.key 697 698 # SNI allows hosting multiple sites using one IP address. 
This 699 # could also be 'Listen *:443', just like '*:80' is common for 700 # non-HTTPS 701 Listen 198.51.100.1:443 702 703 <VirtualHost _default_:443> 704 GnuTLSEnable on 705 GnuTLSSessionTickets on 706 GnuTLSPriorities NORMAL 707 DocumentRoot /www/site1.example.com/html 708 ServerName site1.example.com:443 709 GnuTLSCertificateFile conf/tls/site1.crt 710 GnuTLSKeyFile conf/tls/site1.key 707 711 </VirtualHost> 708 <VirtualHost 1.2.3.1:443> 709 GnuTLSEnable on 710 GnuTLSPriorities NORMAL 711 DocumentRoot /www/site2.example.com/html 712 ServerName site2.example.com:443 713 GnuTLSCertificateFile conf/ssl/site2.crt 714 GnuTLSKeyFile conf/ss/site2.key 712 713 <VirtualHost _default_:443> 714 GnuTLSEnable on 715 GnuTLSPriorities NORMAL 716 DocumentRoot /www/site2.example.com/html 717 ServerName site2.example.com:443 718 GnuTLSCertificateFile conf/tls/site2.crt 719 GnuTLSKeyFile conf/tls/site2.key 715 720 </VirtualHost> 716 <VirtualHost 1.2.3.1:443> 717 GnuTLSEnable on 718 GnuTLSPriorities NORMAL 719 DocumentRoot /www/site3.example.com/html 720 ServerName site3.example.com:443 721 GnuTLSCertificateFile conf/ssl/site3.crt 722 GnuTLSKeyFile conf/ss/site3.key 721 722 <VirtualHost _default_:443> 723 GnuTLSEnable on 724 GnuTLSPriorities NORMAL 725 DocumentRoot /www/site3.example.com/html 726 ServerName site3.example.com:443 727 GnuTLSCertificateFile conf/tls/site3.crt 728 GnuTLSKeyFile conf/tls/site3.key 723 729 </VirtualHost> 724 <VirtualHost 1.2.3.1:443> 725 GnuTLSEnable on 726 GnuTLSPriorities NORMAL 727 DocumentRoot /www/site4.example.com/html 728 ServerName site4.example.com:443 729 GnuTLSCertificateFile conf/ssl/site4.crt 730 GnuTLSKeyFile conf/ss/site4.key 730 731 <VirtualHost _default_:443> 732 GnuTLSEnable on 733 GnuTLSPriorities NORMAL 734 DocumentRoot /www/site4.example.com/html 735 ServerName site4.example.com:443 736 GnuTLSCertificateFile conf/tls/site4.crt 737 GnuTLSKeyFile conf/tls/site4.key 731 738 </VirtualHost> 732 739 733 734 * * * * * 735 736 Performance 
Issues 737 ================== 738 739 `mod_gnutls` by default uses conservative settings for the server. 740 You can fine tune the configuration to reduce the load on a busy 741 server. The following examples do exactly this: 742 740 OCSP Stapling Example 741 --------------------- 742 743 This example uses an X.509 server certificate. The server will fetch 744 OCSP responses from the responder listed in the certificate and store 745 them im a memcached cache shared with another server. 743 746 744 747 # Load the module into Apache. 745 748 LoadModule gnutls_module modules/mod_gnutls.so 746 # Using 4 memcache servers to distribute the TLS Session Cache. 747 GnuTLSCache memcache "mc1.example.com mc2.example.com mc3.example.com mc4.example.com" 749 GnuTLSCache memcache "192.0.2.1:11211 192.0.2.2:11211" 748 750 GnuTLSCacheTimeout 600 749 Listen 1.2.3.1:443 750 NameVirtualHost 1.2.3.1:443 751 <VirtualHost 1.2.3.1:443> 752 GnuTLSEnable on 753 # Here we disable the Perfect forward secrecy ciphersuites (DHE) 754 # and disallow AES-256 since AES-128 is just fine. 755 GnuTLSPriorities NORMAL:!DHE-RSA:!DHE-DSS:!AES-256-CBC:%COMPAT 756 DocumentRoot /www/site1.example.com/html 757 ServerName site1.example.com:443 758 GnuTLSCertificateFile conf/ssl/site1.crt 759 GnuTLSKeyFile conf/ss/site1.key 760 </VirtualHost> 761 <VirtualHost 1.2.3.1:443> 762 GnuTLSEnable on 763 # Here we instead of disabling the DHE ciphersuites we use 764 # Diffie Hellman parameters of smaller size than the default (2048 bits). 765 # Using small numbers from 768 to 1024 bits should be ok once they are 766 # regenerated every few hours. 
767 # Use "certtool --generate-dh-params --bits 1024" to get those 768 GnuTLSDHFile /etc/apache2/dh.params 769 GnuTLSPriorities NORMAL:!AES-256-CBC:%COMPAT 770 DocumentRoot /www/site2.example.com/html 771 ServerName site2.example.com:443 772 GnuTLSCertificateFile conf/ssl/site2.crt 773 GnuTLSKeyFile conf/ss/site2.key 751 752 Listen 192.0.2.1:443 753 754 <VirtualHost _default_:443> 755 GnuTLSEnable On 756 GnuTLSPriorities NORMAL 757 DocumentRoot /www/site1.example.com/html 758 ServerName site1.example.com:443 759 GnuTLSCertificateFile conf/tls/site1.crt 760 GnuTLSKeyFile conf/tls/site1.key 761 GnuTLSPriorities NORMAL 762 GnuTLSOCSPStapling On 774 763 </VirtualHost> 775 764
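Review bot: the rewritten introduction to the simple TLS hosting example still has a number mismatch, "using one IP Addresses for each virtual host"; make it "one IP address for each virtual host" so it agrees with the corrected comment "Without SNI you need one IP Address per-site." a few lines below. While touching this block, a one-line comment explaining why site1 moves to `GnuTLSPriorities SECURE128` while site2, site3 and site4 stay on `NORMAL` variants would help readers, since the hunk now shows the stricter string without saying what it buys over the old explicit cipher list; the new warning comment on `%COMPAT` for site4 is a good model for that.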
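Review bot: removing `NameVirtualHost` also removes the only comment that explained how the server tells the four virtual hosts apart, namely that Server Name Indication lets mod_gnutls pick the certificate matching the requested `ServerName`; with four identical `<VirtualHost _default_:443>` blocks the reader now gets no hint of that, so keep a short comment above the first block, for example "# mod_gnutls selects the certificate for the name the client sends via SNI". The new wording still cites RFC 3546 for SNI; that is the original 2003 extensions RFC, which has since been obsoleted (RFC 4366, then RFC 6066), so consider citing RFC 6066 if the manual is being updated anyway. `GnuTLSSessionTickets on` appears only in the site1 block; if that is intentional, a comment saying why would avoid the impression that the other three are missing it.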
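Review bot: `GnuTLSPriorities NORMAL` is set twice in the new `<VirtualHost _default_:443>` block (once after `GnuTLSEnable On`, again just before `GnuTLSOCSPStapling On`); drop one of them. The new introduction has a typo, "store them im a memcached cache" should read "in a memcached cache", and it says the cache is "shared with another server" while the `GnuTLSCache memcache` line lists two memcached backends, so say whether "another server" means a second Apache instance or the second memcached address. `GnuTLSEnable On` uses a capitalised `On` where every other example in the file writes `on`; pick one spelling. Replacing the old "Performance Issues" section, which told readers to disable DHE or generate 768 to 1024 bit DH parameters below the 2048-bit default it itself mentions, is the right call; it would be worth a sentence in the commit message that this advice was dropped deliberately rather than lost in the rename to "OCSP Stapling Example".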