Alias /repo/ /srv/cache/lookaside/ # default SSL configuration... Listen 443 SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) SSLSessionCacheTimeout 300 Mutex default SSLRandomSeed startup file:/dev/urandom 256 SSLRandomSeed connect builtin SSLCryptoDevice builtin # SSL host # This alias must come before the /repo/ one to avoid being overridden. ScriptAlias /repo/pkgs/upload.cgi /srv/web/upload.cgi Alias /repo/ /srv/cache/lookaside/ ServerName pkgs.fedoraproject.org ServerAdmin webmaster@fedoraproject.org SSLEngine on SSLCertificateFile conf/pkgs.fedoraproject.org_key_and_cert.pem SSLCertificateKeyFile conf/pkgs.fedoraproject.org_key_and_cert.pem SSLCACertificateFile conf/cacert.pem SSLCARevocationFile /etc/pki/tls/crl.pem SSLCipherSuite RSA:!EXPORT:!DH:!LOW:!NULL:+MEDIUM:+HIGH # Must be 'optional' everywhere in order to have POST operations work to upload.cgi SSLVerifyClient optional # Must be here for POST operations to upload.cgi SSLOptions +OptRenegotiate ErrorLog logs/ssl_error_log CustomLog logs/ssl_access_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%{SSL_CLIENT_S_DN_OU}x\" %{SSL_CLIENT_S_DN_CN}x %{SSL_CLIENT_S_DN_emailAddress}x \"%r\" %b" SSLVerifyClient optional SSLVerifyDepth 1 SSLOptions +StrictRequire +StdEnvVars +OptRenegotiate # require that the client auth cert was created by us and signed by us SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ and %{SSL_CLIENT_S_DN_O} eq "Fedora Project" \ and %{SSL_CLIENT_S_DN_OU} eq "Fedora User Cert" \ and %{SSL_CLIENT_I_DN_O} eq "Fedora Project" \ and %{SSL_CLIENT_I_DN_OU} eq "Fedora Project CA" ) SSLRequireSSL SSLVerifyClient optional SSLVerifyDepth 1 SSLOptions +StrictRequire +StdEnvVars +OptRenegotiate # require that the access comes from internal or that # the client auth cert was created by us and signed by us SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ and %{SSL_CLIENT_S_DN_O} eq "Fedora Project" \ and %{SSL_CLIENT_S_DN_OU} eq "Fedora User Cert" \ and %{SSL_CLIENT_I_DN_O} eq "Fedora Project" \ and %{SSL_CLIENT_I_DN_OU} eq "Fedora Project CA" )