NameVirtualHost *:443 DocumentRoot /var/lib/tomcat7/webapps/metacat ## Allow CORS requests from all origins to use cookies SetEnvIf Origin "^(.*)$" ORIGIN_DOMAIN=$1 Header set Access-Control-Allow-Origin "%{ORIGIN_DOMAIN}e" env=ORIGIN_DOMAIN Header set Access-Control-Allow-Headers "Authorization, Content-Type, Origin, Cache-Control" Header set Access-Control-Allow-Methods "GET, POST, PUT, OPTIONS" Header set Access-Control-Allow-Credentials "true" ScriptAlias /metacat/cgi-bin/ /var/lib/tomcat7/webapps/metacat/cgi-bin/ AllowOverride All Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Require all granted RewriteEngine on RewriteCond %{HTTP:Authorization} ^(.*) RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] JkMount /metacat ajp13 JkMount /metacat/* ajp13 JkMount /metacat/metacat ajp13 JkMount /*.jsp ajp13 JkUnMount /metacat/cgi-bin/* ajp13 JkMount /metacatui ajp13 JkMount /metacatui/* ajp13 JkOptions +ForwardURICompatUnparsed AllowEncodedSlashes On AcceptPathInfo On # SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on SSLOptions +StrictRequire +StdEnvVars +ExportCertData # A self-signed (snakeoil) certificate can be created by installing # the ssl-cert package. See # /usr/share/doc/apache2.2-common/README.Debian.gz for more info. # If both key and certificate are stored in the same file, only the # SSLCertificateFile directive is needed. SSLCertificateFile /etc/ssl/certs/.crt SSLCertificateKeyFile /etc/ssl/private/.key SSLCertificateChainFile /etc/ssl/certs/.crt # Certificate Authority (CA): # Set the CA certificate verification path where to find CA # certificates for client authentication or alternatively one # huge file containing all of them (file must be PEM encoded) # Note: Inside SSLCACertificatePath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. # Use the correct DataONE chain for validating client certificates # see: https://repository.dataone.org/software/tools/trunk/ca SSLCACertificatePath /etc/ssl/certs/ #SSLCACertificateFile /etc/ssl/certs/DataONECAChain.crt SSLVerifyClient optional SSLVerifyDepth 10 # Client Authentication (Type): # Client certificate verification type and depth. Types are # none, optional, require and optional_no_ca. Depth is a # number which specifies how deeply to verify the certificate # issuer chain before deciding the certificate is not valid. SSLVerifyClient require SSLVerifyDepth 10 #SSLRenegBufferSize 10000000 #SSLOptions +OptRenegotiate SSLVerifyClient optional # disable SSL v2 and v3 # intermediate configuration from https://mozilla.github.io/server-side-tls/ssl-config-generator/ SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA SSLHonorCipherOrder on