# redirect to https
#Redirect / https://www.example.com/
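# TLS protocol and cipher hardening.
#
# Check the result against the running server with:
#   nmap --script ssl-enum-ciphers -p 443 localhost
#
# or preview the base selection beforehand with:
#   openssl ciphers -v 'HIGH:!MEDIUM:!aNULL:!eNULL'
# This preview covers only the start of the string used below; pass the
# complete SSLCipherSuite value to openssl to see what is really offered.
#
# Reading the string:
#   HIGH:!MEDIUM     only suites OpenSSL classes as high strength
#   !aNULL:!eNULL    no unauthenticated and no unencrypted suites
#   !TLSv1:!SHA1     no suites OpenSSL tags as pre-TLS 1.2 and no SHA-1 MACs
#                    (the exact set depends on the OpenSSL version)
#   !RSA             no static RSA key exchange, i.e. no suites without
#                    forward secrecy; ECDHE-RSA/DHE-RSA suites are kept
#   !MD5:!RC4        no MD5 and no RC4
# "!" removes a suite permanently; "-" removes it but would let a later
# entry in the string add it back.
#
# CBC ciphers are obsolete (and implementations may be incorrect), therefore
# the CBC suites that survive the filters above are removed explicitly:
# -ECDHE-RSA-AES256-SHA384:-ECDHE-RSA-CAMELLIA256-SHA384:
# -DHE-RSA-AES128-SHA256:-DHE-RSA-AES256-SHA256:
# -DHE-RSA-CAMELLIA128-SHA256:-DHE-RSA-CAMELLIA256-SHA256:
# -ECDHE-RSA-AES128-SHA256:-ECDHE-RSA-CAMELLIA128-SHA256
# Re-run the nmap check after an OpenSSL upgrade: new library versions can
# add suites that this list does not name.
#
# NOTE(review): on httpd 2.4.36+ with OpenSSL 1.1.1 the TLS 1.3 suites are
# configured separately ("SSLCipherSuite TLSv1.3 ...") and are not affected
# by this string.
SSLCipherSuite HIGH:!MEDIUM:!aNULL:!eNULL:!TLSv1:!SHA1:!RSA:!MD5:!RC4:-ECDHE-RSA-AES256-SHA384:-ECDHE-RSA-CAMELLIA256-SHA384:-DHE-RSA-AES128-SHA256:-DHE-RSA-AES256-SHA256:-DHE-RSA-CAMELLIA128-SHA256:-DHE-RSA-CAMELLIA256-SHA256:-ECDHE-RSA-AES128-SHA256:-ECDHE-RSA-CAMELLIA128-SHA256
# "all" can still include SSLv3 on older httpd/OpenSSL builds, so SSLv3 is
# excluded explicitly instead of relying on the cipher filter alone.
# "-SSLv3" is also accepted on builds that have no SSLv3 support.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# TLS-level compression must stay disabled (CRIME-style attacks recover
# secrets from compressed, encrypted traffic). Do not enable the line below.
# SSLCompression on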
# NOTE(review): the enclosing <VirtualHost>/<Directory>/<Location> tags are
# not present in this listing, so the path each group below applies to
# cannot be determined from here. The groups are described as they appear.

# Virtual-host contact address and content root.
ServerAdmin webmaster@localhost
#ServerName www.example.com
DocumentRoot /var/www/gitolite

# No optional features and no .htaccess processing.
# "Order"/"Allow" are Apache 2.2-style access directives; on 2.4 they are
# provided by mod_access_compat, and the 2.4 documentation discourages
# mixing them with "Require" (which is used further down).
Options None
AllowOverride none
Order allow,deny
Allow from all

# /www/ is mapped to the Python web-interface script, which is executed
# through suEXEC as user "git", group "git".
# Access requires HTTP Basic authentication against the password file below.
# Basic auth sends the password with every request and relies entirely on
# TLS for confidentiality: never serve these paths from a plain-HTTP vhost.
SuexecUserGroup git git
ScriptAlias /www/ /var/www/bin/gitolite_web_interface.py
AuthType Basic
AuthName "gitolite access is required"
Require valid-user
AuthUserFile /etc/apache2/gitolite.passwd

# /git/ is mapped to the gitolite suEXEC wrapper script (presumably the
# Git-over-HTTP endpoint; confirm against the wrapper). It uses the same
# suEXEC identity, the same auth realm and the same password file as /www/.
SuexecUserGroup git git
ScriptAlias /git/ /var/www/bin/gitolite-suexec-wrapper.sh/
AuthType Basic
AuthName "gitolite access is required"
Require valid-user
AuthUserFile /etc/apache2/gitolite.passwd

# WebDAV lock database. As written it is a sibling of the DocumentRoot, not
# inside it; it must be writable by the server and should not be served.
DAVLockDB /var/www/DAVLock
# DAV-enabled area: 2.2-style "allow all" combined with a valid-user
# requirement from the same password file.
# When migrating the 2.2 lines, do not put "Require all granted" next to
# "Require valid-user": sibling Require directives are combined as
# RequireAny, which would admit unauthenticated requests.
Order Allow,Deny
Allow from all
Dav On
AuthType Basic
AuthName "gitolite access is required"
AuthUserFile /etc/apache2/gitolite.passwd
# +Indexes turns on automatic directory listings for this area.
Options +Indexes
Require valid-user
# NOTE(review): AuthConfig lets .htaccess files change authentication
# settings. If this applies to a directory that is writable through DAV,
# any authenticated user could upload such a file; "AllowOverride None" is
# the safer setting there. Confirm against the original container tags.
AllowOverride AuthConfig

# Deny-all rule (2.4 syntax) followed by directory listings being enabled.
# NOTE(review): without the container tags it is unclear which paths these
# two lines cover; confirm that listings are not enabled on a path that is
# meant to be denied.
Require all denied
Options +Indexes
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
# Error and access logs are written below ${APACHE_LOG_DIR}. The access log
# is the audit trail for the authenticated endpoints of this host, so keep
# it under rotation and restrict who can read it.
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
# The Basic-auth credentials used on this host depend on this being "on".
SSLEngine on
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
# Certificate and private key are kept in separate files here. The key file
# should be readable by root only; the server reads it at startup.
SSLCertificateFile /etc/ssl/certs/gitolite.crt
SSLCertificateKeyFile /etc/ssl/private/gitolite.key