From f77cf10d93d92cdca395ad2ce9ee80219fdc2439 Mon Sep 17 00:00:00 2001
From: Martin Zobel-Helas
Date: Thu, 15 Mar 2012 20:23:14 +0100
Subject: [PATCH] start to push some common SSL options to the webservers. they can be included if necessary.
Signed-off-by: Martin Zobel-Helas
---
 .../apache2/sites-available/common-ssl.inc | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 modules/apache2/files/common/etc/apache2/sites-available/common-ssl.inc

diff --git a/modules/apache2/files/common/etc/apache2/sites-available/common-ssl.inc b/modules/apache2/files/common/etc/apache2/sites-available/common-ssl.inc
new file mode 100644
index 00000000..2021ab4c
--- /dev/null
+++ b/modules/apache2/files/common/etc/apache2/sites-available/common-ssl.inc
@@ -0,0 +1,30 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+# SSL Protocol support:
+# List the protocol versions which clients are allowed to
+# connect with. Disable SSLv2 by default (cf. RFC 6176).
+SSLProtocol all -SSLv2
+
+#
+# Some MIME-types for downloading Certificates and CRLs
+#
+AddType application/x-x509-ca-cert .crt
+AddType application/x-pkcs7-crl .crl
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
+SSLHonorCipherOrder on
+
+# Add STS
+Header add Strict-Transport-Security "max-age=604800"
+
-- 
2.39.2
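Review bot: The `SSLCipherSuite` line admits RC4 by name and excludes both AES-GCM (`!AESGCM`) and DHE (`!EDH`), so apart from the single pinned ECDHE-RSA-AES256-SHA384 suite, forward secrecy and AEAD depend entirely on what `HIGH` happens to expand to on the deployed OpenSSL; RC4 is a weak stream cipher and should be excluded (`!RC4`) rather than listed, and the reason for banning AESGCM and EDH deserves a comment since it is the opposite of what a hardening include usually does. `SSLProtocol all -SSLv2` still permits SSLv3; for a shared include that every vhost may pull in, `SSLProtocol all -SSLv2 -SSLv3` is the safer default unless a known client population requires SSLv3. `Header add` appends rather than replaces, so a vhost that already sets STS will emit two Strict-Transport-Security headers, and without `always` the header is presumably dropped on error responses; `Header always set Strict-Transport-Security "max-age=604800"` avoids both. A comment such as `# 7-day max-age is a deliberately conservative rollout value; raise once all vhosts serve HTTPS cleanly` would tell the next maintainer that the short max-age is intentional.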