ctubio/php-proxy-keyserver
==========================

PHP proxy and extensible web interface forwarding standard HKP requests to a local or remote SKS OpenPGP Keyserver.

v0.3.4 (9y ago) · MIT · PHP ~5.6 · [Source](https://github.com/ctubio/php-proxy-keyserver) · [Packagist](https://packagist.org/packages/ctubio/php-proxy-keyserver)

These sources are happy serving public keys at  (check the [pool status](https://sks-keyservers.net/status/)!).

### Main Features

- Minimalistic PHP framework focused on extending and prettifying the default web interface of a keyserver.
- PHPize any request at any port for humans, but keep the original output for gpg/pool clients.
- 8 skins (thank you folks!), but you can make your own (with dynamic PHP blocks or static HTML).
- Optional automatic addition and validation of user-submitted membership lines for new peers.
- Optional automatic indentation and validation of HTML pages before sending HTML responses.
- Meaningful (hope you like stack traces) error messages while developing skins/pages.
- Webserver configs ready for apache2 or nginx (and tor hidden service and piwik tracker).
- Load balancer configs ready for haproxy (between PHP and HKP, or balance PHP too).
- BOINC Status GUI RPC ready to display the currently assigned tasks on your server farm.
- Or trash all *modern* features and stick with the great old plain html frontend (for historical purposes).

### How to run your own SKS Keyserver with PHP and friends:

```
  $ # Check the latest sks version:
  $ curl https://bitbucket.org/skskeyserver/sks-keyserver/raw/default/VERSION
  $ # Check the available sks versions in your sources:
  $ apt-cache policy sks
  $ # Check your current sks version:
  $ sks version
  $ # Decide if you wanna download and compile the latest sks version.

  $ # The README file has examples of configuration files for sks, nginx/apache, haproxy and tor.

  $ # Check if your keyserver is up and running (in all machines):
  $ netstat -anp | egrep --color 'sks'
  tcp   0    0 0.0.0.0:11370                 0.0.0.0:*     LISTEN      8198/sks
  tcp   0    0 127.0.0.1:11371               0.0.0.0:*     LISTEN      8197/sks
  tcp6  0    0 :::11370                      :::*          LISTEN      8198/sks
  unix  2    [ ACC ]    STREAM   LISTENING   29826   8197/sks   /var/lib/sks/db_com_sock
  unix  2    [ ACC ]    STREAM   LISTENING   29835   8198/sks   /var/lib/sks/recon_com_sock
  $ # If you don't see any output, please start the keyserver daemons with similar configs.

  $ # Optionally, check if your load balancer is up and running (in primary machine):
  $ netstat -anp | egrep --color 'haproxy'
  tcp   0     0 0.0.0.0:11369                0.0.0.0:*     LISTEN      2438/haproxy
  unix  2     [ ]       DGRAM                11553   2008/rsyslogd  /var/lib/haproxy/dev/log
  unix  2     [ ]       DGRAM                12323   2438/haproxy
  $ # Here port 11369 is used, but you are free to choose any other number if you wish.
  $ # A load balancer isn't mandatory, unless you plan to generate daily keydumps.

  $ # Optionally, check if your tor is up and running (in primary machine):
  $ netstat -anp | egrep --color 'tor'
  tcp   0    0 127.0.0.1:9050                0.0.0.0:*     LISTEN      11655/tor
  unix  2    [ ACC ]   STREAM    LISTENING   53139133 11655/tor   /var/run/tor/control
  unix  3    [ ]       STREAM    CONNECTED   53139131 11655/tor
  unix  3    [ ]       STREAM    CONNECTED   53139130 11655/tor
  $ # Here port 9050 is used, but you are free to choose any other number if you wish.
  $ # A tor hidden service isn't mandatory, unless you plan to provide anonymity.

  $ # Check if your webserver is up and running (in primary machine):
  $ netstat -anp | egrep --color 'apache2|nginx'
  tcp   0     0    10.10.10.2:11371          0.0.0.0:*     LISTEN      3197/apache2
  tcp   0     0    10.10.10.2:80             0.0.0.0:*     LISTEN      3197/apache2
  tcp   0     0    10.10.10.2:443            0.0.0.0:*     LISTEN      3197/apache2
  tcp6  0     0    2607:f298:6050:6f:11371   :::*          LISTEN      9647/apache2
  tcp6  0     0    2607:f298:6050:6f81::80   :::*          LISTEN      9647/apache2
  tcp6  0     0    2607:f298:6050:6f81:443   :::*          LISTEN      9647/apache2
  $ # The 4th column may be your own public IPs of your virtual machine/server.
  $ # If you don't see any output, please start the webserver daemon with similar configs.

  $ # Download and compose the php proxy and the extensible web interface between them:
  $ cd /var/www
  $ mkdir your.domain.name
  $ cd your.domain.name
  $ composer self-update
  $ composer create-project ctubio/php-proxy-keyserver . --keep-vcs
  $ make config
  $ make help
  $ # All done, thank you!

  $ # Validate if your website can search/retrieve/submit pgp public keys.
  $ # Validate if your keyserver works using the command line tool gpg (or others).
  $ # Import the most recent database dump, and use the mailing list to find peers.
  $ # Please, feel free to extend or customize as you need the web interface!
```

### Troubleshooting

##### Common Installation Problems:

```
-bash: composer: command not found

```

to fix it, see

##### Silly Winny Problems:

```
'make' is not recognized as an internal or external command

```

to fix it, see

### What if..

##### ..i want to make a skin?

run the following command to create a new skin (using `skin/default` as a base, or any other), and if you would like to share it, please read the [CONTRIBUTING](CONTRIBUTING) file:

```
$ cp -r skin/default skin/new-skin

```

##### ..i want documentation about the available methods in `skin/*.phtml` files?

Yes Sir/Milady, please make use of the 3 built-in methods of `$this` from any phtml file:

```
# get any value from etc/php-proxy-keyserver.ini
string $this->getConfig(string $option);
# (you can add new options to the config file as you need)
# for example:
echo $this->getConfig('hkp_load_balanced_addr'); # may print 127.0.0.1
echo $this->getConfig('custom_var');             # may print custom_value
```

```
# get any block from skin/blocks/*
string $this->getBlock(string $block);
# (you can get blocks from any depth in the path)
# for example:
echo $this->getBlock('gnu_inside');       # parse and print skin/block/gnu_inside.phtml
echo $this->getBlock('happy/gnu_inside'); # parse and print skin/block/happy/gnu_inside.phtml
```

```
# get any page from skin/page/*
string $this->getPage([string $page]);
# (useful in the layout, or to show some page in the footer of all pages?)
# for example:
echo $this->getPage();            # parse and print the current page based on http request
echo $this->getPage('index');     # parse and print page/index.phtml
echo $this->getPage('path/file'); # parse and print path/file.phtml
```

##### ..i don't want to use php?

the `skin/default` uses a php layout to build the given page with blocks. But if you would like to use only html files or any other static format, please see the source of [skin/pgpkeyserver-lite](https://github.com/mattrude/pgpkeyserver-lite) or [skin/XHTML+ES](https://github.com/ctubio/sks-keyserver-sampleWeb-XHTML-ES) as examples.

##### ..i want to make a skin for the community but without running my own keyserver?

feel free to use my keyserver for your development, the address is `pgp.key-server.io` (see the answer below).

##### ..my server is just a webserver?

the keyserver may be provided by a different server. If that is your case, please edit `etc/php-proxy-keyserver.ini` and customize the value of `hkp_load_balanced_addr` to match the address of the keyserver.

##### ..i want to upgrade to a new version of php-proxy-keyserver?

please run the following commands (using v1.2.3 as an example):

```
 $ git fetch;           # see the available new versions in the output
 $ git checkout v1.2.3; # upgrade to v1.2.3
```

or you can revert back to a previous version with:

```
 $ git checkout v1.2.2; # downgrade back to v1.2.2
```

##### ..my keyserver is not an instance of `sks`?

the php proxy will work with any keyserver as long as it is based on the [OpenPGP HTTP Keyserver Protocol (HKP)](http://ietfreport.isoc.org/all-ids/draft-shaw-openpgp-hkp-00.txt).

##### ..i would like to see some sks configs:

please take this as an example:

```
# debuglevel 3 is default (max. debuglevel is 10)
basedir:            /var/lib/sks
debuglevel:         3
hostname:           your.domain.name
nodename:           your.node.name
hkp_port:           11371
hkp_address:        127.0.0.1
recon_port:         11370
#recon_address:     127.0.0.1
#
server_contact:     0xYOUR64BITKEYID
from_addr:          pgp-public-keys@hostname
sendmail_cmd:       /usr/sbin/sendmail -t -oi
initial_stat:
disable_mailsync:
membership_reload_interval: 21
stat_hour:          21
#
# set DB file pagesize as recommended by db_tuner
# pagesize is (n * 512) bytes
# NOTE: These must be set _BEFORE_ [fast]build & pbuild and remain set
# for the life of the database files. To change a value requires recreating
# the database from a dump
#
# KDB/key          65536
pagesize:          128
#
# KDB/keyid		     32768
keyid_pagesize:    64
#
# KDB/meta	    	 512
meta_pagesize:     1
# KDB/subkeyid		 65536
subkeyid_pagesize: 128
#
# KDB/time	    	 65536
time_pagesize:     128
#
# KDB/tqueue		   512
tqueue_pagesize:   1
#
# KDB/word - db_tuner suggests 512 bytes. This locked the build process
# Better to use a default of 8 (4096 bytes) for now
word_pagesize:		 8
#
# PTree/ptree		   4096
ptree_pagesize:    8

```

##### ..i would like to see some tor configs:

please take this as an example, where you should replace the keyword `YOUR.PUBLIC.IPv4`.

Enable Tor Hidden Service for SKS:

```
DataDirectory /var/lib/tor
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 11371 YOUR.PUBLIC.IPv4:11371
HiddenServicePort 80    YOUR.PUBLIC.IPv4:80
HiddenServicePort 443   YOUR.PUBLIC.IPv4:443

```

##### ..i would like to see some haproxy configs:

here is a basic setup for a network (see the output of the netstat command at the top of the README file) with a single `apache2` running a single `php-proxy-keyserver` that forwards hkp requests to a single `haproxy`, which balances the load across multiple redundant `sks` keyservers (the objective here is to avoid downtime while making daily keydumps; additionally you can put the webserver behind another load balancing setup, of course):

```
global
  log /dev/log local0
  log /dev/log local1 notice
  chroot /var/lib/haproxy
  maxconn 4096
  user  haproxy
  group haproxy
  daemon

defaults
  log     global
  mode    http
  option  httplog
  option  dontlognull
  option  http-server-close
  option  forwardfor
  timeout connect 5000
  timeout client  50000
  timeout server  50000
  retries 2
  option  redispatch
  stats enable
  stats hide-version
  stats uri /haproxy
  errorfile 400 /etc/haproxy/errors/400.http
  errorfile 403 /etc/haproxy/errors/403.http
  errorfile 408 /etc/haproxy/errors/408.http
  errorfile 500 /etc/haproxy/errors/500.http
  errorfile 502 /etc/haproxy/errors/502.http
  errorfile 503 /etc/haproxy/errors/503.http
  errorfile 504 /etc/haproxy/errors/504.http

listen php-proxy-keyserver *:11369
  balance leastconn
  server carles.tubio.sks-database_0 127.0.0.1:11371 check
  server carles.tubio.sks-database_1 10.10.10.21:11371 check
  server carles.tubio.sks-database_2 10.10.10.22:11371 check
  server carles.tubio.sks-database_3 10.10.10.23:11371 check

```

##### ..i would like to see some nginx configs:

please take these files as examples, where you should replace the keywords `YOUR.PUBLIC.IPv4`, `YOUR.PUBLIC.IPv6` and `YOUR.DOMAIN.NAME`.

Enable support for standard HKP, HTTP and HTTPS requests:

```
server {
        listen   YOUR.PUBLIC.IPv4:80;
        listen   [YOUR.PUBLIC.IPv6]:80;
        listen   YOUR.PUBLIC.IPv4:443 ssl;
        listen   [YOUR.PUBLIC.IPv6]:443 ssl;
        server_name www.YOUR.DOMAIN.NAME;
        rewrite ^ $scheme://YOUR.DOMAIN.NAME$uri permanent;
        ssl_certificate /etc/nginx/keys/YOUR.DOMAIN.NAME.crt;
        ssl_certificate_key /etc/nginx/keys/YOUR.DOMAIN.NAME.key;
        ssl_session_timeout 5m;
        ssl_protocols SSLv3 TLSv1.2;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
        ssl_prefer_server_ciphers on;
}

server {
        listen   YOUR.PUBLIC.IPv4:80;
        listen   [YOUR.PUBLIC.IPv6]:80;
        listen   YOUR.PUBLIC.IPv4:11371;
        listen   [YOUR.PUBLIC.IPv6]:11371;
        listen   YOUR.PUBLIC.IPv4:443 ssl;
        listen   [YOUR.PUBLIC.IPv6]:443 ssl;

        root /var/www/YOUR.DOMAIN.NAME/pub;
        index php-proxy-keyserver.php;

        disable_symlinks off;

        server_name YOUR.DOMAIN.NAME pool.sks-keyservers.net *.pool.sks-keyservers.net;

        location /dump {
         autoindex on;
         add_before_body /dump/.css;
        }

        location / {
         try_files $uri $uri/ /php-proxy-keyserver.php?$query_string;
        }

        location ~ \.php$ {
         fastcgi_split_path_info ^(.+\.php)(/.+)$;
         fastcgi_pass unix:/var/run/php5-fpm.sock;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         include fastcgi_params;
        }

        location ~ /\.ht {
         deny all;
        }

        ssl_certificate /etc/nginx/keys/YOUR.DOMAIN.NAME.crt;
        ssl_certificate_key /etc/nginx/keys/YOUR.DOMAIN.NAME.key;
        ssl_session_timeout 5m;
        ssl_protocols SSLv3 TLSv1.2;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
        ssl_prefer_server_ciphers on;
}

```
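
The nginx example above enables `SSLv3` and a cipher string that starts from `ALL`, so every suite the TLS library still offers, including legacy ones, is on the table. The following is an added example, not part of the project's README: a POSIX shell function that flags such lines in nginx config text. The function names and the replacement values in `hardened_tls_lines` are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example (not from the project): flag weak TLS settings in nginx config
# text read from stdin. Prints one finding per line; prints nothing when clean.
audit_nginx_tls() {
    awk '
    { sub(/#.*/, "") }                          # ignore comments
    $1 == "ssl_protocols" {
        for (i = 2; i <= NF; i++) {
            p = $i; sub(/;$/, "", p)
            if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/)
                printf "line %d: deprecated protocol %s\n", NR, p
        }
    }
    $1 == "ssl_ciphers" {
        spec = $2; sub(/;$/, "", spec)
        n = split(spec, tok, ":")
        for (i = 1; i <= n; i++) {
            # "!" and "-" remove ciphers and a leading "+" only reorders,
            # so none of those can add a weak suite to the list.
            if (tok[i] ~ /^[!+-]/) continue
            # "A+B" selects suites that match both A and B.
            m = split(tok[i], part, "[+]")
            for (j = 1; j <= m; j++)
                if (part[j] ~ /^(ALL|COMPLEMENTOFALL|LOW|MEDIUM|EXP|EXPORT|EXPORT40|EXPORT56|RC4|DES|3DES|MD5|NULL|eNULL|aNULL|ADH)$/)
                    printf "line %d: legacy or weak cipher class %s in token %s\n", NR, part[j], tok[i]
        }
    }'
}

# The two TLS lines as they appear in the nginx example on this page.
page_tls_lines() {
    cat <<'EOF'
ssl_protocols SSLv3 TLSv1.2;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
EOF
}

# Assumed replacement values (not the project's): TLS 1.2/1.3, AEAD suites only.
hardened_tls_lines() {
    cat <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
EOF
}

echo "README nginx TLS lines:"; page_tls_lines | audit_nginx_tls
echo "Replacement TLS lines:";  hardened_tls_lines | audit_nginx_tls
```

To check a deployed file, feed it on stdin, for example `audit_nginx_tls < /etc/nginx/sites-enabled/YOUR.DOMAIN.NAME` (path is a placeholder).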

##### ..i would like to see some apache2 configs:

please take these files as examples, where you should replace the keywords `YOUR.PUBLIC.IPv4`, `YOUR.PUBLIC.IPv6` and `YOUR.DOMAIN.NAME`.

Enable support for standard HKP requests:

```
Listen YOUR.PUBLIC.IPv4:11371
NameVirtualHost YOUR.PUBLIC.IPv4:11371
Listen [YOUR.PUBLIC.IPv6]:11371
NameVirtualHost [YOUR.PUBLIC.IPv6]:11371

# VirtualHost addresses assumed to be the Listen addresses above
<VirtualHost YOUR.PUBLIC.IPv4:11371 [YOUR.PUBLIC.IPv6]:11371>
  ServerAdmin webmaster@localhost
  ServerName www.YOUR.DOMAIN.NAME
  ServerAlias YOUR.DOMAIN.NAME
  DocumentRoot /var/www/YOUR.DOMAIN.NAME/pub
  RewriteEngine on
  RewriteCond %{HTTP_HOST}  =www.YOUR.DOMAIN.NAME       [NC]
  RewriteRule ^(.*)         http://YOUR.DOMAIN.NAME$1  [R=301,NE]
  RewriteRule ^(.*)$ /php-proxy-keyserver.php?$1 [QSA,L]

	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>

	# Directory path assumed to be the DocumentRoot
	<Directory /var/www/YOUR.DOMAIN.NAME/pub>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
		Order allow,deny
		allow from all
	</Directory>

	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

	<Directory "/usr/lib/cgi-bin">
		AllowOverride None
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		Order allow,deny
		Allow from all
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

```

Enable support for HTTP requests:

```
Listen YOUR.PUBLIC.IPv4:80
NameVirtualHost YOUR.PUBLIC.IPv4:80
Listen [YOUR.PUBLIC.IPv6]:80
NameVirtualHost [YOUR.PUBLIC.IPv6]:80

# VirtualHost addresses assumed to be the Listen addresses above
<VirtualHost YOUR.PUBLIC.IPv4:80 [YOUR.PUBLIC.IPv6]:80>
  ServerAdmin webmaster@localhost
  ServerName www.YOUR.DOMAIN.NAME
  ServerAlias YOUR.DOMAIN.NAME pool.sks-keyservers.net *.pool.sks-keyservers.net
  DocumentRoot /var/www/YOUR.DOMAIN.NAME/pub
  RewriteEngine on
  RewriteCond %{HTTP_HOST}  =www.YOUR.DOMAIN.NAME       [NC]
  RewriteRule ^(.*)         http://YOUR.DOMAIN.NAME$1  [R=301,NE]
  RewriteRule ^(.*)$ /php-proxy-keyserver.php?$1 [QSA,L]

	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>

	# Directory path assumed to be the DocumentRoot
	<Directory /var/www/YOUR.DOMAIN.NAME/pub>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
		Order allow,deny
		allow from all
	</Directory>

	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

	<Directory "/usr/lib/cgi-bin">
		AllowOverride None
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		Order allow,deny
		Allow from all
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

```

Enable support for HTTPS requests:

```

Listen YOUR.PUBLIC.IPv4:443
NameVirtualHost YOUR.PUBLIC.IPv4:443
Listen [YOUR.PUBLIC.IPv6]:443
NameVirtualHost [YOUR.PUBLIC.IPv6]:443

  ServerAdmin webmaster@localhost
  ServerName www.YOUR.DOMAIN.NAME
  ServerAlias YOUR.DOMAIN.NAME
  RewriteEngine on
  RewriteCond %{HTTP_HOST}  =www.YOUR.DOMAIN.NAME       [NC]
  RewriteRule ^(.*)         https://YOUR.DOMAIN.NAME$1  [R=301,NE]
  RewriteRule ^(.*)$ /php-proxy-keyserver.php?$1 [QSA,L]
	DocumentRoot /var/www/YOUR.DOMAIN.NAME/pub

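	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>

	# Directory path assumed to be the DocumentRoot
	<Directory /var/www/YOUR.DOMAIN.NAME/pub>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
		Order allow,deny
		allow from all
	</Directory>

	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

	<Directory "/usr/lib/cgi-bin">
		AllowOverride None
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		Order allow,deny
		Allow from all
	</Directory>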

	ErrorLog ${APACHE_LOG_DIR}/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

	#   SSL Engine Switch:
	#   Enable/Disable SSL for this virtual host.
	SSLEngine on

	#   A self-signed (snakeoil) certificate can be created by installing
	#   the ssl-cert package. See
	#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
	#   If both key and certificate are stored in the same file, only the
	#   SSLCertificateFile directive is needed.
	SSLCertificateFile  /etc/apache2/keys/YOUR.DOMAIN.NAME.crt
	SSLCertificateKeyFile  /etc/apache2/keys/YOUR.DOMAIN.NAME.key

	#   Server Certificate Chain:
	#   Point SSLCertificateChainFile at a file containing the
	#   concatenation of PEM encoded CA certificates which form the
	#   certificate chain for the server certificate. Alternatively
	#   the referenced file can be the same as SSLCertificateFile
	#   when the CA certificates are directly appended to the server
	#   certificate for convenience.
	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
	SSLCertificateChainFile  /etc/apache2/keys/YOUR.DOMAIN.NAME.int

	#   Certificate Authority (CA):
	#   Set the CA certificate verification path where to find CA
	#   certificates for client authentication or alternatively one
	#   huge file containing all of them (file must be PEM encoded)
	#   Note: Inside SSLCACertificatePath you need hash symlinks
	#         to point to the certificate files. Use the provided
	#         Makefile to update the hash symlinks after changes.
	#SSLCACertificatePath /etc/ssl/certs/
	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

	#   Certificate Revocation Lists (CRL):
	#   Set the CA revocation path where to find CA CRLs for client
	#   authentication or alternatively one huge file containing all
	#   of them (file must be PEM encoded)
	#   Note: Inside SSLCARevocationPath you need hash symlinks
	#         to point to the certificate files. Use the provided
	#         Makefile to update the hash symlinks after changes.
	#SSLCARevocationPath /etc/apache2/ssl.crl/
	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

	#   Client Authentication (Type):
	#   Client certificate verification type and depth.  Types are
	#   none, optional, require and optional_no_ca.  Depth is a
	#   number which specifies how deeply to verify the certificate
	#   issuer chain before deciding the certificate is not valid.
	#SSLVerifyClient require
	#SSLVerifyDepth  10

	#   Access Control:
	#   With SSLRequire you can do per-directory access control based
	#   on arbitrary complex boolean expressions containing server
	#   variable checks and other lookup directives.  The syntax is a
	#   mixture between C and Perl.  See the mod_ssl documentation
	#   for more details.
	#
	#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
	#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
	#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
	#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} = 8 and %{TIME_HOUR}
