# see also unfold.conf
# see also unfold-initi-ssl.sh
#
# NOTE on packaging
# 
# this is not enabled by default because it would prevent apache from
# starting up properly when /etc/unfold/trusted_roots is empty
# 
# So on debian you would typically need to run
# a2ensite unfold-ssl.conf
# unfold-init-ssl.sh
# service apache2 restart
#
# This port is configured with client-certificate *required*
# corresponding trusted roots (e.g. ple.gid and plc.gid) should be 
# configured in /etc/unfold/trusted_roots
# 

<VirtualHost *:443>
	WSGIDaemonProcess unfold-ssl processes=2 threads=25
	WSGIProcessGroup  unfold-ssl
	CustomLog ${APACHE_LOG_DIR}/myslice-ssl-access.log common
	ErrorLog ${APACHE_LOG_DIR}/myslice-ssl-error.log
        WSGIScriptAlias / /usr/share/unfold/apache/unfold.wsgi
        <Directory /usr/share/unfold/apache/>
        <Files unfold.wsgi>
        Order deny,allow
        Allow from all
        </Files>
        </Directory>
        Alias /static/ /usr/share/unfold/static/
        <Directory /usr/share/unfold/static>
        Order deny,allow
        Allow from all
        </Directory>

	SSLEngine on
	SSLVerifyClient require
	SSLVerifyDepth 5
# make this a symlink to /etc/sfa/trusted_roots if that makes sense in your env.
	SSLCACertificatePath /etc/unfold/trusted_roots
# see init-ssl.sh for how to create self-signed stuff in here
	SSLCertificateFile    /etc/unfold/myslice.cert
	SSLCertificateKeyFile /etc/unfold/myslice.key

#	SSLOptions +StdEnvVars +ExportCertData
	SSLOptions +StdEnvVars
</VirtualHost>