httpd-users mailing list archives

From Axel-Stéphane SMORGRAV <Axel-Stephane.SMORG...@europe.adp.com>
Subject RE: [users@httpd] adding SSL - is a distinct virtual host mandatory?
Date Tue, 04 Oct 2005 06:07:22 GMT
If you are planning on serving both SSL and non-SSL connections, then yes, a separate virtual
host is necessary for one of the two.

The fact is that the SSLEngine directive is only valid in a server or virtual host context.
I do not know the reason for that, but I am sure there is one.

The most important things you need to configure are "SSLEngine On", 

These are the overall settings I use for SSL. Replace everything enclosed in %% by actual
values.

#
SSLSessionCache         shm:%%SERVER_ROOT%%/logs/ssl_scache
SSLSessionCacheTimeout  300

## On Solaris, I use pthread. I think it works on SuSE as well.
SSLMutex pthread

## Your system may not have /dev/random. In that case you may just use builtin for startup.
SSLRandomSeed startup file:/dev/random 1024
SSLRandomSeed connect builtin

SSLProtocol All -SSLv2
SSLCipherSuite ALL:!ADH:!EXP:!aNULL:!eNULL:!LOW:RC4+RSA:+HIGH:+MEDIUM
SSLVerifyDepth 3

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>

SSLCACertificatePath %%X509_ROOT%%/ssl.crt

<Directory "%%SERVER_ROOT%%/cgi-bin">
     SSLOptions  +ExportCertData +StdEnvVars
</Directory>

For the virtual host itself, I generally use the following template:

Listen %%HTTP_ADDR%%:%%HTTPS_PORT%%

<VirtualHost %%HTTP_ADDR%%:%%HTTPS_PORT%%>
    ServerName %%PUBLIC_NAME%%:%%HTTPS_PORT%%

    SSLCertificateFile %%X509_ROOT%%/ssl.crt/%%PUBLIC_NAME%%.crt
    SSLCertificateKeyFile %%X509_ROOT%%/ssl.key/%%PUBLIC_NAME%%.key
    SSLEngine on

    DocumentRoot %%SERVER_ROOT%%/htdocs

    ErrorLog %%SERVER_LOGS%%/reverse_error_log
    CustomLog %%SERVER_LOGS%%/reverse_access_log combined env=!dontlog

    ## Add whatever you need here

</VirtualHost>

You can then specify the parameters for the non-SSL connections at server level. What you
need is a Listen directive, some log specifications...

-ascs
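
The reply's point (SSLEngine lives in a server or virtual host context, so the SSL side needs its own host with its own Listen port, certificate and key) can be turned into a mechanical check. The script below is an added example, not code from this list or from the Apache project: a small line-oriented reader for httpd configuration text that collects Listen directives, main-server directives and each <VirtualHost> block, and reports ports that are listened on without any context enabling SSLEngine, SSL hosts without a Listen, and SSL hosts missing a certificate or key file. The sample configurations, the 192.0.2.10 address and the /srv/www paths are constructed for the example; the parser treats a port-less VirtualHost as matching every port, which is a simplification of httpd's own matching rules.

```python
"""Consistency check for the SSL directives in this thread. Added example, not
code from the list post or the httpd project: a line-oriented reader for httpd
configuration text that reports ports left without a working TLS endpoint."""
import re
from typing import Dict, List, Tuple

LISTEN_RE = re.compile(r"^Listen\s+(?:(\S+):)?(\d+)", re.IGNORECASE)
VHOST_OPEN_RE = re.compile(r"^<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE_RE = re.compile(r"^</VirtualHost>", re.IGNORECASE)
DIRECTIVE_RE = re.compile(r"^(\w+)\s+(.*)$")
REQUIRED_FOR_SSL = ("SSLCertificateFile", "SSLCertificateKeyFile")  # per the thread


class Context:
    """Directives collected for the main server or for one <VirtualHost>."""
    def __init__(self, label: str, port) -> None:
        self.label, self.port = label, port  # port None: not bound to one port
        self.directives: Dict[str, str] = {}

    def ssl_enabled(self) -> bool:
        return self.directives.get("SSLEngine", "off").lower() == "on"


def parse_config(text: str) -> Tuple[List[str], Context, List[Context]]:
    """Return (listened ports, main-server context, virtual host contexts)."""
    listens: List[str] = []
    server = Context("main server", None)
    vhosts: List[Context] = []
    current = server
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # httpd comments occupy whole lines
            continue
        if m := VHOST_OPEN_RE.match(line):
            spec = m.group(1).strip()
            _addr, sep, port = spec.rpartition(":")
            current = Context(f"<VirtualHost {spec}>", port if sep else None)
        elif VHOST_CLOSE_RE.match(line):
            vhosts.append(current)
            current = server
        elif m := LISTEN_RE.match(line):
            listens.append(m.group(2))
        elif m := DIRECTIVE_RE.match(line):  # lines of nested <Files>/<Directory>
            current.directives[m.group(1)] = m.group(2).strip()  # fold into context
    return listens, server, vhosts


def check(text: str, tls_ports: Tuple[str, ...] = ("443",)) -> List[str]:
    """Return findings (empty list: consistent). tls_ports are the ports that
    clients are expected to reach with https://."""
    listens, server, vhosts = parse_config(text)
    findings: List[str] = []
    tls_served = set()  # ports on which some context actually enables SSLEngine

    def require_certs(ctx: Context) -> None:
        for directive in REQUIRED_FOR_SSL:
            if directive not in ctx.directives:
                findings.append(f"{ctx.label}: SSLEngine on but no {directive}")

    if server.ssl_enabled():  # SSLEngine at server level covers every Listen
        tls_served.update(listens)
        require_certs(server)
    for vh in vhosts:
        if not vh.ssl_enabled():
            continue
        require_certs(vh)
        if vh.port in (None, "*"):  # simplification: treat as every port
            tls_served.update(listens)
        elif vh.port in listens:
            tls_served.add(vh.port)
        else:
            findings.append(f"{vh.label}: SSLEngine on but no Listen for port {vh.port}")
    for port in tls_ports:
        if port not in listens:
            findings.append(f"port {port}: no Listen, https:// connections are refused")
        elif port not in tls_served:
            findings.append(f"port {port}: listened on but nothing enables SSLEngine, "
                            "so https:// clients get plain HTTP and the handshake fails")
    return findings


# Constructed sample in the shape of the reply's template (placeholders filled
# with made-up paths): the SSL host has its own port, certificate and key.
GOOD_CONFIG = """
Listen 80
Listen 192.0.2.10:443
<VirtualHost 192.0.2.10:443>
    SSLCertificateFile /srv/www/ssl.crt/www.example.com.crt
    SSLCertificateKeyFile /srv/www/ssl.key/www.example.com.key
    SSLEngine on
</VirtualHost>
"""
# Constructed sample of one configuration that produces the symptom in the
# question: 443 is listened on, certificates are named, but SSLEngine is never on.
BROKEN_CONFIG = """
Listen 80
Listen 443
SSLCertificateFile /srv/www/ssl.crt/www.example.com.crt
SSLCertificateKeyFile /srv/www/ssl.key/www.example.com.key
"""
```

Run check() over your own httpd.conf text before restarting; on the live server, `apachectl -t` confirms the syntax and `openssl s_client -connect localhost:443` shows whether a certificate is actually presented, which is the distinction between a plaintext listener on 443 and a certificate the browser has merely not yet trusted.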


-----Original Message-----
From: Andrew Clarke [mailto:aclarke@civica.com.au] 
Sent: Tuesday, October 04, 2005 2:26 AM
To: Apache Users
Subject: [users@httpd] adding SSL - is a distinct virtual host mandatory?


SuSE 9.3 hosting Apache 2.0.53 (the build from SuSE installs) and Firefox
1.0.6 for a self-contained server and workstation on a laptop.

I'm working on getting https working for the first time, and keep reading hints that it's
usual to make another virtual host to carry the SSL. Is this required, or just "a good idea"?
If it's a good idea, why?

On a closely related topic, I eventually reached the point of creating a self-certified CA
and have made my server keys, but the first response I get from an https://localhost access
is an alert box from the browser:

    "the connection to myserver has terminated unexpectedly.
    Some data may have been transferred".

I do not even get an alert asking if I want to accept a self-certified certificate, so the
problem has to be very early in the sequence.

Of course I'm going to assume that there's a few SSL config parameters I need to set, but
I was hoping that the default .conf supplied by SuSE/Apache would only need the certificates
plugging in and it would just work. Are there any SSL config parameters I MUST set before
it will work? 
The documentation lacks a clear tutorial (that I've been able to find) so I'd really appreciate
it if someone could enumerate the essential parameters. I'll find out what they all mean from
there.

Thanks in advance,
A Clarke.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

