httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] adding SSL - is a distinct virtual host mandatory?
Date Tue, 04 Oct 2005 06:44:13 GMT
> -----Original Message-----
> From: Axel-Stéphane SMORGRAV
> 
> If you are planning on serving both SSL and non-SSL 
> connections, then yes, a separate virtual host is necessary 
> for one of the two.
> 
> The fact is that the SSLEngine directive is only valid in a 
> server or virtual host context. I do not know the reason for 
> that, but I am sure there is one.

Just to clear up some apparent confusion on this thread: I think the point everyone is missing
is that an SSL-encrypted website uses a *different protocol* than plain old HTTP. Instead
of thinking of SSL as some sort of add-on (like mod_perl) to a "normal" website, look carefully
at the protocol part of the address - it is "https". So, at a network level, HTTPS is as distinct
from HTTP as FTP or SMTP.

Once you see that, you should see that obviously it needs a distinct TCP/IP socket (i.e., IP
address and/or port number).

The confusion arises because browsers and web servers can handle either protocol so we get
the idea that HTTPS is just fancy HTTP. It's not - it needs its own socket and this is conventionally
achieved by using the same IP as the webserver but on port 443.

This boils down to having a separate port-based VH assigned to port 443 containing all the
SSL directives and a "Listen 443" directive at the server level.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

PS - did you install mod_ssl?

> 
> The most important things you need to configure are "SSLEngine On", 
> 
> These are the overall settings I use for SSL. Replace 
> everything enclosed in %% by actual values.
> 
> #
> SSLSessionCache         shm:%%SERVER_ROOT%%/logs/ssl_scache
> SSLSessionCacheTimeout  300
> 
> ## On Solaris, I use pthread. I think it works on SuSE as well.
> SSLMutex pthread
> 
> ## Your system may not have /dev/random. In that case you may 
> ## just use builtin for startup.
> SSLRandomSeed startup file:/dev/random 1024
> SSLRandomSeed connect builtin
> 
> SSLProtocol All -SSLv2
> SSLCipherSuite ALL:!ADH:!EXP:!aNULL:!eNULL:!LOW:RC4+RSA:+HIGH:+MEDIUM
> SSLVerifyDepth 3
> 
> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>     SSLOptions +StdEnvVars
> </Files>
> 
> SSLCACertificatePath %%X509_ROOT%%/ssl.crt
> 
> <Directory "%%SERVER_ROOT%%/cgi-bin">
>      SSLOptions  +ExportCertData +StdEnvVars
> </Directory>
> 
> For the virtual host itself, I generally use the following template:
> 
> Listen %%HTTP_ADDR%%:%%HTTPS_PORT%%
> 
> <VirtualHost %%HTTP_ADDR%%:%%HTTPS_PORT%%>
>     ServerName %%PUBLIC_NAME%%:%%HTTPS_PORT%%
> 
>     SSLCertificateFile %%X509_ROOT%%/ssl.crt/%%PUBLIC_NAME%%.crt
>     SSLCertificateKeyFile %%X509_ROOT%%/ssl.key/%%PUBLIC_NAME%%.key
>     SSLEngine on
> 
>     DocumentRoot %%SERVER_ROOT%%/htdocs
> 
>     ErrorLog %%SERVER_LOGS%%/reverse_error_log
>     CustomLog %%SERVER_LOGS%%/reverse_access_log combined env=!dontlog
> 
>     ## Add whatever you need here
> 
> </VirtualHost>
> 
> You can then specify the parameters for the non-SSL 
> connections at server level. What you need is a Listen 
> directive, some log specifications...
> 
> -ascs
> 
> 
> -----Original Message-----
> From: Andrew Clarke [mailto:aclarke@civica.com.au] 
> Sent: Tuesday, October 04, 2005 2:26 AM
> To: Apache Users
> Subject: [users@httpd] adding SSL - is a distinct virtual 
> host mandatory?
> 
> 
> SuSE 9.3 hosting Apache 2.0.53 (the build from SuSE installs) 
> and Firefox
> 1.0.6 for a self-contained server and workstation on a laptop.
> 
> I'm working on getting https working for the first time, and 
> keep reading hints that it's usual to make another virtual 
> host to carry the SSL. Is this required, or just "a good 
> idea"? If it's a good idea, why?
> 
> On a closely related topic, I eventually reached the point of 
> creating a self-certified CA and have made my server keys, 
> but the first response I get from an https://localhost access 
> is an alert box from the browser:
> 
>     "the connection to myserver has terminated unexpectedly.
>     Some data may have been transferred".
> 
> I do not even get an alert asking if I want to accept a 
> self-certified certificate, so the problem has to be very 
> early in the sequence.
> 
> Of course I'm going to assume that there's a few SSL config 
> parameters I need to set, but I was hoping that the default 
> .conf supplied by SuSE/Apache would only need the 
> certificates plugging in and it would just work. Are there 
> any SSL config parameters I MUST set before it will work? 
> The documentation lacks a clear tutorial (that I've been able 
> to find) so I'd really appreciate it if someone could 
> enumerate the essential parameters. I'll find out what they 
> all mean from there.
> 
> Thanks in advance,
> A Clarke.
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 

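As an added example (not from this thread or any of its posters): a small Python linter that checks an httpd config for the wiring rules discussed above - SSLEngine only at server or VirtualHost level, a server-level Listen for every SSL port, HTTPS and plain HTTP on distinct sockets, and mod_ssl actually loaded. The sample configs are constructed, with the %% placeholders from the template filled in with illustrative values.

```python
def lint_ssl_config(conf):
    """Return a list of SSL wiring problems found in an httpd config text (empty list = consistent)."""
    problems, listens, plain_ports, ssl_ports = [], set(), set(), set()
    stack, has_mod_ssl = [], False                      # stack of open [Section, arg, ssl_on]
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"): continue
        if line.startswith("</"):                       # closing a section
            kind, arg, ssl_on = stack.pop()
            if kind == "VirtualHost":                   # "*:443" or "1.2.3.4:443" -> "443"
                (ssl_ports if ssl_on else plain_ports).add(arg.rsplit(":", 1)[-1])
        elif line.startswith("<"):                      # e.g. <VirtualHost *:443>
            kind, arg = (line[1:-1].split(None, 1) + [""])[:2]
            stack.append([kind, arg, False])
        else:
            name, arg = (line.split(None, 1) + [""])[:2]
            if name == "LoadModule" and arg.startswith("ssl_module"):
                has_mod_ssl = True
            elif name == "Listen" and not stack:        # "Listen 443" / "Listen addr:443 https"
                listens.add(arg.split()[0].rsplit(":", 1)[-1])
            elif name == "SSLEngine" and arg.strip().lower() == "on":
                if stack and stack[-1][0] == "VirtualHost":
                    stack[-1][2] = True
                elif stack:                             # inside <Directory>, <Files>, ...
                    problems.append("SSLEngine is only valid at server or VirtualHost level, not inside <%s>" % stack[-1][0])
    if ssl_ports and not has_mod_ssl:
        problems.append("SSLEngine on but mod_ssl is not loaded (no 'LoadModule ssl_module')")
    for port in sorted(ssl_ports - listens):
        problems.append("SSL VirtualHost on port %s has no server-level 'Listen %s'" % (port, port))
    for port in sorted(ssl_ports & plain_ports):
        problems.append("port %s carries both an SSL and a plain-HTTP VirtualHost; HTTPS needs its own socket" % port)
    return problems

# Constructed sample configs (not the poster's own files) with the %% placeholders filled in.
GOOD_CONF = """LoadModule ssl_module modules/mod_ssl.so
Listen 80
Listen 443
<VirtualHost *:80>
    ServerName www.example.com
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com:443
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl.crt/www.example.com.crt
</VirtualHost>"""
BAD_CONF = """<Directory "/srv/www/htdocs">
    SSLEngine on
</Directory>
<VirtualHost *:443>
    SSLEngine on
</VirtualHost>"""
```

Run lint_ssl_config(BAD_CONF) to see the three findings that match the symptoms in the thread: SSLEngine in a Directory block, no mod_ssl loaded, and a port-443 virtual host with no matching Listen.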
