httpd-users mailing list archives

From Tom Allison <...@tacocat.net>
Subject [users@httpd] apache+ssl config
Date Mon, 04 Jun 2007 06:09:22 GMT
OK, at one point in my life I had something working for a very brief period that 
looked like https.
Unfortunately after a few days... it stopped.  Never got it working again...

So I'm trying to get sane directions working and I'm pretty hosed... apache will 
start but https doesn't respond.  This seems fairly common.

[Sat Jun 02 22:09:55 2007] [info] Init: Seeding PRNG with 0 bytes of entropy
[Sat Jun 02 22:09:55 2007] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Sat Jun 02 22:09:55 2007] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Sat Jun 02 22:09:55 2007] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Sat Jun 02 22:09:55 2007] [info] Init: Initializing (virtual) servers for SSL
[Sat Jun 02 22:09:55 2007] [info] Server: Apache/2.2.3, Interface: mod_ssl/2.2.3, Library: OpenSSL/0.9.8c
[Sat Jun 02 22:09:55 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Sat Jun 02 22:09:55 2007] [info] mod_fcgid: Process manager 16591 started
[Sat Jun 02 22:09:55 2007] [info] Init: Seeding PRNG with 0 bytes of entropy
[Sat Jun 02 22:09:55 2007] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Sat Jun 02 22:09:55 2007] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Sat Jun 02 22:09:55 2007] [info] Init: Initializing (virtual) servers for SSL
[Sat Jun 02 22:09:55 2007] [info] Server: Apache/2.2.3, Interface: mod_ssl/2.2.3, Library: OpenSSL/0.9.8c
[Sat Jun 02 22:09:55 2007] [notice] Apache/2.2.3 (Debian) mod_ssl/2.2.3 OpenSSL/0.9.8c configured -- resuming normal operations
[Sat Jun 02 22:09:55 2007] [info] Server built: Mar 27 2007 14:54:26


The response from Firefox is some error called "has sent an incorrect or 
unexpected message. Error Code -12263"

I have Directives in apache.conf for:
Listen 443

Directives in ssl.conf
<IfModule mod_ssl.c>
#  added by me.
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/host.cert
SSLCertificateKeyFile /etc/apache2/ssl/host.key
</IfModule>
NOTE: I also have SSLSessionCache called out even though the logs say I don't. 
It's the Debian default so I'm kind of "wtf?" on this one.

Now, I have about 100 questions that I've been searching for all night long.
I'm either hitting the wrong keywords or just can't find anything.


First.  If I want to have both SSL and non-SSL Virtual Hosts:  It is my 
understanding that I can only have one HTTPS host but many HTTP hosts (chicken 
and egg).
For the most part, this is fine.  I'm primarily looking at a http+https host and 
perhaps smaller (static) http sites.

It's fairly obvious to me that I don't have any clue where to put the 
SSLEngine/SSLCertificate* directives because they just don't act like they are 
being considered at all.

So I'm asking if someone has some concise information on how this can be done....

I assume that no matter what I want to do I have to leave the 'Listen 443' 
directive in Section 1 of apache.conf.
true/false?

I suspect that the SSL Directives I want to use have to be entered into a 
VirtualHost Directive like:

<VirtualHost *:443>
   SSLEngine on
   SSLCertificateFile ...
   SSLCertificateKeyFile ...
   # And other stuff there with directories and cgi-bin directories...
</VirtualHost>

And so I have to write a *lot* of stuff for the HTTPS stuff to work.
Seems that for just about every directive out there (cgi, fcgi, ...) I have to 
darn near copy and repeat for HTTPS.
This seems incorrect because it's repetitive, lengthy, and does nothing to 
restrict sections to only HTTPS.
I haven't any idea how to make certain areas HTTP only and others HTTPS only but 
it's probably related to SSLRequire.
Unfortunately, since I have no SSL working at all my ability to investigate this 
is slightly limited.. ;)

So, what's a good practice for doing this kind of stuff?
Am I even close?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
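
A layout of the kind the message asks about, as an added example that is not part of the original post: one HTTP and one HTTPS virtual host for Apache 2.2 that share their common directives through an Include, with one directory limited to HTTPS. The host name www.example.com, the include file /etc/apache2/shared/site-common.conf, the /var/www/site paths and the session cache path are assumptions; the certificate paths are the ones from the message.

```apache
# Added example; host name, include file and document paths are assumptions.

# --- main server config ---
Listen 80
Listen 443
NameVirtualHost *:80

# Server-wide mod_ssl settings: SSLSessionCache is only valid here,
# outside any <VirtualHost>.
<IfModule mod_ssl.c>
    SSLSessionCache        shmcb:/var/run/apache2/ssl_scache(512000)
    SSLSessionCacheTimeout 300
</IfModule>

# Plain HTTP host. Port-specific blocks keep the HTTP and HTTPS hosts apart.
<VirtualHost *:80>
    ServerName www.example.com
    Include /etc/apache2/shared/site-common.conf
</VirtualHost>

# HTTPS host: SSLEngine and the certificate pair live in this block.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/host.cert
    SSLCertificateKeyFile /etc/apache2/ssl/host.key
    Include /etc/apache2/shared/site-common.conf
</VirtualHost>

# --- /etc/apache2/shared/site-common.conf (included by both hosts) ---
DocumentRoot /var/www/site
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

# HTTPS-only area. Because both hosts include this file, the port 80
# host answers 403 for these URLs and only the port 443 host serves them.
<Directory /var/www/site/private>
    SSLRequireSSL
</Directory>
```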
