httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tom Browder <tom.brow...@gmail.com>
Subject [users@httpd] Question on Configuring a Site for SSL Only
Date Mon, 09 Jul 2012 17:05:29 GMT
I have a working site on a single server with multiple virtual hosts
and a commercial SSL certificate that serves them all okay.

When setting up my site originally I was following examples from
several places and now I wonder if I might simplify my configuration
without compromising current security.  Note that I am not interested
is serving non-ssl pages at all.

Here is my current config for one of the virtual hosts:

#==== BEGIN CURRENT ====
<VirtualHost *:80>
  ServerAdmin webmaster@localhost

  ServerName  tb.com
  ServerAlias *.tb.com

  DocumentRoot /home/tom/public_html/tb.com/public

  # for SSI
  <Directory /home/tom/public_html/tb.com/public/>
    Options +Includes
  </Directory>

  # try ssl
  Redirect / https://tb.com/

  # special restrictions are now in a separate file
  Include /etc/apache2/sites-available/tb.com.conf

  # site boiler plate
  Include /etc/apache2/sites-available/vhost-boilerplate.conf

</VirtualHost>

# SSL OPERATIONS #
<IfModule mod_ssl.c>
<VirtualHost *:443>
  SSLEngine on

  SSLCertificateFile
/home/tom/ssl-cert-data/fortuna-ssl-cert-no-36283-2011-02-23-tb.com.crt
  SSLCertificateKeyFile
/home/tom/ssl-cert-data/server-2011-02-23-36283.key.unsecure
  SSLCertificateChainFile /home/tom/ssl-cert-data/sub.class2.server.ca.pem
  SSLCACertificateFile    /home/tom/ssl-cert-data/ca.pem

  ServerName  tb.com
  ServerAlias *.tb.com

  DocumentRoot /home/tom/public_html/tb.com/public

  # for SSL
  Include /etc/apache2/sites-available/tb.com.conf

  # site boiler plate
  Include /etc/apache2/sites-available/vhost-boilerplate.conf

</VirtualHost>
#==== END CURRENT ====

Here are the boiler plate file contents:

#==== BEGIN BOILER PLATE ====
  <Directory />
    Options FollowSymLinks
    AllowOverride None
  </Directory>

  <Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
  </Directory>

  <Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Order allow,deny
    Allow from all
  </Directory>

  ErrorLog /var/log/apache2/error.log

  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  LogLevel warn

  CustomLog /var/log/apache2/access.log vhost_combined

  Alias /doc/ "/usr/share/doc/"
  <Directory "/usr/share/doc/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
  </Directory>
#==== END BOILER PLATE ====

And here is what I would like to have (and simpler, if possible):

#==== BEGIN PROPOSED ====
<VirtualHost *:80>
  ServerAdmin webmaster@localhost

  ServerName  tb.com
  ServerAlias *.tb.com

  # try ssl
  Redirect / https://tb.com/

</VirtualHost>

# SSL OPERATIONS #
<IfModule mod_ssl.c>
<VirtualHost *:443>
  SSLEngine on

  SSLCertificateFile
/home/tom/ssl-cert-data/fortuna-ssl-cert-no-36283-2011-02-23-tb.com.crt
  SSLCertificateKeyFile
/home/tom/ssl-cert-data/server-2011-02-23-36283.key.unsecure
  SSLCertificateChainFile /home/tom/ssl-cert-data/sub.class2.server.ca.pem
  SSLCACertificateFile    /home/tom/ssl-cert-data/ca.pem

  ServerName  tb.com
  ServerAlias *.tb.com

  DocumentRoot /home/tom/public_html/tb.com/public

  # for SSL
  Include /etc/apache2/sites-available/tb.com.conf


  # site boiler plate
  Include /etc/apache2/sites-available/vhost-boilerplate.conf

</VirtualHost>
#==== END PROPOSED ====

Any suggestions or comments are appreciated (particularly with regards
to security).

Best regards,

-Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message