httpd-users mailing list archives

From Andy Canfield <andycanfi...@yandex.com>
Subject Re: [users@httpd] https
Date Fri, 04 Apr 2014 04:55:21 GMT
There are several lines in places that read
    <IfModule mod_ssl.c>
There is no file on my hard disk named "mod_ssl.c". There is, however, a
file named
    /usr/lib/apache2/modules/mod_ssl.so
Is there some magic connection between "mod_ssl.c" and "mod_ssl.so"?
Like was the ssl module written in C?

On 04/03/2014 09:46 PM, Yehuda Katz wrote:
> Debian/Ubuntu have a slightly different default layout and include
> some tools to help you work with it. The tools just create the
> symlinks for you, but the major benefit is that all of them support
> tab-completion, so you know what is available.
>
> a2enmod / a2dismod: enable or disable apache modules
> a2ensite / a2dissite: enable or disable apache vhosts
> a2enconf / a2disconf: enable or disable apache configuration files
> (added in Ubuntu 13.10)
>
> The first thing to check is that you have loaded mod_ssl, either by
> running `a2enmod ssl` or looking at the modules-enabled directory.
> You are probably not listening on 443 since it is inside the
> <ifmodule> and the module is not loaded.

Then as instructed by a2enmod I ran the command
  service apache2 restart
I normally use '/etc/init.d/apache2 restart' but I did it with 'service'
this time.

After some editing for fixing up things like DocumentRoot (changed to my
own) I got it to restart with no errors.

>
> You should have Ubuntu's default SSL vhost in
> sites-available/default-ssl.conf and you can enable it using the tool
> (or manual symlink).
There is no file extension on
"/etc/apache2/sites-available/default-ssl", I assume that file is
correct. It starts with these two lines:
    <IfModule mod_ssl.c>
    <VirtualHost _default_:443>

The above has the keyword "_default_" in the VirtualHost line. All of
my existing http config files read like this:
    <VirtualHost *:80>
There is no Virtual Host name in that line, so presumably they all share
the same virtual host, yes? Do I need multiple virtual hosts for https,
or will one virtual host be OK for all the sites?

Wonderful! I rebooted the computer just to make 100% sure of my
restarting EVERYTHING, and then ran 'nmap localhost' and it finally
showed me this line:
    443/tcp  open  https
Great! Now somebody is listening.

I sent Firefox to "https://localhost/" and after a bunch of crabbing
about the certificate I got to see the same site. So now I have to
figure out how to make a certificate (FYI I am an anarchist).

I went to one of my sites and followed a link and discovered that it
switched back to "http://" because that is what is in the HTML. Gotta
fix that.

> You can enable any vhost for SSL by adding a few directives to it (it
> will stop listening on non-ssl):
> - Change the virtualhost port to 443
> - SSLEngine on
> - SSLCertificateFile      /etc/apache2/ssl/example.com.crt
> - (SSLCertificateKeyFile /etc/apache2/ssl/example.com.key if the key
> is not in the same file)
>
> There are a few other default things in the default-ssl vhost to fix
> buggy browsers and provide more info to cgi-scripts.
"buggy browsers" as in Internet Explorer, right? These are intra-company
web sites, and we simply tell people not to use IE.
>
> - Y
Thank you very much Yehuda. I think I am launched and can follow on for
a while by myself.

>
>
> On Thu, Apr 3, 2014 at 6:10 AM, Andy Canfield
> <andycanfield@yandex.com> wrote:
>
>
>     Files:
>
>     -rw-r--r-- 1 root 859 Apr  3 11:45 /etc/apache2/ssl/crt/vhost1.crt
>
>     -rw-r--r-- 1 root 916 Apr  3 11:45 /etc/apache2/ssl/key/vhost1.key
>
>     So AFAIK I've got a certificate I've generated myself. Nobody
>     vouches for me but it should enable encryption and make my TCP/IP
>     packets hard to read.
>
>     Contents of /etc/apache2/ports.conf:
>     NameVirtualHost *:80
>     Listen 80
>
>     <IfModule mod_ssl.c>
>         Listen 443
>     </IfModule>
>     <IfModule mod_gnutls.c>
>         Listen 443
>     </IfModule>
>
>     Files:
>
>     -rw-r--r-- 1 andy 1439 Apr  3 14:48
>     /etc/apache2/sites-available/default
>     -rw-r--r-- 1 andy 7485 Jun 16  2011
>     /etc/apache2/sites-available/default-ssl
>     -rw-r--r-- 1 root 7469 Feb  7  2012
>     /etc/apache2/sites-available/default-ssl.original
>     -rw-r--r-- 1 root  950 Feb  7  2012
>     /etc/apache2/sites-available/default.original
>
>     I see here that /etc/apache2/sites-available has one symbolic link
>     to /etc/apache2/sites-available/default, and no symbolic links to
>     any of the other entries in the sites-available directory. Also
>     all the other entries in /etc/apache2/sites-available are symbolic
>     links to configuration files such as
>
>     lrwxrwxrwx 1 root 21 May  6  2012 /etc/apache2/sites-enabled/opal.conf -> /www/opal/apache.conf
>
>     These links have been working fine for years as links into the
>     site control directory and not into 'sites-available'. But perhaps
>     that is wrong.
>
>     Maybe what I need is a symbolic link from sites-enabled to
>     ../sites-available/default-ssl ? Nope, tested, did not solve the
>     problem....
>
>     When I give this command (as root) -
>
>         /etc/init.d/apache2 restart
>
>     I see only this output:
>
>     apache2: Could not reliably determine the server's fully qualified
>     domain name, using 192.168.1.112 for ServerName
>      ... waiting apache2: Could not reliably determine the server's
>     fully qualified domain name, using 192.168.1.112 for ServerName
>                                                                                
>     [ OK ]
>
>     But nmap still says that nothing is listening to port 443.
>
>     Thank you Oren.
>
>
>     On 04/03/2014 04:04 PM, Oren wrote:
>>     Hi Andy.
>>     The process basically includes getting/creating a certificate,
>>     defining it on your site and reloading apache.
>>     Here is a CentOS manual, which is not exactly the same on Ubuntu
>>     but pretty much explains the order of things
>>     http://wiki.centos.org/HowTos/Https
>>
>>     on ubuntu you will have to open the 443 port
>>     <IfModule mod_ssl.c>
>>         Listen 443
>>     </IfModule>
>>
>>     once the https is ready, you can do a redirect to the https site
>>     from http. (with mod_rewrite)
>>
>>     do you have logs or any information on what is not working?
>>
>>     Oren
>>
>>     On 04/03/2014 11:39 AM, Andy Canfield wrote:
>>>     I have been using apache for maybe ten years now, and maintain two
>>>     servers in addition to the apache on my notebook computer for
>>>     testing. All using Ubuntu Linux *.04 LTS. It now appears that I
>>>     ought to convert from http to https.
>>>
>>>     But the documentation is insane. A piece here, a piece there, have
>>>     to do X (but first? and afterwards?). Assuming everything else is
>>>     OK, this is the way you edit this line in VirtualHost file (there
>>>     is no "/etc/apache2/.../VirtualHost" file!)
>>>
>>>     I figure that I need to do it in two steps:
>>>     [1] Get the https version up and running, and
>>>     [2] Make the http version automatically switch to https.
>>>
>>>     But I can't get https working at all, for anything. There's a
>>>     "Listen 443" in /etc/apache2/ports.conf but 'nmap localhost' says
>>>     443 is a closed port.
>>>
>>>     Has anybody else ever converted a hosted site from http to https?
>>>     What did you have to do to get the secure one working?
>>>
>>>
>>>     ---------------------------------------------------------------------
>>>
>>>     To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>     <mailto:users-unsubscribe@httpd.apache.org>
>>>     For additional commands, e-mail: users-help@httpd.apache.org
>>>     <mailto:users-help@httpd.apache.org>
>>>
>>
>>
>
>
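
The thread turns on two facts: a `Listen 443` inside `<IfModule mod_ssl.c>` does nothing until `a2enmod ssl` has loaded the module, and the key file in the listing above is mode `-rw-r--r--`. The script below is an added example, not part of the original messages, that checks a Debian/Ubuntu-style tree for both; the function names `audit_apache_ssl` and `make_demo_tree` and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Findings go to stdout, one per line;
# no output means every check passed.
audit_apache_ssl() {
    root=${1:-/etc/apache2}

    # <IfModule mod_ssl.c> blocks are skipped silently unless mod_ssl is
    # loaded; a2enmod ssl does that by creating mods-enabled/ssl.load.
    if [ ! -e "$root/mods-enabled/ssl.load" ]; then
        echo "ssl-module-not-enabled"
    fi

    # Some Listen directive for port 443 has to exist in ports.conf.
    if ! grep -Eq '^[[:space:]]*Listen[[:space:]]+([^[:space:]]+:)?443([[:space:]]|$)' \
            "$root/ports.conf" 2>/dev/null; then
        echo "no-listen-443"
    fi

    # Report keys named by SSLCertificateKeyFile that "other" users can read.
    for conf in "$root"/sites-enabled/*; do
        [ -f "$conf" ] || continue      # follows symlinks, skips an empty glob
        sed -n 's/^[[:space:]]*SSLCertificateKeyFile[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$conf" |
        while read -r key; do
            if [ -n "$(find "$key" -prune -perm -004 2>/dev/null)" ]; then
                echo "key-readable-by-others $key"
            fi
        done
    done
}

# Constructed sample tree reproducing the state described in the thread:
# Listen 443 is guarded by IfModule, mod_ssl is not enabled, key is mode 644.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/mods-enabled" "$d/sites-enabled" "$d/ssl/key"
    printf '%s\n' 'Listen 80' '<IfModule mod_ssl.c>' '    Listen 443' '</IfModule>' \
        > "$d/ports.conf"
    : > "$d/ssl/key/vhost1.key"; chmod 644 "$d/ssl/key/vhost1.key"  # empty placeholder, not a real key
    printf '%s\n' '<VirtualHost _default_:443>' '    SSLEngine on' \
        "    SSLCertificateKeyFile $d/ssl/key/vhost1.key" '</VirtualHost>' \
        > "$d/sites-enabled/default-ssl"
    echo "$d"
}

demo=$(make_demo_tree)
audit_apache_ssl "$demo"
rm -rf "$demo"
```

On a real host, run `audit_apache_ssl /etc/apache2` as root so the key files can be inspected.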

