Return-Path: X-Original-To: apmail-httpd-users-archive@www.apache.org Delivered-To: apmail-httpd-users-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 78E8311FCA for ; Fri, 4 Apr 2014 04:56:02 +0000 (UTC) Received: (qmail 16278 invoked by uid 500); 4 Apr 2014 04:56:00 -0000 Delivered-To: apmail-httpd-users-archive@httpd.apache.org Received: (qmail 15203 invoked by uid 500); 4 Apr 2014 04:55:57 -0000 Mailing-List: contact users-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: users@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list users@httpd.apache.org Received: (qmail 15187 invoked by uid 99); 4 Apr 2014 04:55:55 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 04 Apr 2014 04:55:55 +0000 X-ASF-Spam-Status: No, hits=2.2 required=5.0 tests=HTML_MESSAGE,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of andycanfield@yandex.com designates 84.201.143.140 as permitted sender) Received: from [84.201.143.140] (HELO forward7l.mail.yandex.net) (84.201.143.140) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 04 Apr 2014 04:55:48 +0000 Received: from smtp2h.mail.yandex.net (smtp2h.mail.yandex.net [84.201.187.145]) by forward7l.mail.yandex.net (Yandex) with ESMTP id B0DE3BC0CD2 for ; Fri, 4 Apr 2014 08:55:26 +0400 (MSK) Received: from smtp2h.mail.yandex.net (localhost [127.0.0.1]) by smtp2h.mail.yandex.net (Yandex) with ESMTP id 6B0A31703F27 for ; Fri, 4 Apr 2014 08:55:26 +0400 (MSK) Received: from mx-ll-49.49.187-223.dynamic.3bb.co.th (mx-ll-49.49.187-223.dynamic.3bb.co.th [49.49.187.223]) by smtp2h.mail.yandex.net (nwsmtp/Yandex) with ESMTPSA id dZOyoFQqMO-tO0Glm7v; Fri, 4 Apr 2014 08:55:24 +0400 (using TLSv1 with cipher AES128-SHA (128/128 bits)) (Client certificate not present) X-Yandex-Uniq: 5aa88ebc-c82d-453b-ab0a-33e7ac4d7358 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.com; s=mail; t=1396587325; bh=Y6T+oj8rS5BxMsdixhv//McLMgkYfjyrfquHEKk/HcQ=; h=Message-ID:Date:From:User-Agent:MIME-Version:To:Subject: References:In-Reply-To:X-Enigmail-Version:Content-Type; b=H8HEjGjs00QjFuFFvXIal8JoqU4Zg3Rg50UHMdoeDQtCf8tudklAXksYOOrdo8ghG IiZLjjjK3Bx1Rp8hWTiE9DknYZKAKVcq0QmPj/n7wEqrnQR0p+iYXAsONQT7hipytB cxteVgM13KJuoWW7Up+wMjV/Sdh4i/p+2inH5d4A= Authentication-Results: smtp2h.mail.yandex.net; dkim=pass header.i=@yandex.com Message-ID: <533E3B39.9020103@yandex.com> Date: Fri, 04 Apr 2014 11:55:21 +0700 From: Andy Canfield User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.3.0 MIME-Version: 1.0 To: users@httpd.apache.org References: <533D1E2B.3080905@yandex.com> <533D2417.4090909@taykey.com> <533D338E.5020002@yandex.com> In-Reply-To: X-Enigmail-Version: 1.5.2 Content-Type: multipart/alternative; boundary="------------020403060100000505020300" X-Virus-Checked: Checked by ClamAV on apache.org Subject: Re: [users@httpd] https --------------020403060100000505020300 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit There are several lines in places that read There is no file on my hard disk named "mod_ssl.c". There is, however, a file named /usr/lib/apache2/modules/mod_ssl.so Is there some magic connection between "mod_ssl.c" and "mod_ssl.so"? Like was the ssl module written in C? On 04/03/2014 09:46 PM, Yehuda Katz wrote: > Debian/Ubuntu have a slightly different default layout and include > some tools to help you work with it. The tools just create the > symlinks for you, but the major benefit is that all of them support > tab-completion, so you know what is available. > > a2enmod / a2dismod: enable or disable apache modules > a2ensite / a2dissite: enable or disable apache vhosts > a2enconf / a2disconf: enable or disable apache configuration files > (added in Ubuntu 13.10) > > The first this to check is that you have loaded mod_ssl, either by > running `a2enmod ssl` or looking at the modules-enabled directory. > You are probably not listening on 443 since it is inside the > and the module is not loaded. Then as instructed by a2enmod I ran the command service apache2 restart I normally use '/etc/init.d/apache2 restart' but I did it with 'service' this time. After some editing for fixing up things like DocumentRoot (changed to my own) I got it to restart with no errors. > > You should have Ubuntu's default SSL vhost in > sites-available/default-ssl.conf and you can enable it using the tool > (or manual symlink). There is no file extension on "/etc/apache2/sites-available/default-ssl", I assume that file is correct. It starts with these two lines: The above has they keyword "_default_" in the VirtualHost line. All of my existing http config files read like this: There is no Virtual Host name in that line, so presumably they all share the same virtual host, yes? Do I need multiple virtual hosts for https, or will one virtual host be OK for all the sites? Wonderful! I rebooted the computer just to make 100% sure of my restarting EVERYTHING, and then ran 'nmap localhost' and it finally showed me this line: 443/tcp open https Great! Now somebody is listening. I sent Firefox to "https://localhost/" and after a bunch of crabbing about the certificate I got to see the same site. So now I have to figure out how to make a certificate (FYI I am an anarchist). I went to one of my sites and followed a link and discovered that it switched back to "http://" because that is what is in the HTML. Gotta fix that. > You can enable any vhost for SSL by adding a few directives to it (it > will stop listening on non-ssl): > - Change the vritualhost port to 443 > - SSLEngine on > - SSLCertificateFile /etc/apache2/ssl/example.com.crt > - (SSLCertificateKeyFile /etc/apache2/ssl/example.com.key if the key > is not in the same file) > > There are a few other default things in the default-ssl vhost to fix > buggy browsers and provide more info to cgi-scripts. "buggy browsers" as in Internet Explorer, right? These are intra-company web sites, and we simply tell people not to use IE. > > - Y Thank you very much Yehuda. I think I am launched and can follow on for a while by myself. > > > On Thu, Apr 3, 2014 at 6:10 AM, Andy Canfield > wrote: > > > Files: > > -rw-r--r-- 1 root 859 Apr 3 11:45 /etc/apache2/ssl/crt/vhost1.crt > > -rw-r--r-- 1 root 916 Apr 3 11:45 /etc/apache2/ssl/key/vhost1.key > > So AFAIK I've got a certificate I've generated myself. Nobody > vouches for me but it shoud enable encryption and make my TCP/IP > packets hard to read. > > Contents of /etc/apache2/ports.conf: > NameVirtualHost *:80 > Listen 80 > > > Listen 443 > > > Listen 443 > > > Files: > > -rw-r--r-- 1 andy 1439 Apr 3 14:48 > /etc/apache2/sites-available/default > -rw-r--r-- 1 andy 7485 Jun 16 2011 > /etc/apache2/sites-available/default-ssl > -rw-r--r-- 1 root 7469 Feb 7 2012 > /etc/apache2/sites-available/default-ssl.original > -rw-r--r-- 1 root 950 Feb 7 2012 > /etc/apache2/sites-available/default.original > > I see here that /etc/apache2/sites-available has one symbolic link > to /etc/apache2/sites-available/default, and no symbolic links to > any of the other entries in the sites-available directory. Also > all the other entries in /etc/apache2/sites-available are symbolic > links to configuration files such as > > lrwxrwxrwx 1 root 21 May 6 2012 /etc/apache2/sites-enabled/opal.conf -> /www/opal/apache.conf > > These links have been working fine for years as links into the > site control directory and not into 'sites-available'. But perhaps > that is wrong. > > Maybe what I need is a symbolic link from sites-enabled to > ../sites-available/default-ssl ? Nope, tested, did not solve the > problem.... > > When I give this command (as root) - > > /etc/init.d/apache2 restart > > I see only this output: > > apache2: Could not reliably determine the server's fully qualified > domain name, using 192.168.1.112 for ServerName > ... waiting apache2: Could not reliably determine the server's > fully qualified domain name, using 192.168.1.112 for ServerName > > [ OK ] > > But nmap still says that nothing is listening to port 443. > > Thank you Oren. > > > On 04/03/2014 04:04 PM, Oren wrote: >> Hi Andy. >> Process basically include getting/creating a certificate, define >> it on your site and reload apache. >> here is a centos manual which is not exactly the same on ubuntu >> but pretty much explains the order of things >> http://wiki.centos.org/HowTos/Https >> >> on ubuntu you will have to open the 443 port >> >> Listen 443 >> >> >> once the https is ready, you can do a redirect to the https site >> from http. (with mod_rewrite) >> >> do you have logs or any information on what is not working? >> >> Oren >> >> On 04/03/2014 11:39 AM, Andy Canfield wrote: >>> I have been using apache for maybe ten years now, and maintain two >>> servers in addition to the apache on my notebook computer for >>> testing. >>> All using Ubuntu Linux *.04 LTS. It now appears that I ought to >>> convert >>> from http to https. >>> >>> But the documentation is insane. A piece here, a piece there, >>> have to do >>> X (but first? and afterwards?). Assuming everything is else is >>> OK, this >>> is way you edit this line in VirtualHost file (there is no >>> "/etc/apache2/.../VirtualHost" file!) >>> >>> I figure that I need to do it in two steps: >>> [1] Get the https version up and running, and >>> [2] Make the http version automatically switch to https. >>> >>> But I can't get https working at all, for anything. There's a >>> "Listen >>> 443" in /etc/apache2/ports.conf but 'nmap localhost' says 443 is a >>> closed port. >>> >>> Has anybody else ever converted a hosted site from http to >>> https? What >>> did you have to do to get the secure one working? >>> >>> >>> --------------------------------------------------------------------- >>> >>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org >>> >>> For additional commands, e-mail: users-help@httpd.apache.org >>> >>> >> >> --------------------------------------------------------------------- >> >> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org >> >> For additional commands, e-mail: users-help@httpd.apache.org >> >> >> >> . >> > > --------------020403060100000505020300 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit There are several lines in places that read
    <IfModule mod_ssl.c>
There is no file on my hard disk named "mod_ssl.c". There is, however, a file named
    /usr/lib/apache2/modules/mod_ssl.so
Is there some magic connection between "mod_ssl.c" and "mod_ssl.so"? Like was the ssl module written in C?

On 04/03/2014 09:46 PM, Yehuda Katz wrote:
Debian/Ubuntu have a slightly different default layout and include some tools to help you work with it. The tools just create the symlinks for you, but the major benefit is that all of them support tab-completion, so you know what is available.

a2enmod / a2dismod: enable or disable apache modules
a2ensite / a2dissite: enable or disable apache vhosts
a2enconf / a2disconf: enable or disable apache configuration files (added in Ubuntu 13.10)

The first this to check is that you have loaded mod_ssl, either by running `a2enmod ssl` or looking at the modules-enabled directory.
You are probably not listening on 443 since it is inside the <ifmodule> and the module is not loaded.

Then as instructed by a2enmod I ran the command
  service apache2 restart
I normally use '/etc/init.d/apache2 restart' but I did it with 'service' this time.

After some editing for fixing up things like DocumentRoot (changed to my own) I got it to restart with no errors.


You should have Ubuntu's default SSL vhost in sites-available/default-ssl.conf and you can enable it using the tool (or manual symlink).
There is no file extension on "/etc/apache2/sites-available/default-ssl", I assume that file is correct. It starts with these two lines:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>

The above has they keyword "_default_" in the VirtualHost line. All of my existing http config files read like this:
    <VirtualHost *:80>
There is no Virtual Host name in that line, so presumably they all share the same virtual host, yes? Do I need multiple virtual hosts for https, or will one virtual host be OK for all the sites?

Wonderful! I rebooted the computer just to make 100% sure of my restarting EVERYTHING, and then ran 'nmap localhost' and it finally showed me this line:
    443/tcp  open  https
Great! Now somebody is listening.

I sent Firefox to "https://localhost/" and after a bunch of crabbing about the certificate I got to see the same site. So now I have to figure out how to make a certificate (FYI I am an anarchist).

I went to one of my sites and followed a link and discovered that it switched back to "http://" because that is what is in the HTML. Gotta fix that.

You can enable any vhost for SSL by adding a few directives to it (it will stop listening on non-ssl):
- Change the vritualhost port to 443
- SSLEngine on
- SSLCertificateFile      /etc/apache2/ssl/example.com.crt
- (SSLCertificateKeyFile /etc/apache2/ssl/example.com.key if the key is not in the same file)

There are a few other default things in the default-ssl vhost to fix buggy browsers and provide more info to cgi-scripts.
"buggy browsers" as in Internet Explorer, right? These are intra-company web sites, and we simply tell people not to use IE.

- Y
Thank you very much Yehuda. I think I am launched and can follow on for a while by myself.



On Thu, Apr 3, 2014 at 6:10 AM, Andy Canfield <andycanfield@yandex.com> wrote:

Files:
-rw-r--r-- 1 root 859 Apr  3 11:45 /etc/apache2/ssl/crt/vhost1.crt
-rw-r--r-- 1 root 916 Apr  3 11:45 /etc/apache2/ssl/key/vhost1.key
So AFAIK I've got a certificate I've generated myself. Nobody vouches for me but it shoud enable encryption and make my TCP/IP packets hard to read.

Contents of /etc/apache2/ports.conf:
NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    Listen 443
</IfModule>
<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

Files:

-rw-r--r-- 1 andy 1439 Apr  3 14:48 /etc/apache2/sites-available/default
-rw-r--r-- 1 andy 7485 Jun 16  2011 /etc/apache2/sites-available/default-ssl
-rw-r--r-- 1 root 7469 Feb  7  2012 /etc/apache2/sites-available/default-ssl.original
-rw-r--r-- 1 root  950 Feb  7  2012 /etc/apache2/sites-available/default.original

I see here that /etc/apache2/sites-available has one symbolic link to /etc/apache2/sites-available/default, and no symbolic links to any of the other entries in the sites-available directory. Also all the other entries in /etc/apache2/sites-available are symbolic links to configuration files such as

lrwxrwxrwx 1 root 21 May  6  2012 /etc/apache2/sites-enabled/opal.conf -> /www/opal/apache.conf
These links have been working fine for years as links into the site control directory and not into 'sites-available'. But perhaps that is wrong.

Maybe what I need is a symbolic link from sites-enabled to ../sites-available/default-ssl ? Nope, tested, did not solve the problem....

When I give this command (as root) -
    /etc/init.d/apache2 restart
I see only this output:

apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.1.112 for ServerName
 ... waiting apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.1.112 for ServerName
                                                                            [ OK ]

But nmap still says that nothing is listening to port 443.

Thank you Oren.


On 04/03/2014 04:04 PM, Oren wrote:
Hi Andy.
Process basically include getting/creating a certificate, define it on your site and reload apache.
here is a centos manual which is not exactly the same on ubuntu but pretty much explains the order of things
http://wiki.centos.org/HowTos/Https

on ubuntu you will have to open the 443 port
<IfModule mod_ssl.c>
    Listen 443
</IfModule>

once the https is ready, you can do a redirect to the https site from http. (with mod_rewrite)

do you have logs or any information on what is not working?

Oren

On 04/03/2014 11:39 AM, Andy Canfield wrote:
I have been using apache for maybe ten years now, and maintain two
servers in addition to the apache on my notebook computer for testing.
All using Ubuntu Linux *.04 LTS. It now appears that I ought to convert
from http to https.

But the documentation is insane. A piece here, a piece there, have to do
X (but first? and afterwards?). Assuming everything is else is OK, this
is way you edit this line in VirtualHost file (there is no
"/etc/apache2/.../VirtualHost" file!)

I figure that I need to do it in two steps:
[1] Get the https version up and running, and
[2] Make the http version automatically switch to https.

But I can't get https working at all, for anything. There's a "Listen
443" in /etc/apache2/ports.conf but 'nmap localhost' says 443 is a
closed port.

Has anybody else ever converted a hosted site from http to https? What
did you have to do to get the secure one working?


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


.




--------------020403060100000505020300--