
Re: [suse-security] Re: ssl on apache 2?



> I think, you have to include the ssl port when stating namevirtualhost.
> At me it wasn't working until::
>
> NameVirtualHost my.ip.add.res:80
> NameVirtualHost my.ip.add.res:443
>
> Csaba

What about telling him how to correctly load the needed modules instead of telling
him things he already knows :-)

> > Hi list,
> >
> > (long post, sorry)
> > I've decided that with my move to 9.1, it's time to move to apache2 as
> > well. But I can't seem to get the SSL connections working.
> >
> > I use a setup with multiple name based virtual hosts on port 80 and a
> > single SSL ip-based virtual host on port 443. Which worked without
> > problem on apache 1.x, but now I can't get the SSL part working (the
> > name based virtual hosts on port 80 work without problem)
> >
> > I've tried everything I can think of. httpd2 -S nicely displays the
> > name based virtual hosts without even a hint of the ssl one. It's as
> > if it never even reads the SSL virtual host .conf file. Apache starts
> > up without an error, but listens only to port 80.
> >
> > Any hints will be appreciated...
> >
> > TIA,
> > Stefan
> >
> >
> >
> > The setup is as follows:
> >
> > listen.conf:
> >
> > Listen my.ip.add.res:80
> >
> > <IfDefine SSL>
> >    <IfDefine !NOSSL>
> >        <IfModule mod_ssl.c>
> >
> >            Listen 443
> >
> >        </IfModule>
> >    </IfDefine>
> > </IfDefine>
> >
> > NameVirtualHost my.ip.add.res:80
> >
> > and under /etc/apache2/vhosts.d I have three .conf files:
> >
> > www.mydomain.tld.conf
> >
> > <VirtualHost my.ip.add.res:80>
> >    ServerAdmin webmaster@xxxxxxxxxxxx
> >    ServerName www.mydomain.tld
> >    DocumentRoot /some/where
> >    HostnameLookups Off
> >    UseCanonicalName Off
> >    ServerSignature On
> >
> > <Directory "/some/where">
> >        Options None
> >        AllowOverride None
> >        Order allow,deny
> >        Allow from all
> > </Directory>
> >
> >
> > www.myvirtualdomain.tld.conf
> >
> > <VirtualHost my.ip.add.res:80>
> >    ServerAdmin webmaster@xxxxxxxxxxxxxxxxxxx
> >    ServerName www.myvirtualdomain.tld
> >    DocumentRoot /some/where/else
> >    HostnameLookups Off
> >    UseCanonicalName Off
> >    ServerSignature On
> >
> > <Directory "/some/where/else">
> >        Options None
> >        AllowOverride None
> >        Order allow,deny
> >        Allow from all
> > </Directory>
> >
> > www.myssldomain.tld.conf:
> >
> > <IfDefine SSL>
> > <IfDefine !NOSSL>
> >
> > <VirtualHost 129.125.3.52:443>
> >
> >        DocumentRoot "/some/where/secure"
> >        ServerName www.myssldomain.tld
> >        ServerAdmin webmaster@xxxxxxxxxxxxxxx
> >        ErrorLog /var/log/apache2/error_log
> >        TransferLog /var/log/apache2/access_log
> >        Alias /horde "/home/www-ssl/horde"
> >        SSLEngine on
> >        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >        SSLCertificateFile /etc/apache2/ssl.crt/cert.pem
> >        SSLCertificateKeyFile /etc/apache2/ssl.key/server-key.pem
> >        SSLVerifyClient none
> >        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
> >            SSLOptions +StdEnvVars
> >        </Files>
> >        <Directory "/srv/www/cgi-bin">
> >            SSLOptions +StdEnvVars
> >        </Directory>
> >        #SSLSessionCache        none
> >        #SSLSessionCache         dbm:/var/lib/apache2/ssl_scache
> >        #SSLSessionCache        shmht:/var/lib/apache2/ssl_scache(512000)
> >        SSLSessionCache         shmcb:/var/lib/apache2/ssl_scache
> >        SSLSessionCacheTimeout  600
> >        SetEnvIf User-Agent ".*MSIE.*" \
> >                 nokeepalive ssl-unclean-shutdown \
> >                 downgrade-1.0 force-response-1.0
> >        <Directory "/home/www-ssl/horde/imp">
> >        <Directory "/some/where/secure">
> >        Options Includes FollowSymLinks
> >        AllowOverride None
> >        Order allow,deny
> >        Allow from all
> >        SSLRequireSSL
> >        </Directory>
> >
> >        ScriptAlias /cgi-bin/ "/some/where/secure/cgi-bin/"
> >        <Directory "/some/where/secure/cgi-bin">
> >        AllowOverride None
> >        order allow,deny
> >        allow from all
> >        SSLRequireSSL
> >        </Directory>
> >
> > </VirtualHost>

Hi!

Some forewords:

1) SSL only works on one single IP per hostname.
2) Virtual hosts work unlimited on one IP.

My working config:

/etc/sysconfig/apache2

APACHE_START_TIMEOUT="5"
APACHE_MODULES="[...] ssl" #[..] means the other modules there
APACHE_SERVER_FLAGS="-D SSL"

There's a minor change in 9.1: you don't put the config in
/etc/apache2/httpd.conf, you put it into the vhost definitions:

/etc/apache2/vhosts.d

Copy vhost-ssl.template to e.g. your-server-ssl.conf,
edit the file, set up the correct hostname, admin e-mail and document root, and
generate the server certificates with gensslcert.

Maybe you have to rename the certificates, they are located in:

/etc/apache2/ssl.crt
/etc/apache2/ssl.csr
/etc/apache2/ssl.key

For self-signed certificates, look on Google for how to work it out.

After all files are in the correct location, do a rcapache2 restart and
enjoy.
Maybe you have to configure your firewall to open TCP port 443 for incoming
connections, if you use a firewall.

Philippe


-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
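The replies above boil down to a short checklist for why an SSL virtual host silently never appears in `httpd2 -S` on SUSE 9.1: `ssl` missing from APACHE_MODULES, `-D SSL` missing from APACHE_SERVER_FLAGS (so every `<IfDefine SSL>` block is skipped without any error), no `Listen` on 443, a `*:443` VirtualHost without the matching `NameVirtualHost` line Csaba mentions, and certificate or key files that are not where the vhost says they are. The POSIX sh script below is an added example, not code from the thread or from SUSE; it checks those points statically against a config tree. The file names under the sample directory (`sysconfig-apache2`, `listen.conf`, `vhosts.d/`), the address 192.0.2.10 and the sample configs are constructed for the example and are not the poster's files.

```shell
#!/bin/sh
# Added example (not from the thread): static checks for the Apache 2 / SUSE 9.1
# SSL-vhost pitfalls discussed in the replies. Paths and sample files are constructed.

# check_ssl_setup SYSCONFIG LISTEN_CONF VHOSTS_DIR
# Prints one line per problem found; returns the number of problems (0 = clean).
check_ssl_setup() {
    sysconfig="$1" listen_conf="$2" vhosts_dir="$3"
    n=0
    # 1) "ssl" must be listed in APACHE_MODULES; SUSE builds the LoadModule lines from it
    grep -E '^APACHE_MODULES=.*[" ]ssl[" ]' "$sysconfig" >/dev/null 2>&1 \
        || { echo "ssl not in APACHE_MODULES ($sysconfig)"; n=$((n + 1)); }
    # 2) "-D SSL" must be passed, otherwise every <IfDefine SSL> block is skipped silently
    grep -E '^APACHE_SERVER_FLAGS=.*-D *SSL' "$sysconfig" >/dev/null 2>&1 \
        || { echo "-D SSL not in APACHE_SERVER_FLAGS ($sysconfig)"; n=$((n + 1)); }
    # 3) something must Listen on 443 (with or without an address prefix)
    grep -E '^[[:space:]]*Listen[[:space:]]+([0-9.]+:)?443([[:space:]]|$)' "$listen_conf" >/dev/null 2>&1 \
        || { echo "no Listen on port 443 ($listen_conf)"; n=$((n + 1)); }
    for f in "$vhosts_dir"/*.conf; do
        [ -f "$f" ] || continue
        # 4) each addr:443 VirtualHost should have a NameVirtualHost addr:443 (Csaba's point);
        #    globbing is off while looping so a "*:443" address is not expanded by the shell
        set -f
        for addr in $(sed -n 's/^[[:space:]]*<VirtualHost[[:space:]][[:space:]]*\([^ >]*:443\)>.*/\1/p' "$f"); do
            grep -E '^[[:space:]]*NameVirtualHost[[:space:]]' "$listen_conf" 2>/dev/null | grep -F -- "$addr" >/dev/null \
                || { echo "$f: VirtualHost $addr without NameVirtualHost $addr"; n=$((n + 1)); }
        done
        # 5) the certificate and key the vhost points at must exist and be readable
        for p in $(sed -n 's/^[[:space:]]*SSLCertificate\(Key\)\{0,1\}File[[:space:]][[:space:]]*\(.*\)$/\2/p' "$f"); do
            [ -r "$p" ] || { echo "$f: cannot read $p"; n=$((n + 1)); }
        done
        set +f
    done
    return $n
}

# make_sample DIR MODE  (MODE = broken | fixed): constructed config trees for the demo.
# "broken" mirrors the situation in the thread (no ssl module, no -D SSL, NameVirtualHost
# only for :80, certificates not generated); "fixed" applies Philippe's and Csaba's advice.
make_sample() {
    dir="$1" mode="$2"
    mkdir -p "$dir/vhosts.d" "$dir/ssl.crt" "$dir/ssl.key"
    if [ "$mode" = fixed ]; then
        printf 'APACHE_MODULES="access alias rewrite ssl"\nAPACHE_SERVER_FLAGS="-D SSL"\n' > "$dir/sysconfig-apache2"
        printf 'Listen 192.0.2.10:80\nListen 443\nNameVirtualHost 192.0.2.10:80\nNameVirtualHost 192.0.2.10:443\n' > "$dir/listen.conf"
        : > "$dir/ssl.crt/cert.pem"
        : > "$dir/ssl.key/server-key.pem"
    else
        printf 'APACHE_MODULES="access alias rewrite"\nAPACHE_SERVER_FLAGS=""\n' > "$dir/sysconfig-apache2"
        printf 'Listen 192.0.2.10:80\n<IfDefine SSL>\n    Listen 443\n</IfDefine>\nNameVirtualHost 192.0.2.10:80\n' > "$dir/listen.conf"
    fi
    cat > "$dir/vhosts.d/www.example-ssl.conf" <<EOF
<VirtualHost 192.0.2.10:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile $dir/ssl.crt/cert.pem
    SSLCertificateKeyFile $dir/ssl.key/server-key.pem
</VirtualHost>
EOF
}

# Demo: run the checker over the constructed "broken" tree (exit status = number of findings).
demo_dir=$(mktemp -d)
make_sample "$demo_dir" broken
check_ssl_setup "$demo_dir/sysconfig-apache2" "$demo_dir/listen.conf" "$demo_dir/vhosts.d" \
    || echo "findings: $?"
rm -rf "$demo_dir"
```

On a real box the three arguments would be /etc/sysconfig/apache2, /etc/apache2/listen.conf and /etc/apache2/vhosts.d. A clean run only says the files are consistent; the proof that the SSL vhost is actually loaded is still `httpd2 -S` after `rcapache2 restart`, which should now list the :443 host, and the port 443 rule in the firewall is a separate step as Philippe notes.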