[plug] Apache SSL

James Bromberger james at rcpt.to
Fri Apr 27 17:47:10 WST 2001


On Fri, Apr 27, 2001 at 01:58:45PM +0800, Brian Tombleson wrote:
> Ok, got that problem done .. now onto the next one.
> Anyone know anything about mod_ssl configuration with Apache?
> 
> After that, I'm having trouble interpreting the docs I've read on how to
> set it up.  Can someone point me to a howto or doco that deals with 99% of a
> site under normal HTTP and a couple of forms/pages under HTTPS?


Look at some of the issues that Stronghold cover in their manual. www.c2.net.  
Stronghold is an Apache derivative.

You cannot do Virtual Hosting of multiple sites on the same port on the same 
IP address (i.e., NameVirtualHost). You can do virtual hosting with multiple 
IP addresses all on the default port (443 for SSL).

You need to generate a private key and a public certificate. There should 
be scripts such as genkey, gencert, genreq that handle most of this for you. 
Genreq will create a CSR (Cert Sign Request) which you send (normally 
paste into a form) to a Cert Authority.

SSL has several protocols, and several ciphers. The protocols are, in order:
	SSLv2, SSLv3, TLSv1.

Where the protocol versions in the headers are 2, 3, 3.1 respectively. TLS is 
Transport Layer Security, a more standards-based version that was developed 
from SSLv3 (originally developed by Netscape). MS has their own 
implementation, called PCT (Private Client Transport). By default, PCT and 
TLS are disabled in MSIE. Furthermore, MSIE is braindead as far as 
its implementation of SSLv3, and also has a broken keep-alive over SSL 
(see the docs on "unclean-shutdown").


Anyway, to have multiple SSL sites, you should set the host name in 
/etc/hosts (despite it being in DNS, because the webserver needs a fast and 
always available name resolution for itself):

	203.0.0.1 www1.domain.com  
	203.0.0.2 www2.newdomain.com

And in your config:
	<VirtualHost www1.domain.com:443>
	ServerName www1.domain.com
	# mod_ssl: turn SSL on for this virtual host
	SSLEngine on
	SSLCertificateFile <file>
	SSLCertificateKeyFile <file>
	</VirtualHost>
	<VirtualHost www2.newdomain.com:443>
	ServerName www2.newdomain.com
	# each site gets its own certificate and private key
	SSLEngine on
	SSLCertificateFile <file>
	SSLCertificateKeyFile <file>
	</VirtualHost>

(check the above directives; it's late on Friday and I am doing the whole 
'stream of consciousness' thing and not verifying my examples above.)

Hope this helps.

  James

-- 
 James Bromberger <james_AT_rcpt.to> www.rcpt.to/~james

       * *  C u in Bordeaux - 1st Debian Conference, July 2001 * * 
 Remainder moved to http://www.rcpt.to/~james/james/sig.html
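
Added example, not part of James's message: a small Python check for the rule stated above, that two SSL virtual hosts must not share one IP address and port. It assumes mod_ssl's `SSLEngine on` marks an SSL vhost and that every <VirtualHost> names an explicit port; the hosts entries and config below are constructed, and shop.domain.com is a hypothetical third site.

```python
import re
from collections import defaultdict

# Constructed sample input: the two hosts entries and vhosts from the message,
# plus a hypothetical shop.domain.com that wrongly reuses 203.0.0.1.
HOSTS = """\
203.0.0.1 www1.domain.com shop.domain.com
203.0.0.2 www2.newdomain.com
"""
CONF = """\
<VirtualHost www1.domain.com:80>
ServerName www1.domain.com
</VirtualHost>
<VirtualHost www1.domain.com:443>
ServerName www1.domain.com
SSLEngine on
</VirtualHost>
<VirtualHost www2.newdomain.com:443>
ServerName www2.newdomain.com
SSLEngine on
</VirtualHost>
<VirtualHost shop.domain.com:443>
ServerName shop.domain.com
SSLEngine on
</VirtualHost>
"""

def parse_hosts(text):
    """Map every hostname in hosts-file text to its IP address."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table[name.lower()] = fields[0]
    return table

def ssl_collisions(conf, hosts):
    """Return {(ip, port): [ServerName, ...]} where SSL vhosts share a socket."""
    by_socket = defaultdict(list)
    pattern = r"<VirtualHost\s+([^>\s:]+):(\d+)>(.*?)</VirtualHost>"
    for m in re.finditer(pattern, conf, re.I | re.S):
        host, port, body = m.groups()
        if not re.search(r"^\s*SSLEngine\s+on\b", body, re.I | re.M):
            continue  # plain HTTP: the Host header can select the vhost
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.I | re.M)
        ip = hosts.get(host.lower(), host)  # fall back to a literal IP
        by_socket[(ip, port)].append(name.group(1) if name else host)
    return {k: v for k, v in by_socket.items() if len(v) > 1}
```

Calling `ssl_collisions(CONF, parse_hosts(HOSTS))` on the sample reports 203.0.0.1:443 as shared by www1.domain.com and shop.domain.com, while www2.newdomain.com on its own address is not flagged.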