RE: [Slightly OT] Building EAPI apache
Set this environment variable: CFLAGS=-DEAPI

S.

Shawn Syms | Systems Administrator
Infinet Communications | [EMAIL PROTECTED]

-----Original Message-----
From: Colm McCartan [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 05, 2002 12:20 PM
To: [EMAIL PROTECTED]
Subject: [Slightly OT] Building EAPI apache

Hello all,

I know this isn't purely a mod_ssl issue but it's pretty closely involved and since I imagine many people are doing the same thing just now (upgrading apache)...

I have been trying to upgrade to 1.3.26 in the light of the chunked-encoding bug but have been unable to build it with the EAPI option. AFAICT this is not mentioned anywhere in the install docs or configuration. Without it, the most recent version of modssl won't compile, complaining:

    Installed Apache doesn't contain Extended API (EAPI)

If I understand correctly, in earlier versions there was an apache configuration rule but with 1.3.26 --enable-rule=EAPI fails..

Am I missing something glaringly obvious?

Many thanks for any lights,
colm

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)    www.modssl.org
User Support Mailing List                [EMAIL PROTECTED]
Automated List Manager                   [EMAIL PROTECTED]
RE: how to add multiple SSL cert for each virtual host?
Multiple SSL certs for name-based virtual hosts aren't possible based upon the way SSL is designed. Each site requiring a separate cert must have its own IP address.

---
Shawn Syms | Systems Administrator
Infinet Communications | [EMAIL PROTECTED]
---

-----Original Message-----
From: Thomas Sandor [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 03, 2002 1:20 PM
To: [EMAIL PROTECTED]
Subject: how to add multiple SSL cert for each virtual host?

hi everyone,

I have an apache 2.0.40 installed on a RedHat 7.2 box, compiled with ssl (openssl 0.9.6g). Till now I had only one domain for which apache should use SSL cert files (crt, key), but for our next project I have to add another SSL cert file for a specific domain.

I have NameVirtualHost 12.34.56.78 and have a list of <virtualhost/> for each of our domains, using ServerName-based aliases, but for the ssl conf it doesn't work.

My ssl.conf in short looks like this:

    NameVirtualHost 12.34.56.78:443

    <VirtualHost 12.34.56.78:443>
    ServerName domain1.com
    CustomLog ...
    ErrorLog ...
    SSLEngine on
    SSLCertificateFile /somewhere/ssl.crt/domain1.crt
    SSLCertificateKeyFile somewhere/ssl.key/domain1.key
    </VirtualHost>

    <VirtualHost 12.34.56.78:443>
    ServerName domain2.com
    CustomLog ...
    ErrorLog ...
    SSLEngine on
    SSLCertificateFile /somewhere/ssl.crt/domain2.crt
    SSLCertificateKeyFile somewhere/ssl.key/domain2.key
    </VirtualHost>

The problem is that apache does not serve domain2 cert files for domain2, it uses the first declaration for every https://domainX.com invoke.

Does anyone know how to tell apache to use the specific SSL cert I'd like to define for each of my virtualhosts?

Thanks in advance for any help.

Regards,
Thomas
RE: how to add multiple SSL cert for each virtual host?
Hawk:

Here is more info on why this doesn't work:

http://www.ensim.com/support/sxc/faqs/4.10.html

---
Shawn Syms | Systems Administrator
Infinet Communications | [EMAIL PROTECTED]
---

-----Original Message-----
From: Hack Hawk [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 03, 2002 3:35 PM
To: [EMAIL PROTECTED]
Subject: RE: how to add multiple SSL cert for each virtual host?

What?!?!?!

Are you absolutely sure about this? SSL certs are based on the Domain Name, NOT the IP address. It stands to reason that it would be possible for virtual hosts/domains to have their own certs.

Perhaps modssl doesn't support it, but I think that in theory it's possible.

- hawk

At 10:24 AM 12/03/2002, you wrote:
> Multiple SSL certs for name-based virtual hosts aren't possible based upon
> the way SSL is designed. Each site requiring a separate cert must have its
> own IP address.
>
> ---
> Shawn Syms | Systems Administrator
> Infinet Communications | [EMAIL PROTECTED]
> ---
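An added example, not part of the original thread or of mod_ssl: a small check for the situation discussed above, where several SSL virtual hosts share one IP:port and only the first declared certificate is served. The sample configuration is constructed from the one in the question; the third host, domain3.com on 12.34.56.79, is made up for contrast.

```python
import re
# Constructed sample: the question's ssl.conf plus a made-up third vhost on its own address.
SAMPLE_CONF = """
NameVirtualHost 12.34.56.78:443
<VirtualHost 12.34.56.78:443>
    ServerName domain1.com
    SSLEngine on
    SSLCertificateFile /somewhere/ssl.crt/domain1.crt
</VirtualHost>
<VirtualHost 12.34.56.78:443>
    ServerName domain2.com
    SSLEngine on
    SSLCertificateFile /somewhere/ssl.crt/domain2.crt
</VirtualHost>
<VirtualHost 12.34.56.79:443>
    ServerName domain3.com
    SSLEngine on
    SSLCertificateFile /somewhere/ssl.crt/domain3.crt
</VirtualHost>
"""

BLOCK = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """First argument of directive `name` inside a vhost body, or None."""
    m = re.search(rf"^[ \t]*{name}[ \t]+(\S+)", body, re.M | re.I)
    return m.group(1) if m else None

def ssl_vhosts(conf):
    """Yield (address, ServerName, certificate file) for SSL-enabled vhosts."""
    for addr, body in BLOCK.findall(conf):
        if (directive(body, "SSLEngine") or "").lower() == "on":
            yield addr.strip(), directive(body, "ServerName"), directive(body, "SSLCertificateFile")

def shadowed_certs(conf):
    """Map address -> (certificate served, [(ServerName, ignored cert), ...])."""
    by_addr = {}
    for addr, name, cert in ssl_vhosts(conf):
        by_addr.setdefault(addr, []).append((name, cert))
    report = {}
    for addr, hosts in by_addr.items():
        served = hosts[0][1]  # first declaration wins, as seen in the question
        ignored = [(n, c) for n, c in hosts[1:] if c != served]
        if ignored:
            report[addr] = (served, ignored)
    return report

if __name__ == "__main__":
    print(shadowed_certs(SAMPLE_CONF))
```

Run against the sample, the report lists domain2.com under 12.34.56.78:443 and leaves the host with its own address alone.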
RE: securing one area of a vhost in apache 2
> So, bottom line, it is not possible to have a virtual host accessible via
> http and require SSL for a part of it. Is that correct?

It's not really logical to want to segment out SSL-using and non-SSL-using sections of a site within the server config; do this on the site itself in the code.

Here is what is commonly done, where I work anyway.

In your apache config, specify the use of SSL for the entire site. The certificate applies to the entire site anyway, since a certificate applies to anything that falls under the fully qualified domain name (FQDN) on the certificate.

In the ***code*** of your site, hardcode the URL for the sections that need security to include https -- this sort of hardcoding (ie, using an absolute path for the links instead of a relative one) is not bad form since the URL should only be accessed using the FQDN anyway (ie, as long as the value on the certificate doesn't change, neither would the single correct URL). In the links that lead *out* of the secured area of the site, use absolute links that specify http rather than https.

Also in the code, if anyone tries to access those sections without SSL, rewrite the URL in their browser so that it includes the https.

And finally, also in the code, for any sections that don't require SSL (and where you don't want the performance impact of needless SSL traffic), test to see if the URL entered by the user includes https -- if it does, rewrite it to remove the s.

This works well for us and is pretty straightforward to implement.

Regards,
S.

---
Shawn Syms | Team Lead, Systems Administration
Infinet Communications | [EMAIL PROTECTED]
---

-----Original Message-----
From: Nick Tonkin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 27, 2003 3:58 PM
To: R. DuFresne
Cc: [EMAIL PROTECTED]
Subject: Re: securing one area of a vhost in apache 2

On Thu, 27 Feb 2003, R. DuFresne wrote:

> You gave this site its own IP address yes?

No. It is using NameVirtualHost.

> Virtual hosting with non-ssl works in a 'software' aware mode, while
> virtual hosting with ssl is more 'hardware' in nature requiring
> specific IP addressing to function properly.

Hmm. I must have missed this in the docos. Rechecking ...

Hm. Well, I see that I was on the wrong track with "How can I authenticate my clients for a particular URL based on certificates but still allow arbitrary clients to access the remaining parts of the server?" ... that appears on closer inspection to deal with certificate-wielding clients ...

Hm. So, bottom line, it is not possible to have a virtual host accessible via http and require SSL for a part of it. Is that correct?

Thanks,

- nick

--
~
Nick Tonkin {|8^)
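An added example, not from the thread: a sketch of the application-side check the reply describes, which sends secured sections to https and everything else back to http, always under the certificate's FQDN. CERT_FQDN and SECURE_PREFIXES are made-up values, and the path normalisation (so that /public/../account or //account still count as secured) goes beyond what the message spells out.

```python
import posixpath
from urllib.parse import urlsplit, urlunsplit

# Assumed values for illustration only; neither appears in the thread.
CERT_FQDN = "www.example.com"                 # the name on the certificate
SECURE_PREFIXES = ("/account", "/checkout")   # sections that must use SSL

def needs_ssl(path):
    """True if the normalised path lies inside a secured section."""
    clean = posixpath.normpath("/" + path.lstrip("/"))
    # Match whole path segments so /accounting is not treated as /account.
    return any(clean == p or clean.startswith(p + "/") for p in SECURE_PREFIXES)

def redirect_target(url):
    """Return the absolute URL to redirect to, or None if no redirect is needed."""
    parts = urlsplit(url)
    want = "https" if needs_ssl(parts.path) else "http"
    if parts.scheme == want and parts.hostname == CERT_FQDN:
        return None
    # Always rebuild the link with the certificate's FQDN, as the reply advises.
    return urlunsplit((want, CERT_FQDN, parts.path or "/", parts.query, ""))

if __name__ == "__main__":
    for u in ("http://www.example.com/account/settings?tab=1",
              "https://www.example.com/news",
              "https://www.example.com/checkout"):
        print(u, "->", redirect_target(u))
```

The redirect is issued only after the server has received the plain-http request, so forms inside a secured section should post to absolute https URLs, as the message describes for links.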