----- Original Message -----
Sent: Friday, August 17, 2001 1:26 AM
Subject: RE: https on vs
OK folks... I've got it working now. From what I found, others may (or may not) be suffering from the same situation, so here's what I did to get https working on a VS.

-Compiled new version of Apache on RedHat 6.2 'build machine'. This version only had OpenSSL support compiled in 'statically' -- and included DSO support. (Built with apachetoolbox v 1.5.35). I also hand-modified the apache config file (when prompted by apachetoolbox) and added a line to set the directory where config files were 'looked for' to /etc/httpd/conf.

-Modified httpd.conf to include the following section:

    <IfDefine SSL>
    AddModule mod_ssl.c
    </IfDefine>

-I had to create the directory /usr/local/apache/logs and give the appropriate permissions to the VS 'web' user -- I think I may fix this eventually to log to wherever the hell RedHat points it. (I created this because apache was complaining about not being able to write there -- and I thought it was the quickest way to get around this).

-I had to update the SSLCertificateFile, SSLCertificateKeyFile, and SSLCACertificateFile directives in the VS's /etc/httpd/conf/httpd.conf to point to my certificates and keys (of course).

-For some reason, the httpd binary I produced above didn't like the entries in httpd.conf that dealt with mod_rewrite or db_auth_module. I didn't need them anyway (for now) -- so I commented them out, and I seem to be up and running just fine.

TODO still:
-The new httpd file needs to be added to my skel.
-The httpd.conf needs to be updated in my skel.

Otherwise -- the one vs that I tried this on appears to be working just fine.

I should note that if this was a completely dedicated box I would have had to go through the same steps -- this really has nothing to do with FreeVSD, just the configuration of the skel... you guys developing this stuff just rock.

Dan
You're right. Specifying the 8443 port will bypass any redirectors so that is not your problem. I have not done much with setting up https myself, but presumably you must have your certificates, crls etc in place for it to work. Have you got them in place? I have a link to info on Certs, CAs and https which I haven't gone through myself yet, but do intend to someday. Here it is if it is any use for you:

Tim
Is this a good test? Can I give you any other information about my machine?

Thanks,
Dan
There are some possible issues here. The RH6.2 skel will be implementing vsdredirect (the 80:8080,443:8443 port redirector) which for various unavoidable reasons drops the client IP and may therefore be preventing any SSL authentication from taking place. Because you are hosting on RH7.1, the port redirection should already be being carried out by iptables, so you possibly have two mechanisms attempting to do redirection. You should disable vsdredirect, the unfortunately inferior redirector, by commenting out both 'vsdredirect' entries in /etc/rc within your virtual server and rebooting the vs. That should ensure that only iptables is being involved for any port redirection. It may even fix your problem...

Tim
I apologize. I should clarify: I do see this entry (and others that are using IfModule syntax to see if SSL support is enabled).

What I don't see is a LoadModule statement or an AddModule statement for ssl support. It seems that the <IfModule mod_ssl.c> sections wouldn't get executed if this wasn't added -- am I smoking crack? (Always a possibility...)

It also seems that the <IfDefine SSL> sections get executed -- because there is one <IfDefine SSL> block that isn't wrapped by a <IfModule mod_ssl.c> block -- this is the block that tells apache to Listen on 8443. This appears to get executed, because the vsdredirect works (it redirects 443 traffic to 8443), and the server is responding with normal http traffic on 443 -- which (it seems to me) would be expected if mod_ssl hasn't been loaded.

Again, am I smoking crack (or perhaps something stronger)? Would anyone be interested in smoking with me?

Are these questions baffling anyone yet? Would you like more of an explanation?

Thanks,
Dan "Tim Sellar is my hero" Esparza
I am looking at the httpd.conf provided with freeVSD and it contains the following entries:

    <IfModule mod_ssl.c>
    SSLEngine off
    SSLPassPhraseDialog builtin
    SSLSessionCache dbm:/home/web/log/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:/home/web/log/ssl_mutex
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    SSLLog /home/web/log/ssl_engine_log
    SSLLogLevel error
    </IfModule>

Are you saying such an entry is not present in the httpd.conf provided within the freevsd-skel-1.4.9-1rh6.tar.bz2?

You can check within your vs, or in the skel itself (/home/vsd/skel/skel/etc/httpd/conf/httpd.conf)

Tim
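The thread turns on how Apache 1.3 evaluates the conditionals in this httpd.conf: the `<IfModule mod_ssl.c>` blocks Tim quotes are only read if mod_ssl has already been loaded when the parser reaches them, while the unwrapped `<IfDefine SSL>` block that opens the Listen port still takes effect under `-DSSL`, which is why Dan saw plain HTTP on 443, and why his fix (an `AddModule mod_ssl.c` inside `<IfDefine SSL>`, placed before those blocks) worked. The following is an added example, not code from the thread or from the FreeVSD project: a small evaluator for `<IfModule>`/`<IfDefine>` nesting, run over a constructed sample modelled on the quoted excerpt, plus a permission check on the file named by SSLCertificateKeyFile. The sample configuration, its paths and the helper names are assumptions made for the demo; the directive names are real mod_ssl directives.

```python
"""Added example (not from the FreeVSD thread): evaluate <IfModule>/<IfDefine>
conditionals in an Apache 1.3-style httpd.conf and report what the server
would actually do for SSL. Sample config below is constructed for the demo,
modelled on the skel excerpt quoted in the thread."""
import os
import re
import stat
import tempfile

OPEN_RE = re.compile(r"^<(IfModule|IfDefine)\s+(!?)(\S+)>$", re.I)
CLOSE_RE = re.compile(r"^</(IfModule|IfDefine)>$", re.I)


def evaluate(conf_text, loaded_modules=(), defines=()):
    """Return the (directive, arguments) pairs that would take effect.

    Conditionals nest; a directive inside a false block is dropped. Apache 1.3
    tests <IfModule> at parse time, so an AddModule seen earlier in the file
    enables later <IfModule> blocks, and one seen later does not."""
    loaded, defines = set(loaded_modules), set(defines)
    stack = []      # one flag per open conditional: is its body in effect?
    active = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            kind, negated, name = m.group(1).lower(), m.group(2) == "!", m.group(3)
            holds = name in loaded if kind == "ifmodule" else name in defines
            parent = stack[-1] if stack else True
            stack.append(parent and holds != negated)
            continue
        if CLOSE_RE.match(line):
            stack.pop()
            continue
        if stack and not stack[-1]:
            continue
        if line.startswith("<"):    # <VirtualHost>, <Directory>, ...: not conditional
            continue
        name, _, args = line.partition(" ")
        args = args.strip()
        if name.lower() == "addmodule":     # e.g. "AddModule mod_ssl.c"
            loaded.add(args)
        active.append((name, args))
    return active


def ssl_status(conf_text, mod_ssl_loaded=False, defines=("SSL",)):
    """Summarise the effective SSL setup: ports listened on, whether any
    SSLEngine on survives, and which certificate/key would be used."""
    loaded = {"mod_ssl.c"} if mod_ssl_loaded else set()
    by_name = {}
    for name, args in evaluate(conf_text, loaded, defines):
        by_name.setdefault(name.lower(), []).append(args)
    return {
        "listen": by_name.get("listen", []),
        "ssl_engine_on": "on" in [a.lower() for a in by_name.get("sslengine", [])],
        "certificate": (by_name.get("sslcertificatefile") or [None])[0],
        "key": (by_name.get("sslcertificatekeyfile") or [None])[0],
    }


def key_file_ok(path):
    """The private key named by SSLCertificateKeyFile must exist, be a regular
    file, and not be readable by group or others (mode bits 0o077 clear)."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def make_demo_key(mode):
    """Demo helper: create an empty stand-in key file with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".key")
    os.close(fd)
    os.chmod(path, mode)
    return path


# Constructed sample: the skel's unwrapped <IfDefine SSL> Listen block plus
# <IfModule mod_ssl.c> sections like the ones quoted above (paths assumed).
SKEL_CONF = """
<IfDefine SSL>
Listen 8080
Listen 8443
</IfDefine>
<IfModule mod_ssl.c>
SSLEngine off
SSLLog /home/web/log/ssl_engine_log
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost _default_:8443>
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
</VirtualHost>
</IfModule>
"""

# Dan's fix: load the module in a block that precedes the <IfModule> sections.
FIXED_CONF = "<IfDefine SSL>\nAddModule mod_ssl.c\n</IfDefine>\n" + SKEL_CONF

if __name__ == "__main__":
    print("skel, mod_ssl not loaded:", ssl_status(SKEL_CONF))
    print("skel + AddModule, -DSSL:", ssl_status(FIXED_CONF))
    print("skel + AddModule, no -DSSL:", ssl_status(FIXED_CONF, defines=()))
```

Run as a script, the first line shows the symptom from the thread (8443 is listened on, no SSLEngine, no certificate), the second shows the fix taking effect, and the third shows that the AddModule and the Listen both vanish if httpd is not started with -DSSL. The `key_file_ok` check is the extra step worth doing after pointing SSLCertificateKeyFile at a real key: a key readable by the VS 'web' user or by everyone defeats the point of the certificate.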
Is there a special trick to getting https to work with a virtual machine? I'm using freevsd-1.4.9-2rh71.i386.rpm on RedHat 7.1, with the freevsd-skel-1.4.9-1rh6.tar.bz2 skel. Yes, I realize that this is a RedHat 6.2 skel on RedHat 7.1 (and let me know if this is the culprit), and yes I realize that this is 1.4.9-2 using a 1.4.9-1 skel (also let me know if this is the culprit).

I've checked http, ftp, ssh (had to make a few small tweaks), and telnet -- and they all seem to work fine for the VS. (Kudos, folks -- this was a LOT easier than I thought it would be).

I notice that an ssl module reference doesn't appear anywhere in httpd.conf -- is there documentation that talks about if this needs to be added somewhere, or if there is something special I need to do for https. If I do a ps -ef on the main host machine I see there are vsdredirect's for ports 80 and 443 -- and these appear to work -- but 443 is serving normal HTTP content. (In other words, https://my.vsserver.com doesn't work, but http://my.vsserver.com:443 actually brings up the page. I realize this shouldn't be the case.)

Any help would be appreciated.

Thanks,
Dan