On Dec 17, 2009, at 3:06 PM, Chris McCann wrote:

> Jason,
>
> Thanks for chiming in. This isn't rocket science, I just don't have
> much experience setting up virtual hosts in Apache and assume that
> there are some smart, experienced guys here who have and can explain
> what I'm missing. My client's needs are not extreme, they just asked
> if I could run the site via https instead of http. Simple enough.

Just that there are many different ways to do it, and each has its own potential security holes. Apache config is not really "simple enough" at all :) It's powerful, a bit old, and very easy to get wrong.

> I don't need to pay an "expert" some silly hourly rate for something
> that probably boils down to a few lines in a config file. Besides, if
> I am to become an "expert", or more accurately "expert enough", the
> only way is through doing it myself, wouldn't you agree?

Absolutely, you just seemed to be headed off along a "tell me what to write" path - which always makes my hair stand on end. I may have been wrong, and if so no harm, I'm sure you were already aware of my recommendations. Definitely becoming an expert is easy - start here: http://httpd.apache.org/docs/

> But point taken: if this were no-kidding some high-security situation
> (which it isn't) I'd do well by my client to hire a security expert.
> Since that's not the case, I feel confident in figuring it out on my
> own with a little help from some devs with more experience.

I wasn't talking about a security expert - just an expert in apache configuration (or become one). There's a reason sites get hacked - and a big part of that are sites mis-configured by well-meaning people taking well-meaning advice :) It's really easy to get it wrong with apache.

--
SD Ruby mailing list
[email protected]
http://groups.google.com/group/sdruby
