DirectoryIndex/Indexes with Client Auth not working
Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b

When I configure a virtual SSL host with basic auth, I can access the following URLs without problem:

  https://server.name/
  https://server.name/subdir/index.html

Getting a directory index and/or trying https://server.name/subdir and wanting the index.html is impossible: I get an error 403 returned. There is no error_log entry, just an access_log entry.

My configuration is currently in an .htaccess file:

  <Limit GET HEAD>
  SSLRequireSSL
  SSLOptions FakeBasicAuth +StrictRequire
  SSLVerifyClient require
  SSLVerifyDepth 10
  SSLOptions +FakeBasicAuth +StrictRequire
  DirectoryIndex index.cgi index.html
  Options Indexes FollowSymLinks ExecCGI
  AuthName "RSC RA Authentication"
  AuthType Basic
  AuthUserFile /etc/httpd/conf/httpd.passwd
  require valid-user
  </Limit>

If I leave out the `require' directive, the DirectoryIndex is processed (but I am of course not authenticated).

I repeat: if I access a file directly, all is fine.

What am I doing wrong?

Thanks, regards,
-JP

__
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                          [EMAIL PROTECTED]
Automated List Manager                             [EMAIL PROTECTED]
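An added example, not from JP's post and not mod_ssl's own sample configuration: the posted .htaccess directives reassembled in two forms. Version A keeps the posted <Limit GET HEAD> wrapper; Version B drops it, which is what the Apache <Limit> documentation recommends for access-control directives, because a "require" inside <Limit GET HEAD> is enforced only for GET and HEAD, and any other method (a POST to index.cgi, for instance, since ExecCGI is on) is served without the client-certificate or password check. AuthName, the user file path and the option list are the ones from the post; the AllowOverride line and the sample httpd.passwd entry are assumptions. Whether dropping <Limit> also changes the 403 on the directory index is not something the thread establishes, so it is not claimed here.

```apache
# Added example (not JP's file). Two alternative .htaccess files; use one or
# the other, not both. Both need the enclosing <Directory> in httpd.conf to
# carry at least (assumed):
#   AllowOverride AuthConfig Limit Options Indexes

# ---------- Version A: as posted, auth wrapped in <Limit GET HEAD> ----------
# Only GET and HEAD are subject to "require valid-user". POST, PUT, OPTIONS,
# TRACE and any other method reach index.cgi with no client certificate and
# no password check at all.
<Limit GET HEAD>
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLOptions +FakeBasicAuth +StrictRequire
    AuthName "RSC RA Authentication"
    AuthType Basic
    AuthUserFile /etc/httpd/conf/httpd.passwd
    require valid-user
</Limit>
DirectoryIndex index.cgi index.html
Options Indexes FollowSymLinks ExecCGI

# ---------- Version B: no <Limit>; the same controls apply to every method ----------
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 10
# +FakeBasicAuth: the client certificate's subject DN becomes the user name,
# and mod_ssl looks it up in AuthUserFile with the fixed password "password"
# (DES-crypt hash xxj31ZMTZzkVA, as documented for mod_ssl), so httpd.passwd
# holds one line per allowed DN, for example (constructed entry):
#   /C=DE/O=Example Org/CN=Jane Doe:xxj31ZMTZzkVA
# +StrictRequire: a denial from SSLRequireSSL/SSLRequire cannot be relaxed by
# "Satisfy Any" elsewhere in the configuration.
SSLOptions +FakeBasicAuth +StrictRequire
AuthName "RSC RA Authentication"
AuthType Basic
AuthUserFile /etc/httpd/conf/httpd.passwd
require valid-user
DirectoryIndex index.cgi index.html
Options Indexes FollowSymLinks ExecCGI
```

Note that "apachectl configtest" parses httpd.conf only; a syntax error in an .htaccess file shows up as a 500 response with an error_log entry when the directory is first requested. To confirm Version B behaves as intended, request the directory with a method other than GET or HEAD and without a client certificate: it must be refused, whereas under Version A it is served.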
RE: Configuring a stand alone SSL enabled apache webserver
I think you're misunderstanding something about how apache and SSL work. It is not that you switch on SSL over all VHs like it was a Romulan Cloaking Device... Rather, SSL (more properly, HTTPS) is a protocol you define for a particular virtual host. This means the SSL directives *must* go inside a VH container. The only exception is if you don't use VHs at all and only have one site which is defined at server config level (i.e. there are no VH containers at all and only one DocumentRoot). Then the SSL directives can be at config level.

To put it another way:

- Listen directives tell apache which TCP/IP sockets to listen to.
- DocumentRoot directives tell apache where to find the start of each site's content.
- VHs map Listens to DocumentRoots, i.e. TCP/IP sockets to directories.
- The protocol to be used (HTTP or HTTPS) is defined separately for each VH.

Rgds,
Owen Boyle

> -----Original Message-----
> From: Kent Perrier [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 20 November 2002 14:40
> To: [EMAIL PROTECTED]
> Subject: Re: Configuring a stand alone SSL enabled apache webserver
>
> On Tue, 2002-11-19 at 15:53, R. DuFresne wrote:
> > As far as I'm aware, and others can correct me if I'm saying something wrong here, the virtual server directives are optional. The key would be the server root for the ssl based pages to be served, though enclosing a SERVERROOT directive within the virtual server directives would benefit you in separation of pages being served. Don't be overly confused by the virtual server directives, they aren't just for VH hosting (smile).
>
> The question is, how do I turn SSL on outside of a virtual server? The "SSLEngine On" directive gives me the "Illegal attempt to re-initialize SSL for server" error. If I comment this out, the server starts, I see mod_ssl listed in the error_log when the server starts and the server is listening on port 443, but it will not accept SSL connections. I now have a standard web server running on port 443, not 80.
>
> FYI, I don't really want to separate the pages being served, I need apache to be the front end for a Tomcat based e-commerce application and I am having problems with getting mod_jk working inside the virtual server that hosts the SSL enabled server. I decided to go this route as I thought it would be easier and server resources are not an issue.
>
> Kent
RE: Re[2]: SSL with multiple domains on same server
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>
> are you saying i can use the same ip and two different port to be able to have more than one vhs under ssl?

Certainly. e.g.

  Listen 192.168.1.1:443
  <VirtualHost 192.168.1.1:443>
  ..etc
  </VirtualHost>

  Listen 192.168.1.1:444
  <VirtualHost 192.168.1.1:444>
  ..etc
  </VirtualHost>

The rule is: SSL VHs must be distinct at TCP/IP level (i.e. the ip addr and port pair must be distinct).

Rgds,
Owen Boyle
Re[4]: SSL with multiple domains on same server
Hello Boyle,

Wednesday, November 20, 2002, 4:14:45 PM, you wrote:

BO> > -----Original Message-----
BO> > From: Ludovic Perard [mailto:[EMAIL PROTECTED]]
BO> > I'm already using two different IP addresses
BO>
BO> Then it should work. Are you sure? Try defining the IP addresses explicitly to reveal any DNS misconfigurations:
BO>
BO>   Listen 192.168.1.1:443
BO>   <VH 192.168.1.1:443>
BO>   ...
BO>   Listen 192.168.1.2:443
BO>   <VH 192.168.1.2:443>
BO>   ...

I tried it your way and it doesn't change anything... All sites take the same certificate... :/

Can the problem come from the IP? We are using network address translation and all IPs on the web server are 172.x.x.x, so I tried with:

  <VH 172.x.x.x:443 62.x.x.x:443>

but no success.

--
Best regards,
Ludovic [EMAIL PROTECTED]
Re[5]: SSL with multiple domains on same server
Hello Boyle,

I found the solution: the line "BindAddress *" needs to be uncommented. Now, all works fine :)

--
Best regards,
Ludovic [EMAIL PROTECTED]
RE: Re[5]: SSL with multiple domains on same server
Great! But do you know why? BindAddress is a deprecated directive which is replaced by Listen. What you have done is said to apache, listen to all active IP addresses. I think the real problem is to do with your NAT (which you didn't mention in your original post). This meant that the IP addresses your browser was using were different from the incoming IP addresses on the apache box. If you had used Listen with the real IPs, it would've worked too.

> -----Original Message-----
> From: Ludovic Perard [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 21 November 2002 11:34
> To: [EMAIL PROTECTED]
> Subject: Re[5]: SSL with multiple domains on same server
>
> Hello Boyle,
>
> I found the solution: the line "BindAddress *" needs to be uncommented. Now, all works fine :)
>
> --
> Best regards,
> Ludovic [EMAIL PROTECTED]
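Pulling the advice from the two threads above together, an added configuration that is not from any of the list posts and not mod_ssl's own sample httpd.conf: three HTTPS virtual hosts on one Apache 2.0 box that are distinct at the IP:port level (two IPs on 443, plus 443/444 on one IP as Owen describes), each with its own certificate, with SSLEngine inside the VH containers rather than at server level, and with Listen (instead of the deprecated BindAddress) bound to the addresses the server machine itself sees, which behind NAT are the translated ones. All addresses, host names and file paths are placeholders.

```apache
# Added example; every address, name and path is a placeholder.
# Do NOT put "SSLEngine on" at server-config level when VH containers exist:
# that is the "Illegal attempt to re-initialize SSL for server" error from the
# thread. Each HTTPS site gets its own VH container and its own SSLEngine on.

# Listen replaces the deprecated BindAddress. Behind NAT, list the addresses
# configured on this machine (here 172.16.x.x), not the public ones the
# browser connects to: the translated packets arrive with the internal address.
Listen 172.16.0.10:80
Listen 172.16.0.10:443
Listen 172.16.0.11:443
Listen 172.16.0.10:444

# Plain HTTP site: no SSL directives at all.
<VirtualHost 172.16.0.10:80>
    ServerName   www.example.com
    DocumentRoot /var/www/www
</VirtualHost>

# HTTPS site 1.
<VirtualHost 172.16.0.10:443>
    ServerName            shop.example.com
    DocumentRoot          /var/www/shop
    SSLEngine             on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/shop.example.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/shop.example.com.key
</VirtualHost>

# HTTPS site 2: a second IP address, same port. Distinct socket, so it can
# present a different certificate.
<VirtualHost 172.16.0.11:443>
    ServerName            admin.example.com
    DocumentRoot          /var/www/admin
    SSLEngine             on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/admin.example.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/admin.example.com.key
</VirtualHost>

# HTTPS site 3: same IP as site 1, different port (Owen's 443/444 case).
<VirtualHost 172.16.0.10:444>
    ServerName            intranet.example.com
    DocumentRoot          /var/www/intranet
    SSLEngine             on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/intranet.example.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/intranet.example.com.key
</VirtualHost>
```

After "apachectl configtest" and a restart, the symptom Ludovic reported ("all sites take the same certificate") can be checked per socket without a browser: "openssl s_client -connect 172.16.0.11:443 </dev/null 2>/dev/null | openssl x509 -noout -subject" prints the subject of the certificate actually served on that socket. If two sockets return the same subject, either the Listen/VirtualHost address pairs are not distinct on the server side (for example public addresses were used behind NAT) or a VirtualHost address does not match any Listen line.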
RE: Configuring a stand alone SSL enabled apache webserver
Boyle Owen <[EMAIL PROTECTED]> wrote:

> Rather, SSL (more properly, HTTPS) is a protocol you define for a particular virtual host. This means the SSL directives *must* go inside a VH container. The only exception is if you don't use VHs at all and only have one site which is defined at server config level (i.e. there are no VH containers at all and only one DocumentRoot). Then the SSL directives can be at config level.
>
> To put it another way:
>
> - Listen directives tell apache which TCP/IP sockets to listen to.
> - DocumentRoot directives tell apache where to find the start of each site's content.
> - VHs map Listens to DocumentRoots, i.e. TCP/IP sockets to directories.
> - The protocol to be used (HTTP or HTTPS) is defined separately for each VH.

When is some nice company gonna pay Owen to put all his highly original, succinct and illuminating explanations into a wee book?

Cheers,
cam - [EMAIL PROTECTED]
Problem with... proxy? Module? Or what?
Hello!

I'm running FreeBSD, and apache/mod_ssl with virtual hosts in a jailed environment. Jail means that I can have only one IP address for apache; ipfilter's ipnat is used to multiplex several external IPs.

I also need to support https virtual hosts, and here my troubles begin. Of course, I could not use pure name-based virtual hosts, and I even understand why. What's a bit worse is that I seem to be unable to obtain data from /dev/ipl from inside the jail.

Maybe someone can guide me towards a proper proxy? Things like mod_real_ip should not help much, and I'm still trying to make pound (http://www.apsis.ch/pound/) work. Having received an https connection via some proxy, how can I pass the SSL variables the easiest way?

--
Alex.
Re: Problem with... proxy? Module? Or what?
On Thu, 21 Nov 2002, Alex Povolotsky wrote:

> Hello!
>
> I'm running FreeBSD, and apache/mod_ssl with virtual hosts in a jailed environment. Jail means that I can have only one IP address for apache; ipfilter's ipnat is used to multiplex several external IPs.
>
> I also need to support https virtual hosts, and here my troubles begin. Of course, I could not use pure name-based virtual hosts, and I even understand why. What's a bit worse is that I seem to be unable to obtain data from /dev/ipl from inside the jail.

It sounds like yer jail is lacking the libs and devices for this access. Now, whether or not your jail will be safe if you move what's required to get this to function within the jail is another matter you will have to determine after setting up a working jailed testbed with those items. lsof and various other tools are your friend in this endeavor. One of the recent system admin editions had a good article on how to work through the process of setting up jailed applications; I think it was last month's or the two-months-back edition.

> Maybe someone can guide me towards a proper proxy? Things like mod_real_ip should not help much, and I'm still trying to make pound (http://www.apsis.ch/pound/) work. Having received an https connection via some proxy, how can I pass the SSL variables the easiest way?

Thanks,

Ron DuFresne
--
~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
testing, only testing, and damn good at it too!
Re: Problem with... proxy? Module? Or what?
On Thu, 21 Nov 2002 15:25:20 -0500 (EST)
R. DuFresne <[EMAIL PROTECTED]> wrote:

RD> > I'm running FreeBSD, and apache/mod_ssl with virtual hosts in
RD>
RD> It sounds like yer jail is lacking the libs and devices for this access.

libs exist; the device exists. I'm getting an IOCTL error trying to access /dev/ipl:

  Nov 21 20:11:01 class-a tproxy[52225]: ioctl(SIOCGNATL): Bad address

Maybe ipfilter requires kmem or mem; in this case, I'm surely helpless.

RD> recent system admin editions had a good article on how to work through the
RD> process of setting up jailed applications I think it was the last months
RD> or two months back edition.

URL? I don't think I'll be able to get hold of it in reasonable time...

--
Alex.
Re: Problem with... proxy? Module? Or what?
On Fri, 22 Nov 2002, Alex Povolotsky wrote:

> On Thu, 21 Nov 2002 15:25:20 -0500 (EST)
> R. DuFresne <[EMAIL PROTECTED]> wrote:
>
> RD> > I'm running FreeBSD, and apache/mod_ssl with virtual hosts in
> RD>
> RD> It sounds like yer jail is lacking the libs and devices for this access.
>
> libs exist; the device exists. I'm getting an IOCTL error trying to access /dev/ipl:
>
>   Nov 21 20:11:01 class-a tproxy[52225]: ioctl(SIOCGNATL): Bad address
>
> Maybe ipfilter requires kmem or mem; in this case, I'm surely helpless.
>
> RD> recent system admin editions had a good article on how to work through the
> RD> process of setting up jailed applications I think it was the last months
> RD> or two months back edition.
>
> URL? I don't think I'll be able to get hold of it in reasonable time...

If you're in that much of a time pinch, hopefully you googled for it yourself rather than waiting on me (smile): http://www.sysadminmag.com/

Look at the past couple of issues; the article on jailing daemons should be in there. I did not locate it with a quick search on the site with the term 'jail', yet there were at least 5 articles found with that term relating to this, at least one specific to FreeBSD. Searching with the term chroot produces more results, and between the two you should locate information to help you here.

Thanks,

Ron DuFresne