Re: Failed uploading file to Appache HTTP Server after using SSL
FYI. We had to choose to test that by using other versions and we found that the problem is resolved if we downgrade to 2.0.50. Ken On 4/22/06, Ken Chen <[EMAIL PROTECTED]> wrote: > FYI. > > I have tried to test upload with Firefox. But it turns out that it > fails too. Then, it might not be only a MSIE issue. > > > > On 4/22/06, Ken Chen <[EMAIL PROTECTED]> wrote: > > Hi, > > > > My colleague has helped to deploy the patch and the ssl vhost has been > > configured as follow: > > > > DocumentRoot "/home/server/webpage" > > ServerName 192.168.2.130:443 > > LogLevel debug > > ErrorLog logs/ssl-error_log > > CustomLog logs/ssl-access_log common > > > > BrowserMatch ".*MSIE.*" \ > > nokeepalive ssl-unclean-shutdown \ > > downgrade-1.0 force-response-1.0 > > > > ProxyPass /eservices http://localhost:8855/eservices > > ProxyPassReverse /eservices http://localhost:8855/eservices > > > > Alias /eservices-webpage/ /home/server/webpage/ > > > > SSLEngine on > > SSLCipherSuite > > ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL > > SSLCertificateFile someCrt.crt > > SSLCertificateKeyFile someKey.key > > > > > > But seems the problem remains: Page can't be displayed. I found no > > error in log (maybe I was not able to found). Here attached the log > > when I press upload to upload file. > > > > > > Ken > > > > > > On 4/21/06, Ken Chen <[EMAIL PROTECTED]> wrote: > > > Joe, > > > > > > Do you mind telling me how to apply the patch? Type command as follow? > > > patch -s < .patch > > > > > > Do I need to stop the httpd server? or recompile or anything else? > > > > > > Thanks. > > > > > > > > > On 4/21/06, Ken Chen <[EMAIL PROTECTED]> wrote: > > > > ic. Thanks so much. I will apply that patch and see what is going on > > > > later. > > > > > > > > > > > > On 4/21/06, Joe Orton <[EMAIL PROTECTED]> wrote: > > > > > On Fri, Apr 21, 2006 at 03:19:35PM +0800, Ken Chen wrote: > > > > > > Hi Joe, > > > > > > > > > > > > We are using 2.0.55 already. Is it already include that patch? > > > > > > > > > > No, it will be in 2.0.56 and later. But note this only applies if you > > > > > are using a reverse proxy, and it only affects the application of the > > > > > BrowserMatch statement - if you don't have the BrowserMatch, it has no > > > > > effect. > > > > > > > > > > joe > > > > > __ > > > > > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > > > > > User Support Mailing List modssl-users@modssl.org > > > > > Automated List Manager[EMAIL PROTECTED] > > > > > > > > > > > > > > > > > -- > > > > -- > > > > Ken Chen > > > > > > > > > > > > > -- > > > -- > > > Ken Chen > > > > > > > > > -- > > -- > > Ken Chen > > > > > > > > > -- > -- > Ken Chen > -- -- Ken Chen __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
Re: A SSL scenario (involving multiple SSL-servers)
remove now!BJ Swope <[EMAIL PROTECTED]> wrote: Every item the browser requests, such as images, comes from a unique/distinct connection.So the links to the other web servers will result in independent connections to the other web servers. So you should be good to go. On 4/24/06, Vishwas <[EMAIL PROTECTED]> wrote:Hello there,I have few doubts, the scenario goes as below.Scenario: There are 4 SSL-enabled Apache servers {A1, A2, A3, A4}, all of them independently controlled and have valid certificates. Now, a "user" on A1 designs an
HTML page ( index.html) that refers to images from all the 4 servers. The links to these images are specified in the HTML file using "https://A[1-4]/..."Questions:1. A request for https://A1/~user/index.html comes, The requestor is going to get a SSL connection from A1. And the content from A1 to the browser is flowing through the SSL-tunnel. I think only the files that reside on A1 are going to flow through this tunnel from A1 to the browser!? And the files from A2, A3, and A4 are flowing through separate SSL-tunnels to the browser!? Then the browser shows only one PADLOCK symbol, will it be for A1? YES. Then what about the SSL-connections from A2, A3, and A4? How does browser tells its user about these connections? 2. Or does A1 brings the files from A2, A3, and A4 that referred inside the "index.html" file by the "user" and serves
to the browser?Am confused. Because my understanding was SSL is Secure socket layer, and one cannot tamper with this tunnel. And I used to think, when I ask the browser to open some URL, it opens a connection (by obtaining a socket, say 56789, from underlying OS) to the port 80 of URL server. Now I feel, if the URL page has objects residing on other servers, my browser opens separate sockets (different from 56789) for these objects.!? Please clarify my doubts. Or point me to some guides et al. Thank you for your patience.-- Best Regards, Vishwas.
Yahoo! Messenger with Voice. Make PC-to-Phone Calls to the US (and 30+ countries) for 2¢/min or less.
Re: A SSL scenario (involving multiple SSL-servers)
The first hit is going to be pretty expensive on the client, since it has
to negotiate four different sets of keys. Subsequent requests will be
better, but still take a bit of overhead on the client to decrypt each
connction pseduo-simultaneously.
Perhaps a better plan would have been to create a single (or
high-availability pair using "keepalived") SSL-terminating reverse proxy
that map requests for certain images to standard (http, not https)
webservers on a privately addressed network. This would cut down the
client workload by 75% if you've got four SSL servers. Pound (
http://www.apsis.ch/pound/ ) is a great SSL-terminating reverse proxy
that's very lightweight and fast. I've deployed it often and found it to
be very stable, flexible, and responsive. Even on oldish hardware, it can
terminate upwards of 400 SSL sessions per second... newer hardware would
obviously push that number higher. Additionally, it has a FAR smaller
footprint than say using Apache as proxy.
Kind Regards,
-dsp
> Every item the browser requests, such as images, comes from a
> unique/distinct connection.
>
> So the links to the other web servers will result in independent
> connections
> to the other web servers. So you should be good to go.
>
>
>
> On 4/24/06, Vishwas <[EMAIL PROTECTED]> wrote:
>>
>> Hello there,
>>
>> I have few doubts, the scenario goes as below.
>>
>> Scenario: There are 4 SSL-enabled Apache servers {A1, A2, A3, A4}, all
>> of
>> them independently controlled and have valid certificates. Now, a "user"
>> on
>> A1 designs an HTML page ( index.html) that refers to images from all the
>> 4
>> servers. The links to these images are specified in the HTML file using
>> "
>> https://A[1-4]/...";
>>
>> Questions:
>> 1. A request for
>> https://A1/~user/index.htmlcomes, The
>> requestor is going to get a SSL connection from A1. And the
>> content from A1 to the browser is flowing through the SSL-tunnel. I
>> think
>> only the files that reside on A1 are going to flow through this tunnel
>> from
>> A1 to the browser!? And the files from A2, A3, and A4 are flowing
>> through
>> separate SSL-tunnels to the browser!? Then the browser shows only one
>> PADLOCK symbol, will it be for A1? YES. Then what about the
>> SSL-connections
>> from A2, A3, and A4? How does browser tells its user about these
>> connections?
>>
>> 2. Or does A1 brings the files from A2, A3, and A4 that referred inside
>> the "index.html" file by the "user" and serves to the browser?
>>
>> Am confused. Because my understanding was SSL is Secure socket layer,
>> and
>> one cannot tamper with this tunnel. And I used to think, when I ask the
>> browser to open some URL, it opens a connection (by obtaining a socket,
>> say
>> 56789, from underlying OS) to the port 80 of URL server. Now I feel, if
>> the
>> URL page has objects residing on other servers, my browser opens
>> separate
>> sockets (different from 56789) for these objects.!? Please clarify my
>> doubts. Or point me to some guides et al.
>>
>> Thank you for your patience.
>>
>> --
>> Best Regards,
>> Vishwas.
>>
>
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]
Re: A SSL scenario (involving multiple SSL-servers)
Every item the browser requests, such as images, comes from a unique/distinct connection.
So the links to the other web servers will result in independent
connections to the other web servers. So you should be good to go.
On 4/24/06, Vishwas <[EMAIL PROTECTED]> wrote:
Hello there,I have few doubts, the scenario goes as below.Scenario:
There are 4 SSL-enabled Apache servers {A1, A2, A3, A4}, all of them
independently controlled and have valid certificates. Now, a "user" on
A1 designs an HTML page (
index.html) that refers to images from all the 4 servers. The links to
these images are specified in the HTML file using "https://A[1-4]/..."Questions:1. A request for
https://A1/~user/index.html
comes, The requestor is going to get a SSL connection from A1. And the
content from A1 to the browser is flowing through the SSL-tunnel. I
think only the files that reside on A1 are going to flow through this
tunnel from A1 to the browser!? And the files from A2, A3, and A4 are
flowing through separate SSL-tunnels to the browser!? Then the browser
shows only one PADLOCK symbol, will it be for A1? YES. Then what about
the SSL-connections from A2, A3, and A4? How does browser tells its
user about these connections?
2. Or does A1 brings the files from A2, A3, and A4 that
referred inside the "index.html" file by the "user" and serves to the
browser?Am confused. Because my understanding was SSL is Secure
socket layer, and one cannot tamper with this tunnel. And I used to
think, when I ask the browser to open some URL, it opens a connection
(by obtaining a socket, say 56789, from underlying OS) to the port 80
of URL server. Now I feel, if the URL page has objects residing on
other servers, my browser opens separate sockets (different from 56789)
for these objects.!? Please clarify my doubts. Or point me to some
guides et al.
Thank you for your patience.-- Best Regards,Vishwas.
