Re: More SSL hosts in one ssl.conf

2007-02-25 Thread Michael Pacey
On Sun, 2007-02-25 at 18:39 +0100, Julius Thyssen wrote:
> On 2/25/07, Michael Pacey <[EMAIL PROTECTED]> wrote:
> > By configuring the new IP address to the machine,
> 
> That is already the case. I only have to open a port in iptables.
> 
> > adding a Listen directive for the new IP address and port (443), and adding
> > a new virtual host for that IP address and port.
> 
> Yes, I found out about that, but in executing this there are
> no real-life examples I could see, so how does that actually look
> in ssl.conf and httpd.conf ?
> Since httpd.conf has the "*:80" host entries, and ssl.conf has a
> "_default_:443" entry,
> what changes to them? Nothing? Can I just add those and not worry
> about the rest?
> So that I add
> 
> Listen xxx.xxx.xxx.xx2:80
> 
> 
> 
> to httpd.conf and
> 
> Listen xxx.xxx.xxx.xx2:443
> 
> 
> to ssl.conf?

Yes.

> The other hosts it listens to are "_default_" and "*", so
> how does the server know it's on the right IP-address
> for the existing hosts ?


Right, why do you have *:80 when you said it is only using one IP
address just now? You should just change this to the first IP address:

NameVirtualHost xxx.xxx.xxx.xx1:80

and then you won't have an issue. From the Apache documentation:

"The special name _default_ can be specified in which case this virtual
host will match any IP address that is not explicitly listed in another
virtual host."

So if you specify the new IP address in your new SSL virtual host, it
won't conflict.
--
Michael

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Re: More SSL hosts in one ssl.conf

2007-02-25 Thread Michael Pacey
On Sun, 2007-02-25 at 15:31 +0100, Julius Thyssen wrote:
> HI,
> 
> I have a VPS listening to 2 different public IP-addresses.
> For ALL http and an https virtual host requests it currently listens to
> only 1 IP
> 
> The  ssl.conf  therefore has
> 
>  Listen xxx.xxx.xxx.xx1:443
>  Listen xxx.xxx.xxx.xx1:81
> 
>  
> 
> in it.  And  httpd.conf  therefore has
> 
>  Listen xxx.xxx.xxx.xx1:80
> 
>  NameVirtualHost *:80
> 
>  
> 
> I'd like to run another SSL host, on the other IP-address, mainly
> because I want to use a different name and document root for it.
> This host has a name not existing for the other IP-hosts, and
> the new/extra host needs only SSL, and will not need a port 80 one,
> although auto-rewrite to the https would be nice for it.
> (I have this for the existing hosts and aliases, so I know how to do that.)
> 
> How does one best accomplish this?
> 

By configuring the new IP address to the machine, adding a Listen
directive for the new IP address and port (443), and adding a new
virtual host for that IP address and port. A rewrite or redirect from
http to https must be handled within a non-SSL virtual host so you would
need to create another virtual host for the new IP address on port 80
and have the appropriate directives within that.

> I've looked really hard, but could not find info on this,
> my guess is not many servers *can* listen to 2 different IPs.

Apache can and it is very common.

> I've been considering constructing something where a different
> document root would be used with a certain name request, through rewrite,
> and then the other hostname would be an alias of the main ones,
> but that seemed overly complex since I do have the other IP I can use.

Don't really understand what you're getting at here... if you mean using
name based virtual hosting with SSL, you can't do that because Apache
selects the appropriate NBVH by looking at the Host header, but it can't
see the Host header until it's decrypted the SSL traffic, and it can't
decrypt the SSL traffic until it knows what SSL key to use, and it only
knows that once it knows which virtual host to use because that's where
it's configured. And it can't tell which virtual host to use until it
reads the Host header. This is in the FAQ.

> Thanks in advance for any advice on this.
> 
> 
> Julius

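Putting the two replies in this thread together, this is what the resulting httpd.conf and ssl.conf fragments could look like. It is an added illustration, not configuration posted by anyone in the thread: the 192.0.2.x addresses stand in for the poster's xx1/xx2 placeholders, and the hostnames, document roots and certificate paths are invented.

```apache
# --- httpd.conf: plain-HTTP side ---
Listen 192.0.2.1:80
Listen 192.0.2.2:80

# Name-based hosting is tied to the first address only, not "*:80".
# (Apache 2.0/2.2 syntax; 2.4 ignores NameVirtualHost and infers this
# from the <VirtualHost> arguments.)
NameVirtualHost 192.0.2.1:80

<VirtualHost 192.0.2.1:80>
    ServerName   www.old.example
    DocumentRoot /var/www/old
</VirtualHost>

# Port-80 side of the new host. It is SSL-only, so this block exists
# purely to redirect; a redirect to https has to live in a non-SSL vhost.
<VirtualHost 192.0.2.2:80>
    ServerName www.new.example
    Redirect permanent / https://www.new.example/
</VirtualHost>

# --- ssl.conf: SSL side ---
Listen 192.0.2.1:443
Listen 192.0.2.2:443

# The existing host keeps _default_:443. _default_ matches any address
# that is not explicitly named in another <VirtualHost>, so it stops
# catching 192.0.2.2 as soon as the block below is present.
<VirtualHost _default_:443>
    ServerName            www.old.example
    DocumentRoot          /var/www/old
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/old.crt
    SSLCertificateKeyFile /etc/ssl/private/old.key
</VirtualHost>

# The new host is bound to its own address:port, so Apache knows which
# certificate to present before it could ever read a Host header.
# Two SSL vhosts sharing one address:port would instead produce the
# "_default_ VirtualHost overlap on port 443" warning and the first
# one would win for every connection.
<VirtualHost 192.0.2.2:443>
    ServerName            www.new.example
    DocumentRoot          /var/www/new
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/new.crt
    SSLCertificateKeyFile /etc/ssl/private/new.key
</VirtualHost>
```

After editing, `apachectl -S` prints the parsed Listen and VirtualHost layout, which is also the quickest way to spot the duplicate `_default_:443` overlap described in the "unload mod_ssl" message further down this page.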

Re: Howto "unload" the mod_ssl from memory?

2006-11-05 Thread Michael Pacey
This:
module ssl_module is already loaded, skipping

means you have LoadModule ssl_module specified twice in your apache
configuration.

This:
_default_ VirtualHost overlap on port 443, the first has precedence

means you have two virtual hosts defined in your configuration which
conflict because they want to use the same socket (IP address/port
pair).

When you move ssl_conf out of the way, SSL still works because you must
have LoadModule ssl_module and an SSL virtual host defined in another
config file. Look through your config files and find the offending
duplicate entries.

What's probably happening is your Apache distribution already has SSL
configured, and when you've followed the SSL howto you've duplicated the
steps required to enable SSL.

That's my tuppence worth anyway. Hope it helps.

--
Michael




Re: Having modssl run on different ports, is this even possible?

2006-10-11 Thread Michael Pacey
On Wed, 2006-10-11 at 14:31 -0700, Yvo van Doorn wrote:
> I am running Apache2 with the included mod_ssl module, I figure this is a
> good place to start, but if it belongs on the apache httpd mailing
> list you can bluntly tell me.
> 
> The servers I administer run in an environment that is pretty painful,
> but common, I hear. Another team at corporate headquarters administers
> the firewall and what they are planning to do is as follows. I have no
> control over the firewall whatsoever. 
> 
> Any port 80 (http) request sent to the firewall for domain
> www.example.com will be then rerouted to an internal IP, such as
> 172.16.15.102 (behind the firewall), on port 8000. Thus I have apache
> listening on port 8000. 
> 
> Any port 443 (https) request sent to the firewall for domain
> www.example.com will be then rerouted to an internal IP, such as
> 172.16.15.102 (behind the firewall), on port 9000. I want to have
> mod_ssl listening on port 9000, is this possible?
> 
> Should a virtualhost entry just work such as <VirtualHost 172.16.15.102:9000>
> and have the usual items such as SSLEngine, SSLCertificateFile,
> SSLCertificateKeyFile, etc?

Yes that should work. Make sure you have your ports in the Listen
directive.



Re: Encripted page would not load into IE

2006-10-10 Thread Michael Pacey
Hmmm, sorry I'm not an IE expert but it sounds like you are at least on
the right track. Maybe check on an IE list or forum?

BB said:
> Sorry, my mistake. The CA shows up in the list, but I still get the same
> error.
>
>> I tried also to install the certificate of the CA in the Trusted Root
>> Certification Authorities folder. It says Import Successful, but my CA
>> doesn't show up in the list.
>>
>> Any hints?
>>
>>> Apparently, it's something wrong with the certificates, as IE Watch
>>> gets:
>>>
>>> ERROR_INTERNET_SEC_INVALID_CERT
>>>
>>> What could this be? Firefox works just fine with these certs.
>>> Additionally, pop3s and imaps from Dovecot work fine with the same
>>> certs, even with MS Outlook and Outlook Express clients.
>>>
>>> It's a self created CA, with self signed certificates.
>>>
>>> Any suggestions for what should I check further?
>>>
>>> Thank you in advance!
>>>
>>> BBR
>>>
>>>
>>>> BB said:
>>>>> I made the tests with IE from at least 4 different computers, located
>>>>> in networks from 3 different ISP's.
>>>>>
>>>>> Yes, the connection is done, because it shows up instantly with
>>>>> tail -f /var/log/apache/ssl_engine_log
>>>>>
>>>>>
>>>>
>>>> Sounds weird. You could try installing an HTTP capture tool like IE
>>>> Watch and seeing if that gives any useful info.
>>>>
>>>> --
>>>> Michael Pacey
>>>>


-- 
Michael Pacey



Re: Encripted page would not load into IE

2006-10-06 Thread Michael Pacey

BB said:
> I made the tests with IE from at least 4 different computers, located in
> networks from 3 different ISP's.
>
> Yes, the connection is done, because it shows up instantly with
> tail -f /var/log/apache/ssl_engine_log
>
>

Sounds weird. You could try installing an HTTP capture tool like IE Watch
and seeing if that gives any useful info.

-- 
Michael Pacey



Re: Encripted page would not load into IE

2006-10-06 Thread Michael Pacey
BB said:
> Hello,
>
> I am running Apache 1.3.37 and openssl 0.9.8b from Slackware-current
> packages. I set up a https virtual host that listens on the default
> address.
>
> My problem is that the encrypted pages don't load in IE 6. They are
> working just fine in Firefox.


I've never seen anything like this. Apologies if I'm insulting your
intelligence but have you checked you don't have some strange proxy
settings in IE that could be causing this? Have you tried doing a netstat
on the server (or client) to prove that you are in fact making a TCP
connection? If you're not, it's not an Apache or mod_ssl issue.

-- 
Michael Pacey



Re: Detecting if https is used from within a .conf file

2006-10-03 Thread Michael Pacey

Toomas Aas said:

> I was thinking of putting this large block of directives into separate
> file and Include it in both vhost sections, to tidy up my main config
> file. But in order to do that, I would need to define some logic in this
> file for those cases where http and https need to be handled separately.
> I was certain that such possibility exists, but I'm starting to have
> some doubts now. Any advice?
>
> Using Apache 2.0.53.


I don't think you can put runtime logic into the configuration, but why not
just put the common stuff in the included file and the protocol-specific
stuff in the virtual host sections?

--
Michael Pacey



RE: http to https forward

2002-07-24 Thread Michael Pacey

Quoting David Iungerich <[EMAIL PROTECTED]>:

> yes, that is correct.  I meant http to https.  So, there is no way to
> do this with existing mods?  I have to use something else?  Java or
> Python program?  Anyone already have anything?
> 

I couldn't find anything to do this besides the two proprietary programs I
mentioned before. My impression is this is a big hole in the open-source
toolkit, and proprietary software is going to fill it if someone more capable
than me doesn't fix things...

I see this sort of thing being a requirement for more and more big companies who
have established functional ecommerce infrastructures but need to start worrying
about security for all sorts of reasons including regulatory requirements
(especially secure comms between internal networks and DMZ). I'm not saying
there's any law requiring specifically this but big financial companies are
legally bound to protect data and they like to cover their bottoms.

I searched Freshmeat and Sourceforge. I found things that you can wrap http
servers in to make them look like https servers to the outside world but that is
the opposite of what you (and I) want to achieve.


--
Web: http://sydb.dyndns.org
ICQ: 152392113 (New to ICQ? http://www.mirabilis.com)
IRC: #sydb on EFnet (New to IRC? http://www.irchelp.org)



Re: http to https forward

2002-07-24 Thread Michael Pacey

Quoting David Iungerich <[EMAIL PROTECTED]>:

> I need to implement Apache as an https to http forwarder.  I believe I
> need to use ProxyPass or Redirect, but am having difficulty figuring out
> the correct configuration.


Just to clarify, I think you mean http to https forwarder, as in your subject;
Apache forwards https to http without any problems.

But for http to https, your problem isn't configuration; Apache+mod_ssl doesn't
have the code for initiation of HTTPS connections. I've looked!

Everybody told me it wouldn't work, I didn't believe them, I couldn't make it
work, I read the code, it's not there!

The only product I know of that might be able to do this is IBM EdgeServer, and
possibly Netscape. Have to say I don't like EdgeServer and I have no experience
of Netscape.

Is there no-one around who'd like to code this? There are quite a few people who
want to use Apache to initiate HTTPS connections. I don't have the time / coding
skills.
--
Web: http://sydb.dyndns.org
ICQ: 152392113 (New to ICQ? http://www.mirabilis.com)
IRC: #sydb on EFnet (New to IRC? http://www.irchelp.org)



RE: Reverse Proxy https question

2002-06-27 Thread Michael Pacey

Quoting Michael Pacey <[EMAIL PROTECTED]>:

> Furthermore Apache cannot act as an initiator of SSL connections; I've
> spent many many hours testing this and everybody I've asked has said the
> same. I'd look at the code but I have no reason to believe there's any
> there to do this.

I've looked at the code. I couldn't find any SSL client code.

--
Web: http://sydb.dyndns.org
ICQ: 152392113 (New to ICQ? http://www.mirabilis.com)
IRC: #sydb on EFnet (New to IRC? http://www.irchelp.org)



RE: Reverse Proxy https question

2002-06-27 Thread Michael Pacey

Quoting David Marshall <[EMAIL PROTECTED]>:

> I did not believe that the packet headers had enough information for
> Apache to determine what to do. So, it must decrypt the message with the
> certificate. 


That's right. For Apache to accept an SSL connection as a reverse proxy it must
decode it. What Michael wants is a generic TCP proxy.

Think of it this way. When you configure Apache to accept SSL you have to
configure it with an SSL certificate. Why? So it can authenticate and
subsequently decrypt the packets.

Furthermore Apache cannot act as an initiator of SSL connections; I've spent
many many hours testing this and everybody I've asked has said the same. I'd
look at the code but I have no reason to believe there's any there to do this.

The only way Apache can act as an SSL proxy is using the CONNECT method as a
forward proxy. This is not what he is looking for.

Squid can't do this either. Nor can Apache derived servers like IBM HTTPServer
or Stronghold.

I shouldn't think it would be all that hard to modify Apache to do it. However I
don't see the point when what you are doing is emulating a TCP proxy. Unless you
want caching or content based routing.

There are many generic TCP proxies. Look on Freshmeat or Sourceforge; or your
average firewall like Firewall-1 can do this.

IBM Edgeserver (the Caching Proxy component) has this capability too.

But there are many possible scenarios and requirements; for some there is no one
product to do the job.


