Re: [users@httpd] How to auto-select SSL certificate by hostname

2018-09-12 Thread Yehuda Katz
There is no built-in way to handle this. You would need to list every
domain name as a server alias for HTTPD to select the correct certificate.
You could look at mod_macro so you don't need to rewrite the same
configuration multiple times or a configuration management tool like
Puppet/Chef/etc that can just take a list and create the config.
Alternatively, you could set up haproxy in front of HTTPD since it searches
a directory for all certificates.

- Y

Sent from a device with a very small keyboard and hyperactive autocorrect.

On Wed, Sep 12, 2018, 2:51 PM  wrote:

> I am trying to configure a server that has the singular purpose of
> redirecting https://anyhost.com to https://www.anyhost.com. Without SSL,
> this is trivial: create a single configuration that uses Rewrite to
> redirect to www.{%HOST}.
>
> Bringing SSL into it complicates things however. We’ll be doing redirects
> for 1000+ domains, so managing hostname --> certificate mappings with
> VHosts is a challenge. We can fit 100 names on each certificate, so we’ll
> need to handle at minimum 10 certificates.
>
> From my reading of the documentation, each VHost can only be configured
> for a single certificate. Is there any method, with or without the use of a
> module, for having a single configuration that can serve the appropriate
> certificate automatically?
>
> The behavior I’m attempting to emulate is available on Amazon Application
> Load Balancers. Multiple certificates can be added to a single ALB, and it
> examines the Host header to determine which certificate is appropriate with
> zero configuration of any domain-certificate mapping.
>
> Craig Menning
> BubbleUp.net
> cr...@bubbleup.net
> O: (832) 585-0709
> C: (713) 568-5355
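
Yehuda's suggestion, one vhost per certificate with every covered name listed as a ServerAlias, is mechanical enough to generate. The script below is an added example (not code from the thread or from the httpd project) that takes a certificate-to-hostnames list and emits the vhost stanzas after validating the list; every path and domain name in it is a constructed sample. It also adds two things a practitioner wants on a redirect-only host: a catch-all first vhost with no redirect, so a Host header that matches no listed name is never echoed into a Location header, and SSLStrictSNIVHostCheck so clients that send no SNI are refused rather than handed the default certificate.

```python
"""Generate httpd SNI virtual hosts for a redirect-only server.

Added example, not code from the thread or from httpd. Input is a list of
certificate bundles with the hostnames each certificate covers (in practice,
its subjectAltName entries). Paths and names are constructed samples."""

from typing import Dict, List

# Constructed sample input (hypothetical paths and domains).
SAMPLE_BUNDLES = [
    {"cert": "/etc/httpd/tls/bundle-01.crt", "key": "/etc/httpd/tls/bundle-01.key",
     "names": ["example.com", "Example.net", "example.org."]},
    {"cert": "/etc/httpd/tls/bundle-02.crt", "key": "/etc/httpd/tls/bundle-02.key",
     "names": ["example.co.uk", "example.io"]},
]


def normalise(name: str) -> str:
    """Lower-case and drop a trailing dot so config, SNI and Host compare equal."""
    return name.strip().lower().rstrip(".")


def check_bundles(bundles: List[dict]) -> Dict[str, str]:
    """Map each hostname to the certificate that serves it.

    Rejects input that would make httpd's name-based selection ambiguous or
    pointless: a name under two certificates, a bundle with no names, or a
    www. name (this server only redirects apex names to their www form)."""
    owner: Dict[str, str] = {}
    for b in bundles:
        names = [normalise(n) for n in b["names"]]
        if not names:
            raise ValueError(f"{b['cert']}: no hostnames")
        for n in names:
            if n.startswith("www."):
                raise ValueError(f"{n}: apex names only, www. names are the redirect target")
            if n in owner and owner[n] != b["cert"]:
                raise ValueError(f"{n}: covered by both {owner[n]} and {b['cert']}")
            owner[n] = b["cert"]
    return owner


def default_vhost(bundle: dict) -> str:
    """Catch-all for requests whose name matches no ServerName/ServerAlias.

    It carries no redirect, so an unknown Host header is never copied into a
    Location header, and it refuses clients that send no SNI at all."""
    return "\n".join([
        "<VirtualHost *:443>",
        "    # first vhost for this address:port = httpd's default vhost",
        "    ServerName default.invalid",
        "    SSLEngine on",
        f"    SSLCertificateFile {bundle['cert']}",
        f"    SSLCertificateKeyFile {bundle['key']}",
        "    SSLStrictSNIVHostCheck on",
        "    <Location />",
        "        Require all denied",
        "    </Location>",
        "</VirtualHost>",
    ])


def redirect_vhost(bundle: dict) -> str:
    """One vhost per certificate. ServerName/ServerAlias drive SNI and Host
    selection, so only names on this certificate ever reach the redirect."""
    names = [normalise(n) for n in bundle["names"]]
    lines = ["<VirtualHost *:443>", f"    ServerName {names[0]}"]
    lines += [f"    ServerAlias {n}" for n in names[1:]]
    lines += [
        "    SSLEngine on",
        f"    SSLCertificateFile {bundle['cert']}",
        f"    SSLCertificateKeyFile {bundle['key']}",
        "    RewriteEngine on",
        "    RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]",
        "</VirtualHost>",
    ]
    return "\n".join(lines)


def render_config(bundles: List[dict]) -> str:
    """Validate, then emit the default vhost first and one vhost per certificate."""
    check_bundles(bundles)
    blocks = [default_vhost(bundles[0])] + [redirect_vhost(b) for b in bundles]
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(render_config(SAMPLE_BUNDLES))
```

Run it and drop the output into a file your httpd.conf Includes. The validation step matters more than it looks: a name that slips onto two certificates would otherwise be served by whichever vhost httpd finds first, and nothing in the server would tell you.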


[users@httpd] How to auto-select SSL certificate by hostname

2018-09-12 Thread craig
I am trying to configure a server that has the singular purpose of
redirecting https://anyhost.com to https://www.anyhost.com. Without SSL,
this is trivial: create a single configuration that uses Rewrite to redirect
to www.{%HOST}.

Bringing SSL into it complicates things however. We'll be doing redirects
for 1000+ domains, so managing hostname --> certificate mappings with VHosts
is a challenge. We can fit 100 names on each certificate, so we'll need to
handle at minimum 10 certificates.

From my reading of the documentation, each VHost can only be configured for
a single certificate. Is there any method, with or without the use of a
module, for having a single configuration that can serve the appropriate
certificate automatically?

The behavior I'm attempting to emulate is available on Amazon Application
Load Balancers. Multiple certificates can be added to a single ALB, and it
examines the Host header to determine which certificate is appropriate with
zero configuration of any domain-certificate mapping.

Craig Menning
BubbleUp.net
cr...@bubbleup.net
O: (832) 585-0709
C: (713) 568-5355


Re: [users@httpd] Re: Non Blocking write in apache

2018-09-12 Thread Yann Ylavic
On Wed, Sep 12, 2018 at 12:48 PM Hemant Chaudhary wrote:
>
> Actually it is setting sock->timeout to 0 in writev_nonblocking() in 
> core_filters.c.
> arv = apr_socket_timeout_set(s, 0);
>
> Why is the default timeout changed and set to 0?

Because writev_nonblocking() is really non-blocking and should return
EAGAIN/EWOULDBLOCK when things start to block.
But writev_nonblocking() is a local function, called (indirectly) by
the core output filter which deals with EAGAIN appropriately.

Why is it an issue for mod_proxy_http? EAGAIN remains local to the
core filtering, and in any case mod_proxy_http always passes a FLUSH
bucket at the end of the body, so everything should be fine at the
core filter level...


Regards,
Yann.




Re: [users@httpd] How to avoid plain password in mod_ldap

2018-09-12 Thread Gillis J. de Nijs
The documentation states that you can use an executable to return the
password.  Since the password is read on server startup, you could make
that script owned by root and give it rx permissions for root only.  That
should make sure no one (except root) can read your password.

https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#authldapbindpassword

On Wed, Sep 12, 2018 at 2:00 PM, Rathore, Rajendra wrote:

> There is a plain password stored in mod_ldap. Is there any way to encrypt
> the password?
>
> Like: AuthLDAPBindPassword password
>
>
>
> Thanks and Regards,
>
> Rajendra Rathore
>
> 9922701491
>
>
>
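
What the exec: form of AuthLDAPBindPassword buys you is that the secret need not sit in httpd.conf at all. The helper below is an added example (not from the thread or from the httpd project) of a program to put behind AuthLDAPBindPassword "exec:/usr/local/sbin/ldap-bind-pw"; the install path and the secret-file path are hypothetical. It prints the first line of a root-only file and nothing else on stdout, and refuses to print anything if that file is group- or world-readable, so a loosened permission bit fails loudly at startup instead of quietly widening who can read the bind credential.

```shell
#!/bin/sh
# Added example, not httpd code. Intended install: /usr/local/sbin/ldap-bind-pw,
# mode 0700, owner root, referenced from httpd.conf as
#   AuthLDAPBindPassword "exec:/usr/local/sbin/ldap-bind-pw"
# httpd runs it once at startup, as root, and uses its stdout as the password.

# ldap_bind_password [FILE]
# Print the secret stored in FILE (default: a hypothetical /etc/httpd path)
# with no trailing newline, but only if FILE is a regular file whose
# group/other permission bits are all clear. Errors go to stderr, which httpd
# logs, so a misconfiguration is visible rather than silent.
ldap_bind_password() {
    secret="${1:-/etc/httpd/ldap-bind.secret}"
    if [ ! -f "$secret" ]; then
        echo "ldap-bind-pw: $secret is missing or not a regular file" >&2
        return 1
    fi
    # Octal mode; GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$secret" 2>/dev/null || stat -f '%Lp' "$secret")
    case "$mode" in
        *00) ;;   # 600, 400, 700, 1600...: nobody but the owner can read it
        *)  echo "ldap-bind-pw: $secret has mode $mode, expected 0600" >&2
            return 1 ;;
    esac
    # First line only; tolerate a file written without a trailing newline.
    pw=""
    IFS= read -r pw < "$secret" || :
    if [ -z "$pw" ]; then
        echo "ldap-bind-pw: $secret is empty" >&2
        return 1
    fi
    printf '%s' "$pw"
}

# Only act as the password program when installed under that name, so the
# function can also be sourced and exercised without printing a real secret.
case "$0" in
    */ldap-bind-pw) ldap_bind_password "$@" ;;
esac
```

Pair it with a 0600 secret file owned by root. Because httpd runs the program before it forks the children that serve requests, those children never hold the file open. The same hook can call out to a secrets manager instead of reading a file, which is the point at which this stops being merely "a root-only file instead of a root-only httpd.conf".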


[users@httpd] How to avoid plain password in mod_ldap

2018-09-12 Thread Rathore, Rajendra
There is a plain password stored in mod_ldap. Is there any way to encrypt the
password?
Like: AuthLDAPBindPassword password

Thanks and Regards,
Rajendra Rathore
9922701491



[users@httpd] Re: Non Blocking write in apache

2018-09-12 Thread Hemant Chaudhary
Hi All,

Actually it is setting sock->timeout to 0 in writev_nonblocking() in
core_filters.c.
arv = apr_socket_timeout_set(s, 0);

Why is the default timeout changed and set to 0?
Thanks
Hemant

On Wed, Sep 12, 2018 at 4:03 PM Hemant Chaudhary <hemantdude.chaudh...@gmail.com> wrote:

> Hi All,
>
> I am using proxy_http to proxy my request to tomcat from apache. But in
> non-blocking call it is not working properly(timeout issue). I am using the
> default timeout i:e 60 sec.
>
> When writev returns -1 with errorno==4101, it should wait and then try the
> write again. Code snippet from sendrecv.c:
>
> while ((rv == -1) && (errno == EAGAIN || errno == EWOULDBLOCK)
>        && (sock->timeout > 0))
>
> In debugging I have checked that sock->timeout is equal to 0. Therefore
> this condition fails and the request fails.
>
> When the default timeout is 60 sec, why does sock->timeout become 0?
>
> On further debugging, I came to know the reqtimeout_eor function is
> setting timeout to 0.
>
> static apr_status_t reqtimeout_eor(ap_filter_t *f, apr_bucket_brigade *bb)
> {
>     if (!APR_BRIGADE_EMPTY(bb) && AP_BUCKET_IS_EOR(APR_BRIGADE_LAST(bb))) {
>         reqtimeout_con_cfg *ccfg = f->ctx;
>         ccfg->timeout_at = 0;
>     }
>     return ap_pass_brigade(f->next, bb);
> }
>
> I am not able to understand why this function is setting to 0.
>
> Can somebody help me to understand the issue ?
>
> Thanks
> Hemant
>
>
>


[users@httpd] Non Blocking write in apache

2018-09-12 Thread Hemant Chaudhary
Hi All,

I am using proxy_http to proxy my request to tomcat from apache. But in
non-blocking call it is not working properly(timeout issue). I am using the
default timeout i:e 60 sec.

When writev returns -1 with errorno==4101, it should wait and then try the
write again. Code snippet from sendrecv.c:

while ((rv == -1) && (errno == EAGAIN || errno == EWOULDBLOCK)
       && (sock->timeout > 0))

In debugging I have checked that sock->timeout is equal to 0. Therefore
this condition fails and the request fails.

When the default timeout is 60 sec, why does sock->timeout become 0?

On further debugging, I came to know the reqtimeout_eor function is setting
timeout to 0.

static apr_status_t reqtimeout_eor(ap_filter_t *f, apr_bucket_brigade *bb)
{
    if (!APR_BRIGADE_EMPTY(bb) && AP_BUCKET_IS_EOR(APR_BRIGADE_LAST(bb))) {
        reqtimeout_con_cfg *ccfg = f->ctx;
        ccfg->timeout_at = 0;
    }
    return ap_pass_brigade(f->next, bb);
}

I am not able to understand why this function is setting to 0.

Can somebody help me to understand the issue ?

Thanks
Hemant