RE: Changing Apache

2004-01-03 Thread Toomas Aas
Hi!

> I guess what I'm asking is, in the httpd.conf can I have 1 entry for the
> same virtualhost - one for port 80 and the other for 443?

Yes you can.
--
Toomas Aas | [EMAIL PROTECTED] | http://www.raad.tartu.ee/~toomas/
* Top Secret! Burn before reading!

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Changing Apache

2004-01-02 Thread Matthew Seaman
On Fri, Jan 02, 2004 at 11:10:56AM -0500, Marius Kirschner wrote:
> I currently have Apache 1.3.29 running and want to switch to the Apache
> mod-ssl version. My question is, do I need to deinstall the standard apache
> before building the mod-ssl one from the ports?  And what would be the best
> procedure to minimize the downtime?  Thank you,

Yes, you should de-install apache13 before installing apache13-modssl.
Although it's called mod_ssl, it is actually rather more than just a
dynamically loadable module -- the main apache httpd binary gets
patched to provide the 'EAPI' programming interface.

Best way to minimize downtime is to

a) build apache13-modssl on a scratch box and test your
   configuration there.  Practice installing everything.  Once
   you're pretty certain it's going to work smoothly, and you
   understand how to install certificates and so forth, then:

b) build apache13-modssl -- if you do this on the server it will
   cause the port dependencies to be installed automatically
   (basically that's just the devel/mm port)  

c) Stop the apache13 server and pkg_deinstall it.  

d) Install the pre-built apache13-modssl port

e) Apply your local customizations to your httpd.conf, install web
   content etc.

f) Start the apache13-modssl server: remember it's apachectl
   startssl to have SSL enabled.

If you don't want to build the httpd on the server machine, then build
what packages you need off-line.  Installation procedure will be much
the same as above.  If you have any other 3rd party apache loadable
modules (mod_php4, mod_perl etc.) these will need to be recompiled
against the new apache13-modssl server at stage (d) above.  At some
point running through a round or two of 'pkgdb -Fvu' to sort out
package dependencies is a good idea.  You can also put:

APACHE_PORT=www/apache13-modssl

into /etc/make.conf to make sure that all apache-related ports you
install subsequently will have the correct dependencies.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK




RE: Changing Apache

2004-01-02 Thread Marius Kirschner
Thanks, Matthew, much appreciated.  I assume I'll be able to use my current
httpd.conf file, but just rename it to httpsd.conf?  

Also, if I get a certificate for www.whatever.com will I be able to refer to
it via http:// and https://?

---Marius  




Re: Changing Apache

2004-01-02 Thread Matthew Seaman
On Fri, Jan 02, 2004 at 01:09:17PM -0500, Marius Kirschner wrote:
> Thanks, Matthew, much appreciated.  I assume I'll be able to use my current
> httpd.conf file, but just rename it to httpsd.conf?

No, it's still called httpd.conf.  There's a whole passel of extra
configuration stuff to do with enabling SSL -- take a look at the
default httpd.conf that gets installed by the apache13-modssl port.
 
> Also, if I get a certificate for www.whatever.com will I be able to refer to
> it via http:// and https://?

Well, ish.  When you compile the port, you will be given the option to
generate several flavours of test key.  These will permit the HTTPS
server to work, but visitors will get pop-ups all the time warning
that your site isn't trusted.  You will have to generate a .csr
(Certificate Signing Request) and send it off to one of the CAs to get
it signed by a recognised key, and then everything will work smoothly.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK




RE: Changing Apache

2004-01-02 Thread Marius Kirschner
> > Also, if I get a certificate for www.whatever.com will I be able to
> > refer to it via http:// and https://?
>
> Well, ish.  When you compile the port, you will be given the
> option to generate several flavours of test key.  These will
> permit the HTTPS server to work, but visitors will get
> pop-ups all the time warning that your site isn't trusted.
> You will have to generate a .csr (Certificate Signing
> Request) and send it off to one of the CAs to get it signed
> by a recognised key, and then everything will work smoothly.

Well, I realize I need to get an official certificate to avoid those
annoying pop-ups, but what I'm not sure about is whether I can go with a
cert for www.whatever.com and use that for my https pages, or if I need to
get a cert for something like secure.whatever.com and use that for https
while the www.whatever.com will remain strictly http?

I guess what I'm asking is, in the httpd.conf can I have 1 entry for the
same virtualhost - one for port 80 and the other for 443?

---Marius



Re: Changing Apache

2004-01-02 Thread Matthew Seaman
On Fri, Jan 02, 2004 at 03:03:39PM -0500, Marius Kirschner wrote:
> > > Also, if I get a certificate for www.whatever.com will I be able to
> > > refer to it via http:// and https://?
> >
> > Well, ish.  When you compile the port, you will be given the
> > option to generate several flavours of test key.  These will
> > permit the HTTPS server to work, but visitors will get
> > pop-ups all the time warning that your site isn't trusted.
> > You will have to generate a .csr (Certificate Signing
> > Request) and send it off to one of the CAs to get it signed
> > by a recognised key, and then everything will work smoothly.
>
> Well, I realize I need to get an official certificate to avoid those
> annoying pop-ups, but what I'm not sure about is whether I can go with a
> cert for www.whatever.com and use that for my https pages, or if I need to
> get a cert for something like secure.whatever.com and use that for https
> while the www.whatever.com will remain strictly http?
>
> I guess what I'm asking is, in the httpd.conf can I have 1 entry for the
> same virtualhost - one for port 80 and the other for 443?

Yes, you can have both http://www.example.com/ and
https://www.example.com/ simultaneously on the same server -- these
can have entirely separate content or can have exactly the same.

Or you can have separate virtual hosts with distinct names for HTTP
and HTTPS services.  Just make sure that the DN (Distinguished Name)
in the certificate you generate matches whatever you call your HTTPS
server.

Also, if you need more than one HTTPS virtual host on your machine, be
aware that you will need a separate IP for each HTTPS vhost.  (It's a
catch 22 -- with Name Virtual Hosts the appropriate virtual host name
is selected using a field in the HTTP packet, but with HTTPS you need
to know which vhost the packet is intended for so that you can decode
it and work out which vhost the packet is for...)

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK
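
The layout described in this reply, as an added example that is not part of the original thread: a small Python check over a constructed httpd.conf fragment that reports which names are served on both HTTP and HTTPS and which SSL vhosts share one address and so hit the catch-22 above. The host names, the 192.0.2.10 address, the certificate paths and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
# Constructed httpd.conf fragment; names, address and paths are placeholders.
# <IfDefine SSL> sections are active only when httpd runs with -DSSL (apachectl startssl).
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:80>
    ServerName www.example.com
</VirtualHost>
<IfDefine SSL>
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /usr/local/etc/apache/ssl.crt/www.example.com.crt
    SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/www.example.com.key
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName secure.example.com
    SSLEngine on
</VirtualHost>
</IfDefine>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return (address, server_name, ssl_enabled) for each <VirtualHost> block."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        ssl = re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I)
        vhosts.append((addr.strip(), name.group(1) if name else "(unnamed)", bool(ssl)))
    return vhosts

def ssl_address_conflicts(conf):
    """Map each address:port to the SSL vhost names sharing it, when more than one."""
    by_addr = defaultdict(set)
    for addr, name, ssl in parse_vhosts(conf):
        if ssl:
            by_addr[addr].add(name)
    return {a: sorted(n) for a, n in by_addr.items() if len(n) > 1}

def dual_protocol_names(conf):
    """Names that have both a plain vhost and an SSL vhost (ports 80 and 443)."""
    vhosts = parse_vhosts(conf)
    plain = {n for _, n, ssl in vhosts if not ssl}
    return sorted({n for _, n, ssl in vhosts if ssl and n in plain})

if __name__ == "__main__":
    print("HTTP+HTTPS names:", dual_protocol_names(SAMPLE_CONF))
    print("SSL vhosts sharing an address:", ssl_address_conflicts(SAMPLE_CONF))
```

The check models the Apache 1.3 behaviour described in the message; servers and clients that support TLS Server Name Indication no longer need one address per HTTPS vhost.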

