Re: [freebsd-questions] Best way to add SSL to Apache 1.3.37

[Patrick Baldwin]

Olivier Nicole wrote:


[snip]


configuration?  If both options are possible, is one better than the
other?  I'd prefer not to have to re-do my apache install, but if
there's some compelling reason I should, I'm interested in knowing it.



You would have to modify the httpd.conf to activate SSL anyway.

Have you a lot of things in the config yet?


Just what I needed to get our webmail server running.  Initially
tried Horde, but ended up running into some problems with that,
now trying Squirrelmail.


Also, when I've got it, I want users to have the option to use it,
not be forced to (tinkering with a Squirrelmail webmail server here), so
any information on that would be more than welcome.



Any reason why you don't want to force your user to go SSL. They will
be exchanging password over the network, better it is crypted, don't
you think?



Yes, absolutely, that's why I want the option to use SSL.  However,
we have some users that travel a lot, and sometime they absolutely
need to be able to get to their email.   SSL introduces another layer
of complexity, and thus possibility for failure, into checking their
email.  While I prefer the security of SSL, if it's a choice between
no email access for our travellers and access without SSL, my boss
has been pretty clear that access, however it's achieved, is the key
issue.


If it is a matter of not purchasing a certificate, you can put up a
page on the way to install the certificate once for all so the users
are not requested again to accept the certificate.



While that's not really the issue for me, I'm interested in this idea
anyway, as it saves some money and keeps us a little more self 
sufficient.  If you'd care to explain this in further detail, or

just point me at a doc somewhere that does, it would be much
appreciated.


Usual configuration of Apache normally allows you to set-up two
servers, one on port 80 that is not crypted and one on port 443 that
is using SSL. Both services can share the same web pages, giving acces
both with and without SSL.


I guess now I need to hit Google and find out how to do this on FreeBSD,
as it sounds just like what I want, thanks!


Regards,

--
Patrick Baldwin
Systems Administrator
Studsvik Scandpower, Inc.
1087 Beacon St.
Newton, MA 02459
1-617-965-7455

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: [freebsd-questions] Best way to add SSL to Apache 1.3.37

[Patrick Baldwin]

Norberto Meijome wrote:


On Thu, 07 Jun 2007 12:03:31 -0400
Patrick Baldwin <[EMAIL PROTECTED]> wrote:



Hi, I'm running 6.2-RELEASE-p4, and Apache 1.3.37.  I'd like to
add SSL support, but I'm not sure of the best way to go about it.




may I ask why are you using Apache 1.3.x ? I think Apache 2 has shown itself to
be pretty good and reliable by now



Using 1.3.x because I'm trying to set up a webmail server, and most of 
the docs I could find were written with 1.3.x in mind.  Also, I'm more

familiar with 1.3.x


In:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-apache.html

Specifically section 27.7.5.1, it mentions you can add ssl support with 
mod_ssl, but I don't see it in my ports tree.


I also found this:
http://www.bsdguides.org/guides/freebsd/webserver/apache_ssl_php_mysql.php

Which seems to suggest that I'd need to have installed the apache
port /usr/ports/www/apache13-modssl instead of the package apache-1.3.37_3.



Indeed.




So, do I need to remove the apache-1.3.37_3 package (presumably with
pkg_delete, as I think that's the cleanest way, please correct me if I'm 
wrong),



pkg_deinstall apache-1.3*



Excellent, thanks.  I hadn't seen pkg_deinstall before, but checking
out the man page seems to suggest I really should have been using
it instead of pkg_delete; understanding wildcards and being able
to recurse through dependencies seems very helpful.


and re-install from the apache13-modssl port, or is there in
fact some way to just get mod_ssl and add to my existing Apache 
configuration?  



There may be, i haven't touched the 1.3 apache stuff for several years. If you
install www/apache22, it builds the SSL components by default.



If both options are possible, is one better than the
other?  



You cannot have, by default (ie, withouth tinkering and knowing what you are
doing) both apache13 and apache13-mod_ssl. they are listed conflicts.( in the
Makefile for the port, search for the CONFLICTS line)



OK, I saw that, and then went and checked it for apache2:

webmail# pwd
/usr/ports/www/apache22
webmail# cat Makefile | grep CONFLICTS
CONFLICTS=  apache+mod_ssl-1.* apache+mod_ssl+ipv6-1.* 
apache+mod_ssl+modsnmp-1.* \

CONFLICTS+= apr-1.*


This seems to me that I can have apache13 (without any SSL) and
apache22 both installed, which would be great for me as I could
work on building an SSL capable webmail server while users can
still use the old webmail while the new one is in progress.


I'd prefer not to have to re-do my apache install, but if
there's some compelling reason I should, I'm interested in knowing it.



if you want ssl... 




Then I'm going to need to re-do apache some way, whether it be
re-install and add SSL support to apache13, or move to apache22,
got it.


Also, when I've got it, I want users to have the option to use it,
not be forced to (tinkering with a Squirrelmail webmail server here), so
any information on that would be more than welcome.



Not sure what you mean by this. Your users will use HTTPS if they so request
it, or HTTP if they point it to http://yourserver/



I want my users to have the option to use SSL, but if they're having 
problems with it (browser issues, etc.) I still want them to be able

to read their email, as sometime it's absolutely essential that they
be able to keep up with email while on the road.

--
Patrick Baldwin
Systems Administrator
Studsvik Scandpower, Inc.
1087 Beacon St.
Newton, MA 02459
1-617-965-7455

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: [freebsd-questions] Best way to add SSL to Apache 1.3.37

[Olivier Nicole]

> Which seems to suggest that I'd need to have installed the apache
> port /usr/ports/www/apache13-modssl instead of the package apache-1.3.37_3.

Right.

> So, do I need to remove the apache-1.3.37_3 package (presumably with
> pkg_delete, as I think that's the cleanest way, please correct me if I'm 

You use the same/reverse way to remove that you use to install.

> wrong), and re-install from the apache13-modssl port, or is there in
> fact some way to just get mod_ssl and add to my existing Apache 

The you install apache-modssl from the ports.

Of course you can install mod-ssl from the source by hand.

> configuration?  If both options are possible, is one better than the
> other?  I'd prefer not to have to re-do my apache install, but if
> there's some compelling reason I should, I'm interested in knowing it.

You would have to modify the httpd.conf to activate SSL anyway.

Have you a lot of things in the config yet?

> Also, when I've got it, I want users to have the option to use it,
> not be forced to (tinkering with a Squirrelmail webmail server here), so
> any information on that would be more than welcome.

Any reason why you don't want to force your user to go SSL. They will
be exchanging password over the network, better it is crypted, don't
you think?

If it is a matter of not purchasing a certificate, you can put up a
page on the way to install the certificate once for all so the users
are not requested again to accept the certificate.

Usual configuration of Apache normally allows you to set-up two
servers, one on port 80 that is not crypted and one on port 443 that
is using SSL. Both services can share the same web pages, giving acces
both with and without SSL.

Bests,

olivier
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: [freebsd-questions] Best way to add SSL to Apache 1.3.37

[Norberto Meijome]

On Thu, 07 Jun 2007 12:03:31 -0400
Patrick Baldwin <[EMAIL PROTECTED]> wrote:

> Hi, I'm running 6.2-RELEASE-p4, and Apache 1.3.37.  I'd like to
> add SSL support, but I'm not sure of the best way to go about it.
> 

may I ask why are you using Apache 1.3.x ? I think Apache 2 has shown itself to
be pretty good and reliable by now

> In:
> 
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-apache.html
> 
> Specifically section 27.7.5.1, it mentions you can add ssl support with 
> mod_ssl, but I don't see it in my ports tree.
> 
> I also found this:
> http://www.bsdguides.org/guides/freebsd/webserver/apache_ssl_php_mysql.php
> 
> Which seems to suggest that I'd need to have installed the apache
> port /usr/ports/www/apache13-modssl instead of the package apache-1.3.37_3.

Indeed.

> 
> 
> So, do I need to remove the apache-1.3.37_3 package (presumably with
> pkg_delete, as I think that's the cleanest way, please correct me if I'm 
> wrong),

pkg_deinstall apache-1.3*

>  and re-install from the apache13-modssl port, or is there in
> fact some way to just get mod_ssl and add to my existing Apache 
> configuration?  

There may be, i haven't touched the 1.3 apache stuff for several years. If you
install www/apache22, it builds the SSL components by default.

> If both options are possible, is one better than the
> other?  

You cannot have, by default (ie, withouth tinkering and knowing what you are
doing) both apache13 and apache13-mod_ssl. they are listed conflicts.( in the
Makefile for the port, search for the CONFLICTS line)

> I'd prefer not to have to re-do my apache install, but if
> there's some compelling reason I should, I'm interested in knowing it.

if you want ssl... 

> Also, when I've got it, I want users to have the option to use it,
> not be forced to (tinkering with a Squirrelmail webmail server here), so
> any information on that would be more than welcome.

Not sure what you mean by this. Your users will use HTTPS if they so request
it, or HTTP if they point it to http://yourserver/



_
{Beto|Norberto|Numard} Meijome

"Throughout the centuries there were [people] who took first steps down new
paths armed only with their own vision." Ayn Rand

I speak for myself, not my employer. Contents may be hot. Slippery when wet.
Reading disclaimers makes you go blind. Writing them is worse. You have been
Warned.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"