Hi, Phil et al.,

> > To clarify: I want to serve my own ZAP Group certificate when HTTPS
> > queries come to keyserver.zap.org.au, and the sks-keyservers.net
> > certificate when queries come to *.sks-keyservers.net. Can I do
> > this with ONE <VirtualHost> block in Apache, or must I use two?
>
> I can't definitively say that one block might not be made to work:
> never discount human ingenuity. I can say that it would be
> "interesting" to see.

In the end, I ended up with TWO <VirtualHost> blocks in the Apache config after all. All works now, as long as you remember to add "NameVirtualHost *:443"!

For reference, the following is my full Apache config for HTTPS on keyserver.zap.org.au:

# /etc/apache2/sites-available/zapgroup-keyserver-ssl: Keyserver website server configuration
# [JNZ] Modified 02-Jun-2014 for keyserver.zap.org.au

Listen *:11372
Listen *:443
NameVirtualHost *:11372
NameVirtualHost *:443

<VirtualHost *:11372 *:443>
    ServerAdmin keymas...@zap.org.au
    ServerName keyserver.zap.org.au

    SSLEngine on

    # Only allow secure ciphers and protocols: SSLv3 and TLSv1
    SSLCipherSuite HIGH:MEDIUM:!ADH
    SSLProtocol all -SSLv2

    SSLCertificateFile /etc/ssl/certs/keyserver.pem
    SSLCertificateKeyFile /etc/ssl/private/keyserver.pem
    SSLCACertificateFile /etc/ssl/certs/ZAP_Group_CA_Root.pem

    <Proxy *>
        Order allow,deny
        Allow from all
    </Proxy>

    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/
    ProxyVia On
    SetEnv proxy-nokeepalive 1
    #RequestHeader unset Expect early

    ErrorLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl--error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl--access.log combined_ssl
    ServerSignature On

    # Work around SSL (and other) problems in Microsoft Internet Explorer
    # (see default-ssl and /usr/share/doc/apache2.2-common/README.Debian.gz
    # for more information).
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

<VirtualHost *:11372 *:443>
    ServerAdmin keymas...@zap.org.au
    ServerName hkps.pool.sks-keyservers.net
    ServerAlias *.pool.sks-keyservers.net *.sks-keyservers.net

    SSLEngine on

    # Only allow secure ciphers and protocols: SSLv3 and TLSv1
    SSLCipherSuite HIGH:MEDIUM:!ADH
    SSLProtocol all -SSLv2

    SSLCertificateFile /etc/ssl/certs/keyserver-sks.pem
    SSLCertificateKeyFile /etc/ssl/private/keyserver.pem
    SSLCACertificateFile /etc/ssl/certs/sks-keyservers.netCA.pem

    <Proxy *>
        Order allow,deny
        Allow from all
    </Proxy>

    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/
    ProxyVia On
    SetEnv proxy-nokeepalive 1
    #RequestHeader unset Expect early

    ErrorLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl-hkps--error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl-hkps--access.log combined_ssl
    ServerSignature On

    # Work around SSL (and other) problems in Microsoft Internet Explorer
    # (see default-ssl and /usr/share/doc/apache2.2-common/README.Debian.gz
    # for more information).
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

Yours truly,

John Zaitseff

-- 
John Zaitseff                    ,--_|\    The ZAP Group
Phone: +61 2 9643 7737          /      \   Sydney, Australia
E-mail: j.zaits...@zap.org.au   \_,--._*   http://www.zap.org.au/
                                      v

_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
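An added check, not part of John's message or of the SKS project, for the pitfall he names: a small Python lint that flags an address shared by several SSL <VirtualHost> blocks without a matching NameVirtualHost (Apache 2.2 semantics, where that directive still matters). The embedded config is a constructed sample trimmed from the two blocks above, with the NameVirtualHost *:443 line deliberately left out so the check has something to find.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the two <VirtualHost> blocks in the post,
# with the "NameVirtualHost *:443" line deliberately left out.
SAMPLE_CONFIG = """
Listen *:11372
Listen *:443
NameVirtualHost *:11372
<VirtualHost *:11372 *:443>
    ServerName keyserver.zap.org.au
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/keyserver.pem
</VirtualHost>
<VirtualHost *:11372 *:443>
    ServerName hkps.pool.sks-keyservers.net
    ServerAlias *.pool.sks-keyservers.net *.sks-keyservers.net
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/keyserver-sks.pem
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
NVH_RE = re.compile(r"^\s*NameVirtualHost\s+(\S+)", re.M | re.I)

def parse_vhosts(config):
    """Return [(addresses, {directive: [values]})] for each <VirtualHost>."""
    vhosts = []
    for addrs, body in VHOST_RE.findall(config):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                key, _, value = line.partition(" ")
                directives.setdefault(key.lower(), []).append(value.strip())
        vhosts.append((addrs.split(), directives))
    return vhosts

def check_name_based_ssl(config):
    """Flag addresses shared by several SSL vhosts with no NameVirtualHost.

    Without it, Apache 2.2 treats the vhosts as overlapping and only the
    first one answers, so the other name is served the wrong certificate.
    """
    declared = set(NVH_RE.findall(config))
    names_per_addr = defaultdict(list)
    for addrs, d in parse_vhosts(config):
        if d.get("sslengine", [""])[0].lower() == "on":
            for addr in addrs:
                names_per_addr[addr].append(d.get("servername", ["?"])[0])
    return [f"{addr}: {len(n)} SSL vhosts ({', '.join(n)}) but no NameVirtualHost {addr}"
            for addr, n in names_per_addr.items() if len(n) > 1 and addr not in declared]
```

Run it against the full config from the post to confirm it reports nothing; delete the NameVirtualHost *:443 line and it reports the *:443 overlap.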