Ralf S. Engelschall wrote:
>
> On Fri, Oct 02, 1998, James H.G. Redekop wrote:
>
> > I am attempting to compile & run Apache 1.3.1 with mod_ssl, and
> > I'm running into a serious problem. The httpd halts immediately on
> > being run with a "required SSLCacheServerPort not supplied" error,
> > even though I *do* supply an SSLCacheServerPort -- in fact, I lifted
> > the configuration directly from httpd.conf-dist.
> >
> > Has anyone else run into it? Any suggestions?
>
> Yes, someone else ran into this problem, too.

Nice to know it's not all in my head. Provided, of course, that
that someone else isn't me when I mailed you about the problems I had
subscribing to the list...

> I've already looked at the code
> and tried to verify it myself. No chance, it always worked fine. Hmmmm... a
> confusing error. Can you send me your exact httpd.conf file, too. There has to
> be a subtle difference in your files. Or this is some sort of platform error
> as we had recently for Apache with the "</Directory> found, </Directory>"
> expected thing. What platform are you using?

UltraSparc5 running Solaris 2.6

Note that the Apache *also* has another add-on module called JRun, which
I don't know. A customer of ours is using it, and insisted that it be
included. It may or may not be affecting things.

Every time I run the httpd binary, I get this:

>[Thu Oct 1 14:24:59 1998] [notice] mod_jrun: JRun Connector v2.2 Apache - Oct 1
>1998 12:48:20
>[Thu Oct 1 14:24:59 1998] [error] mod_ssl: Required SSLCacheServerPort missing

--
James H.G. Redekop | [EMAIL PROTECTED]
Web Programmer     | http://www.residents.com/        The Residents
UUNET Canada       | http://www.residents.com/Goons/  The Goon Show
[EMAIL PROTECTED]  | http://www.residents.com/Tzoq/   Home Page

# This is the main server configuration file. See URL http://www.apache.org/
# for instructions.

# Do NOT simply read the instructions in here without understanding
# what they do, if you are unsure consult the online docs. You have been
# warned.

# Originally by Rob McCool

# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Please read the file README.DSO in the Apache 1.3 distribution for more
# details about the DSO mechanism and run `httpd -l' for the list of already
# built-in (statically linked and thus always available) modules in your httpd
# binary.
#
# Example:
# LoadModule foo_module libexec/mod_foo.so

# ServerType is either inetd, or standalone.

ServerType standalone

# If you are running from inetd, go to "ServerAdmin".

# Port: The port the standalone listens to. For ports < 1023, you will
# need httpd to be run as root initially.

Port 8080

##
## SSL Support
##
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##
<IfDefine SSL>
Listen 8080
Listen 443
</IfDefine>

# HostnameLookups: Log the names of clients or just their IP numbers
# e.g. www.apache.org (on) or 204.62.129.132 (off)
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on.

HostnameLookups off

# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.

# User/Group: The name (or #number) of the user/group to run httpd as.
# On SCO (ODT 3) use User nouser and Group nogroup
# On HPUX you may not be able to use shared memory as nobody, and the
# suggested workaround is to create a user www and use that user.
# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
# when the value of (unsigned)Group is above 60000;
# don't use Group #-1 on these systems!

User nobody
Group nobody

# ServerAdmin: Your address, where problems with the server should be
# e-mailed.

ServerAdmin [EMAIL PROTECTED]

# ServerRoot: The directory the server's config, error, and log files
# are kept in.
# NOTE! If you intend to place this on a NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation,
# you will save yourself a lot of trouble.

ServerRoot /usr/local/apache-ssl/

# BindAddress: You can support virtual hosts with this option. This option
# is used to tell the server which IP address to listen to. It can either
# contain "*", an IP address, or a fully qualified Internet domain name.
# See also the VirtualHost directive.

#BindAddress *

# ErrorLog: The location of the error log file. If this does not start
# with /, ServerRoot is prepended to it.

ErrorLog logs/error_log

# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.

LogLevel warn

# The following directives define some format nicknames for use with
# a CustomLog directive (see below).

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

# The location of the access logfile (Common Logfile Format).
# If this does not start with /, ServerRoot is prepended to it.

CustomLog logs/access_log common

# If you would like to have an agent and referer logfile uncomment the
# following directives.

#CustomLog logs/referer_log referer
#CustomLog logs/agent_log agent

# If you prefer a single logfile with access, agent and referer information
# (Combined Logfile Format) you can use the following directive.

#CustomLog logs/access_log combined

# PidFile: The file the server should log its pid to
PidFile logs/httpd.pid

# ScoreBoardFile: File used to store internal server process information.
# Not all architectures require this. But if yours does (you'll know because
# this file is created when you run Apache) then you *must* ensure that
# no two invocations of Apache share the same scoreboard file.
ScoreBoardFile logs/apache_runtime_status

# The LockFile directive sets the path to the lockfile used when Apache
# is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
# USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at
# its default value. The main reason for changing it is if the logs
# directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL
# DISK. The PID of the main server process is automatically appended to
# the filename.
#
#LockFile logs/accept.lock

# ServerName allows you to set a host name which is sent back to clients for
# your server if it's different than the one the program would get (i.e. use
# "www" instead of the host's real name).
#
# Note: You cannot just invent host names and hope they work. The name you
# define here must be a valid DNS name for your host. If you don't understand
# this, ask your network administrator.

#ServerName new.host.name

# UseCanonicalName: (new for 1.3) With this setting turned on, whenever
# Apache needs to construct a self-referencing URL (a url that refers back
# to the server the response is coming from) it will use ServerName and
# Port to form a "canonical" name. With this setting off, Apache will
# use the hostname:port that the client supplied, when possible. This
# also affects SERVER_NAME and SERVER_PORT in CGIs.
UseCanonicalName on

# CacheNegotiatedDocs: By default, Apache sends Pragma: no-cache with each
# document that was negotiated on the basis of content. This asks proxy
# servers not to cache the document. Uncommenting the following line disables
# this behavior, and proxies will be allowed to cache the documents.

#CacheNegotiatedDocs

# Timeout: The number of seconds before receives and sends time out

Timeout 300

# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.

KeepAlive On

# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.

MaxKeepAliveRequests 100

# KeepAliveTimeout: Number of seconds to wait for the next request

KeepAliveTimeout 15

# Server-pool size regulation. Rather than making you guess how many
# server processes you need, Apache dynamically adapts to the load it
# sees --- that is, it tries to maintain enough server processes to
# handle the current load, plus a few spare servers to handle transient
# load spikes (e.g., multiple simultaneous requests from a single
# Netscape browser).

# It does this by periodically checking how many servers are waiting
# for a request. If there are fewer than MinSpareServers, it creates
# a new spare. If there are more than MaxSpareServers, some of the
# spares die off. These values are probably OK for most sites ---

MinSpareServers 5
MaxSpareServers 10

# Number of servers to start --- should be a reasonable ballpark figure.

StartServers 5

# Limit on total number of servers running, i.e., limit on the number
# of clients who can simultaneously connect --- if this limit is ever
# reached, clients will be LOCKED OUT, so it should NOT BE SET TOO LOW.
# It is intended mainly as a brake to keep a runaway server from taking
# Unix with it as it spirals down...

MaxClients 150

# MaxRequestsPerChild: the number of requests each child process is
# allowed to process before the child dies.
# The child will exit so as to avoid problems after prolonged use when
# Apache (and maybe the libraries it uses) leak. On most systems, this
# isn't really needed, but a few (such as Solaris) do have notable leaks
# in the libraries.

MaxRequestsPerChild 30

# Proxy Server directives. Uncomment the following line to
# enable the proxy server:

#ProxyRequests On

# To enable the cache as well, edit and uncomment the following lines:

#CacheRoot /usr/local/apache-ssl/proxy
#CacheSize 5
#CacheGcInterval 4
#CacheMaxExpire 24
#CacheLastModifiedFactor 0.1
#CacheDefaultExpire 1
#NoCache a_domain.com another_domain.edu joes.garage_sale.com

# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the VirtualHost command

#Listen 3000
#Listen 12.34.56.78:80

# VirtualHost: Allows the daemon to respond to requests for more than one
# server address, if your server machine is configured to accept IP packets
# for multiple addresses. This can be accomplished with the ifconfig
# alias flag, or through kernel patches like VIF.

# Any httpd.conf or srm.conf directive may go into a VirtualHost command.
# See also the BindAddress entry.

#<VirtualHost host.some_domain.com>
#ServerAdmin [EMAIL PROTECTED]
#DocumentRoot /www/docs/host.some_domain.com
#ServerName host.some_domain.com
#ErrorLog logs/host.some_domain.com-error_log
#TransferLog logs/host.some_domain.com-access_log
#</VirtualHost>

##
## SSL Support
##
## Note that all SSL options can apply to virtual hosts, which
## is where we are going to put them now. We disable SSL globally
## and enable only inside a virtual host only.
##
<IfModule mod_ssl.c>

# we disable SSL globally
SSLDisable

# configure the path/port for the SSL session cache server [RECOMMENDED].
# Additionally sets the session cache timeout, in seconds (set to 15 for
# testing, use a higher value in real life) [RECOMMENDED]
SSLCacheServerPath /usr/local/apache-ssl/sbin/ssl_gcache
SSLCacheServerPort /tmp/gcache_port
SSLSessionCacheTimeout 300

<IfDefine SSL>
<VirtualHost _default_:443>

# setup the general virtual server configuration
DocumentRoot /usr/local/apache-ssl/share/htdocs
#ServerName new.host.name
#ServerAdmin [EMAIL PROTECTED]
ErrorLog logs/error_log-ssl
TransferLog logs/access_log-ssl

# enable SSL for this virtual host
SSLEnable

# this forbids access except when SSL is in use. Very handy for defending
# against configuration errors that expose stuff that should be protected
SSLRequireSSL

# point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with `make certificate' under
# built time. [RECOMMENDED]
SSLCertificateFile /usr/local/apache-ssl/conf/ssl.crt/www.husky.on.ca.crt

# if the key is not combined with the certificate, use this
# directive to point at the key file. [OPTIONAL]
SSLCertificateKeyFile /usr/local/apache-ssl/conf/ssl.key/www.husky.on.ca.key

# set the CA certificate verification path where
# to find CA certificates for client authentication or
# alternatively one huge file containing all of them
# (file must be PEM encoded) [OPTIONAL]
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /usr/local/apache-ssl/conf/ssl.crt
#SSLCACertificateFile /usr/local/apache-ssl/conf/ssl.crt/ca-bundle.crt

# set client verification level: [RECOMMENDED]
# 0|none: no certificate is required
# 1|optional: the client may present a valid certificate
# 2|require: the client must present a valid certificate
# 3|optional_no_ca: the client may present a valid certificate
# but it is not required to have a valid CA
SSLVerifyClient none

# set how deeply to verify the certificate issuer chain
# before deciding the certificate is not valid. [OPTIONAL]
#SSLVerifyDepth 10

# list the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list. [OPTIONAL]
#SSLRequiredCiphers RC4-MD5:RC4-SHA:IDEA-CBC-MD5:DES-CBC3-SHA

# these two can be used on a per-directory basis to require or
# ban specific ciphers. Note that (at least in the current version)
# SSL will not attempt to renegotiate if a cipher is banned
# (or not required). [OPTIONAL]
#SSLRequireCipher RC4-MD5
#SSLBanCipher RC4-MD5

# translate the client X.509 into a Basic Authorisation.
# This means that the standard Auth/DBMAuth methods can be used for
# access control. The user name is the `one line' version of
# the client's X.509 certificate. Note that no password is
# obtained from the user. Every entry in the user file needs
# this password: `xxj31ZMTZzkVA'. [OPTIONAL]
#SSLFakeBasicAuth

# a home for miscellaneous rubbish generated by SSL. Much of it
# is duplicated in the error log file. Put this somewhere where
# it cannot be used for symlink attacks on a real server (i.e.
# somewhere where only root can write). [RECOMMENDED]
SSLLogFile /usr/local/apache-ssl/logs/ssl_misc_log

# define custom SSL logging [RECOMMENDED]
CustomLog logs/ssl_log "%t %h %{version}c %{cipher}c %{subjectdn}c %{issuerdn}c \"%r\" %b"

</VirtualHost>
</IfDefine>

</IfModule>
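
Added example, not part of the original post and not mod_ssl or Apache code: a small checker for the situation discussed in this thread, where a directive is present in httpd.conf yet the server reports it missing. It lists each directive with its enclosing containers and whether they are active for an assumed set of -D defines and compiled-in modules, and it reports unbalanced containers; the names `scan` and `_holds` and the trimmed sample are constructed here, and the line-based parsing is a simplification of what Apache does.

```python
import re
# Constructed excerpt: the SSL container structure of the httpd.conf posted above.
SAMPLE = """\
<IfModule mod_ssl.c>
SSLDisable
SSLCacheServerPort /tmp/gcache_port
<IfDefine SSL>
<VirtualHost _default_:443>
SSLEnable
</VirtualHost>
</IfDefine>
</IfModule>
"""

OPEN = re.compile(r"<([A-Za-z]+)\s*([^>]*)>")
CLOSE = re.compile(r"</([A-Za-z]+)\s*>")

def _holds(name, arg, defines, modules):
    """IfDefine/IfModule tests (with ! negation); other containers never hide a directive."""
    pool = {"ifdefine": defines, "ifmodule": modules}.get(name.lower())
    return pool is None or (arg.lstrip("!") in pool) != arg.startswith("!")

def scan(text, defines=(), modules=()):
    """Return (hits, problems); hits maps directive -> [(line, args, containers, active)]."""
    stack, hits, problems = [], {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := CLOSE.fullmatch(line)):
            if stack and stack[-1][0].lower() == m.group(1).lower():
                stack.pop()
            else:
                problems.append(f"line {no}: unexpected </{m.group(1)}>")
        elif (m := OPEN.fullmatch(line)):
            stack.append((m.group(1), m.group(2).strip(), no))
        else:
            name, _, args = line.replace("\t", " ").partition(" ")
            active = all(_holds(n, a, defines, modules) for n, a, _ in stack)
            path = tuple(f"{n} {a}" for n, a, _ in stack)
            hits.setdefault(name, []).append((no, args.strip(), path, active))
    problems += [f"line {no}: <{n} {a}> never closed" for n, a, no in stack]
    return hits, problems

if __name__ == "__main__":
    hits, problems = scan(SAMPLE, defines={"SSL"}, modules={"mod_ssl.c"})
    for name, rows in hits.items():
        print(name, [(no, active, " > ".join(path)) for no, _, path, active in rows])
    print(problems or "containers balanced")
```

Pass the defines the server is actually started with and the module list from `httpd -l`; a directive that shows active=False, or any reported container problem, is the first thing to compare against a working configuration.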
