Re: Dynamic apache config
> Besides, most people pick lousy passphrases anyway. That's why I wrote my own passphrase generator to spit out random gibberish such as (actual program output):
>
>     [EMAIL PROTECTED]:~$ pgen
>     8T(U[TcY
>     [EMAIL PROTECTED]:~$ pgen 12
>      mp{6$}9:_+\
>     [EMAIL PROTECTED]:~$ pgen 24
>     EQ;WcpgHbT\8pxJD.h_mOwe:
>     [EMAIL PROTECTED]:~$

In a pinch, similar random glop can be generated thus:

    dd if=/dev/random bs=44 count=1 2>/dev/null | uuencode fubar | sed -e 1d -e 2q

___
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
Re: Dynamic apache config
On Tue, 2003-06-03 at 17:12, [EMAIL PROTECTED] wrote:
> On 3 Jun 2003, at 4:16pm, [EMAIL PROTECTED] wrote:
> > I'm looking for a little more magic with a little less regenerating httpd.conf. *grin*
>
> Question: Why? How often will your virtual host setup change?

Potentially fairly frequently...

The other concern I have (and perhaps you folks can allay them?) is the issue of ssl certs with passwords. If I'm restarting apache to have it reread the conf file, wouldn't I have to enter the certificate password each time?

--
... one of the main causes of the fall of the Roman Empire was that, lacking zero, they had no way to indicate successful termination of their C programs.
    -- Robert Firth

Cole Tuininga
Lead Developer
Code Energy, Inc
[EMAIL PROTECTED]
PGP Key ID: 0x43E5755D
Re: Dynamic apache config
Cole Tuininga wrote:
> The other concern I have (and perhaps you folks can allay them?) is the issue of ssl certs with passwords. If I'm restarting apache to have it reread the conf file, wouldn't I have to enter the certificate password each time?

In my experience, yes. I believe that you can add to whatever startup script you're using and pass it as an option to httpd.

Of course you can always use an empty passphrase when you generate the certificate. This permits Apache to restart in SSL mode without needing a password. I've done this with self-signed certificates when experimenting with SSL and on a couple of test/development machines. When I'm feeling lazy, I also do this with my ssh keys so I can ssh without needing a password at all.

Yes, I know it's considered bad security practice, but if the system is otherwise secure, then the risk of empty passphrases isn't that great. It's only a danger if someone breaks into the machine and steals the original keys, or if you do it on a machine where you aren't root, or at least not the only admin with root access and you can't trust the other admins.

Anyway, I've never considered passphrases and passwords as a security mechanism. They're really more of an access mechanism. So, I have no qualms about using empty passphrases for my self-signed certs and ssh keys. If my machine was ever to be compromised, I'd probably generate all new keys for ssh, ssl and gpg anyway. (Yes, I use a rather long passphrase with gpg.)

Besides, most people pick lousy passphrases anyway. That's why I wrote my own passphrase generator to spit out random gibberish such as (actual program output):

    [EMAIL PROTECTED]:~$ pgen
    8T(U[TcY
    [EMAIL PROTECTED]:~$ pgen 12
     mp{6$}9:_+\
    [EMAIL PROTECTED]:~$ pgen 24
    EQ;WcpgHbT\8pxJD.h_mOwe:
    [EMAIL PROTECTED]:~$

Note that the first character of the 12-character passphrase is a blank space.

Trouble with that is, you have to write them down or store them in a database, which just means there's one more thing you have to worry about guarding/losing.

OK, so I veered off topic, but that's not unusual for me, or for this list. :-)
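The passphrase lengths and the dd | uuencode pipeline discussed in this thread, worked as an added example (not part of the original posts, and not the poster's pgen program): it draws characters from printable ASCII with the OS CSPRNG, computes the entropy each length gives, and shows that the line the pipeline keeps starts with a fixed length character. The names pgen_like, entropy_bits and uu_line are hypothetical, and the default length of 8 is an assumption taken from the first sample.

```python
import binascii
import math
import secrets

# Printable ASCII 0x20..0x7e; includes the space seen in the 12-character sample.
ALPHABET = "".join(chr(c) for c in range(0x20, 0x7F))


def pgen_like(length=8):
    """Return `length` characters drawn uniformly from ALPHABET (hypothetical helper)."""
    if length < 1:
        raise ValueError("length must be positive")
    # secrets.choice uses the OS CSPRNG and is unbiased,
    # unlike taking a random byte modulo len(ALPHABET).
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def uu_line(raw):
    """The single uuencode body line that the dd | uuencode | sed pipeline keeps."""
    if len(raw) > 45:
        raise ValueError("one uuencode line holds at most 45 bytes")
    return binascii.b2a_uu(raw).decode("ascii").rstrip("\n")


if __name__ == "__main__":
    for n in (8, 12, 24):
        print(f"{n:2d} chars  {entropy_bits(n):6.1f} bits  {pgen_like(n)!r}")
    line = uu_line(secrets.token_bytes(44))
    # The first character encodes the byte count (32 + 44 = 'L'), so it never varies.
    print(f"uuencode: {len(line)} chars carrying 352 bits, starts with {line[0]!r}")
```

The 61-character uuencode line carries 44 random bytes, but its first character is always the same, so it adds nothing to the passphrase's strength.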
Re: Dynamic apache config
On 3 Jun 2003, at 4:16pm, [EMAIL PROTECTED] wrote:
> I'm looking for a little more magic with a little less regenerating httpd.conf. *grin*

Question: Why? How often will your virtual host setup change?

I agree that generating a config file is not as elegant as pulling it right from the database, but, from a strictly pragmatic point of view, it might be the best overall solution.

> I've found something that seemingly does what I want (http://www.synthemesc.com/mod_vdbh/) but is only available for Apache 2.0.x ... and I'm running 1.3.x right now.

I think I remember reading that one of the goals with the Apache 2.x redesign was to make things like what you're talking about easier.

--
Ben Scott [EMAIL PROTECTED]
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |