Re: SSL Virtual hosts ?
> The company I currently host through has SSL for each of the virtual
> hosts. They have thousands of accounts; hard to believe they would have
> a certificate for each virtual domain.

Yes, they must have separate certificates for each domain. That'll be why
when you sign up for SSL hosting with them they'll charge you for a
certificate and ask you for all sorts of identification (or ask you to do
that direct with the certification authority). Why would they not have a
certificate for each domain?

> Would one certificate work if the virtual hosts were IP-based with
> (IP aliases) virtual IP? (I believe that is the term for using one IP to
> serve many. I'm still very new to Linux.)

Using one IP to serve many is "name-based" virtual hosting. Using many IPs
to serve many is "IP-based" virtual hosting. If you only have one IP then
it's called name-based because you have to make the distinction between
virtual hosts by looking at the domain name. Each of the possible domain
names will resolve (be pointed) to the same one IP address. If you have
many IPs then you call it IP-based virtual hosting because you make the
distinction between different virtual hosts just by checking the
destination IP address.

You can do IP-based virtual hosting with any protocol, just by looking at
the TCP packets. However, to do name-based virtual hosting the client has
to tell the server which domain name it is using. The problem is, with
TCP, the client looks up the domain name and communicates with the server
using its IP address. The server has no idea what domain name the client
looked up to get the server's IP address (analogy: if someone phones you
up, you don't know how they found your phone number). But if the client
says "I used xyz domain name" then the server can adjust its response
accordingly (analogy: the person on the phone can say how they found your
number).

In HTTP, the client tells the server what domain name it's using by
sending the "Host" header, e.g. "Host: xyz.abc.com". The server then knows
it should be using the xyz.abc.com virtual host.

This doesn't work with SSL, because before any HTTP headers are sent, the
SSL handshake has to occur. In order for this to happen, the server has to
know which certificate and key to use (otherwise a secure connection
cannot be established). In order to know which cert to use, it has to know
which virtual host to use. If you're using IP-based virtual hosting, it
can just look at the TCP packets and see which IP address they're using
(analogy: if you have multiple phone lines, and one phone rings, then you
know which number the person dialled because you know the phone number
associated with each line). So IP-based SSL virtual hosting is no problem.
However, with name-based virtual hosting the Host header isn't sent until
after the SSL handshake -- thus the server doesn't know which certificate
to use for the handshake, so it uses the default server instead of the
virtual host.

Cheers,
Simon Garner

__
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                              [EMAIL PROTECTED]
Automated List Manager                                 [EMAIL PROTECTED]
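As an added example (not from Simon's post or from the mod_ssl distribution), an Apache 1.3 + mod_ssl configuration that follows the reasoning above: the plain-HTTP hosts share one address and are told apart by the Host header, while every SSL host gets its own address so the certificate can be chosen from the destination IP before the handshake. Addresses, hostnames and file paths are placeholders.

```apache
# Added example, not from the list posts: IP-based SSL virtual hosting
# with Apache 1.3 + mod_ssl. 192.0.2.x, example.com/.net and the paths
# under /etc/httpd/ssl are placeholders.
Listen 80
Listen 443

# Plain HTTP: one address is enough. Apache reads the Host header after
# the TCP connection is up and picks the matching <VirtualHost>.
NameVirtualHost 192.0.2.10:80

<VirtualHost 192.0.2.10:80>
    ServerName   www.example.com
    DocumentRoot /var/www/example.com/http
    # Redirect the protected area to the SSL host of the same name.
    RewriteEngine on
    RewriteRule   ^(/secure/.*)$ https://%{SERVER_NAME}$1 [R,L]
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName   www.example.net
    DocumentRoot /var/www/example.net/http
</VirtualHost>

# SSL: the handshake finishes before any HTTP header arrives, so the
# certificate has to be selected from the destination address alone.
# Each SSL host therefore gets its own IP and its own certificate/key.
<VirtualHost 192.0.2.10:443>
    ServerName            www.example.com
    DocumentRoot          /var/www/example.com/https
    SSLEngine             on
    SSLCertificateFile    /etc/httpd/ssl/example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/example.com.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName            www.example.net
    DocumentRoot          /var/www/example.net/https
    SSLEngine             on
    SSLCertificateFile    /etc/httpd/ssl/example.net.crt
    SSLCertificateKeyFile /etc/httpd/ssl/example.net.key
</VirtualHost>
```

Clients that send the server name inside the TLS ClientHello (SNI) remove this restriction: Apache 2.2.12 and later can select the certificate by name, so the address-per-host rule only matters for clients without SNI.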
configure
While already running OpenSSL, the next logical step for me would be to
install mod_ssl. I have to admit, right off the bat, that the configure
script is awful. It behaves unlike any other configure script I have
encountered. Aside from patching and installing files, it has hardcoded
paths for the location of items. I was always under the impression that
configure scripts only configured the installation of the application you
were about to install, rather than patching and installing files (wouldn't
that be part of the make?). Also, the hardcoded paths make it rather
difficult to supply paths other than the expected ones. For example, the
--with-apache= directive actually takes the path supplied, and tacks on
/src/include in order to find httpd.h.

These problems with the configure script make it quite difficult to set up
and make the necessary binaries before actually doing the installation and
without impacting a currently running system. Is this a known problem that
will be addressed, or is this particular problem not considered a problem
after all?

-Rich
--
Richard West
Wesmo Computer Services
http://www.wesmo.com
mailto:[EMAIL PROTECTED]
Re: SSL configuration advice
Hello Blair,

Sunday, August 15, 1999, you wrote:

> I'm looking for some good advice as to how to put mod-ssl behind a
> firewall such as fwtk.
> I think squid could be used, but I am not sure how. Does anyone know
> of a standard type of configuration for an SSL server?
> The idea is that the users might use the main web server until they
> need to use SSL stuff, and then they would be forwarded to an https
> behind the firewall. I guess the hurdle I am trying to get over is
> that allowing sessions behind the firewall can sometimes be a bad
> idea.

I've just done exactly this, though I guess just to "proof of concept"
stage, 'cause the guy I was doing the experiment for was on a short fuse
and ended up buying Netscape server (at $9000, because to act as a reverse
proxy requires an unlimited user license...)

The trick is to use reverse proxy using mod_rewrite and mod_proxy. Public
web server is apache+mod_ssl, private web server (inside firewall) is
apache+mod_ssl. If _all_ SSL traffic is to be proxied, just put .htaccess
in your SSL virtual host DocumentRoot directory which has a rewrite rule
like

    RewriteRule (.*) https://privatehost/$1 [P]

(For some reason I've never been able to make proxy rewrite rules work in
httpd.conf, only in .htaccess)

Public server carries the certificate, I don't think it really matters
what you use on the private server, because only the Apache proxy sees it.
There are probably client authentication issues, but if you're only
looking for encryption, that isn't a problem.

Of course, you could just use apache+mod_ssl using the same mechanism to
proxy traffic to an insecure server inside the firewall, especially if you
have a two-level firewall, with the public server behind its own firewall
but isolated from the internal network, but using SSL on both sides gives
you the added security of encrypted traffic on the short path to the
firewall, and protects you from malicious monitoring by your own
employees...

I think this whole mechanism is sufficiently useful it would warrant a
mini-howto.

- Iain
mailto:[EMAIL PROTECTED]
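An added example, not Iain's configuration: the public apache+mod_ssl host terminating the client's SSL session and re-encrypting the hop to the private host, written for a mod_ssl build with proxy support (the Apache 2.x SSLProxy* directives, which mod_ssl for Apache 1.3 did not have in 1999). Hostnames, addresses and file paths are placeholders; unlike the post above, it verifies the private host's certificate so the proxy cannot be steered to the wrong backend.

```apache
# Added example, not from the list posts: public SSL reverse proxy in
# front of a private SSL host. 203.0.113.5, example.com,
# privatehost.internal and the /etc/httpd/ssl paths are placeholders.
<VirtualHost 203.0.113.5:443>
    ServerName            www.example.com
    DocumentRoot          /var/www/example.com/https
    SSLEngine             on
    SSLCertificateFile    /etc/httpd/ssl/example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/example.com.key

    # A public host must never act as a forward proxy; [P] rewrites and
    # ProxyPass still work with ProxyRequests off.
    ProxyRequests off

    # The hop to the private host is SSL as well, so mod_ssl acts as an
    # SSL client here. Require the private host's certificate to chain to
    # the internal CA and to match the name we connect to (2.4.5+), so the
    # proxy cannot be redirected to an impostor inside the network.
    SSLProxyEngine            on
    SSLProxyVerify            require
    SSLProxyCACertificateFile /etc/httpd/ssl/internal-ca.crt
    SSLProxyCheckPeerName     on

    # Pass every request through; [P] hands the rewritten URL to mod_proxy
    # in server context, the same rule Iain keeps in .htaccess.
    RewriteEngine on
    RewriteRule   ^/(.*)$ https://privatehost.internal/$1 [P,L]

    # Rewrite Location headers in backend responses to the public name,
    # so redirects issued by the private host do not leak its hostname.
    ProxyPassReverse / https://privatehost.internal/
</VirtualHost>
```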
force ssl on certain pages?
I've got mod_ssl working fine with my apache.. now my question is: how do
I cause certain web pages, or directories that the web pages are on, to be
served up with SSL? I could type https://my.web.page/secure/index.html but
how do I make it so that when a user hits
http://my.web.page/secure/index.html his browser will automagically go
into https mode?

regards,
Jason
--
Jason Welsh [EMAIL PROTECTED]       "If you think there's good in
http://welsh.dynip.com/              everybody, you haven't met everybody."
Re: configure
On Sun, Aug 15, 1999, Rich West wrote:

> [...] I have to admit, right off the bat, that the configure script is
> awful.

Then feel free to contribute a better one ;)

> It behaves unlike any other configure script I have encountered. Aside
> from patching and installing files, it has hardcoded paths for the
> location of items. I was always under the impression that configure
> scripts only configured the installation of the application you were
> about to install, rather than patching and installing files (wouldn't
> that be part of the make?).

Yeah, ok: mod_ssl's configure script is a special one, that's correct.
But mod_ssl has to apply itself to the Apache source tree and so it does
a little bit of patching, too.

> Also, the hardcoded paths make it rather difficult to supply paths other
> than the expected ones. For example, the --with-apache= directive
> actually takes the path supplied, and tacks on /src/include in order to
> find httpd.h.

Errr... where is the real problem? You need an original Apache source tree
and there always is the src/include subdir. So why shouldn't configure use
this "hard-coded path"? What do you want to specify with --with-apache?
Hmmm... you confuse me, I've to admit.

> These problems with the configure script make it quite difficult to set
> up and make the necessary binaries before actually doing the
> installation and without impacting a currently running system. Is this
> a known problem that will be addressed, or is this particular problem
> not considered a problem after all?

It's neither a known problem AFAIK nor are there any plans from my side to
make this different (I would like to make it different to not require
anything from Apache, but for this I would need a different Apache - and
that doesn't exist). I think your problem is just that you assumed that
mod_ssl's configure script is like a standard Autoconf-generated one.
That's not the case, correct. But unless you make this assumption it
should work fine for you and certainly will help you a lot in setting up
an SSL-aware Apache server.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: force ssl on certain pages?
On Mon, Aug 16, 1999, jason wrote:

> I've got mod_ssl working fine with my apache.. now my question is: how
> do I cause certain web pages, or directories that the web pages are on,
> to be served up with SSL? I could type
> https://my.web.page/secure/index.html but how do I make it so that when
> a user hits http://my.web.page/secure/index.html his browser will
> automagically go into https mode?

Add a redirection for this page to the VirtualHost of the HTTP server.
For instance something like

    RewriteEngine on
    RewriteRule   ^(/secure/.*)$ https://%{SERVER_NAME}$1 [R,L]

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
RE: force ssl on certain pages?
Apache's mod_rewrite module should work well for that sort of thing.

hth
--mark

-----Original Message-----
From: jason
To: [EMAIL PROTECTED]
Sent: 8/16/99 8:23 AM
Subject: force ssl on certain pages?

> I've got mod_ssl working fine with my apache.. now my question is: how
> do I cause certain web pages, or directories that the web pages are on,
> to be served up with SSL? I could type
> https://my.web.page/secure/index.html but how do I make it so that when
> a user hits http://my.web.page/secure/index.html his browser will
> automagically go into https mode?
>
> regards,
> Jason
Re: force ssl on certain pages?
Hello jason,

Monday, August 16, 1999, you wrote:

> I could type https://my.web.page/secure/index.html
> but how do I make it so that when a user hits
> http://my.web.page/secure/index.html his browser will automagically go
> into https mode?

Make sure the virtual hosts for ports 80 and 443 are in different
directories. In the /secure subdirectory on the non-SSL virtual host, in
your .htaccess file, use

    RewriteEngine On
    RewriteRule (.*) https://my.web.page/secure/$1 [R]

Requires mod_rewrite, of course.

- Iain
mailto:[EMAIL PROTECTED]
SSL and the new Apache 1.3.7 mod_vhost_alias?
Has anyone looked into implementing this? We currently support thousands
and thousands of virtual hosts and have (literally) megabytes of
configuration files with complex IfDefine and Include directives that take
Apache minutes to process, so moving to mod_virtualhost will be the
biggest lifesaver for us; however, how would be the best way to support
SSL? We don't want to have to use an old-style 1.3.6 VirtualHost entry for
SSL enabled sites. mod_virtualhost documentation for Apache 1.3.7 is
available at http://www.apache.org/docs/mod/mod_vhost_alias.html.

Suggestions would be great! Thanks.

--
Jeffrey H. Johnson, [EMAIL PROTECTED]
The Web Site Factory, http://www.websitefactory.net
Re: SSL and the new Apache 1.3.7 mod_vhost_alias?
David Harris wrote:
> When the mass virtual hosting patch was first contributed to Apache, I
> started a discussion of how to implement SSL mass virtual hosting on the
> [EMAIL PROTECTED] list. This thread started with my message entitled
> "SSL mass-vhosting" on 6/11/99 with message-id
> 001d01beb408$6dbb92e0$0500a8c0@delf. In that thread, I tossed out a few
> ideas for how one might go about implementing mass virtual hosting for
> mod_ssl.

I've checked through your ideas and it seems to me that they could be made
to work with Apache-SSL (and hence, probably, mod_ssl), so long as the keys
don't have passphrases. The point of the preload of keys/certs is to get
passphrases while you still have a tty, nothing else.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
     - Indira Gandhi
Session reuse inconsistent?
I'm building a custom SSL app and want to use session reuse for the
obvious reasons. I've hacked up cli.c (attached below) to more easily
learn openssl etc. The program connects to a server running apache and the
most recent mod_ssl. The interesting thing is that the session isn't
always reused. When the expiry log entry is made, the server gets a cache
miss even though the session id is correct. My sample size is obviously
small, but the behavior is concerning. When I run s_time, the sessions are
mostly reused (240/255) with only a few misses.

I've attached the session cache entries from using cli.c. The entries I
deleted were all normal, i.e. the SSL protocol looked fine. Any ideas on
this odd behavior? Am I missing something in cli.c?

Thanks,
Bill

[16/Aug/1999 15:49:10] [info]  Init: Created hash-table (250 buckets) in shared memory (512000 bytes) for SSL session cache
[16/Aug/1999 15:49:10] [trace] Inter-Process Session Cache (SHM) Expiry: old: 0, new: 0, removed: 0
[16/Aug/1999 15:49:31] [trace] Inter-Process Session Cache: request=SET status=OK id=8214945D194564BC5101B8B012BDC0751FC639C27FE686C2518AF12E15002848 timeout=300s (session caching)
[16/Aug/1999 15:49:31] [trace] Inter-Process Session Cache: request=GET status=FOUND id=8214945D194564BC5101B8B012BDC0751FC639C27FE686C2518AF12E15002848 (session reuse)
[16/Aug/1999 15:49:35] [trace] Inter-Process Session Cache: request=SET status=OK id=4032AC17060B837D42FC3ED537EBC5498096CA45BE6F3615E9AC4132AF071FD2 timeout=299s (session caching)
[16/Aug/1999 15:49:35] [trace] Inter-Process Session Cache: request=GET status=FOUND id=4032AC17060B837D42FC3ED537EBC5498096CA45BE6F3615E9AC4132AF071FD2 (session reuse)
[16/Aug/1999 15:50:20] [trace] Inter-Process Session Cache: request=SET status=OK id=5FA040F98CE97E5E88B524CD7F91CCBD610E1D21720EDB0F0EB905F26621ADB5 timeout=300s (session caching)
[16/Aug/1999 15:50:20] [trace] Inter-Process Session Cache: request=GET status=FOUND id=5FA040F98CE97E5E88B524CD7F91CCBD610E1D21720EDB0F0EB905F26621ADB5 (session reuse)
[16/Aug/1999 15:52:06] [trace] Inter-Process Session Cache: request=SET status=OK id=357587AD769B6E0A5D0FE5BAD590F2E36E80ECB3A5A67C985B3AA2C77BF5B1D3 timeout=300s (session caching)
[16/Aug/1999 15:52:06] [trace] Inter-Process Session Cache: request=GET status=FOUND id=357587AD769B6E0A5D0FE5BAD590F2E36E80ECB3A5A67C985B3AA2C77BF5B1D3 (session reuse)
[16/Aug/1999 15:52:09] [trace] Inter-Process Session Cache: request=SET status=OK id=2C7D6FFA46CC9F57F5E93C59AF2004308C31587F9D0582181957113018D6EF14 timeout=300s (session caching)
[16/Aug/1999 15:52:09] [trace] Inter-Process Session Cache: request=GET status=FOUND id=2C7D6FFA46CC9F57F5E93C59AF2004308C31587F9D0582181957113018D6EF14 (session reuse)
[16/Aug/1999 16:02:55] [trace] Inter-Process Session Cache (SHM) Expiry: old: 5, new: 4, removed: 1
[16/Aug/1999 16:02:55] [trace] Inter-Process Session Cache: request=SET status=OK id=BFA93C41699520A907B4C604A1A2AABE93220FE28D2ED1B6FB75428877645C8C timeout=299s (session caching)
[16/Aug/1999 16:02:55] [trace] Inter-Process Session Cache (SHM) Expiry: old: 5, new: 5, removed: 0
[16/Aug/1999 16:02:55] [trace] Inter-Process Session Cache: request=GET status=MISSED id=BFA93C41699520A907B4C604A1A2AABE93220FE28D2ED1B6FB75428877645C8C (session renewal)
[16/Aug/1999 16:02:55] [trace] Inter-Process Session Cache: request=SET status=OK id=3DFEB1F293010D97D93A02E39433133CAE4872510C5DDC361408C756C00095DD timeout=300s (session caching)
[16/Aug/1999 16:03:19] [trace] Inter-Process Session Cache (SHM) Expiry: old: 7, new: 5, removed: 2
[16/Aug/1999 16:03:19] [trace] Inter-Process Session Cache: request=SET status=OK id=CFB37682C2CCA86551360F0E01CA83ABC4655A09690026281CB0E24A5C99946A timeout=300s (session caching)
[16/Aug/1999 16:03:19] [trace] Inter-Process Session Cache (SHM) Expiry: old: 5, new: 5, removed: 0
[16/Aug/1999 16:03:19] [trace] Inter-Process Session Cache: request=GET status=MISSED id=CFB37682C2CCA86551360F0E01CA83ABC4655A09690026281CB0E24A5C99946A (session renewal)
[16/Aug/1999 16:03:19] [trace] Inter-Process Session Cache: request=SET status=OK id=CF9AD819FA474ECEF09FA1CE74F0112781188BB042AFB2DF626EC5953F0CE30C timeout=300s (session caching)
[16/Aug/1999 16:03:20] [trace] Inter-Process Session Cache (SHM) Expiry: old: 7, new: 5, removed: 2
[16/Aug/1999 16:03:20] [trace] Inter-Process Session Cache: request=SET status=OK id=B4C9319C1F50A00A2E92F296AF75393C247F3A037A47CC1E6BC6A42434B3C790 timeout=300s (session caching)
[16/Aug/1999 16:03:20] [trace] Inter-Process Session Cache: request=GET status=MISSED id=B4C9319C1F50A00A2E92F296AF75393C247F3A037A47CC1E6BC6A42434B3C790 (session renewal)
[16/Aug/1999 16:03:21] [trace] Inter-Process Session Cache: request=SET status=OK id=D5190B883D65214EE31777E78DD0A7DC9850543EF183D5A9EC97956112155095 timeout=299s (session caching)
[16/Aug/1999 16:03:21] [trace] Inter-Process Session Cache: request=SET status=OK
RE: force ssl on certain pages?
Here's an easy way to redirect to another page/directory, secure or
whatever: link to a page you want to be secure, but put a meta refresh in
the <head>...</head> area to push to the "new" copy of the page or URL:

    <META HTTP-EQUIV="Refresh" CONTENT="0; URL=https://www.mysite.com/secure/mysecurepage.html">

Hope this is useful...

K. Dunn

> sounds kinda complicated as well as requiring me to recompile apache..
> can't you do it with some
>
>     <Directory /some/directory>
>         SSL stuff here
>     </Directory>
>
> type of trickery?
>
> regards,
> Jason
>
> On Mon, 16 Aug 1999, Cantrell, Mark wrote:
>
> > Apache's mod_rewrite module should work well for that sort of thing.
> >
> > hth
> > --mark

ArialNet, Inc. - Arial Electronic Commerce and Fulfillment
1167 Annie Court, Minden NV 89423
Ph: 775.267.0220  FAX: 775.267.4979
http://www.arialnet.net
Re: SSL and the new Apache 1.3.7 mod_vhost_alias?
Ben Laurie wrote:
> I've checked through your ideas and it seems to me that they could be
> made to work with Apache-SSL (and hence, probably, mod_ssl), so long as
> the keys don't have passphrases. The point of the preload of keys/certs
> is to get passphrases while you still have a tty, nothing else.

If this is really the case then you can even go with passphrase protected
keys. At least mod_ssl has pass phrase caching, so you only need to load
them once completely to get the passphrases and then load them whenever
you need them.

--
Holger Reif                       Tel.: +49 361 74707-0
SmartRing GmbH                    Fax.: +49 361 7470720
Europaplatz 5                     [EMAIL PROTECTED]
D-99091 Erfurt                    WWW.SmartRing.de