mod_ssl / mod_proxy interaction
In an effort to eventually set up a secure Apache reverse proxy for Exchange 2000's OWA, I've run into the following dilemma. Per the mod_ssl docs, I had the following declared globally:

    SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

and realised after much wailing and gnashing of teeth that that line caused the following (non-SSL) virtual host to fail to operate correctly under IE:

    Listen 10.10.10.99:80
    <VirtualHost 10.10.10.99:80>
        ServerName webmail.gactr.uga.edu
        UseCanonicalName Off
        CustomLog /tmp/webmail-trans.log combined
        ErrorLog /tmp/webmail-error.log
        RedirectPermanent / http://webmail.gactr.uga.edu/exchange/
        ProxyRequests Off
        ProxyVia Full
        ProxyPass /exchange/ http://webmail.gactr.uga.edu/exchange/
        ProxyPassReverse /exchange/ http://webmail.gactr.uga.edu/exchange/
        ProxyPass /public/ http://webmail.gactr.uga.edu/public/
        ProxyPassReverse /public/ http://webmail.gactr.uga.edu/public/
        ProxyPass /ex2k/ http://webmail.gactr.uga.edu/ex2k/
        ProxyPassReverse /ex2k/ http://webmail.gactr.uga.edu/ex2k/
        ProxyPass /exchweb/ http://webmail.gactr.uga.edu/exchweb/
        ProxyPassReverse /exchweb/ http://webmail.gactr.uga.edu/exchweb/
    </VirtualHost>

So, I moved the User-Agent config out of the global config and into each SSL config. Now the Exchange 2000 proxy (currently non-SSL) is correctly handled by IE. Obviously, though, I will be wanting to put this proxy behind SSL, which I've already determined will not work (using the mod_ssl recommended settings). Has anyone else run into a similar situation? Is there a reasonable work-around for this?

--
Robin P. Blanchard
Systems Integration Specialist
Georgia Center for Continuing Education
fon: 706.542.2404 | fax: 706.542.6546

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
Re: mod_ssl / mod_proxy interaction
    -Authenticate: Basic realm=webmail.gactr.uga.edu
    Content-Length: 24
    Content-Type: text/html
    Via: 1.1 webmail.gactr.uga.edu (Apache/1.3.26)
    X-Cache: MISS from webmail.gactr.uga.edu
    X-Cache: MISS from proxy.gactr.uga.edu
    Proxy-Connection: close

    Unknown authentication scheme.

--
Robin P. Blanchard
Systems Integration Specialist
Georgia Center for Continuing Education
fon: 706.542.2404 | fax: 706.542.6546
Re: OpenSSL I/O error causing Page cannot be displayed in browser
Here is the combination that did the trick for us:

    SSLSessionCache shmcb:/usr/local/apache/logs/ssl_scache(1024000)
    SSLSessionCacheTimeout 600
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

Aaron Gee wrote:

> We tried that also. Below is a short list of the combinations and variations we have tried. Notice some lines from the conf file do the same as others; I was just trying all possibilities. The comments (#) in front are my addition. I have tried almost every iteration of the following to get SOMETHING to work.
>
> Tried all of the following:
>
>     #SSLProtocol SSLv2
>     #SSLProtocol all -SSLv3
>     #SSLProtocol all
>     #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>     #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
>
> Tried both of these:
>
>     #SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown
>     #SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>
> Also tried these in various combinations with the above:
>
>     #SSLSessionCache none
>     #SSLSessionCache shmht:logs/ssl_scache(512000)
>     #SSLSessionCache shmcb:logs/ssl_scache(512000)
>     #SSLSessionCache shm:logs/ssl_scache(512000)
>     #SSLSessionCache shmht:logs/ssl_scache
>     #SSLSessionCache shmcb:logs/ssl_scache
>     #SSLSessionCache shm:logs/ssl_scache
>     #SSLSessionCacheTimeout 300
>     #SSLMutex file:logs/ssl_mutex
>
> AG
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bryan Field-Elliot
> Sent: Tuesday, December 18, 2001 12:57
> To: [EMAIL PROTECTED]
> Subject: RE: OpenSSL I/O error causing Page cannot be displayed in browser
>
> Sorry you already gave up, but I believe the lines below should fix your problem (in addition to the SetEnvIf line you already added):
>
>     SSLSessionCache dbm:/var/ssl_cache
>     SSLSessionCacheTimeout 300
>
> (change the path in the first line to one which makes sense on your server)

--
Robin P. Blanchard
IT Program Specialist
Georgia Center for Continuing Ed.
fon: 706.542.2404 fax: 706.542.6546
email: [EMAIL PROTECTED]
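An added example, not taken from either thread, that puts the directives from the two posts above into one Apache 1.3 + mod_ssl layout: the session cache and mutex server-wide, the MSIE workaround scoped to the SSL virtual host, and the plain-HTTP OWA proxy left without it. The 443 listener, certificate, mutex and SSL error-log paths are assumed; it shows where each directive lives and does not settle the first thread's open question of whether the SSL front end and mod_proxy cooperate with these settings.

```apache
# Server-wide: the SSL session cache is shared by every SSL vhost
# (shmcb and the 600 s timeout are the combination that worked above).
SSLSessionCache        shmcb:/usr/local/apache/logs/ssl_scache(1024000)
SSLSessionCacheTimeout 600
SSLMutex               file:/usr/local/apache/logs/ssl_mutex   # assumed path

Listen 10.10.10.99:80
Listen 10.10.10.99:443

# Plain-HTTP OWA proxy. Deliberately no SetEnvIf here: nokeepalive,
# downgrade-1.0 and force-response-1.0 are core httpd variables, not
# mod_ssl ones, so set globally they also reshape this host's answers to IE.
<VirtualHost 10.10.10.99:80>
    ServerName       webmail.gactr.uga.edu
    UseCanonicalName Off
    CustomLog        /tmp/webmail-trans.log combined
    ErrorLog         /tmp/webmail-error.log
    ProxyRequests    Off
    ProxyVia         Full
    # Backend name as in the post; it must resolve to the Exchange host
    # from this box, not back to the proxy itself, or requests loop.
    ProxyPass        /exchange/ http://webmail.gactr.uga.edu/exchange/
    ProxyPassReverse /exchange/ http://webmail.gactr.uga.edu/exchange/
    # /public/, /ex2k/ and /exchweb/ are mapped the same way
</VirtualHost>

# SSL front end. The IE workaround is scoped here so it only affects
# connections that actually pass through mod_ssl.
<VirtualHost 10.10.10.99:443>
    ServerName            webmail.gactr.uga.edu
    SSLEngine             on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt   # assumed
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key   # assumed
    # Cipher string from the 2001 post; +SSLv2, +LOW and +EXP are weak
    # and would be dropped from a current deployment.
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    ErrorLog         /tmp/webmail-ssl-error.log   # assumed path
    ProxyRequests    Off
    ProxyVia         Full
    ProxyPass        /exchange/ http://webmail.gactr.uga.edu/exchange/
    ProxyPassReverse /exchange/ http://webmail.gactr.uga.edu/exchange/
</VirtualHost>
```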
CNAME question/problem
The scenario: the old webserver (www.blahblahblah.edu) had a Verisign cert. Our organization recently purchased www.blahblahblah.org and a corresponding Thawte cert. We want to phase out www.blahblahblah.edu entirely. I've set up mod_rewrite to rewrite www.blahblahblah.edu -> www.blahblahblah.org; but users can still access www.blahblahblah.edu as it points to the same IP address. They therefore get a browser warning that the cert (www.blahblahblah.org) doesn't match the machine name they've requested (www.blahblahblah.edu). Is there a way to force a canonical name? I.e., listen on an IP address and force use of a machine name?

--
Robin P. Blanchard
IT Program Specialist
Georgia Center for Continuing Ed.
fon: 706.542.2404 fax: 706.542.6546
email: [EMAIL PROTECTED]
Re: mod_ssl + mod_php4 segmentation faults
Hey John --

Off the top of my head, I believe that your php4 probably picked up on your system threads by default and was thus built with threads. You'll have to enable threads in Apache also. Rebuild Apache with LDFLAGS="-lpthread"; that *should* fix your problem (I had the same problem a while back).

John Sutton wrote:

> Hi there
>
> After many days of grief...
>
>     kernel 2.2.10
>     apache 1.3.14
>     mod_php4-4.0.3pl1
>     mod_ssl-2.7.1_1.3.14
>
> The build proceeds fine (everything is built -DEAPI), and on a Red Hat 6.0 system (glibc-2.1.1) it kinda works. But I keep getting segfaults, and the attempt to syntax check even a trivial Apache conf file *always* segfaults:
>
>     # httpd -T -f /etc/httpd/conf/try.conf
>     Syntax OK
>     Segmentation fault (core dumped)
>
> try.conf is:
>
>     ServerRoot /etc/httpd
>     LoadModule php4_module modules/libphp4.so
>     ClearModuleList
>     AddModule mod_php4.c
>     ServerType standalone
>     accessconfig /dev/null
>     resourceconfig /dev/null
>
> (it doesn't get much simpler, huh!)
>
> If I rebuild Apache without applying the mod_ssl patches and then rebuild php4 (i.e. without the EAPI), then everything is fine (except that then I've got no secure server!)
>
> On a Red Hat 5.2 system (kernel 2.2.3, glibc-2.0.7) - which, as Sod's Law would have it, is my live server - the situation is much worse. If I include php4 in the conf file, Apache refuses to start at all. It just hangs, no output anywhere...
>
> mod_ssl + mod_php3-3.0.17 builds and runs fine on both platforms.
>
> Here is the build procedure I'm using, with some detail:
>
>     # Apply patches to apache
>     cd mod_ssl-2.7.1-1.3.14
>     ./configure --with-apache=.. --with-eapi-only
>
>     # Build and install apache
>     cd ..
>     ./configure --prefix=/usr \
>         --enable-module=all \
>         --enable-shared=max \
>         --enable-rule=EAPI \
>         --disable-rule=WANTHSREGEX
>     make
>     make install
>
>     # Build mod_ssl, php3 and php4
>     cd mod_ssl-2.7.1-1.3.14
>     ./configure \
>         --with-apxs=/usr/sbin/apxs \
>         --with-ssleay=/usr/local/ssl
>
>     cd php4-4.0.3pl1
>     ./configure --prefix=/usr \
>         --with-apxs=/usr/sbin/apxs \
>         --with-config-file-path=/usr/lib \
>         --enable-debug=no \
>         --enable-safe-mode \
>         --with-exec-dir=/usr/bin \
>         --with-mysql=/usr \
>         --with-regex=system \
>         --enable-versioning
>
>     cd php3-3.0.17
>     ./configure --prefix=/usr \
>         --with-apxs=/usr/sbin/apxs \
>         --with-config-file-path=/usr/lib \
>         --enable-debug=no \
>         --enable-safe-mode \
>         --with-exec-dir=/usr/bin \
>         --with-mysql=/usr \
>         --with-system-regex \
>         --enable-versioning
>
> Getting desperate. Any help much appreciated!
>
> ***
> John Sutton
> SCL Computer Services
> URL http://www.scl.co.uk/
> Tel. +44 (0) 1239 621021
> ***

--
--------
Robin P. Blanchard
Network Engineering Support
Georgia Center for Continuing Ed.
fon: 706.542.2404 fax: 706.542.6546
email: [EMAIL PROTECTED]
load-balancing question
Could someone please point me to some information on how to set up mod_ssl to work in a hardware load-balanced configuration? Meaning, how to allow mod_ssl to be installed across several servers with private IPs that are load balanced by a device handling all http/https for a single real IP?

--
Robin P. Blanchard
Network Engineering Support
Georgia Center for Continuing Ed.
fon: 706.542.2404 fax: 706.542.6546
email: [EMAIL PROTECTED]
virtual hosting dilemma
Here's the basic scenario:

    www.somedomain.com
    www.otherdomain.com   (CNAME for www.somedomain.com)
    www.anotherdomain.com (CNAME for www.somedomain.com)

In my httpd.conf I have

    <VirtualHost www.somedomain.com:80>
    <VirtualHost www.somedomain.com:443>
    <VirtualHost www.otherdomain.com>
    <VirtualHost www.anotherdomain.com>

All, of course, have individual document roots. Thus, http://www.somedomain.com works perfectly, as well as https://www.somedomain.com. http://www.otherdomain.com and http://www.anotherdomain.com also work fine. However, https://www.otherdomain.com and https://www.anotherdomain.com respond as https://www.somedomain.com. I don't want these two to respond at all to https requests. Is there a way to accomplish this?

--
Robin P. Blanchard
Network Specialist IV
Georgia Center Computer Services
fon: +1 706.542.2404 fax: +1 706.542.6546
net: [EMAIL PROTECTED]
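An added example, not from the list, for this post and for the earlier "CNAME question/problem": one Apache 1.3 + mod_ssl address serving several names, with the port-80 vhosts name-based and the single port-443 vhost checking the Host header once the handshake is done. The address, document roots and certificate paths are constructed; the host names are the ones from the post.

```apache
# Apache 1.3 selects an SSL vhost by IP:port only (no SNI); the Host header
# is not readable until after the handshake, so every https request to this
# address lands in the *:443 block below and is answered with somedomain's cert.
NameVirtualHost 192.0.2.10:80          # constructed address
Listen 192.0.2.10:80
Listen 192.0.2.10:443

<VirtualHost 192.0.2.10:80>
    ServerName   www.somedomain.com
    DocumentRoot /www/somedomain        # assumed document roots
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName   www.otherdomain.com
    DocumentRoot /www/otherdomain
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName   www.anotherdomain.com
    DocumentRoot /www/anotherdomain
</VirtualHost>

# The only SSL vhost on the address. Refuse any request whose Host header is
# not the canonical name rather than serving somedomain's pages under
# otherdomain's or anotherdomain's URL.
<VirtualHost 192.0.2.10:443>
    ServerName            www.somedomain.com
    UseCanonicalName      On
    DocumentRoot          /www/somedomain
    SSLEngine             on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/somedomain.crt   # assumed
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/somedomain.key   # assumed
    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^www\.somedomain\.com$ [NC]
    RewriteRule .* - [F]
    # For the old-name/new-name case (www.blahblahblah.edu -> .org), swap the
    # [F] rule for a redirect to the canonical name:
    #   RewriteRule ^(.*)$ https://www.somedomain.com$1 [R=301,L]
    # Neither variant removes the certificate-name warning for the other
    # names: the browser raises it during the handshake, before any request
    # directive runs. Only a certificate covering every name, or a separate
    # address per name, avoids it.
</VirtualHost>
```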