Re: How to redirect http to https on same server?
Bernard Barton wrote:
> I'm trying to redirect users from http://vhost.mydomain.com to https://vhost.mydomain.com using this RewriteRule:

I just use:

RedirectPermanent / https://my.host.com

--
Aaron Dalton | Super Duper Games
[EMAIL PROTECTED] | http://superdupergames.org

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]
Re: How to redirect http to https on same server?
Bernard Barton wrote:
> I'm trying to redirect users from http://vhost.mydomain.com to https://vhost.mydomain.com using this RewriteRule:
>
> RewriteCond %{SERVER_PORT} !^443$
> RewriteRule ^/(.*)$ https://cj-mydomain.choicepoint.net/$1 [L,R]
>
> This does not seem to work. I have the following defined as a virtual host, and the ssl.include is listed below that. What do I need to do to redirect http to https on the same server?
>
> -Thanks
>
> <IfDefine SSL>
> <VirtualHost 178.45.221.41:443>
>     #See file below
>     Include conf/conf.d/ssl.include
>     ErrorLog /usr/local/apache/logs/ssl_mydomain_error_log
>     CustomLog /usr/local/apache/logs/ssl_mydomain_access_log combined
>     <IfModule mod_proxy.c>
>         ProxyRequests On
>         ProxyPass / http://vhost.mydomain.net:80/
>         ProxyPassReverse / http://vhost.mydomain.net:80/
>     </IfModule>
> </VirtualHost>
> </IfDefine>
>
> ### ssl.include
> SSLEngine on
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateFile /usr/local/apache-1.3.37/conf/ssl.crt/star_mydomain_net.crt
> SSLCertificateKeyFile /usr/local/apache-1.3.37/conf/ssl.key/star_mydomain_net.key
> SSLCertificateChainFile /usr/local/apache-1.3.37/conf/ssl.crt/DigiCertCA.crt
> <Files ~ \.(cgi|shtml|phtml|php3|roc|rock?)$>
>     SSLOptions +StdEnvVars
> </Files>
> SetEnvIf User-Agent .*MSIE.* \
>     nokeepalive ssl-unclean-shutdown \
>     downgrade-1.0 force-response-1.0

This is what I use (from internal documentation):

1. Redirect all HTTP requests to HTTPS
   a. Load mod_rewrite (see: http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html )
   b. Add the following rule to your non-HTTPS server configuration (httpd.conf):

      # Require HTTPS
      RewriteEngine on
      RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [redirect=permanent]

Yours should work, too, though, since it is only substantially different in two (2) ways:

1. You don't have "RewriteEngine on" in the snippet; I assume you have it somewhere, though.
2. You check SERVER_PORT against !^443$ (it would probably be better to check the environment variable HTTPS, though) -- that should work.

--
Roy Keene (Contractor)
Office of Network Management (Code 7030.8)
Naval Research Laboratory
Stennis Space Center, MS 39529
DSN 828-4827
RE: How to redirect http to https on same server?
I use this in the port 80 virtual host (or main section) to refer any http request to https. The DocumentRoots should be the same or at least point to a similar file system structure in the http and ssl virtualhosts. It also informs proxies that it should cache the https version and not the http due to the 301 response code.

<Location />
RedirectMatch 301 (.*)$ https://servername.comain$1
</Location>

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roy Keene (Contractor)
Sent: Thursday, October 11, 2007 8:00 AM
To: modssl-users@modssl.org
Subject: Re: How to redirect http to https on same server?

Bernard Barton wrote:
> I'm trying to redirect users from http://vhost.mydomain.com to https://vhost.mydomain.com using this RewriteRule:
>
> RewriteCond %{SERVER_PORT} !^443$
> RewriteRule ^/(.*)$ https://cj-mydomain.choicepoint.net/$1 [L,R]
>
> This does not seem to work. I have the following defined as a virtual host, and the ssl.include is listed below that. What do I need to do to redirect http to https on the same server?
>
> -Thanks
>
> <IfDefine SSL>
> <VirtualHost 178.45.221.41:443>
>     #See file below
>     Include conf/conf.d/ssl.include
>     ErrorLog /usr/local/apache/logs/ssl_mydomain_error_log
>     CustomLog /usr/local/apache/logs/ssl_mydomain_access_log combined
>     <IfModule mod_proxy.c>
>         ProxyRequests On
>         ProxyPass / http://vhost.mydomain.net:80/
>         ProxyPassReverse / http://vhost.mydomain.net:80/
>     </IfModule>
> </VirtualHost>
> </IfDefine>
>
> ### ssl.include
> SSLEngine on
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateFile /usr/local/apache-1.3.37/conf/ssl.crt/star_mydomain_net.crt
> SSLCertificateKeyFile /usr/local/apache-1.3.37/conf/ssl.key/star_mydomain_net.key
> SSLCertificateChainFile /usr/local/apache-1.3.37/conf/ssl.crt/DigiCertCA.crt
> <Files ~ \.(cgi|shtml|phtml|php3|roc|rock?)$>
>     SSLOptions +StdEnvVars
> </Files>
> SetEnvIf User-Agent .*MSIE.* \
>     nokeepalive ssl-unclean-shutdown \
>     downgrade-1.0 force-response-1.0

This is what I use (from internal documentation):

1. Redirect all HTTP requests to HTTPS
   a. Load mod_rewrite (see: http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html )
   b. Add the following rule to your non-HTTPS server configuration (httpd.conf):

      # Require HTTPS
      RewriteEngine on
      RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [redirect=permanent]

Yours should work, too, though, since it is only substantially different in two (2) ways:

1. You don't have "RewriteEngine on" in the snippet; I assume you have it somewhere, though.
2. You check SERVER_PORT against !^443$ (it would probably be better to check the environment variable HTTPS, though) -- that should work.

--
Roy Keene (Contractor)
Office of Network Management (Code 7030.8)
Naval Research Laboratory
Stennis Space Center, MS 39529
DSN 828-4827
Re: How to redirect http to https on same server?
Thanks for all the responses. But no matter what I do or where I place a Rewrite or Redirect, I get the following error in Firefox:

(((The page isn't redirecting properly

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

This problem can sometimes be caused by disabling or refusing to accept cookies.)))

The page is redirected from http://myserver to https://myserver, but I get the above message. I do have Firefox configured to accept cookies. When I try to access the site using IE, it just hangs.

Any suggestions would be greatly appreciated.

Roy Keene (Contractor) wrote:
> Bernard Barton wrote:
> > I'm trying to redirect users from http://vhost.mydomain.com to https://vhost.mydomain.com using this RewriteRule:
> >
> > RewriteCond %{SERVER_PORT} !^443$
> > RewriteRule ^/(.*)$ https://cj-mydomain.choicepoint.net/$1 [L,R]
> >
> > This does not seem to work. I have the following defined as a virtual host, and the ssl.include is listed below that. What do I need to do to redirect http to https on the same server?
> >
> > -Thanks
> >
> > <IfDefine SSL>
> > <VirtualHost 178.45.221.41:443>
> >     #See file below
> >     Include conf/conf.d/ssl.include
> >     ErrorLog /usr/local/apache/logs/ssl_mydomain_error_log
> >     CustomLog /usr/local/apache/logs/ssl_mydomain_access_log combined
> >     <IfModule mod_proxy.c>
> >         ProxyRequests On
> >         ProxyPass / http://vhost.mydomain.net:80/
> >         ProxyPassReverse / http://vhost.mydomain.net:80/
> >     </IfModule>
> > </VirtualHost>
> > </IfDefine>
> >
> > ### ssl.include
> > SSLEngine on
> > SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > SSLCertificateFile /usr/local/apache-1.3.37/conf/ssl.crt/star_mydomain_net.crt
> > SSLCertificateKeyFile /usr/local/apache-1.3.37/conf/ssl.key/star_mydomain_net.key
> > SSLCertificateChainFile /usr/local/apache-1.3.37/conf/ssl.crt/DigiCertCA.crt
> > <Files ~ \.(cgi|shtml|phtml|php3|roc|rock?)$>
> >     SSLOptions +StdEnvVars
> > </Files>
> > SetEnvIf User-Agent .*MSIE.* \
> >     nokeepalive ssl-unclean-shutdown \
> >     downgrade-1.0 force-response-1.0
>
> This is what I use (from internal documentation):
>
> 1. Redirect all HTTP requests to HTTPS
>    a. Load mod_rewrite (see: http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html )
>    b. Add the following rule to your non-HTTPS server configuration (httpd.conf):
>
>       # Require HTTPS
>       RewriteEngine on
>       RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [redirect=permanent]
>
> Yours should work, too, though, since it is only substantially different in two (2) ways:
>
> 1. You don't have "RewriteEngine on" in the snippet; I assume you have it somewhere, though.
> 2. You check SERVER_PORT against !^443$ (it would probably be better to check the environment variable HTTPS, though) -- that should work.
Re: How to redirect http to https on same server?
On Thu, 11 Oct 2007, Bernard Barton wrote:
> Thanks for all the responses. But no matter what I do or where I place a Rewrite or Redirect, I get the following error in Firefox:
>
> (((The page isn't redirecting properly
>
> Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

Where are you attempting to put the RedirectPermanent directive? I assume you have a plain virtual host entry for http://myhost. In that VirtualHost container you put the RedirectPermanent / https://myhost (which is of course in its own VirtualHost container with all the ssl stuff).

Can you copy your http://myhost config?

--
Aaron Dalton
Super Duper Games
http://superdupergames.org
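The two-container layout described in the reply above, written out as an added example; it is not configuration posted by anyone in the thread. The address, hostname and ssl.include path reuse Bernard's placeholders, while the Listen lines, the backend on 127.0.0.1:8080 and its DocumentRoot are assumptions.

```apache
# Added example, not from the thread.
Listen 80
Listen 443
# Assumed loopback-only listener for the content backend.
Listen 127.0.0.1:8080

# Plain-HTTP container: serves no content, only bounces to HTTPS.
<VirtualHost 178.45.221.41:80>
    ServerName vhost.mydomain.com
    # mod_alias: every path under / gets a 301 to the same path on https.
    RedirectPermanent / https://vhost.mydomain.com/
</VirtualHost>

# HTTPS container: terminates SSL, then serves or proxies the content.
<VirtualHost 178.45.221.41:443>
    ServerName vhost.mydomain.com
    Include conf/conf.d/ssl.include

    <IfModule mod_proxy.c>
        # ProxyPass is a reverse proxy and works with ProxyRequests Off;
        # "On" additionally turns the server into a forward proxy.
        ProxyRequests Off
        # The backend must not be the port-80 container above. That one
        # answers every request with a redirect to https://, the redirect
        # would be relayed to the browser, and the browser would come
        # straight back to this container.
        ProxyPass / http://127.0.0.1:8080/
        ProxyPassReverse / http://127.0.0.1:8080/
    </IfModule>
</VirtualHost>

# Backend that holds the content; carries no redirect of its own.
<VirtualHost 127.0.0.1:8080>
    ServerName vhost.mydomain.com
    # Assumed path.
    DocumentRoot /usr/local/apache/htdocs
</VirtualHost>
```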
How to redirect http to https on same server?
I'm trying to redirect users from http://vhost.mydomain.com to https://vhost.mydomain.com using this RewriteRule:

RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*)$ https://cj-mydomain.choicepoint.net/$1 [L,R]

This does not seem to work. I have the following defined as a virtual host, and the ssl.include is listed below that. What do I need to do to redirect http to https on the same server?

-Thanks

<IfDefine SSL>
<VirtualHost 178.45.221.41:443>
    #See file below
    Include conf/conf.d/ssl.include
    ErrorLog /usr/local/apache/logs/ssl_mydomain_error_log
    CustomLog /usr/local/apache/logs/ssl_mydomain_access_log combined
    <IfModule mod_proxy.c>
        ProxyRequests On
        ProxyPass / http://vhost.mydomain.net:80/
        ProxyPassReverse / http://vhost.mydomain.net:80/
    </IfModule>
</VirtualHost>
</IfDefine>

### ssl.include
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache-1.3.37/conf/ssl.crt/star_mydomain_net.crt
SSLCertificateKeyFile /usr/local/apache-1.3.37/conf/ssl.key/star_mydomain_net.key
SSLCertificateChainFile /usr/local/apache-1.3.37/conf/ssl.crt/DigiCertCA.crt
<Files ~ \.(cgi|shtml|phtml|php3|roc|rock?)$>
    SSLOptions +StdEnvVars
</Files>
SetEnvIf User-Agent .*MSIE.* \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
Re: HTTP to HTTPS redirect on virtual host on port 8080
--- Christopher McClan [EMAIL PROTECTED] wrote:
> Hi,
>
> I'm currently running an Apache web server with Mod_SSL, and have the following virtual host statement:
>
> <VirtualHost mywebserver:8080>
>     <IfModule mod_ssl.c>
>         SSLEngine on
>         SSLCertificateFile /xx/xxx/xxx.crt
>         SSLCertificateKeyFile /xx/xxx/xxx.key
>         SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown
>     </IfModule>
>     ServerName mywebserver
>     DocumentRoot /xxx/xxx/xxx/xxx
>     <Directory /xxx/xxx/xxx/xxx>
>         Options Indexes FollowSymLinks MultiViews +ExecCGI
>         Allow from all
>     </Directory>
> </VirtualHost>
>
> If I connect using http, I get an Apache error stating that this is an SSL enabled server, and I should use https.
>
> My question is, how do I get it to redirect from http to https? This seems easy enough if you aren't running a virtual server on a specific port and just want to redirect to https for certain directories, but in this configuration I've not been able to achieve this.

You'll have to run another virtual server on another port. Then redirect to your https server. You can't run http/https on the same port.

Suggest 8080 as http and 8443 as https. Then ...

RewriteEngine On
RewriteLog logs/rewrite.log
RewriteLogLevel 0
RewriteRule ^/(.*) https://:8443/$1 [R=301,L]
http to https
Hello,

I'm sure this has been asked but I can't find the answer. I have Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6e. In the httpd.conf, can I make an http link go to (redirect) an https link?

So if they click on this link: http://system.company.com/ it will direct to https://system/ or https://system.company.com/

Thanks upfront
Ron
Re: http to https
On Tue, Oct 29, 2002 at 10:32:53AM -0800, rmckee wrote:
> Hello,
>
> I'm sure this has been asked but I can't find the answer. I have Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6e. In the httpd.conf, can I make an http link go to (redirect) an https link?
>
> So if they click on this link: http://system.company.com/ it will direct to https://system/ or https://system.company.com/

In your http vhost put:

Redirect / https://system.company.com/

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
RE: http or https but not both?
It sounds like you have misunderstood how to set up the SSL and HTTP sites. Basically, they are two separate port-based virtual hosts...

I wrote up some notes on this a few days ago - check out:

http://marc.theaimsgroup.com/?l=apache-modssl&m=102922483406071&w=2

Rgds,

Owen Boyle

-----Original Message-----
From: Paul F [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 14 August 2002 17:56
To: [EMAIL PROTECTED]
Subject: http or https but not both?

I have a fresh linux installation with apache + mod_ssl. With the mod_ssl module and AddModule uncommented, I can access https://mysite. BUT NOT http://mysite.

Any help appreciated!
http or https but not both?
I have a fresh linux installation with apache + mod_ssl. With the mod_ssl module and AddModule uncommented, I can access https://mysite. BUT NOT http://mysite.

Any help appreciated!
Re: http or https but not both?
Hello,

Which version of apache and OpenSSL are you using? Would you mind posting your httpd.conf in here for help?

Paul F wrote:
> I have a fresh linux installation with apache + mod_ssl. With the mod_ssl module and AddModule uncommented, I can access https://mysite. BUT NOT http://mysite.
>
> Any help appreciated!
RE: http and https from same config
From: Svein E. Seldal [mailto:[EMAIL PROTECTED]]
> Hi guys,
>
> I want to run a http server on port 81 which should only be available to the localnet, say 192.168.0.x/24 *and* on https with client certificates from the whole world. No passwords should be used in either method.
>
> Now I've got SSL working with the certs, so that's not my question, but how do I configure the virtual host to enforce these access rights? Today I've hacked the problem by running two separate (yet identical) virtual hosts. I want to run http(81) and https from the same virtual host config. Is this possible?

I can't think how you would do this. IMHO, what you have already done (far from being a hack) is the correct way to proceed - two virtualhosts with the same DocumentRoot (hence same content) but with different ports.

The trouble is the "SSLEngine on" directive - this has only context in a VH, i.e. you can't make it conditional on an IP range, for instance.

Rgds,

Owen Boyle
RE: http to https forward
Daniel,

Does your book or somewhere else give the specifics of what all I need to do to get this done? If so I'll go buy it, or wherever I need to look. I've got to get this thing implemented today. At this point, I'm thinking I'll strip off the Apache 1.3.23 that came with Suse and install Apache 2.0. Bear in mind with all of this, that I'm new to Apache and Linux, so any specifics you can provide on what ALL is needed to implement this would be greatly appreciated.

Thanks again,

David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Daniel Lopez
Sent: Wednesday, July 24, 2002 5:49 PM
To: [EMAIL PROTECTED]
Subject: Re: http to https forward

On Wed, Jul 24, 2002 at 05:45:15PM -0500, David Iungerich wrote:
> Thanks Daniel. What all is needed as adjustments to my conf file? As I understood it, there was an issue with Apache taking an http POST request and encrypting it with a given cert, then sending it along via https. If you could tell me exactly what I need version-wise and what to add/change in a standard conf file, I'd greatly appreciate it.

I am not sure I understand what you mean with encrypting it with a given cert. I am guessing it means that your client must present a specific client certificate to the remote server. This SSL functionality was present in mod_ssl versions for 1.3 if you compiled with SSL_EXPERIMENTAL flag, but was not working very well. Apache 2.0 includes robust support for that functionality (thanks to Doug MacEachern of mod_perl fame) and I recommend you use that. The directive you want is SSLProxyMachineCertificateFile, for specifying the client certificate(s) to present to the remote server. It is not documented currently on the Apache project, but take a look at:
http://www.covalent.net/support/docs/faststart/2.0.0/userguide/html/sslconfigure.php#1138492

Hope it helps

Daniel

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Daniel Lopez
> Sent: Wednesday, July 24, 2002 4:30 PM
> To: [EMAIL PROTECTED]
> Subject: Re: http to https forward
>
> > yes, that is correct. I meant http to https. So, there is no way to do this with existing mods? I have to use something else? Java or Python program? Anyone already have anything?
>
> You can already do it with Apache 2, and I am pretty sure you can do it with Apache 1.3 too. The directives are just not documented, I am working on a patch for the docs. But you are able to do
>
> SSLProxyEngine on
> ProxyPass / https://some.host.com
>
> And you can also use other SSLProxy* directives like SSLProxyVerify, etc.
>
> Daniel
> --
> Teach Yourself Apache 2 -- http://apacheworld.org/ty24/
Re: http to https forward
On Thu, Jul 25, 2002 at 10:14:22AM -0500, David Iungerich wrote:
> Daniel,
>
> Does your book or somewhere else give the specifics of what all I need to do

When the book was released, Doug (who sits 2 cubicles next to me :) had not yet cleaned up and ported that functionality, so I mention it but could not give any specifics.

> to get this done. If so I'll go buy it, or wherever I need to look. I've got to get this thing implemented today. At this point, I'm thinking I'll strip off the Apache 1.3.23 that came with Suse and install Apache 2.0. Bear in mind with all of this, that I'm new to Apache and Linux, so any specifics you can provide on what ALL is needed to implement this would be greatly appreciated.

Yesterday I submitted a patch to the Apache docs@ mailing list documenting those directives. I can try and help you with the setup, first step is to get Apache compiled with SSL support and understand how to generate certificates:
http://www.apacheworld.org/ty24/site.chapter17.html
and the mod_ssl docs/tutorial at apache.org

For the SSLProxy* directives these docs are old and for raven ssl, but apply for the most part:
http://www.covalent.net/support/docs/faststart/2.0.0/userguide/html/sslconfigure.php#1138492

Cheers

Daniel

> Thanks again,
>
> David
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Daniel Lopez
> Sent: Wednesday, July 24, 2002 5:49 PM
> To: [EMAIL PROTECTED]
> Subject: Re: http to https forward
>
> On Wed, Jul 24, 2002 at 05:45:15PM -0500, David Iungerich wrote:
> > Thanks Daniel. What all is needed as adjustments to my conf file? As I understood it, there was an issue with Apache taking an http POST request and encrypting it with a given cert, then sending it along via https. If you could tell me exactly what I need version-wise and what to add/change in a standard conf file, I'd greatly appreciate it.
>
> I am not sure I understand what you mean with encrypting it with a given cert. I am guessing it means that your client must present a specific client certificate to the remote server. This SSL functionality was present in mod_ssl versions for 1.3 if you compiled with SSL_EXPERIMENTAL flag, but was not working very well. Apache 2.0 includes robust support for that functionality (thanks to Doug MacEachern of mod_perl fame) and I recommend you use that. The directive you want is SSLProxyMachineCertificateFile, for specifying the client certificate(s) to present to the remote server. It is not documented currently on the Apache project, but take a look at:
> http://www.covalent.net/support/docs/faststart/2.0.0/userguide/html/sslconfigure.php#1138492
>
> Hope it helps
>
> Daniel
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Daniel Lopez
> > Sent: Wednesday, July 24, 2002 4:30 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: http to https forward
> >
> > > yes, that is correct. I meant http to https. So, there is no way to do this with existing mods? I have to use something else? Java or Python program? Anyone already have anything?
> >
> > You can already do it with Apache 2, and I am pretty sure you can do it with Apache 1.3 too. The directives are just not documented, I am working on a patch for the docs. But you are able to do
> >
> > SSLProxyEngine on
> > ProxyPass / https://some.host.com
> >
> > And you can also use other SSLProxy* directives like SSLProxyVerify, etc.
> >
> > Daniel
> > --
> > Teach Yourself Apache 2 -- http://apacheworld.org/ty24/
Re: http to https forward
On Wed, Jul 24, 2002 at 05:45:15PM -0500, David Iungerich wrote:
> Thanks Daniel. What all is needed as adjustments to my conf file? As I understood it, there was an issue with Apache taking an http POST request and encrypting it with a given cert, then sending it along via https. If you could tell me exactly what I need version-wise and what to add/change in a standard conf file, I'd greatly appreciate it.

I am not sure I understand what you mean with encrypting it with a given cert. I am guessing it means that your client must present a specific client certificate to the remote server. This SSL functionality was present in mod_ssl versions for 1.3 if you compiled with SSL_EXPERIMENTAL flag, but was not working very well. Apache 2.0 includes robust support for that functionality (thanks to Doug MacEachern of mod_perl fame) and I recommend you use that. The directive you want is SSLProxyMachineCertificateFile, for specifying the client certificate(s) to present to the remote server. It is not documented currently on the Apache project, but take a look at:
http://www.covalent.net/support/docs/faststart/2.0.0/userguide/html/sslconfigure.php#1138492

Hope it helps

Daniel

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Daniel Lopez
> Sent: Wednesday, July 24, 2002 4:30 PM
> To: [EMAIL PROTECTED]
> Subject: Re: http to https forward
>
> > yes, that is correct. I meant http to https. So, there is no way to do this with existing mods? I have to use something else? Java or Python program? Anyone already have anything?
>
> You can already do it with Apache 2, and I am pretty sure you can do it with Apache 1.3 too. The directives are just not documented, I am working on a patch for the docs. But you are able to do
>
> SSLProxyEngine on
> ProxyPass / https://some.host.com
>
> And you can also use other SSLProxy* directives like SSLProxyVerify, etc.
>
> Daniel
> --
> Teach Yourself Apache 2 -- http://apacheworld.org/ty24/
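The directives named in the message above, assembled into one Apache 2.0 virtual host as an added example; this is not configuration from the thread. some.host.com is the thread's placeholder, and the listener, the ServerName and the file paths are assumptions.

```apache
# Added example: plain-HTTP front end that forwards every request to an
# HTTPS backend (Apache 2.0 with mod_proxy and mod_ssl loaded).
Listen 80
<VirtualHost *:80>
    # Assumed name of the forwarding host itself.
    ServerName forwarder.example.com

    # Reverse proxy only; do not act as a forward proxy.
    ProxyRequests Off

    # Let mod_proxy open SSL connections to the backend.
    SSLProxyEngine on

    # SSLProxyVerify defaults to "none", which accepts any backend
    # certificate. Require one that chains to the CA file below.
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile conf/ssl.crt/backend-ca.crt

    # Client certificate presented to the backend: one PEM file holding
    # the certificate followed by its unencrypted private key.
    SSLProxyMachineCertificateFile conf/ssl.key/proxy-client.pem

    # Only the hop from this host to the backend is encrypted; the hop
    # from the client to this host stays plain HTTP.
    ProxyPass / https://some.host.com/
    ProxyPassReverse / https://some.host.com/
</VirtualHost>
```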
Re: http to https forward
> Quoting David Iungerich [EMAIL PROTECTED]:
>
> > I need to implement Apache as an https to http forwarder. I believe I need to use ProxyPass or Redirect, but am having difficulty figuring out the correct configuration.
>
> Just to clarify, I think you mean http to https forwarder, as in your subject; Apache forwards https to http without any problems.
>
> But for http to https, your problem isn't configuration; Apache+mod_ssl doesn't have the code for initiation of HTTPS connections. I've looked! Everybody told me it wouldn't work, I didn't believe them, I couldn't make it work, I read the code, it's not there!
>
> The only product I know of that might be able to do this is IBM EdgeServer, and possibly Netscape. Have to say I don't like EdgeServer and I have no experience of Netscape.
>
> Is there no-one around who'd like to code this? There are quite a few people who want to use Apache to initiate HTTPS connections. I don't have the time / coding skills.

Um, no, you can already do it

SSLProxyEngine on
ProxyPass / https://some.other.host

Daniel
--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/
RE: http to https forward
Quoting David Iungerich [EMAIL PROTECTED]:

> yes, that is correct. I meant http to https. So, there is no way to do this with existing mods? I have to use something else? Java or Python program? Anyone already have anything?

I couldn't find anything to do this besides the two proprietary programs I mentioned before. My impression is this is a big hole in the open-source toolkit, and proprietary software is going to fill it if someone more capable than me doesn't fix things...

I see this sort of thing being a requirement for more and more big companies who have established functional ecommerce infrastructures but need to start worrying about security for all sorts of reasons including regulatory requirements (especially secure comms between internal networks and DMZ). I'm not saying there's any law requiring specifically this but big financial companies are legally bound to protect data and they like to cover their bottoms.

I searched Freshmeat and Sourceforge. I found things that you can wrap http servers in to make them look like https servers to the outside world but that is the opposite of what you (and I) want to achieve.

--
Web: http://sydb.dyndns.org
ICQ: 152392113 (New to ICQ? http://www.mirabilis.com)
IRC: #sydb on EFnet (New to IRC? http://www.irchelp.org)
http and https
Hello,

I have the following config:

Apache/1.3.23 (Unix) mod_ssl/2.8.7 OpenSSL/0.9.6

I notice that if I enter https://server/www/index.php it works great.

Now if I enter http://server/www/index.php I get to the same location and it is not SSL secured.

So my question is: can you turn off access to http?

Thanks,
Ron
Re: http and https
On Thu, 18 Apr 2002 [EMAIL PROTECTED] wrote:
> Now if I enter http://server/www/index.php I get to the same location and it is not SSL secured.
>
> So my question is: can you turn off access to http?

See the SSLRequireSSL directive. Or you might want to set up a Redirect so that the client is automatically sent over to the https side.

--Cliff
Re: http and https
yes, remove and directives in http.conf for port 80 and just keep the port 443 stuff.

Thanks,

Ron DuFresne

On Thu, 18 Apr 2002 [EMAIL PROTECTED] wrote:
> Hello,
>
> I have the following config:
>
> Apache/1.3.23 (Unix) mod_ssl/2.8.7 OpenSSL/0.9.6
>
> I notice that if I enter https://server/www/index.php it works great.
>
> Now if I enter http://server/www/index.php I get to the same location and it is not SSL secured.
>
> So my question is: can you turn off access to http?
>
> Thanks,
> Ron

--
admin senior security consultant: sysinfo.com
http://sysinfo.com

Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart

testing, only testing, and damn good at it too!
Re: http and https
Would this not still leave port 80 open and bound? Is not just removing the port declarations for 80 and only having 443 set better and perhaps more secure?

Thanks,
Ron DuFresne

On Thu, 18 Apr 2002, Cliff Woolley wrote:

> On Thu, 18 Apr 2002 [EMAIL PROTECTED] wrote:
>
> > Now if I enter this http://server/www/index.php I get to the same location and it is not SSL secured. So my question is can you turn off access to http?
>
> See the SSLRequireSSL directive. Or you might want to set up a Redirect so that the client is automatically sent over to the https side.
>
> --Cliff
Re: http and https
On Thu, 18 Apr 2002, R. DuFresne wrote:

> Would this not still leave port 80 open and bound?

It would, yes.

> Is not just removing the port declarations for 80 and only having 443 set better and perhaps more secure?

That's a case-by-case decision. In some cases, it would be insufficiently secure to leave open port 80 (as when the initial request contains privileged information). In other cases, it's only the response or subsequent requests that are privileged, so it's okay to let the initial request come in on port 80 as long as you immediately bounce them over to https. In that situation, leaving port 80 open is just a convenience for your users (in case they type http: by mistake), if you deem it safe to provide that convenience.

--Cliff
Re: the same virtualhost with http and https?
> > > > I'd like to know, how does modssl decide which port is ssl and which one is non-ssl? if I bind apache to two ports, how to tell which one should be used for ssl connects and which one for non-ssl connects?
> > >
> > > Apache is the process - mod_ssl is just a module. Only port 80 is listened to by default by apache so to get SSL to work you must explicitly say Listen 443.
> >
> > Yes i know that :) The question is - how will mod_ssl know that it should process connections on port 443 and not on port 80.
>
> For one, it's a standard well known port:
>
> darkstar:~# grep 443 /etc/services
> https 443/tcp https # http protocol over TLS/SSL

Does mod_ssl walk through /etc/services ? By compile time or by runtime?

> for two, it would most likely be part of your httpd.conf, with the listen directive.

How do I define that apache should accept only non-encrypted connections on port 80 and only encrypted on 443? What if I would use other two ports? 81 and 444 for example. Would apache crash? or will it tell it doesn't know what kind of connections should wait on those ports? or will it expect http connections everywhere?

> > hmmm. I think I can put generic SSL directives into server's config and none special are _required_ for virtualhosts. I just have some virtualhosts and wish to give access to all of them without reconfiguring them. And that about sslengine was exactly what i wanted to know. could i turn on SSLEngine on for all connections to one port and turn it off for all connections on other port?
>
> Have you actually parsed through the default httpd.conf file that is installed when you compile the openssl/mod-ssl/apache combo? Some folks will add in MM in that combo. It's pretty well documented, and reading through it as one parses the FAQ and other documentation included is always a good starting point.

I didn't install anything yet. I am deciding between apache-ssl and mod-ssl; I did search the docs on the web. But i could not find answer to my questions. That's why I subscribed here. Maybe you could point me to exact answer of my question;

<VirtualHost 192.168.0.1>
ServerName blabla1
</VirtualHost>
<VirtualHost 192.168.0.1>
ServerName blabla2
</VirtualHost>

will both servers, blabla1 and blabla2 be available on port 80 w/o SSL and on port 443 with SSL? should I use this to define behaviour of ports?

<VirtualHost *:80>
SSLEngine Off
</VirtualHost>
<VirtualHost *:443>
SSLEngine On
</VirtualHost>

--
Matus fantomas Uhlar, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I don't wish to receive spam to this address.
Warning: I do not wish to receive any advertising mail at this address.
I drive way too fast to worry about cholesterol.
Re: the same virtualhost with http and https?
> How do I define that apache should accept only non-encrypted connections on port 80 and only encrypted on 443?

This is only decided by the SSLEngine on statement, without that it doesn't matter what port number is what it will still be standard http.

> What if I would use other two ports? 81 and 444 for example. Would apache crash? or will it tell it doesn't know what kind of connections should wait on those ports? or will it expect http connections everywhere?

You can use any port you like pretty much, as long as it's not already used.

> I did search the docs on the web. But i could not find answer to my questions. That's why I subscribed here. Maybe you could point me to exact answer of my question;
>
> <VirtualHost 192.168.0.1>
> ServerName blabla1
> </VirtualHost>
> <VirtualHost 192.168.0.1>
> ServerName blabla2
> </VirtualHost>
>
> will both servers, blabla1 and blabla2 be available on port 80 w/o SSL and on port 443 with SSL? should I use this to define behaviour of ports?

As you have them there it is simply going to be two http servers.

> <VirtualHost *:80>
> SSLEngine Off
> </VirtualHost>
> <VirtualHost *:443>
> SSLEngine On
> </VirtualHost>

As you have it here, ONLY because of the sslengine directive will the second one be SSL enabled, otherwise it would be http on port 443.

To recap:

<VirtualHost 192.168.0.1:443>
SSLEngine On
</VirtualHost>

Will be https://192.168.0.1/

<VirtualHost 192.168.0.1:443>
</VirtualHost>

Will be http://192.168.0.1:443/

<VirtualHost 192.168.0.1:80>
SSLEngine On
</VirtualHost>

Will be https://192.168.0.1:80/

Nick
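The recap above, turned into a configuration check (an added example, not code from the thread or from the mod_ssl project): it reads httpd.conf text and reports, per VirtualHost address, whether SSLEngine makes it http or https and whether that disagrees with the conventional port. The function names, status labels, sample hostnames and addresses are constructed for the example, and it assumes a virtual host with no SSLEngine line inherits the main server's setting.

```python
import re

# Constructed sample: the three cases from the recap, plus one port-less
# block like the first pair in the question. Hostnames and addresses are
# invented for this example.
SAMPLE_CONF = """\
Listen 80
Listen 443

<VirtualHost 192.168.0.1:443>
    ServerName secure.example
    SSLEngine On
</VirtualHost>

<VirtualHost 192.168.0.2:443>
    ServerName forgot-ssl.example
</VirtualHost>

<VirtualHost 192.168.0.3:80>
    ServerName tls-on-80.example
    SSLEngine On
</VirtualHost>

<VirtualHost 192.168.0.4>
    ServerName blabla1
</VirtualHost>
"""

OPEN_RE = re.compile(r"<VirtualHost\s+([^>]+)>", re.IGNORECASE)
CLOSE_RE = re.compile(r"</VirtualHost\s*>", re.IGNORECASE)


def port_of(addr):
    """Return the numeric port of 'host:port', or None if absent or '*'."""
    _, sep, port = addr.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def parse_vhosts(conf_text):
    """Return (main_server_ssl, [vhost dicts]) parsed from httpd.conf text."""
    main_ssl, vhosts, current = False, [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN_RE.match(line)
        if opened:
            current = {"addrs": opened.group(1).split(), "name": None, "ssl": None}
        elif CLOSE_RE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
        else:
            parts = line.split(None, 1)
            directive = parts[0].lower()
            arg = parts[1].strip() if len(parts) > 1 else ""
            if directive == "sslengine":
                enabled = arg.lower() == "on"
                if current is None:
                    main_ssl = enabled      # setting outside any vhost
                else:
                    current["ssl"] = enabled
            elif directive == "servername" and current is not None:
                current["name"] = arg
    return main_ssl, vhosts


def audit(conf_text):
    """Return (ServerName, address, scheme, status) for every vhost address.

    The scheme comes from SSLEngine only; the port number never changes it.
    """
    main_ssl, vhosts = parse_vhosts(conf_text)
    report = []
    for vh in vhosts:
        # Assumption: an unset SSLEngine falls back to the main server value.
        ssl = main_ssl if vh["ssl"] is None else vh["ssl"]
        scheme = "https" if ssl else "http"
        for addr in vh["addrs"]:
            port = port_of(addr)
            if port is None:
                status = "port-unspecified"
            elif port == 443 and not ssl:
                status = "plaintext-on-443"
            elif port == 80 and ssl:
                status = "tls-on-80"
            else:
                status = "ok"
            report.append((vh["name"], addr, scheme, status))
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_CONF):
        print("%-20s %-18s %-5s %s" % row)
```

A "plaintext-on-443" row is the case worth alerting on: clients that type https:// for that host get a handshake failure, and anything sent to that port as http travels unencrypted.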
the same virtualhost with http and https?
Hello,

I'd like to know, how does modssl decide which port is ssl and which one is non-ssl? if I bind apache to two ports, how to tell which one should be used for ssl connects and which one for non-ssl connects?

Another question. if I run http on port 80 and httpd on port 443, and I define only one virtualhost:

<VirtualHost ip.address>
ServerName blablabla
</VirtualHost>

will that virtualhost be available via both ports/protocols?

Or, do I need to define two virtualhosts, one on port 80 without ssl and one on 443 with ssl?

--
Matus fantomas Uhlar, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I don't wish to receive spam to this address.
Warning: I do not wish to receive any advertising mail at this address.
Depression is merely anger without enthusiasm.
Re: the same virtualhost with http and https?
Matus "fantomas" Uhlar wrote:

> Hello, I'd like to know, how does modssl decide which port is ssl and which one is non-ssl? if I bind apache to two ports, how to tell which one should be used for ssl connects and which one for non-ssl connects?

Apache is the process - mod_ssl is just a module. Only port 80 is listened to by default by apache so to get SSL to work you must explicitly say Listen 443.

> Another question. if I run http on port 80 and httpd on port 443, and I define only one virtualhost:
>
> <VirtualHost ip.address>
> ServerName blablabla
> </VirtualHost>
>
> will that virtualhost be available via both ports/protocols?

I guess so... but this is not a good idea since SSL requires lots of extra directives (like SSLEngine on) - how they would interact with the HTTP host is not obvious...

> Or, do I need to define two virtualhosts, one on port 80 without ssl and one on 443 with ssl?

This is a much better idea - keep the SSL and HTTP hosts completely separate, you will sleep better.

> Warning: I don't wish to receive spam to this address.

You'll be lucky!
Re: the same virtualhost with http and https?
> > I'd like to know, how does modssl decide which port is ssl and which one is non-ssl? if I bind apache to two ports, how to tell which one should be used for ssl connects and which one for non-ssl connects?
>
> Apache is the process - mod_ssl is just a module. Only port 80 is listened to by default by apache so to get SSL to work you must explicitly say Listen 443.

Yes i know that :) The question is - how will mod_ssl know that it should process connections on port 443 and not on port 80.

> > Another question. if I run http on port 80 and httpd on port 443, and I define only one virtualhost:
> >
> > <VirtualHost ip.address>
> > ServerName blablabla
> > </VirtualHost>
> >
> > will that virtualhost be available via both ports/protocols?
>
> I guess so... but this is not a good idea since SSL requires lots of extra directives (like SSLEngine on) - how they would interact with the HTTP host is not obvious...

hmmm. I think I can put generic SSL directives into server's config and none special are _required_ for virtualhosts. I just have some virtualhosts and wish to give access to all of them without reconfiguring them. And that about sslengine was exactly what i wanted to know. could i turn on SSLEngine on for all connections to one port and turn it off for all connections on other port?

> > Or, do I need to define two virtualhosts, one on port 80 without ssl and one on 443 with ssl?
>
> This is a much better idea - keep the SSL and HTTP hosts completely separate, you will sleep better.

--
Matus fantomas Uhlar, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I don't wish to receive spam to this address.
Warning: I do not wish to receive any advertising mail at this address.
Eagles may soar, but weasels don't get sucked into jet engines.
Re: the same virtualhost with http and https?
On Fri, 15 Feb 2002, Matus fantomas Uhlar wrote:

> > > I'd like to know, how does modssl decide which port is ssl and which one is non-ssl? if I bind apache to two ports, how to tell which one should be used for ssl connects and which one for non-ssl connects?
> >
> > Apache is the process - mod_ssl is just a module. Only port 80 is listened to by default by apache so to get SSL to work you must explicitly say Listen 443.
>
> Yes i know that :) The question is - how will mod_ssl know that it should process connections on port 443 and not on port 80.

For one, it's a standard well known port:

darkstar:~# grep 443 /etc/services
https 443/tcp https # http protocol over TLS/SSL

for two, it would most likely be part of your httpd.conf, with the listen directive. Get to know your /etc/services file and know it well, and if you have one not, or a sparse one, do a google search, the well known port/protocol combos are well documented on various url's out there...

> > > Another question. if I run http on port 80 and httpd on port 443, and I define only one virtualhost:
> > >
> > > <VirtualHost ip.address>
> > > ServerName blablabla
> > > </VirtualHost>
> > >
> > > will that virtualhost be available via both ports/protocols?
> >
> > I guess so... but this is not a good idea since SSL requires lots of extra directives (like SSLEngine on) - how they would interact with the HTTP host is not obvious...
>
> hmmm. I think I can put generic SSL directives into server's config and none special are _required_ for virtualhosts. I just have some virtualhosts and wish to give access to all of them without reconfiguring them. And that about sslengine was exactly what i wanted to know. could i turn on SSLEngine on for all connections to one port and turn it off for all connections on other port?

Have you actually parsed through the default httpd.conf file that is installed when you compile the openssl/mod-ssl/apache combo? Some folks will add in MM in that combo. It's pretty well documented, and reading through it as one parses the FAQ and other documentation included is always a good starting point.

> > > Or, do I need to define two virtualhosts, one on port 80 without ssl and one on 443 with ssl?
> >
> > This is a much better idea - keep the SSL and HTTP hosts completely separate, you will sleep better.

Thanks,
Ron DuFresne
http to https redirect configuration question
I am having a difficult time solving the following:

I want our apache non-secure http:// server to redirect to the secure https:// server whenever the non-secure server encounters a .htaccess file in any directory. I do not want to redirect entire directories or the server itself, only those that contain a .htaccess file.

The standard apache Redirect or RedirectMatch cannot do this because the .htaccess file is not typically specified by the user. You run into a looping problem if you specify a redirect in the .htaccess file itself. I was hoping there is some switch at the server level to do this. I of course searched all the docs and mailing archives for a solution.

There is a solution using javascript in the index.html file that can do a redirect but this would have to be placed in everyone's .index file and there is no guarantee users will do this.

Any solutions would be appreciated. Thanks.

--
John W. Sopko Jr.
University of North Carolina, Computer Science Dept., CB 3175, Sitterson Hall; Room 135, Chapel Hill, NC 27599-3175
email: [EMAIL PROTECTED] Phone: 919-962-1844 Fax: 919-962-1799
RE: http to https redirect configuration question
We have from time to time the following traces in our Apache logs:

[Mon Feb 4 08:17:24 2002] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Mon Feb 4 08:17:24 2002] [error] System: Connection reset by peer (errno: 104)

Can anyone help us find what the problem can be related to? Our apache is 1.3.20, mod_ssl 2.8.4, OpenSSL 0.9.6b.

Part of our configuration is:

<IfModule mod_ssl.c>
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

# Adding that line because of info from mod_ssl mailing list to
# make more stable Apache SSL.
# To my understanding (and anyone who can correct me if I am wrong, please do),
# some versions of Microsoft Internet Explorer (MSIE) have problems with using the
# HTTP/1.1 protocol with SSL. What this command does is to turn off keepalive
# facility and force HTTP/1.0 responses (rather than HTTP/1.1 responses) when the
# browser (User-Agent) is a version of MSIE. If you would like more information on
# this, you might try the following page from the mod_ssl FAQ:
#
# http://www.modssl.org/docs/2.8/ssl_faq.html#ToC49
#
<IfModule mod_setenvif.c>
#SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
SetEnvIf User-Agent "MSIE [1-4]" nokeepalive \
    ssl-unclean-shutdown downgrade-1.0 \
    force-response-1.0
SetEnvIf User-Agent "MSIE [5-9]" ssl-unclean-shutdown
</IfModule>

#
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First either `none'
# or `dbm:/path/to/file' for the mechanism to use and
# second the expiring timeout (in seconds).
#SSLSessionCache none
#SSLSessionCache shm:/opt/apache/logs/ssl_scache(512000)
SSLSessionCache dbm:/opt/apache/logs/ssl_scache
SSLSessionCacheTimeout 300

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:/opt/apache/logs/ssl_mutex

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# The certificate files are now located under /opt/apache/conf
SSLCertificateFile /opt/apache/conf/XXX.crt
SSLCertificateKeyFile /opt/apache/conf/XXX.key
</IfModule>
RE: http to https redirect configuration question
Take a look at the mod_rewrite docos. I remember seeing some test to see if a file exists (-f operator?). You could parse the URL's path to infer the physical directory and check to see if an .htaccess file exists there, and redirect appropriately to the SSL virtual server.

Off the top of my head, a problem you might encounter is that you'd only have access to the virtual path (the URL's path), and not to the filesystem path, so you'd have to be very careful to take possible aliases into account.

OTOH, if I had that need, I'd probably do something in a mod_perl handler (not a content handler, probably in an auth or access handler) because I'd have full access to the Apache API.

Cheers...
MZ

-----Original Message-----
From: John W. Sopko Jr. [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 04, 2002 10:49
To: [EMAIL PROTECTED]
Subject: http to https redirect configuration question

I am having a difficult time solving the following:

I want our apache non-secure http:// server to redirect to the secure https:// server whenever the non-secure server encounters a .htaccess file in any directory. I do not want to redirect entire directories or the server itself, only those that contain a .htaccess file.

The standard apache Redirect or RedirectMatch cannot do this because the .htaccess file is not typically specified by the user. You run into a looping problem if you specify a redirect in the .htaccess file itself. I was hoping there is some switch at the server level to do this. I of course searched all the docs and mailing archives for a solution.

There is a solution using javascript in the index.html file that can do a redirect but this would have to be placed in everyone's .index file and there is no guarantee users will do this.

Any solutions would be appreciated. Thanks.

--
John W. Sopko Jr.
University of North Carolina, Computer Science Dept., CB 3175, Sitterson Hall; Room 135, Chapel Hill, NC 27599-3175
email: [EMAIL PROTECTED] Phone: 919-962-1844 Fax: 919-962-1799
Can I have HTTP and HTTPS in same VirtualHost block?
I have many virtual hosts which support SSL and non-SSL. For each host, I have built two VirtualHost blocks in my httpd.conf file -- identical blocks except for the port number, and use/non-use of the SSL key. Is there a way to combine all these, so that for each host, I can have one VirtualHost block which answers calls on ports 80 and 443, and turns on SSL as needed? It would make my httpd.conf file a lot tidier and less error-prone. Thank you in advance, Bryan
RE: http and https, same instance
-----Original Message-----
From: Christopher Piggott HOME [mailto:[EMAIL PROTECTED]]
Sent: 19 July 2001 16:49
To: [EMAIL PROTECTED]
Subject: http and https, same instance

> Is it reasonable to expect to run some http and some https traffic on the same instance of apache 1.3 ?

If you mean running name based virtual hosts on port 80 (http) and a single host on port 443 (https), the answer is of course, and we do that ourselves!

Just to clarify, you can't use name based hosts for secure sites. They are OK for non-secure sites. There is one exception that is probably of very little use to anyone.

-
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
RE: http and https, same instance
John,

With Stronghold 3 (a MOD_SSL derivative) on Apache 1.3.19, you can use IP based NameVirtualHosts with SSL.

NameVirtualHost ipx:443

<VirtualHost ipx:443>
ServerName www.servera.com
# ... SSL info for www.servera.com
</VirtualHost>

<VirtualHost ipx:443>
ServerName www.serverb.com
# SSL info for www.serverb.com
</VirtualHost>

NameVirtualHost ipy:443

<VirtualHost ipy:443>
ServerName www.serverc.com
# SSL info for www.serverc.com
</VirtualHost>

Restrictions:
- ipx must resolve to a NIC on the local machine and the local machine must be able to resolve ipx to www.servera.com and www.serverb.com.
- all requests for www.servera.com and www.serverb.com must come in on ipx.
- ipy must resolve to a NIC on the local machine and the local machine must be able to resolve ipy to www.serverc.com.
- all requests for www.serverc.com must come in on ipy.
- the certificate for www.servera.com must be for www.servera.com
- the certificate for www.serverb.com must be for www.serverb.com
- the certificate for www.serverc.com must be for www.serverc.com

This appears to be a change in the Apache 1.3.19 version. I'm using this on Stronghold 3. Although I have not tried it on MOD-SSL, I'm under the impression that this will work with MOD-SSL on Apache 1.3.19 and beyond.

regards,
David Marshall

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 20, 2001 2:00 AM
To: [EMAIL PROTECTED]
Subject: RE: http and https, same instance

-----Original Message-----
From: Christopher Piggott HOME [mailto:[EMAIL PROTECTED]]
Sent: 19 July 2001 16:49
To: [EMAIL PROTECTED]
Subject: http and https, same instance

> Is it reasonable to expect to run some http and some https traffic on the same instance of apache 1.3 ?

If you mean running name based virtual hosts on port 80 (http) and a single host on port 443 (https), the answer is of course, and we do that ourselves!

Just to clarify, you can't use name based hosts for secure sites. They are OK for non-secure sites. There is one exception that is probably of very little use to anyone.

-
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
http and https, same instance
Is it reasonable to expect to run some http and some https traffic on the same instance of apache 1.3 ?

I have named virtual hosts, and I understand they don't work with mod_ssl, but what if I want something like this:

NameVirtualHost 192.168.0.101

### Definition for some http (non SSL) virtual hosts
<VirtualHost 192.168.0.101:80>
ServerName host1.blah.blah.blah.com
# definition for this virtual host
</VirtualHost>

<VirtualHost 192.168.0.101:80>
ServerName host2.blah.blah.blah.com
# definition for this virtual host
</VirtualHost>

### Definition for SSL - ALL port 443!
<VirtualHost _default_:443>
<Location />
SSLRequireSSL
</Location>
</VirtualHost>

In other words, I don't care if the virtual named hosts work properly for SSL, I just want it to work - and it's ok if HTTPS exists outside of any virtual host.

I have thought of adding a second instance of the server, with its own config file (or switches in httpd.conf using IfDefine SSL) ... but I don't really want to lose the usefulness of apachectl. I don't know of a convenient way to do this other than brute force.

Thanks,
--Chris
Re: http and https, same instance
If you have mod_perl, check out an article I wrote for take23 a while back at http://take23.org/articles/2001/03/12/redirect.xml?style=printable

If you don't, maybe mod_rewrite would help?

Then again, maybe I'm misreading what you need?

--- Christopher Piggott HOME [EMAIL PROTECTED] wrote:

> Is it reasonable to expect to run some http and some https traffic on the same instance of apache 1.3 ?
>
> I have named virtual hosts, and I understand they don't work with mod_ssl, but what if I want something like this:
>
> NameVirtualHost 192.168.0.101
>
> ### Definition for some http (non SSL) virtual hosts
> <VirtualHost 192.168.0.101:80>
> ServerName host1.blah.blah.blah.com
> # definition for this virtual host
> </VirtualHost>
>
> <VirtualHost 192.168.0.101:80>
> ServerName host2.blah.blah.blah.com
> # definition for this virtual host
> </VirtualHost>
>
> ### Definition for SSL - ALL port 443!
> <VirtualHost _default_:443>
> <Location />
> SSLRequireSSL
> </Location>
> </VirtualHost>
>
> In other words, I don't care if the virtual named hosts work properly for SSL, I just want it to work - and it's ok if HTTPS exists outside of any virtual host.
>
> I have thought of adding a second instance of the server, with its own config file (or switches in httpd.conf using IfDefine SSL) ... but I don't really want to lose the usefulness of apachectl. I don't know of a convenient way to do this other than brute force.
>
> Thanks,
> --Chris
RE: http and https, same instance
I do not use mod_ssl, but I'm using SSL and NamedVirtualHosts on Apache 1.3.19... try this

NameVirtualHost 192.168.0.101

### Definition for some http (non SSL) virtual hosts
<VirtualHost 192.168.0.101:80>
ServerName host1.blah.blah.blah.com
# definition for this virtual host
</VirtualHost>

<VirtualHost 192.168.0.101:80>
ServerName host2.blah.blah.blah.com
# definition for this virtual host
</VirtualHost>

NameVirtualHost 192.168.0.101:443

### Definition for SSL - ALL port 443!
<VirtualHost 192.168.0.101:443>
<Location />
SSLRequireSSL
</Location>
</VirtualHost>

-----Original Message-----
From: Christopher Piggott HOME [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 8:49 AM
To: [EMAIL PROTECTED]
Subject: http and https, same instance

Is it reasonable to expect to run some http and some https traffic on the same instance of apache 1.3 ?

I have named virtual hosts, and I understand they don't work with mod_ssl, but what if I want something like this:

NameVirtualHost 192.168.0.101

### Definition for some http (non SSL) virtual hosts
<VirtualHost 192.168.0.101:80>
ServerName host1.blah.blah.blah.com
# definition for this virtual host
</VirtualHost>

<VirtualHost 192.168.0.101:80>
ServerName host2.blah.blah.blah.com
# definition for this virtual host
</VirtualHost>

### Definition for SSL - ALL port 443!
<VirtualHost _default_:443>
<Location />
SSLRequireSSL
</Location>
</VirtualHost>

In other words, I don't care if the virtual named hosts work properly for SSL, I just want it to work - and it's ok if HTTPS exists outside of any virtual host.

I have thought of adding a second instance of the server, with its own config file (or switches in httpd.conf using IfDefine SSL) ... but I don't really want to lose the usefulness of apachectl. I don't know of a convenient way to do this other than brute force.

Thanks,
--Chris
RE: http and https, same instance
Thanks, that did the trick.

I didn't notice that you can specify a port on a NamedVirtualHosts directive. I realized that from your example. Once I changed my entry to:

NameVirtualHost 192.168.0.101:80

then all of a sudden the HTTPS port was no longer part of a Named set of virtual hosts, and it works.

This is great, because it means I only need one httpd running at a time, and can serve both my named virtual hosts AND the SSL pages.

Thanks again.
--Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Marshall
Sent: Thursday, July 19, 2001 11:53 AM
To: '[EMAIL PROTECTED]'
Subject: RE: http and https, same instance

I do not use mod_ssl, but I'm using SSL and NamedVirtualHosts on Apache 1.3.19... try this

NameVirtualHost 192.168.0.101

### Definition for some http (non SSL) virtual hosts
<VirtualHost 192.168.0.101:80>
ServerName host1.blah.blah.blah.com
# definition for this virtual host
</VirtualHost>

<VirtualHost 192.168.0.101:80>
ServerName host2.blah.blah.blah.com
# definition for this virtual host
</VirtualHost>

NameVirtualHost 192.168.0.101:443

### Definition for SSL - ALL port 443!
<VirtualHost 192.168.0.101:443>
<Location />
SSLRequireSSL
</Location>
</VirtualHost>

-----Original Message-----
From: Christopher Piggott HOME [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 8:49 AM
To: [EMAIL PROTECTED]
Subject: http and https, same instance

Is it reasonable to expect to run some http and some https traffic on the same instance of apache 1.3 ?

I have named virtual hosts, and I understand they don't work with mod_ssl, but what if I want something like this:

NameVirtualHost 192.168.0.101

### Definition for some http (non SSL) virtual hosts
<VirtualHost 192.168.0.101:80>
ServerName host1.blah.blah.blah.com
# definition for this virtual host
</VirtualHost>

<VirtualHost 192.168.0.101:80>
ServerName host2.blah.blah.blah.com
# definition for this virtual host
</VirtualHost>

### Definition for SSL - ALL port 443!
<VirtualHost _default_:443>
<Location />
SSLRequireSSL
</Location>
</VirtualHost>

In other words, I don't care if the virtual named hosts work properly for SSL, I just want it to work - and it's ok if HTTPS exists outside of any virtual host.

I have thought of adding a second instance of the server, with its own config file (or switches in httpd.conf using IfDefine SSL) ... but I don't really want to lose the usefulness of apachectl. I don't know of a convenient way to do this other than brute force.

Thanks,
--Chris
HTTP and HTTPS
Hi,

I had apache 1.3.19 + mod_ssl-2.8.2 + openssl-0.9.6a installed with no error. I can start up Apache by running apachectl startssl and there is no error in the error_log file either. But I cannot connect to the server via https with Netscape Navigator 4.7. It can only do http.

Please help! There must be something important that I missed.

Thanks,
Mengpei Hu
sometimes http sometimes https
Does anyone know why, if I use a response.redirect from a servlet to a jsp, I get an http jsp, but if I do a getServletConfig().getServletContext().getRequestDispatcher I get an https page (obviously showing the servlet address in the url window)? I don't see why.

Justin
RE: Automatic change from http to https when password is required
Sure, just tell Apache to protect your whole https document tree. Then whenever a user tries to get a document out of there, Apache will insist he/she be authenticated.

-----Original Message-----
From: Harald Falkenberg [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 05, 2001 3:00 PM
To: [EMAIL PROTECTED]
Subject: Automatic change from http to https when password is required

Hi,

is there a possibility to switch automatically from http to https as soon as a password is required to access a web page? The setup for the http and https server is identical.

For any hints thank you in advance

Harald
RE: Automatic change from http to https when password is required
I use mod_rewrite to redirect all http traffic to https.

    #
    # Mod rewrite
    #
    # rewrite environment
    RewriteEngine on
    RewriteLog /www/apache/logs/https_rewrite_log
    RewriteLogLevel 1

    # redirect http to https
    # If you don't try to access https, then redirect to https
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R]

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Harald Falkenberg
Sent: Monday, February 05, 2001 3:00 PM
To: [EMAIL PROTECTED]
Subject: Automatic change from http to https when password is required

Hi,

is there a possibility to switch automatically from http to https as soon as a password is required to access a web page? The setup for the http and https server is identical.

For any hints thank you in advance

Harald
RE: Automatic change from http to https when password is required
Hi Joshua,

your described solution looks like the way I'm looking for. Can you please give me a piece of configuration? I'm not so familiar with handler handlings. So it would help me a lot.

Do you think it is possible to use the rewrite mod instead of perl for this purpose?

thanks in advance

Harald

---
Dr. Harald Falkenberg
Deutsches Elektronensynchrotron (DESY)
Notkestr. 85, 22603 Hamburg, Germany
Phone: +49-40 8998-3753
Fax.: +49-40 8994-3753
E-Mail: [EMAIL PROTECTED]
---

On Mon, 12 Feb 2001, Joshua Gerth wrote:

> Hi Harald,
>
> Although not strictly a modssl solution, I solved this by using a mod_perl PerlAccessHandler directive in each of my Location tags. Access handlers are processed before Authen/Authz handlers so all protected pages (those that require a login/password) are sent to the secure sever.
>
> Hope that helps somewhat,
> Joshua
>
> > is there a possibility to switch automatically from http to https as soon as a password is required to access a web page? The setup for the http and https server is identical.
> >
> > For any hints thank you in advance
> >
> > Harald
RE: Automatic change from http to https when password is required
Hi Harald,

> your described solution looks like the way I'm looking for. Can you please give me a piece of configuration? I'm not so familiar with handler handlings. So it would help me a lot.

Sure, your Location tag would look like:

    <Location "/SecureMe/">
        AuthName "Whats the secret knock"
        AuthType Basic
        PerlAccessHandler Apache::ForceSSL
        PerlAuthenHandler Apache::MyAuthen
        PerlAuthzHandler Apache::MyAuthz
        require valid-user
    </Location>

You also need the line:

    PerlSetVar SecureServer my.secure.server.com

So the Apache::ForceSSL is what does the http -> https rewrite. It looks like:

    package Apache::ForceSSL;

    use strict;
    use Apache::Constants qw(:response);
    use Apache::Util qw(escape_uri);

    sub handler {
        # Get the rec
        #
        my $r = shift;

        my $port = $r->get_server_port;
        if( $port != 443 ) {
            # Without a configured SecureServer there is nowhere to redirect to
            my $server = $r->dir_config('SecureServer') or return DECLINED;
            my $uri = escape_uri($r->uri);

            # Redirect to the encrypted port
            #
            my $location = "https://" . $server . $uri;
            $r->header_out('Location' => $location);
            # Returning REDIRECT makes Apache send the redirect and stop
            # before the Authen/Authz phases run
            return REDIRECT;
        }
        return DECLINED;
    }

    1;

Once I figure out how to get the server name from mod_perl and how to successfully test for ssl I can make it even more dynamic.

> Do you think it is possible to use the rewrite mod instead of perl for this purpose?

Not that I know of. I have heard of other people having an external rewrite file which says "if your URL is one of these then rewrite to ssl". The problem I have with that is its yet another file to update. The PerlAccessHandler is easy because I simply add it to the location block and I am done.

Hope that helps,
Joshua
RE: Automatic change from http to https when password is required
Hi Harald,

> One step is still missing in my chain: I like to change from http to https not depending on the directory or location tag. I like to switch as soon as an authorization is required. This is more flexible.

I too tried to take it this direction first. So I added a bunch of stuff to my AuthenHandler. No go, by the time this module is executed, the browser has already asked for a login and password (so they are sent over plain text).

So then you could have something like a global AccessHandler (I am guessing). The problem is your global access handler would have to dynamically know if the area being requested was protected or not since an AccessHandler could apply to more than just protected locations. Since that is later in the apache cycle I could not track down if this was even possible. So I was left with what I showed.

> It looks like to find something similar like reacting on the server error code 401 by
>
>     errordocument 401 /path/doc.html

I think the problem with this is that in order to get the 401 you must first prompt the user for a login/password. I could be wrong though.

Maybe someone else has some comments.

Good luck,
Joshua
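The exposure discussed in this thread (a Basic-auth prompt that is answered over plain HTTP before any redirect can run) can be checked for statically. The following is an added example, not code from any poster or from mod_ssl: a Python audit that reads httpd.conf-style text and reports each section with AuthType Basic that is reachable without SSL. The sample configuration is constructed, and the inheritance model (SSLRequireSSL applies to nested sections, the nearest SSLEngine setting wins, no Include or .htaccess handling) is a simplifying assumption.

```python
import re

OPEN = re.compile(r"<\s*(\w+)\s*([^>]*?)\s*>")
CLOSE = re.compile(r"</\s*(\w+)\s*>")

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONF = """\
SSLEngine off
<Directory /usr/local/apache/cgi-bin>
    AuthType Basic
    require valid-user
</Directory>
<VirtualHost 192.168.0.101:80>
    <Location "/SecureMe/">
        AuthName "Members only"
        AuthType Basic
        require valid-user
    </Location>
    <Directory /home/user/html/ssl_stuff/>
        AuthType Basic
        require valid-user
        SSLRequireSSL
    </Directory>
</VirtualHost>
<VirtualHost _default_:443>
    SSLEngine on
    <Location /admin>
        AuthType Basic
        require valid-user
    </Location>
</VirtualHost>
"""

class Section:
    # One container block (<VirtualHost>, <Location>, ...) or the main server.
    def __init__(self, name, args="", parent=None, line=0):
        self.name, self.args, self.parent, self.line = name, args, parent, line
        self.directives = []  # (lowercased directive name, argument string)
        self.children = []

    def value(self, directive):
        # Last argument given for the directive in this section, None if absent.
        found = [a for n, a in self.directives if n == directive]
        return found[-1] if found else None

    def ancestors(self):
        # This section first, then each enclosing section up to the main server.
        node = self
        while node is not None:
            yield node
            node = node.parent

def parse(conf_text):
    root = cur = Section("main server")
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing, opening = CLOSE.fullmatch(line), OPEN.fullmatch(line)
        if closing:
            if cur.parent is None or closing.group(1).lower() != cur.name.lower():
                raise ValueError(f"line {lineno}: unexpected </{closing.group(1)}>")
            cur = cur.parent
        elif opening:
            cur = Section(opening.group(1), opening.group(2).strip('"'), cur, lineno)
            cur.parent.children.append(cur)
        else:
            parts = line.split(None, 1)
            cur.directives.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    if cur is not root:
        raise ValueError(f"<{cur.name}> opened on line {cur.line} is never closed")
    return root

def tls_guaranteed(section):
    # True if SSLRequireSSL is set here or in an enclosing section, or if the
    # nearest SSLEngine setting (assumed inheritance model) is "on".
    for node in section.ancestors():
        if node.value("sslrequiressl") is not None:
            return True
        engine = node.value("sslengine")
        if engine is not None:
            return engine.lower() == "on"
    return False

def audit(conf_text):
    # Report every AuthType Basic section that can be reached without SSL.
    findings = []
    stack = [parse(conf_text)]
    while stack:
        node = stack.pop()
        stack.extend(reversed(node.children))  # visit in document order
        if (node.value("authtype") or "").lower() == "basic" and not tls_guaranteed(node):
            vhost = next((a for a in node.ancestors() if a.name.lower() == "virtualhost"), None)
            findings.append({"section": f"{node.name} {node.args}",
                             "vhost": vhost.args if vhost else "main server",
                             "line": node.line})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print(f"line {f['line']}: {f['section']} in {f['vhost']} accepts Basic auth without SSL")
```

Adding SSLRequireSSL to a reported section, or moving it under the port 443 virtual host, clears the finding.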
RE: Automatic change from http to https when password is required
The switch is by appending https to your links instead of http. If you want, you can give both web servers the same document root. Haven't thought through completely, but I suppose you could have the logon screen be https explicitly, and all the other pages relative references, so once you've switched to https you would stay there. Seems full of holes though - someone could simply remove the "s" in https, backpage or any of a dozen other things. To be truly secure, I would have the two sites completely independent of each other.

-----Original Message-----
From: Harald Falkenberg [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 05, 2001 3:00 PM
To: [EMAIL PROTECTED]
Subject: Automatic change from http to https when password is required

Hi,

is there a possibility to switch automatically from http to https as soon as a password is required to access a web page? The setup for the http and https server is identical.

For any hints thank you in advance

Harald
RE: Automatic change from http to https when password is required
Hi Harald,

Although not strictly a modssl solution, I solved this by using a mod_perl PerlAccessHandler directive in each of my Location tags. Access handlers are processed before Authen/Authz handlers so all protected pages (those that require a login/password) are sent to the secure sever.

Hope that helps somewhat,
Joshua

> is there a possibility to switch automatically from http to https as soon as a password is required to access a web page? The setup for the http and https server is identical.
>
> For any hints thank you in advance
>
> Harald
RE: Automatic change from http to https when password is required
On 12 February 2001 17:35, [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]] wrote:

> The switch is by appending https to your links instead of http. If you want, you can give both web servers the same document root. Haven't thought through completely, but I suppose you could have the logon screen be https explicitly, and all the other pages relative references, so once you've switched to https you would stay there. Seems full of holes though -

We utilise this method to allow users who are merely browsing to avoid https then have an explicit link to https://www.ourdomain.com/document when needed.

We also use the SSLOptions RequireSSL config directive on specific directories/jserv zones (eg CGI-BIN, Servlets) to enforce SSL where data exchange is taking place.

Additionally we even go as far as enforcing 128 bit connections only by using a perl script to dynamically redirect to the https part of the site if they have 128 bit, or to a page containing upgrade links for those without 128 bit encryption. (Use the SSLOptions +StdEnvVars to make the SSL Environment variables available to the CGI namespace - And refer to $ENV{"SSL_CIPHER_USEKEYSIZE"} in your perl script to retrieve the value of the encryption in use - NB an SSL Session must be ongoing for this to work of course)

> someone could simply remove the "s" in https, backpage or any of a dozen other things. To be truly secure, I would have the two sites completely independent of each other.

this is the best way to go for sure - but if you correctly map your site by placing all of the stuff requiring SSL in self contained directories you can enforce SSL on those directories - which stops users dumb enough to remove the 's' from 'https' from accessing files in that directory.

Hope this helps

regards
Earl

-----Original Message-----
From: Harald Falkenberg [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 05, 2001 3:00 PM
To: [EMAIL PROTECTED]
Subject: Automatic change from http to https when password is required

Hi,

is there a possibility to switch automatically from http to https as soon as a password is required to access a web page? The setup for the http and https server is identical.

For any hints thank you in advance

Harald
Automatic change from http to https when password is required
Hi,

is there a possibility to switch automatically from http to https as soon as a password is required to access a web page? The setup for the http and https server is identical.

For any hints thank you in advance

Harald
Re: http vs. https
Wayne Li wrote:

> My question is, how can restrict a directory/file to be only accessed by https, and others by http?

Think of the SSL server as a distinct VirtualHost so make sure the content directories don't overlap. E.g something like:

    HTTP virtual host:
        DocumentRoot /home/user/html/plain_HTTP

    SSL virtual host:
        DocumentRoot /home/user/html/ssl_stuff

If you must have SSL stuff under the HTTP DocumentRoot then use:

    <Directory /home/user/html/ssl_stuff/>
        SSLRequireSSL
    </Directory>

Rgds,
Owen Boyle
Re: http vs. https
> And I can access the web server by both http and https. Both http://myhost/ and https://myhost/ are OK.
>
> My question is, how can restrict a directory/file to be only accessed by https, and others by http?

Use the

    <Location somewhere>
        SSLRequireSSL
    </Location>

directive

Bye,
Ago

ps.: you can use mod_rewrite to always rewrite these directories address from http:// to https://
Re: http vs. https
Hello!

And how did you manage your DocumentRoot settings? Because I followed the instructions and settings and I just see the default redhat page, which says I should change the documentroot. But why should I? I just keep the pages in a directory set up to virtual domains and all of them have a separate directory under this virtuals directory. So how is it possible to use the same directory just with https://... Should I use the mod_rewrite every time?

Bye,
Ago
http vs. https
Hi all,

Now I successfully installed mod_ssl, and configure the httpd.conf as:

    <IfDefine SSL>
    Listen 80
    Listen 443
    </IfDefine>

    <VirtualHost _default_:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
    </VirtualHost>

And I can access the web server by both http and https. Both http://myhost/ and https://myhost/ are OK.

My question is, how can restrict a directory/file to be only accessed by https, and others by http? i.e.

    https://myhost/cgi-bin/test.pl
    http://myhost/

Wayne

Comnetix Computer Systems Inc.
2872 Bristol Circle #100
Oakville, Ontario L6H 6G4
Tel: (905) 829-9988 ext 242
Fax: (905) 829-1944
Re: forcing http to https with a twist
--- Haroon Rafique [EMAIL PROTECTED] wrote:

> Thanks for responding, Paul, Carlos and Michael.

You're welcome. =o)

> Unfortunately, my situation is a catch 22. I will give you more background to help understand my position.

Good idea, lol

> Here's the current situation:
> - homepage is http which leads to an https form-based login page.
>
> Here's what we want to achieve:
> - Make the https form-based login page be the actual homepage to eliminate an extra click-thru with a way to silently redirect to http page in the case of non-SSL capable browser.

Ah! That's a little simpler than I was thinking, actually. I think ~lol~

> How do other people deal with this scenario? Is there always an http page which leads to the https page to cover the possibility that the user is coming in with non-SSL lynx and at least you could warn them about that on the http page. Any other way out?

Ok. Try this (and I'm hoping more knowledgeable folk will poke holes in this where applicable, since they'll probably have better ideas.)

I run my SSL server as a VirtualHost on the same box, but with practically the same setup (docroot, etc.), but I think you should be able to set up the SSL document root in one location (the https form-based login page you mentioned) and the http on port 80 (or whatever you're using) document root on the nonsecure info page.

If someone hits the nonsecure server, it'll give them its page, which isn't the same as the SSL login (though it can be named the same, just in another directory). If they use https they'll hit the secure port, and get the secure docroot's login page.

Holes, anyone? I'm not testing this or rummaging through the documentation as I blather, so please don't let me lead anyone astray...

Paul

> Thanks,
> --
> Haroon Rafique [EMAIL PROTECTED]
Re: forcing http to https with a twist
Paul,

If you need people to login, then the first page can be served up with http:

The action of the form should be https://myserver.com/cgi/login.pl

This technique is not often used, because the secure icon does not come up when they are on the login page, only when they have logged in.

By setting the action of the form to https:, it means that the data IS encrypted in transmission.

Hope that makes sense

Mike

At 11:15 8/12/2000 -0800, you wrote:

> --- Haroon Rafique [EMAIL PROTECTED] wrote:
>
> > Thanks for responding, Paul, Carlos and Michael.
>
> You're welcome. =o)
>
> > Unfortunately, my situation is a catch 22. I will give you more background to help understand my position.
>
> Good idea, lol
>
> > Here's the current situation:
> > - homepage is http which leads to an https form-based login page.
> >
> > Here's what we want to achieve:
> > - Make the https form-based login page be the actual homepage to eliminate an extra click-thru with a way to silently redirect to http page in the case of non-SSL capable browser.
>
> Ah! That's a little simpler than I was thinking, actually. I think ~lol~
>
> > How do other people deal with this scenario? Is there always an http page which leads to the https page to cover the possibility that the user is coming in with non-SSL lynx and at least you could warn them about that on the http page. Any other way out?
>
> Ok. Try this (and I'm hoping more knowledgeable folk will poke holes in this where applicable, since they'll probably have better ideas.)
>
> I run my SSL server as a VirtualHost on the same box, but with practically the same setup (docroot, etc.), but I think you should be able to set up the SSL document root in one location (the https form-based login page you mentioned) and the http on port 80 (or whatever you're using) document root on the nonsecure info page.
>
> If someone hits the nonsecure server, it'll give them its page, which isn't the same as the SSL login (though it can be named the same, just in another directory). If they use https they'll hit the secure port, and get the secure docroot's login page.
>
> Holes, anyone? I'm not testing this or rummaging through the documentation as I blather, so please don't let me lead anyone astray...
>
> Paul
>
> > Thanks,
> > --
> > Haroon Rafique [EMAIL PROTECTED]
Re: forcing http to https with a twist
Thanks for responding, Paul, Carlos and Michael.

Unfortunately, my situation is a catch 22. I will give you more background to help understand my position.

Here's the current situation:
- homepage is http which leads to an https form-based login page.

Here's what we want to achieve:
- Make the https form-based login page be the actual homepage to eliminate an extra click-thru with a way to silently redirect to http page in the case of non-SSL capable browser.

How do other people deal with this scenario? Is there always an http page which leads to the https page to cover the possibility that the user is coming in with non-SSL lynx and at least you could warn them about that on the http page. Any other way out?

Thanks,
--
Haroon Rafique [EMAIL PROTECTED]
Re: forcing http to https with a twist
Haroon Rafique wrote:

> - homepage is http which leads to an https form-based login page.

This is the normal way to do things.

> Here's what we want to achieve:
> - Make the https form-based login page be the actual homepage to eliminate an extra click-thru with a way to silently redirect to http page in the case of non-SSL capable browser.

Remember that SSL isn't something the user switches on by accident - they have to choose SSL by using "https" instead of "http" in the browser.

You want an SSL server which also serves HTTP. That is fairly easy - simply make two identical virtual hosts, one on port 443, the other on port 80:

    <VirtualHost my.site.com:443>
    ...contents
    </VirtualHost>

    <VirtualHost my.site.com:80>
    ...contents
    </VirtualHost>

This will respond with identical content to https or http.

Rgds,
Owen Boyle.
forcing http to https with a twist
I have been reading the archives for a while now and didn't see any solution to my problem. So here goes... Thanks in advance for any solutions.

To force people to use https instead of http, I could use the mod_rewrite as follows (all is theoretical, I don't have access to apache or apache with mod_ssl right now, so please bear with me):

    RewriteEngine On
    # use log level 9 for most verbose 0 for least
    RewriteLogLevel 9
    RewriteLog "/etc/httpd/logs/rewrite.log"
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]

It is absolutely essential to give the user the ability to see the homepage as regular http (and a few tech support pages) in case they have SSL turned off, or are using lynx without SSL support. Otherwise, if I blindly forward all http requests to https how would they know they're supposed to use SSL when they're using a non-SSL browser.

Is it possible to not have a RewriteCond which prevents the RewriteRule to execute to take care of the above situation? Am I missing something obvious?

Thanks,
--
Haroon Rafique [EMAIL PROTECTED]
Re: forcing http to https with a twist
--- Haroon Rafique [EMAIL PROTECTED] wrote:

> I have been reading the archives for a while now and didn't see any solution to my problem. So here goes... Thanks in advance for any solutions.
>
> To force people to use https instead of http, I could use the mod_rewrite as follows (all is theoretical, I don't have access to apache or apache with mod_ssl right now, so please bear with me):
>
>     RewriteEngine On
>     # use log level 9 for most verbose 0 for least
>     RewriteLogLevel 9
>     RewriteLog "/etc/httpd/logs/rewrite.log"
>     RewriteCond %{HTTPS} !=on
>     RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
>
> It is absolutely essential to give the user the ability to see the homepage as regular http (and a few tech support pages) in case they have SSL turned off, or are using lynx without SSL support. Otherwise, if I blindly forward all http requests to https how would they know they're supposed to use SSL when they're using a non-SSL browser.
>
> Is it possible to not have a RewriteCond which prevents the RewriteRule to execute to take care of the above situation? Am I missing something obvious?
>
> Thanks,
> --
> Haroon Rafique [EMAIL PROTECTED]

As a quick-and-dirty response, here's a modperl handler we set up:

    #~~
    # module for Apache/mod_perl PerlPostReadRequestHandler to redirect
    # users on the nonsecure port over to SSL (hopefully saving bookmarks)
    #__
    package Apache::PortCorrect;

    use strict;
    use Apache::Constants qw( :response :methods );

    sub handler {
        my($r,$s,$url,$args,$uri,$subr);
        $r = shift;                          # the request object
        # already on the secure port: nothing to do
        return OK if 443 == $r->get_server_port;
        # second field of the request line is the requested URL
        (undef,$url,undef) = split(/\s+/o, $r->the_request);
        # paths that may stay on plain http
        return OK if $url =~ m{ ^(?:/
                                 |.*[.](?:gif|jpg)
                                 |/(?: public
                                     | teampages
                                     | pics
                                     | avgrates
                                     | regulatory
                                   )(?:/.*)?
                                 |/(?:home|cook)[.]shtml
                                )$
                              }ixo;
        $uri  = "https://buda.bst.bls.com" . $url;
        $uri .= "?$args" if $args = $r->args;
        $r->custom_response(MOVED,$uri);
        return MOVED;
    }

    1; # guarantee return code for load

===

It allows http on the listed subsites, but redirects to the secure port for everything else. If you don't have mod_perl, you might manage a similar effect with some hacking. There are better ways, but my ride's waiting. =o)

Good luck.
Re: forcing http to https with a twist
Try adding:

    RewriteCond %{REQUEST_URI} !(homepage|techsup1|techsup2)\.html$

which tells the server don't redirect to HTTPS provided the requested uri is not the homepage or tech support pages.

i hope this helps ;)

Or maybe just put your secure pages in a different directory and use the SSLRequire directive in that specific directory.

-Carlos

Haroon Rafique wrote:

> I have been reading the archives for a while now and didn't see any solution to my problem. So here goes... Thanks in advance for any solutions.
>
> To force people to use https instead of http, I could use the mod_rewrite as follows (all is theoretical, I don't have access to apache or apache with mod_ssl right now, so please bear with me):
>
>     RewriteEngine On
>     # use log level 9 for most verbose 0 for least
>     RewriteLogLevel 9
>     RewriteLog "/etc/httpd/logs/rewrite.log"
>     RewriteCond %{HTTPS} !=on
>     RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
>
> It is absolutely essential to give the user the ability to see the homepage as regular http (and a few tech support pages) in case they have SSL turned off, or are using lynx without SSL support. Otherwise, if I blindly forward all http requests to https how would they know they're supposed to use SSL when they're using a non-SSL browser.
>
> Is it possible to not have a RewriteCond which prevents the RewriteRule to execute to take care of the above situation? Am I missing something obvious?
>
> Thanks,
> --
> Haroon Rafique [EMAIL PROTECTED]

--
---
Carlos Ramirez + Boeing + Reusable Space Systems + 714.372.4181
---
-- Don't make me use uppercase
Re: forcing http to https with a twist
I've been planning on adding a force in the PHP function we call in the header of each page to do this. Not sure if mod rewrite would be a better solution or not. Using a special header function allows me to tightly control which pages are used though.

*^*^*^*
Have the courage to take your own thoughts seriously, for they will shape you. -- Albert Einstein

On Wed, 6 Dec 2000, Haroon Rafique wrote:

> I have been reading the archives for a while now and didn't see any solution to my problem. So here goes... Thanks in advance for any solutions.
>
> To force people to use https instead of http, I could use the mod_rewrite as follows (all is theoretical, I don't have access to apache or apache with mod_ssl right now, so please bear with me):
>
>     RewriteEngine On
>     # use log level 9 for most verbose 0 for least
>     RewriteLogLevel 9
>     RewriteLog "/etc/httpd/logs/rewrite.log"
>     RewriteCond %{HTTPS} !=on
>     RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
>
> It is absolutely essential to give the user the ability to see the homepage as regular http (and a few tech support pages) in case they have SSL turned off, or are using lynx without SSL support. Otherwise, if I blindly forward all http requests to https how would they know they're supposed to use SSL when they're using a non-SSL browser.
>
> Is it possible to not have a RewriteCond which prevents the RewriteRule to execute to take care of the above situation? Am I missing something obvious?
>
> Thanks,
> --
> Haroon Rafique [EMAIL PROTECTED]
Re: Redirect http to https -- was -Re: [BugDB] Http redirected to https (PR#441)
RE: QUESTION FROM ADRIAN STOVALL

Hi Adrian,

I assume your problem is as follows:

- You have a normal HTTP site and an SSL site.
- A user in the HTTP site should click on a link and automatically be redirected to the SSL site.
- The web-page in the HTTP site should *not* contain the explicit SSL URL (e.g. https://whatever).
- This last requirement is what makes life difficult (by the way, if you *don't* have that requirement, just explicitly link to https and you don't need to rewrite!)

Try the following:

(1) Switch on logging; i.e. add the directives marked -->;

        RewriteEngine on
    --> RewriteLog logs/rewrite_log
    --> RewriteLogLevel 9
        RewriteRule ...whatever the rule is...

Tail the logfile (i.e. # tail -f rewrite_log) while you try hits and see what it is doing. Also check the normal TransferLog.

(3) You need to rewrite a string in the HTTP site to turn it into a URL which leads to the SSL site. Similarly, in the SSL directory, you need to rewrite a URL to get back to the HTTP directory. Look at this example:

(a) in the HTTP VirtualHost;

    DocumentRoot /home/banana/html
    RewriteRule ^/secure/(.*) https://www.banana.com/$1

(b) in the HTTP HTML docs;

    <a href=/secure/credit_card_form.html>This goes to the SSL VirtualHost</a>

this gets rewritten like:

    /secure/credit_card_form.html --> https://www.banana.com/credit_card_form.html

(c) in the SSL VirtualHost;

    DocumentRoot /home/banana/html/secure_stuff
    RewriteRule ^/http/(.*) http://www.banana.com/$1

(d) in SSL HTML docs;

    <a href=/http/plain_old_file.html>This goes back to good old HTTP</a>

this gets rewritten like:

    /http/plain_old_file.html --> http://www.banana.com/plain_old_file.html

Note that the "http" and "secure" directories don't actually exist. These are just tokens that the Rewrite engine parses and replaces with the appropriate http:// or https:// URLs. Also note that the DocumentRoots are different for the HTTP and SSL sites.

Best of Luck,

Owen Boyle.

--
SWX Swiss Exchange, 10 Cours de Rive, 1211 Geneve 3
Phone: +41 (0)22 849 5648 | Fax: +41 (0)22 849 5643
Re: Redirect http to https -- was -Re: [BugDB] Http redirected to https (PR#441)
> Just out of curiosity: What's the advantage of avoiding links with "https" to get to an SSL URL from an HTTP site?

I don't know of one. The reason I do this is if someone types in http they will be redirected to https instead of getting a "server is not responding" since I wouldn't be listening on port 80.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602
915-695-6962
Redirect http to https -- was -Re: [BugDB] Http redirected to https (PR#441)
I would like to find out how to set the website to default or redirect all http calls to https. Do I use the same method as described for relative calls?

Owen gave me several suggestions which worked. The first thing to do is to separate your root doc and cgi directories for your ssl and non-ssl. Failure to do this sets up a loop. Then you can use mod_rewrite, redirect, or redirectmatch to send things to the ssl side.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602
915-695-6962
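The token rewrites from Owen Boyle's message and the loop Lewis Bergman mentions can be checked with a small model. This is an added example, not code from the thread: `make_site` and `follow` are hypothetical helpers, and the "shared" case assumes the loop arises because the same redirect rule is active on both the HTTP and the SSL side.

```python
import re
from urllib.parse import urlsplit

HOST = "www.banana.com"  # host name taken from the example in the thread


def make_site(http_rules, https_rules):
    """Model one server as two rule lists of (path regex, redirect template)."""
    rules = {"http": http_rules, "https": https_rules}

    def resolve(url):
        parts = urlsplit(url)
        for pattern, template in rules[parts.scheme]:
            match = re.match(pattern, parts.path or "/")
            if match:
                return match.expand(template)  # external redirect target
        return None  # no rule matched: the document is served

    return resolve


def follow(resolve, url, max_hops=10):
    """Follow redirects; return (chain, 'ok' | 'loop' | 'too-many-hops')."""
    chain, seen = [url], {url}
    while len(chain) <= max_hops:
        target = resolve(chain[-1])
        if target is None:
            return chain, "ok"
        chain.append(target)
        if target in seen:
            return chain, "loop"
        seen.add(target)
    return chain, "too-many-hops"


# Rules (a) and (c) from the message: tokens that switch scheme.
TO_SSL = (r"^/secure/(.*)", rf"https://{HOST}/\1")
TO_HTTP = (r"^/http/(.*)", rf"http://{HOST}/\1")
# Constructed rule: send every HTTP path to HTTPS.
ALL_TO_SSL = (r"^/(.*)", rf"https://{HOST}/\1")

token_scheme = make_site([TO_SSL], [TO_HTTP])
separated = make_site([ALL_TO_SSL], [])          # rule only on the HTTP side
shared = make_site([ALL_TO_SSL], [ALL_TO_SSL])   # same rule on both sides

if __name__ == "__main__":
    for name, site, start in [
        ("token", token_scheme, f"http://{HOST}/secure/credit_card_form.html"),
        ("separated", separated, f"http://{HOST}/index.html"),
        ("shared", shared, f"http://{HOST}/index.html"),
    ]:
        chain, status = follow(site, start)
        print(f"{name:10} {status:5} {' -> '.join(chain)}")
```

Replacing `resolve` with a function that issues a real request and returns the `Location` header turns the same loop check into a test for a live configuration.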
Re: HTTP fails, HTTPS works
I did try the same thing, but it didn't work for me. It would also be impractical for me to not use separate files, since I host 25 domains on that server. I did end up fixing the problem by using the apache-mod-ssl releases in the contrib section of the website. Things work great now.

Thanks for the help.

Dan

Matthew Vanecek wrote:
> I had the same problem. Poked at it a bit, couldn't figure it out. Everything was configured properly, and everything was compiled properly. https worked beautifully, but not at the same time as http. Caused me much loss of hair. :/
>
> After poking through the archives to no avail, I decided to get rid of the Includes and just put everything in my httpd.conf. Lo and Behold! IT WORKED!!! I was amazed and irritated. Why it doesn't work with "Include conf/ssl/mod_ssl.conf" I have no idea. I even had Port 80 set up in a virtual host, without success.
>
> Here is the relevant section from my httpd.conf. Hope it helps:
>
> # Include conf/ssl/mod_ssl.conf
> LoadModule ssl_module /usr/lib/apache/libssl.so
> AddModule mod_ssl.c
> Listen 443
> Listen 80
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl .crl
> SSLPassPhraseDialog builtin
> SSLSessionCache dbm:logs/ssl_scache
> SSLSessionCacheTimeout 300
> SSLMutex file:logs/ssl_mutex
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> SSLLog logs/ssl_engine_log
> SSLLogLevel info
> SSLEngine off
>
> <VirtualHost _default_:80>
> ServerAdmin [EMAIL PROTECTED]
> DocumentRoot /home/httpd/html
> SSLEngine off
> </VirtualHost>
>
> <VirtualHost _default_:443>
> DocumentRoot /home/httpd/secure
> ServerAdmin [EMAIL PROTECTED]
> ErrorLog logs/ssl-error_log
> TransferLog logs/ssl-access_log
> SSLEngine on
> SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateFile conf/ssl/server.crt
> SSLCertificateKeyFile conf/ssl/server.key
> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
> CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> </VirtualHost>
>
> # Include conf/ssl/ssl.default-vhost.conf
>
> --
> Matthew Vanecek
> Visit my Website at http://mysite.directlink.net/linuxguy
> For answers type: perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
> * For 93 million miles, there is nothing between the sun and my shadow except me. I'm always getting in the way of something...
Re: HTTP fails, HTTPS works
I had the same problem. Poked at it a bit, couldn't figure it out. Everything was configured properly, and everything was compiled properly. https worked beautifully, but not at the same time as http. Caused me much loss of hair. :/

After poking through the archives to no avail, I decided to get rid of the Includes and just put everything in my httpd.conf. Lo and Behold! IT WORKED!!! I was amazed and irritated. Why it doesn't work with "Include conf/ssl/mod_ssl.conf" I have no idea. I even had Port 80 set up in a virtual host, without success.

Here is the relevant section from my httpd.conf. Hope it helps:

    # Include conf/ssl/mod_ssl.conf
    LoadModule ssl_module /usr/lib/apache/libssl.so
    AddModule mod_ssl.c
    Listen 443
    Listen 80
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    SSLPassPhraseDialog builtin
    SSLSessionCache dbm:logs/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:logs/ssl_mutex
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    SSLLog logs/ssl_engine_log
    SSLLogLevel info
    SSLEngine off

    <VirtualHost _default_:80>
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /home/httpd/html
    SSLEngine off
    </VirtualHost>

    <VirtualHost _default_:443>
    DocumentRoot /home/httpd/secure
    ServerAdmin [EMAIL PROTECTED]
    ErrorLog logs/ssl-error_log
    TransferLog logs/ssl-access_log
    SSLEngine on
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile conf/ssl/server.crt
    SSLCertificateKeyFile conf/ssl/server.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

    # Include conf/ssl/ssl.default-vhost.conf

--
Matthew Vanecek
Visit my Website at http://mysite.directlink.net/linuxguy
For answers type: perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
* For 93 million miles, there is nothing between the sun and my shadow except me. I'm always getting in the way of something...
Re: HTTP fails, HTTPS works
Dan Kuykendall wrote:
> So at this point I have to choose between HTTP and HTTPS. The two just won't work together. Apache doesn't even log connection attempts, because it doesn't even seem to have the port open.
>
> Does anyone know why this is happening?

HTTP and HTTPS definitely do work on the same server - we are doing it here.

Make sure that your server is configured correctly. You need to configure two different virtual hosts, one for normal bound to port 80, the second for SSL, bound to port 443. The normal virtualhost should have "SSLEngine off", and the SSL virtualhost should have "SSLEngine on" along with other config directives giving the certificate names, etc. Make sure that in your global config, SSLEngine is off.

Regards,
Graham
RE: HTTP fails, HTTPS works
Could you post your httpd.conf file so we can see more information? It's probably because you don't have a virtual host section for http and the server will default to https if ssl support is included.

John

At 12:36 PM 4/17/2000 -0700, you wrote:
> I did a fresh install of RedHat 6.2 compiled and installed openssl-0.9.5-1.src.rpm (which builds openssl and openssl-devel). Then compiled and installed mod_ssl-2.6.2-1.src.rpm.
>
> Now when I start apache with httpd -DSSL or even just httpd I can connect with https://localhost but not http://localhost
>
> If I comment out the 2 lines that mod_ssl added to my httpd.conf file I can connect with http://localhost but of course not http://localhost
>
> The two lines are
>
>     Include conf/ssl/mod_ssl.conf
>     Include conf/ssl/ssl.default-vhost.conf
>
> So at this point I have to choose between HTTP and HTTPS. The two just won't work together. Apache doesn't even log connection attempts, because it doesn't even seem to have the port open.
>
> Does anyone know why this is happening?
>
> Dan
Re: HTTP fails, HTTPS works
Have you tried to add listen ip-address:80 also to the configuration files? I think that if you do the SSL-stuff it only listens to port 443 for the moment.

Mike King wrote:
> Don't give up, this should work, although what you can do if you have to is run two processes, use httpd for non-SSL traffic, and httpsd for SSL traffic.
>
> Keep on persevering
>
> Mike
>
> At 12:36 PM 4/17/2000 -0700, you wrote:
>> I did a fresh install of RedHat 6.2 compiled and installed openssl-0.9.5-1.src.rpm (which builds openssl and openssl-devel). Then compiled and installed mod_ssl-2.6.2-1.src.rpm.
>>
>> Now when I start apache with httpd -DSSL or even just httpd I can connect with https://localhost but not http://localhost
>>
>> If I comment out the 2 lines that mod_ssl added to my httpd.conf file I can connect with http://localhost but of course not http://localhost
>>
>> The two lines are
>>
>>     Include conf/ssl/mod_ssl.conf
>>     Include conf/ssl/ssl.default-vhost.conf
>>
>> So at this point I have to choose between HTTP and HTTPS. The two just won't work together. Apache doesn't even log connection attempts, because it doesn't even seem to have the port open.
>>
>> Does anyone know why this is happening?
>>
>> Dan

--
    .--.
   |o_o |
   |:_/ |    "One difference between SuSE and Red Hat is that the
  //   \ \    former operates in a country where people don't sue
 (|     | )   each other over coffee being too hot."
/'\_   _/`\                                    Linus Torvalds
\___)=(___/
Re: HTTP fails, HTTPS works
Well, I gave up. The problem was something I could not figure out, so I went to the modssl.org contrib page and downloaded an apache-mod_ssl src rpm and did a compile of that. I also had to grab the php-mod_ssl and build and install it as well. Now everything works fine.

I didn't have time to fully figure out what was wrong, since this was a production server. I have a test box that I may screw up, the same way I did to my production box, to see what was wrong.

Thanks for all the suggestions!

Dan Kuykendall

David Heremans wrote:
> Have you tried to add listen ip-address:80 also to the configuration files? I think that if you do the SSL-stuff it only listens to port 443 for the moment.
>
> Mike King wrote:
>> Don't give up, this should work, although what you can do if you have to is run two processes, use httpd for non-SSL traffic, and httpsd for SSL traffic.
>>
>> Keep on persevering
>>
>> Mike
>>
>> At 12:36 PM 4/17/2000 -0700, you wrote:
>>> I did a fresh install of RedHat 6.2 compiled and installed openssl-0.9.5-1.src.rpm (which builds openssl and openssl-devel). Then compiled and installed mod_ssl-2.6.2-1.src.rpm.
>>>
>>> Now when I start apache with httpd -DSSL or even just httpd I can connect with https://localhost but not http://localhost
>>>
>>> If I comment out the 2 lines that mod_ssl added to my httpd.conf file I can connect with http://localhost but of course not http://localhost
>>>
>>> The two lines are
>>>
>>>     Include conf/ssl/mod_ssl.conf
>>>     Include conf/ssl/ssl.default-vhost.conf
>>>
>>> So at this point I have to choose between HTTP and HTTPS. The two just won't work together. Apache doesn't even log connection attempts, because it doesn't even seem to have the port open.
>>>
>>> Does anyone know why this is happening?
>>>
>>> Dan
>
> --
>     .--.
>    |o_o |
>    |:_/ |    "One difference between SuSE and Red Hat is that the
>   //   \ \    former operates in a country where people don't sue
>  (|     | )   each other over coffee being too hot."
> /'\_   _/`\                                    Linus Torvalds
> \___)=(___/
Re: http to https proxying
On Tue, Mar 21, 2000, Dat Truong wrote:
> I was wondering if you can help me with a particular problem. I'm trying to go from browser to apache proxy via HTTP and from apache proxy to ws via HTTPS. I keep getting FORBIDDEN (You don't have permission to access /pinky/ on this server.). My ws (NES) is configured with SSL (server cert only). Can Apache Proxy act as a SSL client?

If mod_ssl is loaded, mod_proxy can act as a HTTPS client, yes.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
http to https proxying
Hello Folks.

I was wondering if you can help me with a particular problem. I'm trying to go from browser to apache proxy via HTTP and from apache proxy to ws via HTTPS. I keep getting FORBIDDEN (You don't have permission to access /pinky/ on this server.). My ws (NES) is configured with SSL (server cert only). Can Apache Proxy act as a SSL client?

Thank you very much in advance.

Dat Truong
Http and https doesn't work together
Here are some error messages from the ssl_engine_log file. I still can't get the server to answer normal http requests when I reboot apache with -dssl.

Stephen

    [02/Nov/1999 23:02:39] [info] Initial (No.1) HTTPS request received for child 1 (server 216.200.162.55:443)
    [02/Nov/1999 23:02:39] [info] Connection to child 1 closed with unclean shutdown (server 216.200.162.55:443)
    [02/Nov/1999 23:02:39] [info] Connection to child 2 established (server 216.200.162.55:443)
    [02/Nov/1999 23:02:39] [info] Connection: Client IP: 216.70.158.229, Protocol: SSLv3, Cipher: EXP-RC4-MD5 (40/128 bits)
    [02/Nov/1999 23:02:39] [info] Initial (No.1) HTTPS request received for child 2 (server 216.200.162.55:443)
    [02/Nov/1999 23:02:39] [info] Connection to child 2 closed with unclean shutdown (server 216.200.162.55:443)
    [02/Nov/1999 23:02:40] [info] Connection to child 3 established (server 216.200.162.55:443)
    [02/Nov/1999 23:02:40] [info] Connection: Client IP: 216.70.158.229, Protocol: SSLv3, Cipher: EXP-RC4-MD5 (40/128 bits)
    [02/Nov/1999 23:02:40] [info] Initial (No.1) HTTPS request received for child 3 (server 216.200.162.55:443)
    [02/Nov/1999 23:02:40] [info] Connection to child 3 closed with unclean shutdown (server 216.200.162.55:443)
    [02/Nov/1999 23:02:40] [info] Connection to child 4 established (server 216.200.162.55:443)
    [02/Nov/1999 23:02:40] [error] SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
    [02/Nov/1999 23:02:40] [error] System: Connection reset by peer (errno: 54)
    [02/Nov/1999 23:05:40] [info] Connection to child 5 established (server DreamTime.net:443)
    [02/Nov/1999 23:05:40] [info] Connection: Client IP: 216.70.158.229, Protocol: SSLv3, Cipher: EXP-RC4-MD5 (40/128 bits)
    [02/Nov/1999 23:05:40] [info] Initial (No.1) HTTPS request received for child 5 (server DreamTime.net:443)
    [02/Nov/1999 23:05:40] [info] Connection to child 5 closed with unclean shutdown (server DreamTime.net:443)
    [02/Nov/1999 23:05:40] [info] Connection to child 6 established (server DreamTime.net:443)
    [02/Nov/1999 23:05:40] [info] Connection to child 7 established (server DreamTime.net:443)
    [02/Nov/1999 23:05:41] [info] Connection: Client IP: 216.70.158.229, Protocol: SSLv3, Cipher: EXP-RC4-MD5 (40/128 bits)
    [02/Nov/1999 23:05:41] [info] Connection: Client IP: 216.70.158.229, Protocol: SSLv3, Cipher: EXP-RC4-MD5 (40/128 bits)
    [02/Nov/1999 23:05:41] [info] Initial (No.1) HTTPS request received for child 7 (server DreamTime.net:443)
    [02/Nov/1999 23:05:41] [info] Initial (No.1) HTTPS request received for child 6 (server DreamTime.net:443)
    [02/Nov/1999 23:05:41] [info] Connection to child 6 closed with unclean shutdown (server DreamTime.net:443)
    [02/Nov/1999 23:05:41] [info] Connection to child 7 closed with unclean shutdown (server DreamTime.net:443)
6. Try out Apache with SSL (HTTP and HTTPS possible):
Hi,

first of all thanks for the tip Ralf on the setenv for the installation process.

Ok, I'm on step 6. I made the certificate ("make certificate"), where you have to type in country name, organisation name, etc. The ssl.crt, ssl.csr, ssl.key dirs are created in the apache_1.3.4/conf dir. The server.key, server.crt, server.csr files are created.

I've tested the http access (http://www.abc.com) from my browser. That as well works.

But when I try to start ssl with "/apache_1.3.4/bin/apachectl startssl", the 'startssl' option cannot be recognised. Looks like only (start|stop|restart|fullstatus|st) are allowed.

I.e. I cannot get the ssl daemon to kick in, i.e. no https://www.abc.com

Anything that I've missed?!

G.

--
Gilles Chong ([EMAIL PROTECTED], [EMAIL PROTECTED])
Systems Engineer, Internet Division
CSA Automated Pte Ltd, Singapore.

__ Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/ Official Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: 6. Try out Apache with SSL (HTTP and HTTPS possible):
On Mon, Mar 08, 1999, Gilles L. Chong Hok Yuen wrote:
> first of all thanks for the tip Ralf on the setenv for the installation process.
>
> Ok, I'm on step 6. I made the certificate ("make certificate"), where you have to type in country name, organisation name, etc. The ssl.crt, ssl.csr, ssl.key dirs are created in the apache_1.3.4/conf dir. The server.key, server.crt, server.csr files are created.
>
> I've tested the http access (http://www.abc.com) from my browser. That as well works.
>
> But when I try to start ssl with "/apache_1.3.4/bin/apachectl startssl", the 'startssl' option cannot be recognised. Looks like only (start|stop|restart|fullstatus|st) are allowed.
>
> I.e. I cannot get the ssl daemon to kick in, i.e. no https://www.abc.com
>
> Anything that I've missed?!

H when the apachectl isn't patched correctly you should have seen an error under configure time. Because the whole configuration, building and installation went fine for you, I guess you've messed up something. Are you sure the /apache_1.3.4/bin/httpd actually is the patched one? Run "/apache_1.3.4/bin/httpd -l", there should be a mod_ssl.c unless you used the DSO facility. And the /apache_1.3.4/bin/apachectl script should really contain a startssl entry.

But ok, the startssl is not important. It's nothing more than a wrapper around "/apache_1.3.4/bin/httpd -DSSL", so try to start it this way. Nevertheless can you find out for me why /apache_1.3.4/bin/apachectl hasn't the startssl patched in?

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: [BugDB] PRIVATE: speaking HTTP to HTTPS port (PR#72)
On Tue, Jan 05, 1999, [EMAIL PROTECTED] wrote:
> Full_Name: roger luethi
> Version: 2.1.4
> OS: solaris 2.6
> Submission from: vega.tarsec.com (195.246.80.99)
>
> connections to http://hostname:443 result in a document containing no data (which is not the problem, of course, since we're expecting https on port 443).
>
> the ssl virtual host error log reads:
>
>     [data][error] SSLeay: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]
>
> which makes sense and is a useful error message. while the general server error log says:
>
>     [date][notice] httpd: child pid 5081 exit signal Segmentation Fault (11)
>
> only the child dies, so the server keeps serving and the incident went unnoticed if there were no log files. so it's not a very serious issue, but i still would like to know if this is supposed to happen.
>
> this was observed with apache_1.3.3, compiled to contain mod_info, mod_perl, mod_php and mod_ssl in their latest releases (as of building the binary). i noticed there's now a later mod_ssl, but from the changes i'd guess it doesn't solve the problem.

Yes, when you get no error page and instead a segfault, then we have a bug somewhere in the code which tries to print out the error page. I'll investigate...

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
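The "speaking HTTP to HTTPS port" hint in the report above depends on recognising a plaintext request where a client hello was expected. The sketch below is an added example, not mod_ssl or SSLeay source code: it classifies the first bytes of a connection, and the function names and sample byte strings are constructed for illustration.

```python
# Added illustration; function names and samples are not from the thread.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")


def classify_first_bytes(data: bytes) -> str:
    """Guess what a client is speaking from the first bytes it sent."""
    if data.startswith(HTTP_METHODS):
        return "plain-http"
    # SSLv3/TLS record header: type 0x16 (handshake), major version 3,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    # SSLv2-format hello: two-byte length with the high bit set, then
    # message type 0x01 (CLIENT-HELLO).
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-client-hello"
    if len(data) < 6:
        return "need-more-data"
    return "unknown"


def triage(ssl_enabled: bool, first_bytes: bytes) -> str:
    """Decide what a listener should do with a new connection."""
    kind = classify_first_bytes(first_bytes)
    if kind == "need-more-data":
        return "wait"
    is_hello = kind in ("tls-client-hello", "sslv2-client-hello")
    if ssl_enabled:
        if is_hello:
            return "handshake"
        if kind == "plain-http":
            return "reject: speaking HTTP to HTTPS port"
        return "reject: not an SSL/TLS hello"
    if is_hello:
        return "reject: speaking HTTPS to HTTP port"
    return "parse as HTTP"


# Constructed samples: the start of each kind of first client message.
SAMPLES = {
    "browser typed http://hostname:443": b"GET / HTTP/1.0\r\n\r\n",
    "tls hello": bytes.fromhex("16030100c8010000c40303"),
    "sslv2 hello": bytes.fromhex("802e0100020015"),
    "partial read": b"\x16\x03",
}


def run_samples(ssl_enabled: bool = True) -> dict:
    """Triage every constructed sample against one listener type."""
    return {name: triage(ssl_enabled, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:36} {verdict}")
```

A check like this lets the listener log the mismatch and close the connection cleanly rather than handing plaintext to the handshake code.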
Re: [BugDB] Can't run http and https on the same port (PR#46)
On Fri, Nov 13, 1998, [EMAIL PROTECTED] wrote:
> Full_Name: Gordon Eastman
> Version: mod_ssl/2.0.14 SSLeay/0.9.0b
> OS:
> Submission from: ecarh800.nortel.com (192.58.194.87)
>
> I am trying to configure an Apache SSL server to accept either http or https requests on the same port. I thought I could do this by first configuring for https per the examples and then removing the SSLRequireSSL directive. This didn't work. Shutting down, removing SSLRequireSSL from httpd.conf and restarting seemed to have no effect. Only https connections were accepted.
>
> I know this is a somewhat unusual configuration. If this is the way it is supposed to work, please let me know.

No, you cannot use HTTPS and HTTP on the same port (as long as we talk about the same IP as well). And there is also no reason for this. Because HTTP per default uses port 80 and HTTPS per default uses port 443. So you don't have to use the same port just to make http://yourhost/ and https://yourhost/ work (what I guess is your intent).

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: [BugDB] relative jump from http to https (PR#27)
On Wed, Sep 30, 1998, [EMAIL PROTECTED] wrote:
> Anyone knows how to jump from an unsecure document to a secure one, but using relative link? href=https:./anyhting.html is useless coz' the documents comes back unsecure anyway.

You should read the FAQ under: http://www.engelschall.com/sw/mod_ssl/docs/#FAQ-rellinks

That's the trick I use on the http://www.engelschall.com/sw/mod_ssl/example/test.phtml page to switch between HTTP and HTTPS without hardcoding my server URLs (development vs. production platform). Isn't that exactly what you're searching for?

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: [BugDB] relative jump from http to https (PR#27)
Cheers, Pablo.

> On Wed, Sep 30, 1998, [EMAIL PROTECTED] wrote:
>> Anyone knows how to jump from an unsecure document to a secure one, but using relative link? href=https:./anyhting.html is useless coz' the documents comes back unsecure anyway.
>
> You should read the FAQ under: http://www.engelschall.com/sw/mod_ssl/docs/#FAQ-rellinks
>
> That's the trick I use on the http://www.engelschall.com/sw/mod_ssl/example/test.phtml page to switch between HTTP and HTTPS without hardcoding my server URLs (development vs. production platform). Isn't that exactly what you're searching for?
>
> Ralf S. Engelschall
> [EMAIL PROTECTED]
> www.engelschall.com
Re: http://server.ch = https://server.ch
On Sat, Sep 26, 1998, Olivier Mueller wrote:
> I have about 30 virtualservers registered in my httpd.conf, and I'd like to be able to access to the same pages when I use https:// and http:// (for both pages and cgi-bin). Is that possible (I guess so). Could somebody show me his httpd.conf (learning by example...).

What you have to do is mainly the following:

1. Make sure your virtual hosts are IP-based (see http://www.engelschall.com/sw/mod_ssl/docs/manual21b.html#FAQ-vhosts for the reason)

2. Copy your VirtualHost sections and
   - replace `..:80' with `..:443'
   - Add `SSLEnable' and `SSLCertificatePath', etc. to the new sections (see the httpd.conf-dist file for hints which directives you should use)

3. Add `SSLDisable' to the old VirtualHost sections or at least the main server (outside any VirtualHost sections)

The best advice, so you don't confuse yourself, is to look at the provided httpd.conf-dist file and start from there or at least adjust your existing config with this file in mind.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: http://server.ch = https://server.ch
On Sun, 27 Sep 1998, Ralf S. Engelschall wrote:
> What you have to do is mainly the following:
>
> 1. Make sure your virtual hosts are IP-based (see http://www.engelschall.com/sw/mod_ssl/docs/manual21b.html#FAQ-vhosts for the reason)

Ok. I understand that it doesn't work now. But will it work later, with newer versions of Apache/mod_ssl/SSLeay?

> 2. Copy your VirtualHost sections and
>    - replace `..:80' with `..:443'
>    - Add `SSLEnable' and `SSLCertificatePath', etc. to the new sections (see the httpd.conf-dist file for hints which directives you should use)
>
> 3. Add `SSLDisable' to the old VirtualHost sections or at least the main server (outside any VirtualHost sections)

Thanks a lot, it works nicely. I suggest you put this question and the answer in your faq.

Olivier
http://server.ch = https://server.ch
First of all, 100x thanks to R. Engelschall and the whole Apache team for these high quality programs which are mod_ssl and Apache!

Now my question: I have about 30 virtualservers registered in my httpd.conf, and I'd like to be able to access to the same pages when I use https:// and http:// (for both pages and cgi-bin). Is that possible (I guess so). Could somebody show me his httpd.conf (learning by example...).

Regards from Zurich,
Olivier, just starting with mod_ssl