[users@httpd] FreeBSD apache httpd-2.4.56 wont build support? libaprutil undefined reference to libiconv_open

2023-04-09 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



[06:52:17] argg.scom.ca [root:0] /usr/local/src/net/httpd-2.4.56.current/support

# gmake
gmake[1]: Entering directory '/usr/local/src/net/httpd-2.4.56.current/support'
/usr/local/apr/build-1/libtool --silent --mode=link cc  -g -O2 -L/usr/local/lib   -o htpasswd  htpasswd.lo passwd_common.lo /usr/local/apr/lib/libaprutil-1.la -lexpat /usr/local/apr/lib/libapr-1.la -lcrypt -lpthread -lcrypt
ld: error: /usr/local/apr/lib/libaprutil-1.so: undefined reference to libiconv_open [--no-allow-shlib-undefined]
ld: error: /usr/local/apr/lib/libaprutil-1.so: undefined reference to libiconv [--no-allow-shlib-undefined]
ld: error: /usr/local/apr/lib/libaprutil-1.so: undefined reference to libiconv_close [--no-allow-shlib-undefined]

cc: error: linker command failed with exit code 1 (use -v to see invocation)
gmake[1]: *** [Makefile:48: htpasswd] Error 1
gmake[1]: Leaving directory '/usr/local/src/net/httpd-2.4.56.current/support'
gmake: *** [/usr/local/src/net/httpd-2.4.56.current/build/rules.mk:75: all-recursive] Error 1

--


Happy Sunday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services 
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] site compromised and httpd log analysis

2022-07-06 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



Happy Wednesday

Ok allow me to share some experience :

about 4 years ago 1one1 hosting, myself and a bunch of others got hacked.

this is because i was using common vhosts pointing to the web directory

because www:www were the rights (no real easy way to get around that) i had to lock php down (as indicated) along with wordpress etc.


It appears this is the real issue at hand, once a server is compromised (regardless of the operating system at hand) it basically needs to be wiped clean and reloaded


the config below might be like using a ballistic missile when a sledge hammer will do ...


however touch wood i have not been hacked since

and if someone does figure out a site login (ftp, wordpress etc) then the damage is contained to that site and will not bleed out sideways.


unfortunately this is what is required in today's operating environment

so basically with this config

central logging that will firewall ip's on demand

wordpress fail2ban showing bad admin logins being tracked

people try all day long but no real issues other than the odd dos attacks which the firewall will fix within 20 minutes of the attack?



Hope this explains / helps .


Happy Wednesday !!!
Thanks - paul

Paul Kudla



On 7/6/2022 8:57 AM, Frank Gingras wrote:
Cross-site contamination is not the same as exploiting insecure php 
scripts to upload malicious content.


I will agree that isolation is a good idea, but it really has little to 
do with the thread at hand.


On Wed, 6 Jul 2022 at 06:30, Paul Kudla (SCOM.CA Internet Services Inc.) <p...@scom.ca> wrote:



ok may or may not be related but i found i had to lock php, wordpress etc down heavily in apache

especially if you are using vhosts

i found one authorized site could talk to another without making things more strict

yes it's a pain to have one vhost per site but it's the only way to fully isolate one from the other

if someone executes stuff it stays within their working directory

example (shows http alias etc - note the directory directives - i use a database --> script generator so it's not too inconvenient.) :



# VirtualHost/Directory container lines restored here (the list archive stripped them);
# *:80 / *:443 follow the "examples below using *:80 & *:443" note Paul gives elsewhere on this page.
<VirtualHost *:80>
ServerName bedrockconstruction.ca
ServerAlias bedrockconstruction.ca
ServerAlias www.bedrockconstruction.ca

Redirect permanent / https://bedrockconstruction.ca/
</VirtualHost>

<VirtualHost *:443>
ServerName bedrockconstruction.ca
ServerAlias bedrockconstruction.ca
ServerAlias www.bedrockconstruction.ca

DocumentRoot /www/bedrockconstruction.ca

SSLEngine on
SSLProtocol all
SSLCertificateFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.crt
SSLCertificateKeyFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.key
SSLCertificateChainFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.chain

SuexecUserGroup www www

<Directory "/www/bedrockconstruction.ca/wp-content/uploads/">
Order Deny,Allow
Deny from All
</Directory>

<Directory /www/bedrockconstruction.ca>
php_admin_value open_basedir /www/bedrockconstruction.ca:/var/log/
</Directory>

<Directory /www/bedrockconstruction.ca>
php_admin_value sys_temp_dir /www/bedrockconstruction.ca/tmp/
</Directory>

<Directory /www/bedrockconstruction.ca>
php_admin_value session.save_path /www/bedrockconstruction.ca/tmp/
</Directory>

<Directory /www/bedrockconstruction.ca>
php_admin_value soap.wsdl_cache_dir /www/bedrockconstruction.ca/tmp/
</Directory>

<Directory /www/bedrockconstruction.ca>
php_admin_value upload_tmp_dir /www/bedrockconstruction.ca/tmp
</Directory>

<Directory "/www/bedrockconstruction.ca">
AllowOverride All
php_value session.save_path "/www/bedrockconstruction.ca/"
</Directory>
</VirtualHost>


Happy Wednesday !!!
Thanks - paul

Paul Kudla



On 7/5/2022 9:52 PM, KK CHN wrote:
 > https://pastebin.com/YspPiWif 


Re: [users@httpd] site compromised and httpd log analysis [EXT]

2022-07-06 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



ok thanks for more detail

ok redirects simply are considered insecure when it comes to ssl certs

ie apache serves the content under the alias redirect previous to going towards the main site.


that will definitely be the issue.

i ran into this myself (i have multiple domains redirected on one account ?)

my config for this is below maybe this helps ?

it handles all the domains and the http redirects

i believe the trick is to issue all of the redirects under http:// only pointing to one https:// is how i got around this issue.


otherwise you would need one cert per actual domain

i don't see the harm in http:// --> https:// actual site

since apache redirects it immediately?



# VirtualHost/Directory container lines restored here (the list archive stripped them);
# the layout follows the bedrockconstruction.ca example quoted further down in this thread.
<VirtualHost *:80>
ServerName electrokineticsolutions.com
ServerAlias electrokineticsolutions.com
ServerAlias www.electrokineticsolutions.com
ServerAlias eksolutions.ca
ServerAlias www.eksolutions.ca
ServerAlias eksolutions.ca
ServerAlias electrokineticsolutions.ca
ServerAlias www.electrokineticsolutions.ca
ServerAlias electrokineticsolutions.ca
ServerAlias electrokinetc.ca
ServerAlias www.electrokinetc.ca
ServerAlias electrokinetc.ca
ServerAlias electro-kineticsolutions.ca
ServerAlias www.electro-kineticsolutions.ca
ServerAlias electro-kineticsolutions.ca
ServerAlias electrokinetic-solutions.ca
ServerAlias www.electrokinetic-solutions.ca
ServerAlias electrokinetic-solutions.ca
ServerAlias electro-kinetic-solutions.ca
ServerAlias www.electro-kinetic-solutions.ca
ServerAlias electro-kinetic-solutions.ca
ServerAlias ek-solutions.ca
ServerAlias www.ek-solutions.ca
ServerAlias ek-solutions.ca
ServerAlias electrokinetic-solutions.com
ServerAlias www.electrokinetic-solutions.com
ServerAlias electrokinetic-solutions.com
ServerAlias eks.ca
ServerAlias www.eks.ca
ServerAlias eks.ca
Redirect permanent / https://electrokineticsolutions.com/
</VirtualHost>

<VirtualHost *:443>
ServerName electrokineticsolutions.com
ServerAlias electrokineticsolutions.com
ServerAlias www.electrokineticsolutions.com
DocumentRoot /www/eks.ca

SSLEngine on
SSLProtocol all
SSLCertificateFile /www/eks.ca/ssl/electrokineticsolutions.com.crt
SSLCertificateKeyFile /www/eks.ca/ssl/electrokineticsolutions.com.key
SSLCertificateChainFile /www/eks.ca/ssl/electrokineticsolutions.com.chain

SuexecUserGroup www www

<Directory "/www/eks.ca/wp-content/uploads/">
Order Deny,Allow
Deny from All
</Directory>

<Directory /www/eks.ca>
php_admin_value open_basedir /www/eks.ca:/var/log/
</Directory>

<Directory /www/eks.ca>
php_admin_value sys_temp_dir /www/eks.ca/tmp/
</Directory>

<Directory /www/eks.ca>
php_admin_value session.save_path /www/eks.ca/tmp/
</Directory>

<Directory /www/eks.ca>
php_admin_value soap.wsdl_cache_dir /www/eks.ca/tmp/
</Directory>

<Directory /www/eks.ca>
php_admin_value upload_tmp_dir /www/eks.ca/tmp
</Directory>

<Directory "/www/eks.ca">
AllowOverride All
php_value session.save_path "/www/eks.ca/"
</Directory>
</VirtualHost>









Happy Wednesday !!!
Thanks - paul

Paul Kudla



On 7/6/2022 8:03 AM, James Smith wrote:

Never had these issues at all if you set up vhosts correctly.

But agree we tend to have 2 vhosts for the domain

  * vhost 1 is the real vhost and handles requests
  * vhost 2 contains all the redirects from other domain names to the canonical one

The only ServerAlias lines in vhost 1 are for development URLs which are run on different servers

But we also don't expose our wordpress - but use a mirroring script to serve 
the site as predominantly static {takes careful design to do this!}


-Original Message-
From: Paul Kudla (SCOM.CA Internet Services Inc.) 
Sent: 06 July 2022 11:29
To: users@httpd.apache.org
Subject: Re: [users@httpd] site compromised and httpd log analysis [EXT]


ok may or may not be related but i found i had to lock php, wordpress etc down heavily in apache

especially if you are using vhosts

i found one authorized site could talk to another without making things more strict

yes it's a pain to have one vhost per site but it's the only way to fully isolate one from the other

if someone executes stuff it stays within their working directory

example (shows http alias etc - note the directory directives - i use a database --> script generator so it's not too inconvenient.) :

# VirtualHost container lines restored here (the list archive stripped them and the
# mail gateway rewrote the URLs; the original plain URLs are put back).
<VirtualHost *:80>
ServerName bedrockconstruction.ca
ServerAlias bedrockconstruction.ca
ServerAlias www.bedrockconstruction.ca
Redirect permanent / https://bedrockconstruction.ca/
</VirtualHost>

<VirtualHost *:443>
ServerName bedrockconstruction.ca
ServerAlias bedrockconstruction.ca
ServerAlias 
https://urldef

Re: [users@httpd] NameVirtualHost fails

2022-07-06 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



this is how my ssl, vhosts, redirects are setup maybe this will help

note any ssl website name MUST equal a valid certificate or you will get a cert mismatch error !!


granted there are several cert authorities (free ssl etc) i have found it's just easier to get a resale account (lots of providers opensrs, certigo, thawte etc etc) and pay the 10.00 per cert.


cert would be ok for www.xxx.com and xxx.com (aka you typically only need one certificate per site.)


not pushing any provider, just saying letsencrypt etc does not always work reliably or has speed issues





# VirtualHost/Directory container lines restored here (the list archive stripped them);
# *:80 / *:443 follow the "examples below using *:80 & *:443" note Paul gives elsewhere on this page.
<VirtualHost *:80>
ServerName bedrockconstruction.ca
ServerAlias bedrockconstruction.ca
ServerAlias www.bedrockconstruction.ca
Redirect permanent / https://bedrockconstruction.ca/
</VirtualHost>

<VirtualHost *:443>
ServerName bedrockconstruction.ca
ServerAlias bedrockconstruction.ca
ServerAlias www.bedrockconstruction.ca
DocumentRoot /www/bedrockconstruction.ca

SSLEngine on
SSLProtocol all
SSLCertificateFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.crt
SSLCertificateKeyFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.key
SSLCertificateChainFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.chain

SuexecUserGroup www www

<Directory "/www/bedrockconstruction.ca/wp-content/uploads/">
Order Deny,Allow
Deny from All
</Directory>

<Directory /www/bedrockconstruction.ca>
php_admin_value open_basedir /www/bedrockconstruction.ca:/var/log/
</Directory>

<Directory /www/bedrockconstruction.ca>
php_admin_value sys_temp_dir /www/bedrockconstruction.ca/tmp/
</Directory>

<Directory /www/bedrockconstruction.ca>
php_admin_value session.save_path /www/bedrockconstruction.ca/tmp/
</Directory>

<Directory /www/bedrockconstruction.ca>
php_admin_value soap.wsdl_cache_dir /www/bedrockconstruction.ca/tmp/
</Directory>

<Directory /www/bedrockconstruction.ca>
php_admin_value upload_tmp_dir /www/bedrockconstruction.ca/tmp
</Directory>

<Directory "/www/bedrockconstruction.ca">
AllowOverride All
php_value session.save_path "/www/bedrockconstruction.ca/"
</Directory>
</VirtualHost>






Happy Wednesday !!!
Thanks - paul

Paul Kudla



On 7/5/2022 5:38 PM, scom...@httpd.apache.org wrote:
I've tried several variations but basically the error message is that the certificate and the key for example2.com don't match. I thought I had set up the certificate with the proper keys so something must be screwed up with the certificate. I'm working on that.


Jack

On 2 Jul 2022, at 1:21, Frank Gingras wrote:


What does the error log say, exactly? Note that TLS failures can be almost silent in the logs, so if a single vhost causes the startup error, then check the certificate.


On Fri, 1 Jul 2022 at 17:24, jnil...@jala.com wrote:


Here's an example version of my vhosts.conf file:

# http redirect

 ServerName central.com
 ServerAlias www.example1.com *.example1.com
 Redirect / https://www.example1.com/
 ErrorLog /var/log/apache2/example1.com-error80_log
 CustomLog /var/log/apache2/example1.com-access80_log combined


 ServerName example2.com
 ServerAlias www.example2.com *.example2.com
 Redirect / https://www.example2.com/
 ErrorLog /var/log/apache2/example2.com-error80_log
 CustomLog /var/log/apache2/example2.com-access80_log combined


# https version

 ServerAdmin webmas...@central.com
 ServerName example1.com
 ServerAlias www.example1.com *.example1.com
 DocumentRoot "/home/data/hqwww/htdocs"
 SSLEngine on
 SSLProtocol all -SSLv2
 SSLCertificateFile /etc/apache2/ssl.crt/example.crt
 SSLCertificateKeyFile /etc/apache2/ssl.key/www.example1.com.key
 SSLCertificateChainFile /etc/apache2/ssl.crt/example1.ca-bundle
 RewriteEngine On
 RewriteOptions Inherit

  AllowOverride None
  Options FollowSymlinks
  Require all granted

  AccessFileName .htaccess

 ErrorLog /var/log/apache2/example1.com-error_log
 CustomLog /var/log/apache2/example1.com-access_log combined

  Include /etc/apache2/conf.d/*.conf


  ServerAdmin webmas...@central.com
  ServerName example2.com
  ServerAlias www.example2.com *.example2.com
  DocumentRoot "/home/data/jmnwww/htdocs"
  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCertificateFile /etc/apache2/ssl.crt/example2.crt
  SSLCertificateKeyFile /etc/apache2/ssl.key/www.example2.com.key


Re: [users@httpd] site compromised and httpd log analysis

2022-07-06 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



ok may or may not be related but i found i had to lock php, wordpress etc down heavily in apache


especially if you are using vhosts

i found one authorized site could talk to another without making things more strict


yes it's a pain to have one vhost per site but it's the only way to fully isolate one from the other


if someone executes stuff it stays within their working directory

example (shows http alias etc - note the directory directives - i use a database --> script generator so it's not too inconvenient.) :




# VirtualHost/Directory container lines restored here (the list archive stripped them);
# *:80 / *:443 follow the "examples below using *:80 & *:443" note Paul gives elsewhere on this page.
<VirtualHost *:80>
ServerName bedrockconstruction.ca
ServerAlias bedrockconstruction.ca
ServerAlias www.bedrockconstruction.ca
Redirect permanent / https://bedrockconstruction.ca/
</VirtualHost>

<VirtualHost *:443>
ServerName bedrockconstruction.ca
ServerAlias bedrockconstruction.ca
ServerAlias www.bedrockconstruction.ca
DocumentRoot /www/bedrockconstruction.ca

SSLEngine on
SSLProtocol all
SSLCertificateFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.crt
SSLCertificateKeyFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.key
SSLCertificateChainFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.chain

SuexecUserGroup www www

<Directory "/www/bedrockconstruction.ca/wp-content/uploads/">
Order Deny,Allow
Deny from All
</Directory>

<Directory /www/bedrockconstruction.ca>
php_admin_value open_basedir /www/bedrockconstruction.ca:/var/log/
</Directory>

<Directory /www/bedrockconstruction.ca>
php_admin_value sys_temp_dir /www/bedrockconstruction.ca/tmp/
</Directory>

<Directory /www/bedrockconstruction.ca>
php_admin_value session.save_path /www/bedrockconstruction.ca/tmp/
</Directory>

<Directory /www/bedrockconstruction.ca>
php_admin_value soap.wsdl_cache_dir /www/bedrockconstruction.ca/tmp/
</Directory>

<Directory /www/bedrockconstruction.ca>
php_admin_value upload_tmp_dir /www/bedrockconstruction.ca/tmp
</Directory>

<Directory "/www/bedrockconstruction.ca">
AllowOverride All
php_value session.save_path "/www/bedrockconstruction.ca/"
</Directory>
</VirtualHost>















Happy Wednesday !!!
Thanks - paul

Paul Kudla



On 7/5/2022 9:52 PM, KK CHN wrote:

https://pastebin.com/YspPiWif 

One of the websites hosted  by a customer on our Cloud infrastructure 
was compromised, and the attackers were able to replace the home page 
with their banner html page.


The log files output I have pasted above.

The site compromised was PHP 7 with MySQL.

 From the above log, can someone point out what exactly happened and how 
they are able to deface the home page.


How to prevent these attacks ? What is the root cause of this 
vulnerability  and how the attackers got access ?


Any other logs or command line outputs required to trace back kindly let 
me know what other details  I have to produce ?


Kindly shed your expertise in dealing with these kind of attacks and 
trace the root cause and prevention measures to block this.


Regards,
Krish



--
This message has been scanned for viruses and
dangerous content by *MailScanner* , and is
believed to be clean.





Re: [users@httpd] Apache website conversion from alias to virtualhost

2022-06-08 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



please note that changing the site around

you will also have to update your dns to point to the webserver

ie : basecolldev.mydomain.fr

needs a dns lookup

otherwise apache virtual hosts would get setup to match

fyi



Happy Wednesday !!!
Thanks - paul

Paul Kudla



On 6/8/2022 12:18 PM, Tom Browder wrote:
On Wed, Jun 8, 2022 at 07:12 Thomas WILLIAMSON <t-william...@eauxdevienne.fr> wrote:


Hello,

I have to take over an internal Web server that has been configured
by a colleague who is no longer there. Our developers team asks me
to convert applications URLs from an /Alias/ to a /Virtualhosts/
(subdomain naming) system. For instance:

https://srv-intra.mydomain.fr/basecolldev



should become

https://basecolldev.mydomain.fr 


I am curious as to why they think there is a need for a change since the 
alias can handle the desired name format. And the alias should be much 
easier to maintain.


-Tom




[users@httpd] Re: {Disarmed} Re: [users@httpd] Re: Multi-domain with SSL - Virtualhost all need IPs?

2022-05-21 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



Ok to clarify (this is standard apache from day one moving from conventional SSL certs towards SNI used today)



# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80
#Listen 443


the above will specify the listening address / port

by default this is ALL ip's on ALL interfaces (ie no Listen ip statement specified)


and is designated by * when setting up a host entry

*:80 means normal httpd port on ALL available ip's either specified above or if NO Listen statement then ALL interfaces will Listen.


*:443 means normal ssl port on ALL available ip's either specified above or if NO Listen statement then ALL interfaces will Listen.



1.1.1.1:443 (for example) means non standard ip listen address (this is typically NEVER used anymore)


so what ever you tell apache to listen on by default or otherwise "*" means exactly that ALL INTERFACES SPECIFIED.



when using sni you MUST specify a separate VirtualHost (NOT VHOSTS)

# VirtualHost container lines restored here (the list archive stripped them);
# *:80 / *:443 follow Paul's own "examples below using *:80 & *:443" note on this page.
<VirtualHost *:80>
ServerName underconstruction.scom.ca
ServerAlias underconstruction.scom.ca
DocumentRoot /www/underconstruction.scom.ca
</VirtualHost>

<VirtualHost *:443>
ServerName underconstruction.scom.ca
ServerAlias underconstruction.scom.ca
DocumentRoot /www/underconstruction.scom.ca
SSLEngine on
SSLProtocol all
SSLCertificateKeyFile /www/scom.ca/ssl/scom.ca.key
SSLCertificateFile /www/scom.ca/ssl/scom.ca.crt
SSLCertificateChainFile /www/scom.ca/ssl/scom.ca.chain
</VirtualHost>


sni will pick up on the servername and then compare the associated ssl cert as specified by the file location.


also note proper certs today get registered as the domain ie in this case scom.ca which will also allow www.scom.ca (ServerAlias above) but nothing else (unless you have a wildcard)



this is all there is to it

notes :

ip addresses used to be assigned before the sni days, meaning that ssl only ran on one ip address and one certificate per server instance


which is why you needed 16 ip addresses to host 16 different ssl certificates.

sni was invented because ipv4 addresses are running out (aka most upstream providers will not allot ip's for this usage anymore)


and most hosts run multiple domain names etc so sni is just simply more efficient.



Note when building

Prerequisites to use SNI

Use OpenSSL 0.9.8f or later

Build OpenSSL with the TLS Extensions option enabled (option 
enable-tlsext; OpenSSL 0.9.8k and later has this enabled by default).


Apache must have been built with that OpenSSL (./configure 
--with-ssl=/path/to/your/openssl). In that case, mod_ssl will 
automatically detect the availability of the TLS extensions and support SNI.


Apache must use that OpenSSL at run-time, which might require setting 
LD_LIBRARY_PATH or equivalent to point to that OpenSSL, maybe in 
bin/envvars. (You'll get unresolved symbol errors at Apache startup if 
Apache was built with SNI but isn't finding the right openssl libraries 
at run-time.)


Also i found that the

Include apache2/conf/extra/httpd-ssl.conf

had to be modified not to use ssl certs by default (as they get specified in the Virtual Hosts statement).


Hope this is a better explanation and clarifies the confusion happening below ?




Happy Saturday !!!
Thanks - paul

Paul Kudla



On 5/20/2022 6:00 PM, Frank Gingras wrote:

Charles,

No, you are completely incorrect. You should never define vhosts as <hostname>:<port>.


On Fri, 20 May 2022 at 13:09, Yehuda Katz wrote:


That is not correct. That causes httpd to try to look up the matching IP address using DNS. Use only IP addresses or wildcards.

- Y

On Fri, May 20, 2022 at 1:06 PM Bender, Charles wrote:

Your virtual host is defined wrong. Use the names not IP addresses

<VirtualHost example2.com:443>
Servername example2.com


SSLEngine on
SSLCertificateFile /etc/http/certs/example2.crt
...


*From:* frank picabia <fpica...@gmail.com>
*Sent:* Friday, May 20, 2022 12:55 PM
*To:* users@httpd.apache.org
*Subject:* Re: [users@httpd] Re: Multi-domain with SSL - Virtualhost all need IPs?
I'm trying hard to get the lay of the land logic here, and it
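A Python model of the IP:port / wildcard / ServerName selection rules Paul describes above, added here as an example (it is not code from any message in this thread; the vhost list, addresses and certificate labels are constructed). It also covers the mixed case Rainer Canavan's reply in the 2022-05-19 post below describes: a vhost bound to a specific IP:port excludes the *:443 vhosts for connections arriving on that IP.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class VHost:
    address: str                 # <VirtualHost> address: "*:443", "1.1.1.13:443" or "*"
    server_name: str
    aliases: List[str] = field(default_factory=list)  # ServerAlias entries, may use * and ?
    cert: str = ""               # label for the SSLCertificateFile this vhost presents

    def matches_name(self, host: str) -> bool:
        host = host.lower()
        if host == self.server_name.lower():
            return True
        return any(fnmatch.fnmatchcase(host, a.lower()) for a in self.aliases)


def select_vhost(vhosts: List[VHost], local_ip: str, local_port: int,
                 sni_name: Optional[str]) -> Optional[VHost]:
    """Pick the vhost httpd uses for a TLS connection that arrived on
    local_ip:local_port carrying sni_name (None for a client without SNI):
    1. vhosts bound to that exact IP:port form the candidate set; only if there
       are none do the *:port / * vhosts form it (the two sets never mix);
    2. inside the set the first ServerName/ServerAlias match wins;
    3. with no match, or no SNI at all, the first vhost of the set is the default.
    """
    exact = [v for v in vhosts if v.address == f"{local_ip}:{local_port}"]
    wild = [v for v in vhosts if v.address in (f"*:{local_port}", "*")]
    candidates = exact or wild
    if not candidates:
        return None
    if sni_name:
        for v in candidates:
            if v.matches_name(sni_name):
                return v
    return candidates[0]


def cert_for(vhosts: List[VHost], local_ip: str, local_port: int,
             sni_name: Optional[str]) -> Optional[str]:
    v = select_vhost(vhosts, local_ip, local_port, sni_name)
    return v.cert if v else None


def thread_scenario(example2_address: str = "*:443") -> List[VHost]:
    """Constructed vhost list modelled on the thread: several *:443 vhosts for
    one domain sharing a wildcard certificate, then a second domain added."""
    return [
        VHost("*:443", "www.example1.com", ["example1.com"], cert="wildcard.example1.com"),
        VHost("*:443", "shop.example1.com", cert="wildcard.example1.com"),
        VHost("*:443", "dev.example1.com", ["*.dev.example1.com"], cert="wildcard.example1.com"),
        VHost(example2_address, "example2.com", ["www.example2.com"], cert="example2.com"),
    ]


if __name__ == "__main__":
    hosts = thread_scenario()
    print(cert_for(hosts, "1.1.1.1", 443, "example2.com"))  # example2.com
    print(cert_for(hosts, "1.1.1.1", 443, None))            # wildcard.example1.com: no SNI -> first vhost
    mixed = thread_scenario("1.1.1.13:443")
    # example2.com now owns 1.1.1.13:443 outright, so a request for www.example1.com
    # arriving on that IP never sees the *:443 set and gets the wrong certificate.
    print(cert_for(mixed, "1.1.1.13", 443, "www.example1.com"))  # example2.com
```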
  

Re: [users@httpd] Multi-domain with SSL - Virtualhost all need IPs?

2022-05-19 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



ok this is starting to make more sense as we go along

I went through all of this myself when setting up originally

i found that i can not use vhosts easily with ssl / sni / sans etc

and san is a nightmare to manage every time you make a cert change.

it was just more reliable to use individual config entries and sni and proper certs for the domain.


also note certs today handle the domain.com & www.domain.com in one cert (or apache - never really did figure that out)


basically domain.com handles both with the ServerAlias


also (why i forgot about it) vhosts allows users to criss cross directories data wise (ie all rights are users www:www) which is why i went away from that type of config.


unless this has changed i ended up dumping vhosts config and went with individual config entries per website.



examples below using *:80 & *:443 respectively


# VirtualHost container lines restored here (the list archive stripped them); *:80 then *:443 as stated above.
<VirtualHost *:80>
ServerName underconstruction.scom.ca
ServerAlias underconstruction.scom.ca
DocumentRoot /www/underconstruction.scom.ca
</VirtualHost>

<VirtualHost *:443>
ServerName underconstruction.scom.ca
ServerAlias underconstruction.scom.ca
DocumentRoot /www/underconstruction.scom.ca
SSLEngine on
SSLProtocol all
SSLCertificateKeyFile /www/scom.ca/ssl/scom.ca.key
SSLCertificateFile /www/scom.ca/ssl/scom.ca.crt
SSLCertificateChainFile /www/scom.ca/ssl/scom.ca.chain
</VirtualHost>


I know it's long and drawn out in the config file which is why i wrote a python script against a pgsql database to generate my config but IT DOES WORK!



a better example (more secure) - this keeps all php scripts and users from bleeding into other user directories. This is how onetoone, myself and a bunch of other providers got hacked a few years back.


Mainly due to wordpress security issues.

vhosts is convenient but not super secure.


# VirtualHost/Directory container lines restored here (the list archive stripped them);
# this is the *:80 entry, with Directory paths following the bedrockconstruction.ca example on this page.
<VirtualHost *:80>
ServerName video.guelph.eks.scom.ca
ServerAlias video.guelph.eks.scom.ca
DocumentRoot /www/video.guelph.eks.scom.ca

SuexecUserGroup www www

<Directory "/www/video.guelph.eks.scom.ca/wp-content/uploads/">
Order Deny,Allow
Deny from All
</Directory>

<Directory /www/video.guelph.eks.scom.ca>
php_admin_value open_basedir /www/video.guelph.eks.scom.ca:/var/log/
</Directory>

<Directory /www/video.guelph.eks.scom.ca>
php_admin_value sys_temp_dir /www/video.guelph.eks.scom.ca/tmp/
</Directory>

<Directory /www/video.guelph.eks.scom.ca>
php_admin_value session.save_path /www/video.guelph.eks.scom.ca/tmp/
</Directory>

<Directory /www/video.guelph.eks.scom.ca>
php_admin_value soap.wsdl_cache_dir /www/video.guelph.eks.scom.ca/tmp/
</Directory>

<Directory /www/video.guelph.eks.scom.ca>
php_admin_value upload_tmp_dir /www/video.guelph.eks.scom.ca/tmp
</Directory>

<Directory "/www/video.guelph.eks.scom.ca">
AllowOverride All
php_value session.save_path "/www/video.guelph.eks.scom.ca/"
</Directory>
</VirtualHost>





&


# VirtualHost/Directory container lines restored here (the list archive stripped them);
# this is the *:443 entry, with Directory paths following the bedrockconstruction.ca example on this page.
<VirtualHost *:443>
ServerName video.guelph.eks.scom.ca
ServerAlias video.guelph.eks.scom.ca
DocumentRoot /www/video.guelph.eks.scom.ca

SuexecUserGroup www www

<Directory "/www/video.guelph.eks.scom.ca/wp-content/uploads/">
Order Deny,Allow
Deny from All
</Directory>

<Directory /www/video.guelph.eks.scom.ca>
php_admin_value open_basedir /www/video.guelph.eks.scom.ca:/var/log/
</Directory>

<Directory /www/video.guelph.eks.scom.ca>
php_admin_value sys_temp_dir /www/video.guelph.eks.scom.ca/tmp/
</Directory>

<Directory /www/video.guelph.eks.scom.ca>
php_admin_value session.save_path /www/video.guelph.eks.scom.ca/tmp/
</Directory>

<Directory /www/video.guelph.eks.scom.ca>
php_admin_value soap.wsdl_cache_dir /www/video.guelph.eks.scom.ca/tmp/
</Directory>

<Directory /www/video.guelph.eks.scom.ca>
php_admin_value upload_tmp_dir /www/video.guelph.eks.scom.ca/tmp
</Directory>

<Directory "/www/video.guelph.eks.scom.ca">
AllowOverride All
php_value session.save_path "/www/video.guelph.eks.scom.ca/"
</Directory>

SSLEngine on
SSLProtocol all
SSLCertificateKeyFile /www/scom.ca/ssl/scom.ca.key
SSLCertificateFile /www/scom.ca/ssl/scom.ca.crt
SSLCertificateChainFile /www/scom.ca/ssl/scom.ca.chain
</VirtualHost>



Note I have a wildcard ssl cert but the file location setup is clearly defined.




Happy Thursday !!!
Thanks - paul

Paul Kudla



On 5/19/2022 9:11 AM, Rainer Canavan wrote:


On Wed, May 18, 2022 at 11:53 PM Frank Gingras wrote:


Not sure if you saw the other answer on the other email:

// If you can't use a SAN, then you need to configure all your vhosts as 
IP:443, whereas one vhost uses a separate IP, and the remainder uses the second 
IP.


That sounds wrong to me. Apache should pick a matching certificate for
the hostname specified via SNI by the client, if any, or the first one
configured as a fallback (assuming the vhost IP / * specification
matches). Note that only vhosts with IP:port are considered, if any
are specified and match the request. You should be able to use *:443
for all vhosts.

Rainer





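An added example (not Paul's database-driven generator, which the thread does not show) that audits a config for the per-site isolation properties his "more secure" template above and the bedrockconstruction.ca config in the "site compromised" thread rely on: open_basedir, sys_temp_dir, upload_tmp_dir and session.save_path pinned inside the DocumentRoot, and wp-content/uploads denied. The config text is constructed for the example and the parser covers only the VirtualHost/Directory subset used here.

```python
import os
import re
from dataclasses import dataclass, field

# Constructed config modelled on the per-site template in this thread.
SAMPLE_CONF = """
<VirtualHost *:443>
ServerName example-a.test
DocumentRoot /www/example-a.test
<Directory "/www/example-a.test/wp-content/uploads/">
Order Deny,Allow
Deny from All
</Directory>
<Directory /www/example-a.test>
php_admin_value open_basedir /www/example-a.test:/var/log/
php_admin_value sys_temp_dir /www/example-a.test/tmp/
php_admin_value session.save_path /www/example-a.test/tmp/
php_admin_value upload_tmp_dir /www/example-a.test/tmp
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerName example-b.test
DocumentRoot /www/example-b.test
<Directory /www/example-b.test>
php_admin_value open_basedir /www:/tmp
</Directory>
</VirtualHost>
"""

@dataclass
class Section:
    name: str
    args: str = ""
    directives: list = field(default_factory=list)  # (key, value) in file order
    children: list = field(default_factory=list)

def parse_httpd_conf(text):
    """Minimal parser: nested <Section args> ... </Section> plus 'Key value' lines."""
    root = Section("root")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^</\w+>$", line):
            stack.pop()
        elif m := re.match(r"^<(\w+)\s*([^>]*)>$", line):
            sec = Section(m.group(1), m.group(2).strip().strip('"'))
            stack[-1].children.append(sec)
            stack.append(sec)
        else:
            key, _, value = line.partition(" ")
            stack[-1].directives.append((key, value.strip().strip('"')))
    if len(stack) != 1:
        raise ValueError(f"unclosed <{stack[-1].name}>")
    return root

def _inside(path, root):
    path, root = os.path.normpath(path), os.path.normpath(root)
    return path == root or path.startswith(root + os.sep)

def _first(sec, key):
    return next((v for k, v in sec.directives if k.lower() == key.lower()), None)

def audit_vhost(vh, extra_allowed=("/var/log",)):
    """List the ways a vhost falls short of the per-site isolation pattern."""
    docroot = _first(vh, "DocumentRoot")
    if docroot is None:
        return ["no DocumentRoot"]
    findings = []
    dirs = [c for c in vh.children if c.name.lower() == "directory"]
    php = {}  # php_admin_value settings applied to the DocumentRoot itself
    for d in dirs:
        if os.path.normpath(d.args) == os.path.normpath(docroot):
            php.update(v.split(None, 1) for k, v in d.directives if k == "php_admin_value")
    basedir = php.get("open_basedir")
    if basedir is None:
        findings.append("open_basedir not set for DocumentRoot")
    else:
        for p in basedir.split(":"):
            if not (_inside(p, docroot) or any(_inside(p, a) for a in extra_allowed)):
                findings.append(f"open_basedir reaches outside the site: {p}")
    for name in ("sys_temp_dir", "upload_tmp_dir", "session.save_path"):
        val = php.get(name)
        if val is None:
            findings.append(f"{name} not pinned inside the site")
        elif not _inside(val, docroot):
            findings.append(f"{name} outside the site: {val}")
    uploads = os.path.normpath(os.path.join(docroot, "wp-content", "uploads"))
    if not any(os.path.normpath(d.args) == uploads and ("Deny", "from All") in d.directives
               for d in dirs):
        findings.append("wp-content/uploads is not denied")
    return findings

def audit_config(text):
    """ServerName -> findings for every :443 vhost in the config text."""
    root = parse_httpd_conf(text)
    return {_first(vh, "ServerName"): audit_vhost(vh) for vh in root.children
            if vh.name.lower() == "virtualhost" and vh.args.endswith(":443")}
```

Running `audit_config(SAMPLE_CONF)` reports nothing for example-a.test and six findings for example-b.test, whose open_basedir of /www:/tmp lets its scripts read every other site under /www.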



[users@httpd] Re: {Disarmed} Re: [users@httpd] Multi-domain with SSL - Virtualhost all need IPs?

2022-05-18 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



you need to  set the cert files per virtual domain

example :


# VirtualHost container lines restored here (the list archive stripped them); both are *:443 entries.
<VirtualHost *:443>
ServerName underconstruction.scom.ca
ServerAlias underconstruction.scom.ca
DocumentRoot /www/underconstruction.scom.ca
SSLEngine on
SSLProtocol all
SSLCertificateKeyFile /www/scom.ca/ssl/scom.ca.key
SSLCertificateFile /www/scom.ca/ssl/scom.ca.crt
SSLCertificateChainFile /www/scom.ca/ssl/scom.ca.chain
</VirtualHost>

<VirtualHost *:443>
ServerName ekst.ca
ServerAlias ekst.ca
ServerAlias www.ekst.ca
DocumentRoot /www/ekst.ca

SSLEngine on
SSLProtocol all
SSLCertificateFile /www/ekst.ca/ssl/ekst.ca.crt
SSLCertificateKeyFile /www/ekst.ca/ssl/ekst.ca.key
SSLCertificateChainFile /www/ekst.ca/ssl/ekst.ca.chain
</VirtualHost>






Happy Wednesday !!!
Thanks - paul

Paul Kudla



On 5/18/2022 5:26 PM, frank picabia wrote:

Sorry, different domain.

300 hosts like *.example1.com 
and now we have 1 example2.com 


On Wed, May 18, 2022 at 4:31 PM Frank Gingras wrote:


See if you can add a SAN to that wildcard certificate first.

On Wed, 18 May 2022 at 15:21, frank picabia <fpica...@gmail.com> wrote:


We have a server with over 300 vhosts on it.  Marketing/CMS madness I guess.
All on the same domain name.  Many VirtualHosts are defined with *:443 and then ServerName to rely on SNI.
We have a wildcard cert for the domain and all the hosts use that.

Now there is a different domain to add for SSL.  For some reason the first domain name's certificate is being found.  I've put the IP for our new comer domain so we have <VirtualHost 1.1.1.1:443> but it is still finding the other cert.  This IP is uniquely assigned with the different domain, as you'd expect with DNS.  So it can't be an overlap of the IP used elsewhere.

Researching this problem ("wrong cert loaded for vhost"), I read that in the initial SSL connection, it is talking to the IP, and whatever values we have for ServerName have no bearing until the page is being accessed.  If that's the case then it might have matched another vhost with *:443 first.
I tried putting my new domain at the top of ssl.conf but it made no difference.

I'm thinking I need to edit each *:443 case and change it to the appropriate IP.
That will be a lot of work, so I'm looking for affirmation that is likely to make the difference.






[users@httpd] Re: {Disarmed} Re: [users@httpd] Multi-domain with SSL - Virtualhost all need IPs?

2022-05-18 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



ok san is only usable if the cert is setup that way

i bought a proper *.scom.ca wildcard ssl cert for my domain

i then buy mail.xxx.com certs for the other domains

sni works well when configured this way.

granted san might or might not work (i never tried that) however san was designed more for apache web servers vs email etc


san does allow adding domains but is more complicated to control what the cert is doing (or not)


sounds like what i did will work better for your situation

example sni.conf file (import this at the end of your main dovecot.conf file) using :

#Addition ssl config
!include sni.conf

please note that below i wrote a python script to pull the cert from a db table


getssl.cert

all it does is return the text for the ssl cert (key first then certificate then both Intermediate certs)


you can point this to an ssl key file (the old way) formatted the same

either will work

note you need both the default cert setup AND the local name as well

a *. signifies a wildcard ssl cert

like *.scom.ca

note you need to do something similar in postfix as well for this to work across smtp + dovecot





# cat sni.conf
#sni.conf
ssl = yes
verbose_ssl = yes
ssl_dh =  ssl_key = /programs/common/getssl.cert -c mail.hamletdevelopments.ca -q yes
  ssl_cert = /programs/common/getssl.cert -c mail.hamletdevelopments.ca -q yes
  ssl_ca = /programs/common/getssl.cert -c mail.hamletdevelopments.ca -q yes

}




Happy Wednesday !!!
Thanks - paul

Paul Kudla



On 5/18/2022 3:31 PM, Frank Gingras wrote:

See if you can add a SAN to that wildcard certificate first.

On Wed, 18 May 2022 at 15:21, frank picabia wrote:



We have a server with over 300 vhosts on it.  Marketing/CMS madness I guess.
All on the same domain name.  Many VirtualHosts are defined with *:443 and then ServerName to rely on SNI.
We have a wildcard cert for the domain and all the hosts use that.

Now there is a different domain to add for SSL.  For some reason the first domain name's certificate is being found.  I've put the IP for our new comer domain so we have <VirtualHost 1.1.1.1:443> but it is still finding the other cert.  This IP is uniquely assigned with the different domain, as you'd expect with DNS.  So it can't be an overlap of the IP used elsewhere.

Researching this problem ("wrong cert loaded for vhost"), I read that in the initial SSL connection, it is talking to the IP, and whatever values we have for ServerName have no bearing until the page is being accessed.  If that's the case then it might have matched another vhost with *:443 first.
I tried putting my new domain at the top of ssl.conf but it made no difference.

I'm thinking I need to edit each *:443 case and change it to the appropriate IP.
That will be a lot of work, so I'm looking for affirmation that is likely to make the difference.


