Danny Yee wrote:
 
> But I'd like to disable (non-anonymous) ftp for security reasons, and
> have people access their files through https instead.  Has anyone got
> any experience doing this?  Are there simple instructions on setting
> this up under Apache (and the security issues involved...) and is the
> performance hit a problem (https being slow)?

Well there is a performance hit using SSL but depending on the expected
usage it may or may not be that much of a problem, and it's certainly
not as much of a problem as it used to be.

Adding https support is pretty easy, install OpenSSL and mod_ssl and
away you go (or Apache-SSL depending on your political leanings) and
re-do Apache.

The fun part is setting up the certificate stuff. Either way you have to
generate a private key and a certificate request. The certificate
request is what you get signed to create your server
certificate. To do that you either toddle off to Verisign with the
associated outlay which is nice and easy.

The cheaper less easy way is to create your own self-signed
certificates. To do that you set yourself up as your own Certificate
Authority and use your 'authority certificate' (not the right term) to
sign the certificate request and create the server certificate. The
problem arises when your browser accesses the site as the browser does
not recognise the certificate authority. You can make the users download
the CA certificate which means the browser does not complain about
server certs that are signed by that authority but it's a bit of a
kludge.

Having said that, you could somehow ditch people out of the site that
don't have the CA cert in their browser, and only allow authorised users
to download the CA cert into their browser as an added level of
security.

Have a looksee at the OpenSSL and SSLeay docs for some links on being
your own CA.

Cheers,
 Graeme
--
SLUG - Sydney Linux Users Group Mailing List - http://www.slug.org.au
To unsubscribe send email to [EMAIL PROTECTED] with
unsubscribe in the text
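Added example (not part of Graeme's message): the be-your-own-CA steps described above, written as OpenSSL commands, plus the check a browser effectively performs with and without the CA certificate. The subject names, file names, key sizes and lifetimes are constructed assumptions.

```shell
#!/bin/sh
# Constructed example: every name, path and lifetime below is an assumption.
# -nodes leaves the keys unencrypted so the script runs unattended.

# Build a private CA, then a server key + certificate request, then have
# the CA sign the request to produce the server certificate.
make_ca_and_server_cert() {
    dir=$1
    # 1. CA private key and self-signed CA certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=Example Private CA/CN=Example Root" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # 2. Server private key and certificate request (CSR).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # 3. The CA signs the CSR; browsers match the host name against the SAN.
    printf 'subjectAltName=DNS:www.example.test\n' > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" -sha256 -days 90 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null || return 1
    # Private keys stay on the server; only ca.crt is handed to users.
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# The browser's check: does the server certificate chain to a CA it trusts?
verify_with_ca() {   # usage: verify_with_ca CA_CERT SERVER_CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Fingerprint users can compare out of band before importing ca.crt.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

demo=$(mktemp -d) && mkdir "$demo/ours" "$demo/other"
make_ca_and_server_cert "$demo/ours"
make_ca_and_server_cert "$demo/other"      # stands in for any CA the client lacks
verify_with_ca "$demo/ours/ca.crt" "$demo/ours/server.crt" \
    && echo "client holding our CA cert: server cert verifies"
verify_with_ca "$demo/other/ca.crt" "$demo/ours/server.crt" \
    || echo "client without our CA cert: verification fails (browser warning)"
ca_fingerprint "$demo/ours/ca.crt"
rm -rf "$demo"
```

Whoever holds ca.key can issue certificates that every browser trusting ca.crt will accept, so it belongs somewhere better protected than the web server itself.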
