On Fri, Apr 4, 2014 at 12:55 AM, Andy Canfield <andycanfi...@yandex.com>wrote:
> There are several lines in places that read > <IfModule mod_ssl.c> > There is no file on my hard disk named "mod_ssl.c". There is, however, a > file named > /usr/lib/apache2/modules/mod_ssl.so > Is there some magic connection between "mod_ssl.c" and "mod_ssl.so"? Like > was the ssl module written in C? > http://httpd.apache.org/docs/2.2/mod/core.html#ifmodule <IfModule *module*>: The module argument can be either the module identifier or the file name of the module, at the time it was compiled. For example, rewrite_module is the identifier and mod_rewrite.c is the file name. On 04/03/2014 09:46 PM, Yehuda Katz wrote: > > Debian/Ubuntu have a slightly different default layout and include some > tools to help you work with it. The tools just create the symlinks for you, > but the major benefit is that all of them support tab-completion, so you > know what is available. > > a2enmod / a2dismod: enable or disable apache modules > a2ensite / a2dissite: enable or disable apache vhosts > a2enconf / a2disconf: enable or disable apache configuration files > (added in Ubuntu 13.10) > > The first this to check is that you have loaded mod_ssl, either by > running `a2enmod ssl` or looking at the modules-enabled directory. > You are probably not listening on 443 since it is inside the <ifmodule> > and the module is not loaded. > > > Then as instructed by a2enmod I ran the command > service apache2 restart > I normally use '/etc/init.d/apache2 restart' but I did it with 'service' > this time. > They do the same thing in this case. I usually run apache2ctl configtest before I restart to make sure that I will not discover a problem when the server is in the process of restarting. > After some editing for fixing up things like DocumentRoot (changed to my > own) I got it to restart with no errors. > > > You should have Ubuntu's default SSL vhost in > sites-available/default-ssl.conf and you can enable it using the tool (or > manual symlink). > > There is no file extension on "/etc/apache2/sites-available/default-ssl", > I assume that file is correct. It starts with these two lines: > <IfModule mod_ssl.c> > <VirtualHost _default_:443> > > The above has they keyword "_default_" in the VirtualHost line. All of my > existing http config files read like this: > <VirtualHost *:80> > There is no Virtual Host name in that line, so presumably they all share > the same virtual host, yes? Do I need multiple virtual hosts for https, or > will one virtual host be OK for all the sites? > An HTTPS vhost is exactly the same as an HTTP vhost except for the certificate configuration. If you want multiple vhosts with HTTPS though, you either need an IP address for each or all of your users need to support SNI in their browsers (any modern browser should). This wiki page is a bit old, but still looks correct: http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI Wonderful! I rebooted the computer just to make 100% sure of my restarting > EVERYTHING, and then ran 'nmap localhost' and it finally showed me this > line: > 443/tcp open https > Great! Now somebody is listening. > > I sent Firefox to "https://localhost/"; <https://localhost/> and after a > bunch of crabbing about the certificate I got to see the same site. So now > I have to figure out how to make a certificate (FYI I am an anarchist). > > I went to one of my sites and followed a link and discovered that it > switched back to "http://"; because that is what is in the HTML. Gotta fix > that. > > > You can enable any vhost for SSL by adding a few directives to it (it > will stop listening on non-ssl): > - Change the vritualhost port to 443 > - SSLEngine on > - SSLCertificateFile /etc/apache2/ssl/example.com.crt > - (SSLCertificateKeyFile /etc/apache2/ssl/example.com.key if the key is > not in the same file) > > There are a few other default things in the default-ssl vhost to fix > buggy browsers and provide more info to cgi-scripts. > > "buggy browsers" as in Internet Explorer, right? These are intra-company > web sites, and we simply tell people not to use IE. > > > - Y > > Thank you very much Yehuda. I think I am launched and can follow on for a > while by myself. > > > > > On Thu, Apr 3, 2014 at 6:10 AM, Andy Canfield <andycanfi...@yandex.com>wrote: > >> >> Files: >> >> -rw-r--r-- 1 root 859 Apr 3 11:45 /etc/apache2/ssl/crt/vhost1.crt >> >> -rw-r--r-- 1 root 916 Apr 3 11:45 /etc/apache2/ssl/key/vhost1.key >> >> So AFAIK I've got a certificate I've generated myself. Nobody vouches for >> me but it shoud enable encryption and make my TCP/IP packets hard to read. >> >> Contents of /etc/apache2/ports.conf: >> NameVirtualHost *:80 >> Listen 80 >> >> <IfModule mod_ssl.c> >> Listen 443 >> </IfModule> >> <IfModule mod_gnutls.c> >> Listen 443 >> </IfModule> >> >> Files: >> >> -rw-r--r-- 1 andy 1439 Apr 3 14:48 /etc/apache2/sites-available/default >> -rw-r--r-- 1 andy 7485 Jun 16 2011 >> /etc/apache2/sites-available/default-ssl >> -rw-r--r-- 1 root 7469 Feb 7 2012 >> /etc/apache2/sites-available/default-ssl.original >> -rw-r--r-- 1 root 950 Feb 7 2012 >> /etc/apache2/sites-available/default.original >> >> I see here that /etc/apache2/sites-available has one symbolic link to >> /etc/apache2/sites-available/default, and no symbolic links to any of the >> other entries in the sites-available directory. Also all the other entries >> in /etc/apache2/sites-available are symbolic links to configuration files >> such as >> >> lrwxrwxrwx 1 root 21 May 6 2012 /etc/apache2/sites-enabled/opal.conf -> >> /www/opal/apache.conf >> >> These links have been working fine for years as links into the site >> control directory and not into 'sites-available'. But perhaps that is wrong. >> >> Maybe what I need is a symbolic link from sites-enabled to >> ../sites-available/default-ssl ? Nope, tested, did not solve the problem.... >> >> When I give this command (as root) - >> >> /etc/init.d/apache2 restart >> >> I see only this output: >> >> apache2: Could not reliably determine the server's fully qualified domain >> name, using 192.168.1.112 for ServerName >> ... waiting apache2: Could not reliably determine the server's fully >> qualified domain name, using 192.168.1.112 for ServerName >> >> [ OK ] >> >> But nmap still says that nothing is listening to port 443. >> >> Thank you Oren. >> >> >> On 04/03/2014 04:04 PM, Oren wrote: >> >> Hi Andy. >> Process basically include getting/creating a certificate, define it on >> your site and reload apache. >> here is a centos manual which is not exactly the same on ubuntu but >> pretty much explains the order of things >> http://wiki.centos.org/HowTos/Https >> >> on ubuntu you will have to open the 443 port >> <IfModule mod_ssl.c> >> Listen 443 >> </IfModule> >> >> once the https is ready, you can do a redirect to the https site from >> http. (with mod_rewrite) >> >> do you have logs or any information on what is not working? >> >> Oren >> >> On 04/03/2014 11:39 AM, Andy Canfield wrote: >> >> I have been using apache for maybe ten years now, and maintain two >> servers in addition to the apache on my notebook computer for testing. >> All using Ubuntu Linux *.04 LTS. It now appears that I ought to convert >> from http to https. >> >> But the documentation is insane. A piece here, a piece there, have to do >> X (but first? and afterwards?). Assuming everything is else is OK, this >> is way you edit this line in VirtualHost file (there is no >> "/etc/apache2/.../VirtualHost" file!) >> >> I figure that I need to do it in two steps: >> [1] Get the https version up and running, and >> [2] Make the http version automatically switch to https. >> >> But I can't get https working at all, for anything. There's a "Listen >> 443" in /etc/apache2/ports.conf but 'nmap localhost' says 443 is a >> closed port. >> >> Has anybody else ever converted a hosted site from http to https? What >> did you have to do to get the secure one working? >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org >> For additional commands, e-mail: users-h...@httpd.apache.org >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org >> For additional commands, e-mail: users-h...@httpd.apache.org >> >> >> . >> >> >> > >
