Bug#234591: apache2-common: Confusing SSL configuration
Package: apache2-common
Version: 2.0.48-7
Severity: normal
Followup-For: Bug #234591
I tried to configure apache2 with SSL (in order to run a subversion
repository) and it was unclear to me what's the preferred way to
configure SSL access.
I found four sources of SSL-related information on my unstable box:
- /usr/share/doc/apache2-common/README-SSL
- /usr/share/doc/apache2/examples/ssl.conf.gz
- the program apache2-ssl-certificate and its output (I assume) in
  /etc/apache2/ssl/
- /etc/apache2/mods-available/ssl.conf
None of them seem to be aware of the other, as can be derived from where
they place their files, e.g., for certificates we have:
- README-SSL: /etc/apache2/sites/<SERVERNAME>-ssl.*/
- examples/ssl.conf: /etc/apache2/ssl.*/
- apache2-ssl-certificate: /etc/apache2/ssl/
- mods-available/ssl.conf: N/A
I think this is highly confusing. (I think /etc/apache2/ssl/ is the
best location since it provides the highest degree of modularity, imho,
but that's beside the point of this bug report.)
Also, I guess I'm missing something about the intention behind
apache2-ssl-certificate, but since it is lacking a man page I didn't
find out. (This should probably be a separate bug report.)
In general, it's not clear how automation of the configuration process
is achieved as hinted at in /etc/apache2/README. For example, I assumed
that it is a good idea to leave apache2.conf untouched and try to put
all my changes in conf.d or httpd.conf? However, that's impossible
since I need to change the
    NameVirtualHost *
directive to
    NameVirtualHost *:80
in order to support the IP-based virtual host for the SSL port.
Essentially, I think that the aim should be to provide a configuration
that works safely out-of-the-box and it should be obvious how to extend
it without missing out on any automatic config updates that Debian
provides.
Anyway, thanks for all your efforts :-)
-Chris
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (990, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.21-3-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8
Versions of packages apache2-common depends on:
ii  debconf         1.4.16          Debian configuration management sy
ii  debianutils     2.5.4           Miscellaneous utilities specific t
ii  libapr0         2.0.48-7        The Apache Portable Runtime
ii  libc6           2.3.2.ds1-9     GNU C Library: Shared libraries an
ii  libdb4.2        4.2.52-10       Berkeley v4.2 Database Libraries [
ii  libexpat1       1.95.6-6        XML parsing C library - runtime li
ii  libldap2        2.1.22-1        OpenLDAP libraries
ii  libssl0.9.7     0.9.7c-5        SSL shared libraries
ii  mime-support    3.23-1          MIME files 'mime.types' & 'mailcap
ii  net-tools       1.60-8          The NET-3 networking toolkit
ii  openssl         0.9.7c-5        Secure Socket Layer (SSL) binary a
ii  ssl-cert        1.0-7           Simple debconf wrapper for openssl
ii  zlib1g          1:1.2.1-2       compression library - runtime
-- no debconf information
--
Chris Stork <> Support eff.org! <> http://www.ics.uci.edu/~cstork/
OpenPGP fingerprint: B08B 602C C806 C492 D069 021E 41F3 8C8D 50F9 CA2F
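
Added example (not part of the original report, and not Debian's shipped configuration): a sketch of the layout the report describes, with name-based hosting limited to port 80 and a separate IP-based virtual host on the SSL port. The host names, the Listen line and the certificate file names under /etc/apache2/ssl/ are placeholders assumed for illustration.

```apache
# Added illustration; host names and certificate file names are placeholders.

# Before (the directive the report says has to be changed):
#   NameVirtualHost *
# A port-less wildcard claims every port for name-based hosting,
# which leaves no room for a distinct virtual host on 443.

# After: name-based virtual hosting applies to port 80 only.
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName www.example.org
    DocumentRoot /var/www
</VirtualHost>

# IP-based virtual host for the SSL port. Requires mod_ssl to be loaded
# and a matching Listen directive (assumed here; it may already be set
# elsewhere in the configuration).
Listen 443

<VirtualHost _default_:443>
    ServerName svn.example.org
    DocumentRoot /var/www

    SSLEngine on
    # Placeholder file names in the directory the report prefers.
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
</VirtualHost>
```

Running "apache2ctl configtest" after a change like this reports syntax errors before the server is restarted. The private key file should be readable by root only.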