
Bug#267477: Easing the task of setting up SSL



If I could make a couple of suggestions for the ordinary user,

1.  the "IfDefine" and "/IfDefine" tags in the example ssl.conf keep the
SSL virtual host from starting with "apache2ctl start" if SSL isn't
defined.  SSL is defined in some cases by the init script but not by
apache2ctl unless a specific command line option is given.
This took a long time for me to figure out.  My suggestion would be:

1) apache2ctl and the apache2 init script should by default start the
server in the same configuration, as the init script itself suggests.

2) Please consider dropping the "IfDefine SSL" tag from the example
ssl.conf; those who know how to use command-line options can easily add it
if they need to.  Virtual hosts can already be added or disabled by
linking them into sites-enabled.  The first-time user should be able to do
basic configuration and run the server without command-line options.

2.  The example ssl.conf file contains a "Listen 443" directive before the
virtualhost section, but some of the how-to files suggest adding this
directive to the ports.conf file.  If it is present in both places,
apache2ctl configtest gives "OK" but the server fails to fully start.

My suggestion would be to keep the "Listen 443" directives in the
ports.conf file, since that is apparently what the file is for, and have
apache2ctl warn if more than one "Listen 443" directive is present or if
there is a virtual host on 443 but no listen statement.  An alternative
would be to simply listen on all ports that have virtual hosts.

Finally, here is my current ssl.conf file: I think it would be helpful to
give a very short but workable example in the hosts-available directory so the
user can get it going.

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache         dbm:/var/run/ssl_scache
SSLSessionCacheTimeout  300
SSLMutex  file:/var/run/ssl_mutex
#edit the following four lines for your site
<VirtualHost ssl.myhost.org:443>
DocumentRoot "/var/www"
ServerName ssl.myhost.org:443
ServerAdmin me@myhost.org
ErrorLog /var/log/apache2/ssl.error_log
TransferLog /var/log/apache2/ssl.access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
#change the following two files to the files in /etc/apache2/ssl
SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLCertificateKeyFile /etc/apache2/ssl/1a2d4a6c.0
</VirtualHost>

Finally, a README.ssl file in the /etc/apache2 directory could give the
following steps:
1)  create a self-signed certificate and key file in /etc/apache2/ssl
2)  add "Listen 443" to "ports.conf"
3)  edit the /etc/hosts/available/ssl.conf file (noting that one can
either use the same hostname for https or a different virtual hostname).
4)  enable the ssl virtual host by linking it to /etc/apache2/hosts-enabled
5)  restart apache2 with apache2ctl configtest; apache2ctl restart

This is great software; I just want to save time for the many people who
use Debian.

Respectfully,
Dan Woodard
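The check the report asks apache2ctl to perform (warn when more than one "Listen" names the same port, and when a virtual host sits on a port with no "Listen" at all) can be prototyped outside Apache. The script below is an added example written for this page; it is not part of the bug report or of Debian's apache2 package. The file contents are constructed samples, the file names ports.conf and ssl.conf are assumed, and it deliberately treats any two Listen directives for the same port as a duplicate, which is stricter than Apache itself (Listen lines for different specific addresses on one port are legal), so it errs on the side of warning.

```python
import re
from collections import defaultdict

# Constructed sample files standing in for /etc/apache2/ports.conf and an
# ssl virtual-host file. The repeated "Listen 443" reproduces the case the
# report describes (configtest says OK but the server does not fully start);
# the *:8443 host has no Listen directive at all.
PORTS_CONF = """\
Listen 80
Listen 443
"""

SSL_CONF = """\
# this Listen is also present in ports.conf
Listen 443
<VirtualHost ssl.myhost.org:443>
    ServerName ssl.myhost.org:443
    SSLEngine on
</VirtualHost>
<VirtualHost *:8443>
    ServerName other.myhost.org
</VirtualHost>
"""

LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE)
VHOST_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)


def port_of(addr):
    """Port from an address argument: '443', '0.0.0.0:443', '[::]:443' -> 443.
    Returns None when no port is given ('*', 'host', '[::1]')."""
    if addr.endswith("]") or ":" not in addr:
        return int(addr) if addr.isdigit() else None
    tail = addr.rsplit(":", 1)[1]
    return int(tail) if tail.isdigit() else None


def scan(files):
    """Map each port to the files that Listen on it, and collect
    (file, port) for every VirtualHost that names a port."""
    listens = defaultdict(list)
    vhosts = []
    for name, text in files.items():
        for line in text.splitlines():
            if line.lstrip().startswith("#"):   # Apache comments are whole lines
                continue
            m = LISTEN_RE.match(line)
            if m:
                port = port_of(m.group(1))
                if port is not None:
                    listens[port].append(name)
                continue
            m = VHOST_RE.match(line)
            if m:
                for addr in m.group(1).split():
                    port = port_of(addr)
                    if port is not None:
                        vhosts.append((name, port))
    return listens, vhosts


def check(files):
    """Return warning strings: a port listened on more than once, or a
    VirtualHost port with no Listen directive. An empty list means consistent."""
    listens, vhosts = scan(files)
    warnings = []
    for port, names in sorted(listens.items()):
        if len(names) > 1:
            warnings.append(
                f"Listen {port} appears {len(names)} times ({', '.join(names)}); "
                f"keep only the one in ports.conf"
            )
    for name, port in vhosts:
        if port not in listens:
            warnings.append(f"{name}: VirtualHost on port {port} but no Listen {port}")
    return warnings


if __name__ == "__main__":
    for w in check({"ports.conf": PORTS_CONF, "ssl.conf": SSL_CONF}):
        print("warning:", w)
```

Run against real files, the dictionary passed to check() would be built from /etc/apache2/ports.conf plus every file under sites-enabled, and the script would be run after "apache2ctl configtest", since configtest alone does not catch the duplicate Listen.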
