Hi Steve, On Tuesday 15 April 2008, Steve Kemp wrote: > #267477 ssl: some easy way to set up an ssl server > (as apache-ssl package in apache 1) > > - Suggestion: > 1. Update the sites-available/default to include SSL options. Yes, but how? Put all common options into an include file and include it in each of the two virtual hosts (like Message #132 in the bug)? Maybe using two files sites-available/default and sites-available/default-ssl would be better even. And what virtualhost setup to use? The most correct one would be NameVirtualHost *:80 <VirtualHost *:80> ... <VirtualHost _default_:443> ... because the ssl virtual host is IP/port based, not name based. OTOH this could create headaches on upgrade. BTW, the NameVirtualHost statement should go into ports.conf (there is another bug about this, too). > 2. Update "a2enmod" so that if "a2enmod ssl" is executed then > a new certificate is generated via openssl | ssl-cert if > the referenced one isn't already present. I would prefer a separate script. But "a2enmod ssl" could print a pointer to that script. > > #290458 mod_ssl preventing apache2 from starting (segfault) > > - Suggestion: Close. Very old. Not confirmed. > agreed > > #350733 apache2: SSI generate seg fault on apache 2.0.55-4 > > - Suggestion: Close. Very old. Not confirmed. > agreed > > #301155 ssl.conf won't run > > - [Refers to an example file we no longer ship. Close bug if > we can handle #267477] > > > #395936: Apache2 SSL service stopped working since upgrade to > 2.2.3-2 > > - Close. Warning was added per bug log. > these two are the same and are an issue only when upgrading from 2.0. Can be closed for sid/lenny. > > #398520 missing /usr/sbin/apache2-ssl-certificate > > - Reinstate script, as a wrapper around openssl, or the new > ssl-cert package. > Question: Why was this removed? Can we not re-add it? > Don't know, I wasn't around then. One should look at it if it does something differently than ssl-cert. > > #421802 apache2: ssl.conf dropped IE workarounds > > - Reinstate options in the default file we ship as per > #2567477 - then close this bug. > right > > #260063 apache2: suggestion to add new file - conf.d/security.conf > > - I would add this file with the suggested comments. I'd also > suggest adding comments here about things such as: > 1. ServerTokens Minimal > 2. ServerSignature Off I am undecided about this. If yes, traceenable would be another candidate. > (If this were done #341022 could be closed.) Denying "/" by default would definitely need a NEWS entry, because it would break quite a few setups. > > I think those are the ones that jumped out at me on an initial > pass over the bugs of package 'apache2', I'm sure there are > probably more relevant ones in the other Apache packages; so I'll > look at those shortly, if this mail results in a positive response. > > I guess my questions now are: > > 1. Are these suggested solutions reasonable? > Sure. > 2. If so should I submit patches to the list / the relevant > bugs / do something else? I think mailing patches to the bugs would be best for a start. Thanks for your help. Cheers, Stefan
Attachment:
signature.asc
Description: This is a digitally signed message part.