[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Apache -- SSL and normal on same system?

On Sun, Aug 13, 2000 at 09:19:20AM -0300, John Ackermann wrote:
> I've been running Apache successfully for a long time, and would like 
> to add a secured virtual site to my collection.  I tried installing 
> Debian apache-ssl but ran into a brick wall figuring out how to make it 
> work both for normal http on port 80, and https on port whatever.  
> Could some kind soul give me a pointer on how to set this up.  All the 
> documentation I've found for apache-ssl seems to assume that you're 
> going to run only a secure site, and not a mix.

Run apache (regular) on port 80 and apache-ssl on 443.  I've got my box
at work set up like this.  Just roll out the packages and start flying.
Nothing tricky.  If you get stuck, post back to the list (and maybe ping
me on the side).

> (By the way -- I know that in an e-commerce setting you'd want the 
> secure server to be on a separate box.  I'm not doing anything nearly 
> that critical, so don't mind the risk of having both secure and 
> unsecure servers running on the same machine.)

Not necessarily, AFAIK [1].  Regular-mode apache and apache-ssl don't share
address space, and if configured properly, are working from different
document roots.  The "risk" is about the same as having multiple accounts
on the same system.  Apache is pretty bulletproof -- there aren't a
whole mess of security problems associated with it (security tends to be
compromised through CGIs instead).

Here's a different analogy:  apache and apache-ssl are like having
telnet and ssh on the same box.  The fact that telnet is inherently
insecure in terms of data and session *doesn't* mean that ssh is
insecure, *so long as* no data are allowed to traverse the telnet
channel which would allow a compromise through ssh (eg:
userid/password).  So if the telnet were configured for unprivileged
user access in a chroot jail with very little command functionality (an
approximation of a standard http session), the risk is low.

Not that I'm advocating use of telnet to anyone.

Karsten M. Self <kmself@ix.netcom.com>     http://www.netcom.com/~kmself
 Evangelist, Opensales, Inc.                    http://www.opensales.org
  What part of "Gestalt" don't you understand?   Debian GNU/Linux rocks!
   http://gestalt-system.sourceforge.net/    K5: http://www.kuro5hin.org
GPG fingerprint: F932 8B25 5FDD 2528 D595 DC61 3847 889F 55F2 B9B0

[1] Though I claim no expertise.

Attachment: pgpdQ6FavY6lh.pgp
Description: PGP signature

Reply to: