Re: Apache -- SSL and normal on same system?
> Not necessarily, AFAIK. Regular-mode apache and apache-ssl don't share
> address space, and if configured properly, are working from different
> document roots. The "risk" is about the same as having multiple accounts
> on the same system. Apache is pretty bulletproof -- there aren't a
> whole mess of security problems associated with it (security tends to be
> compromised through CGIs instead).
>
> Here's a different analogy: apache and apache-ssl are like having
> telnet and ssh on the same box. The fact that telnet is inherently
> insecure in terms of data and session *doesn't* mean that ssh is
> insecure, *so long as* no data are allowed to traverse the telnet
> channel which would allow a compromise through ssh (e.g.:
> userid/password). So if the telnet were configured for unprivileged
> user access in a chroot jail with very little command functionality (an
> approximation of a standard http session), the risk is low.

You just made the light go on, I think. I was trying to run both
secure and normal sites using apache-ssl. I thought that the ssl
version could do both, and it was a matter of configuring each virtual
site to use one or the other. What you're saying is that I need to
install both apache and apache-ssl, running out of separate server
roots. I'll try that.

John Ackermann N8UR
Dayton, Ohio, USA
firstname.lastname@example.org -- http://www.febo.com
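
An added example, not part of the original thread: a small check that two Apache instances, one plain and one SSL, really are separated in the way the messages above describe (different server roots, non-overlapping document roots, different listen ports). The configuration text and every path in it are constructed for illustration, and Listen values are compared as literal strings.

```python
import posixpath
import re

# Constructed sample configs (paths are assumptions, not from the thread).
PLAIN_CONF = """\
ServerRoot "/etc/apache"
Listen 80
DocumentRoot /var/www/public
"""
SSL_CONF = """\
ServerRoot "/etc/apache-ssl"
Listen 443
DocumentRoot /var/www/secure
<VirtualHost *:443>
    DocumentRoot /var/www/public/shop
</VirtualHost>
"""

# Matches uncommented directives, with or without quotes around the value.
DIRECTIVE = re.compile(
    r'^\s*(ServerRoot|DocumentRoot|Listen)\s+"?([^"\s]+)"?', re.I | re.M)

def directives(conf_text):
    """Collect every value of the compared directives, keyed by lowercase name."""
    found = {"serverroot": set(), "documentroot": set(), "listen": set()}
    for name, value in DIRECTIVE.findall(conf_text):
        key = name.lower()
        if key != "listen":
            value = posixpath.normpath(value)  # drop trailing slashes, "..", etc.
        found[key].add(value)
    return found

def nested(a, b):
    """True if path a equals b or lies underneath it."""
    return a == b or a.startswith(b.rstrip("/") + "/")

def overlaps(conf_a, conf_b):
    """Return a list of ways the two instances fail to be separated."""
    a, b = directives(conf_a), directives(conf_b)
    issues = []
    for key in ("serverroot", "listen"):
        for value in sorted(a[key] & b[key]):
            issues.append(f"shared {key}: {value}")
    for da in sorted(a["documentroot"]):
        for db in sorted(b["documentroot"]):
            if nested(da, db) or nested(db, da):
                issues.append(f"overlapping documentroot: {da} / {db}")
    return issues
```

With the sample input, the SSL virtual host serving a directory inside the plain server's document root is the one finding reported; content placed there would also be reachable over unencrypted HTTP.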