
Re: Apache to Apache-SSL
At 1017032218s since epoch (03/24/02 23:56:58 -0500 UTC), Sean wrote:
> Actually my problem was with getting the virtualhost part to work right.
> If you wouldn't mind, I would greatly appreciate being able to see a
> working httpd.conf with mod-ssl and virtualhost setup.

Attached below is the part of my httpd.conf that matters; the rest was
more or less a stock Debian config.  I'll outline the important stuff
here:

1) Use "Listen" directives, not "Port" directives.
2) Put SSL Globals BEFORE the VirtualHost directives
3) Use "NameVirtualHost *:80", rather than just "*", as we don't
   want to turn on NameVirtualHost for port 443 (recall that mod_ssl
   won't work with NameVirtualHost)
4) To create a virtual host that will listen on the SSL port, use:
   <VirtualHost _default_:443>

Note that this means that you can't use more than one virtual host
that uses SSL, unless you have separate IP addresses.

My config also listens on 8000, so I've left that stuff in (I don't
want to edit it out and ship it, as it might not work).

Good luck, and may the force be with you.

Jason

--
Jason Healy    |    jhealy@logn.net    |   http://www.logn.net/



# Use listen to bind to multiple addresses.
# Non-SSL
Listen 80
Listen 8000

# SSL
<IfModule mod_ssl.c>
Listen 443
</IfModule>

###
### BEGIN SSL CONFIGURATION VARIABLES
###

# These definitions should come before the VirtualHost commands

#
#   Some MIME-types for downloading Certificates and CRLs
#
<IfModule mod_ssl.c>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
</IfModule>


<IfModule mod_ssl.c>
#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is an internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First either `none'
#   or `dbm:/path/to/file' for the mechanism to use and
#   second the expiring timeout (in seconds).
#SSLSessionCache        none
#SSLSessionCache        shm:logs/ssl_scache(512000)
SSLSessionCache         dbm:/var/run/ssl_scache
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
SSLMutex  file:/var/run/ssl_mutex

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the 
#   SSL library. The seed data should be of good random quality.
#   WARNING! On some platforms /dev/random blocks if not enough entropy
#   is available. This means you then cannot use the /dev/random device
#   because it would lead to very long connection times (as long as
#   it requires to make more entropy available). But usually those
#   platforms additionally provide a /dev/urandom device which doesn't
#   block. So, if available, use this one instead. Read the mod_ssl User
#   Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#   Logging:
#   The home of the dedicated SSL protocol logfile. Errors are
#   additionally duplicated in the general error log file.  Put
#   this somewhere where it cannot be used for symlink attacks on
#   a real server (i.e. somewhere where only root can write).
#   Log levels are (ascending order: higher ones include lower ones):
#   none, error, warn, info, trace, debug.
#SSLLog      /var/log/apache/ssl_engine_log
#SSLLogLevel info

</IfModule>

###
### END SSL CONFIGURATION VARIABLES
###

# VirtualHost: Allows the daemon to respond to requests for more than one
# server address, if your server machine is configured to accept IP packets
# for multiple addresses. This can be accomplished with the ifconfig 
# alias flag, or through kernel patches like VIF.

# Any httpd.conf or srm.conf directive may go into a VirtualHost command.
# See also the BindAddress entry.
 
# Use name-based virtual hosting.
#
#NameVirtualHost 146.115.121.54

# Normally, we could just say "NameVirtualHost *", but SSL does not
# support name-based virtual hosting (due to the encryption).
# Therefore, we must keep the name-based virtual hosting to the
# unencrypted ports only.

NameVirtualHost *:80
NameVirtualHost *:8000

# logn.net
<VirtualHost *:80 *:8000>
    ServerAdmin webmaster@logn.net
    DocumentRoot /var/web/www.logn.net/www
    ServerName www.logn.net
    ServerAlias logn.net
    ErrorLog /var/web/www.logn.net/logs/error_log
    CustomLog /var/web/www.logn.net/logs/access_log combined

    <Directory "/var/web/www.logn.net/www/">
        Options Indexes FollowSymLinks MultiViews Includes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    ScriptAlias /cgi-bin/ "/var/web/www.logn.net/cgi-bin/"

    <Directory "/var/web/www.logn.net/cgi-bin">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>

</VirtualHost>

# mail.logn.net
<VirtualHost *:8000>
    ServerAdmin webmaster@logn.net
    DocumentRoot /usr/local/horde/imp
    ServerName mail.logn.net
    ServerAlias mail.logn.net
    ErrorLog /var/web/www.logn.net/logs/mail.error_log
    CustomLog /var/web/www.logn.net/logs/mail.access_log combined

    <Directory "/usr/local/horde">
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
        php_flag magic_quotes_gpc Off
        php_flag track_vars On
        php_flag track_errors On
    </Directory>

    Alias /horde /usr/local/horde

</VirtualHost>

<IfModule mod_ssl.c>
# mail.logn.net with SSL
<VirtualHost _default_:443>
    ServerAdmin webmaster@logn.net
    DocumentRoot /usr/local/horde/imp
    ServerName mail.logn.net
    ServerAlias mail.logn.net
    ErrorLog /var/web/www.logn.net/logs/mail.error_log
    CustomLog /var/web/www.logn.net/logs/mail.access_log combined

    SSLEngine on
    SSLCertificateFile    /etc/apache/ssl.crt/mail.crt
    SSLCertificateKeyFile /etc/apache/ssl.key/mail.key

    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

    <Directory "/usr/local/horde">
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
        php_flag magic_quotes_gpc Off
        php_flag track_vars On
        php_flag track_errors On
        SSLRequireSSL
    </Directory>

    Alias /horde /usr/local/horde

</VirtualHost>
</IfModule>
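The four rules Jason lists are easy to get wrong when hand-editing a long httpd.conf, so here is a small audit script, added as an example for this list post and not something Jason shipped, that parses an Apache 1.3 style config and reports violations of each rule. It assumes the directive names used in the post (Listen, Port, NameVirtualHost, the SSL* globals, SSLEngine) and treats <IfModule> and <Directory> containers as transparent; the two sample configs embedded at the bottom are constructed for the demonstration and use the reserved .test domain.

```python
"""Audit an Apache 1.3 / mod_ssl httpd.conf against the four rules from the post.

Rules checked (numbering follows the post):
  1) Listen, not Port.
  2) SSL globals before the first <VirtualHost>.
  3) NameVirtualHost must name a non-SSL port, never bare "*" or :443.
  4) SSL vhosts use <VirtualHost addr:443> with SSLEngine on, and at most one
     SSL vhost per address (no name-based SSL).
Added example, not the original poster's code.
"""
import re

# Globals the post says must precede the VirtualHost blocks (assumed list).
SSL_GLOBALS = {"SSLPassPhraseDialog", "SSLSessionCache", "SSLSessionCacheTimeout",
               "SSLMutex", "SSLRandomSeed"}

VHOST_OPEN = re.compile(r"<VirtualHost\s+(.+?)\s*>$", re.IGNORECASE)


def parse(text):
    """Return (globals, vhosts).

    globals: list of (directive, argument) found outside any <VirtualHost>.
    vhosts:  list of dicts with the address list, the directives inside the
             block, and 'pos' = number of globals seen before the block opened.
    <IfModule>, <Directory> and other containers are treated as transparent.
    """
    globals_, vhosts, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = VHOST_OPEN.match(line)
        if m:
            current = {"addrs": m.group(1).split(), "directives": [], "pos": len(globals_)}
            vhosts.append(current)
            continue
        if line.lower() == "</virtualhost>":
            current = None
            continue
        if line.startswith("<"):
            continue  # other container open/close tags: ignored
        parts = line.split(None, 1)
        entry = (parts[0], parts[1].strip() if len(parts) > 1 else "")
        (current["directives"] if current else globals_).append(entry)
    return globals_, vhosts


def audit(text):
    """Return a list of human-readable findings; an empty list means all rules pass."""
    findings = []
    globals_, vhosts = parse(text)
    names = [d for d, _ in globals_]

    # Rule 1: Listen, not Port.
    if "Port" in names:
        findings.append("rule 1: Port directive present; use Listen instead")
    if "Listen" not in names:
        findings.append("rule 1: no Listen directive found")

    # Rule 2: SSL globals must come before the first VirtualHost.
    first_vhost = vhosts[0]["pos"] if vhosts else len(globals_)
    for i, (d, _) in enumerate(globals_):
        if d in SSL_GLOBALS and i >= first_vhost:
            findings.append(f"rule 2: {d} appears after the first VirtualHost")

    # Rule 3: NameVirtualHost must not cover the SSL port.
    for d, arg in globals_:
        if d == "NameVirtualHost":
            _, _, port = arg.partition(":")
            if port in ("", "443"):
                findings.append(f"rule 3: NameVirtualHost {arg} covers port 443; "
                                "name it with an explicit non-SSL port")

    # Rule 4: one SSL vhost per address, each with SSLEngine on.
    by_addr = {}
    for vh in vhosts:
        lowered = [(d, a.lower()) for d, a in vh["directives"]]
        for addr in vh["addrs"]:
            if addr.endswith(","):
                findings.append(f"syntax: '{addr}' - VirtualHost addresses are space separated")
            host, _, port = addr.partition(":")
            if port == "443":
                by_addr.setdefault(host, []).append(vh)
                if ("SSLEngine", "on") not in lowered:
                    findings.append(f"rule 4: <VirtualHost {addr}> listens on 443 without 'SSLEngine on'")
    for host, vhs in by_addr.items():
        if len(vhs) > 1:
            findings.append(f"rule 4: {len(vhs)} VirtualHosts share {host}:443; "
                            "SSL cannot be name-based, use separate IP addresses")
    return findings


# Constructed sample: follows all four rules from the post.
GOOD_CONF = """
Listen 80
Listen 8000
<IfModule mod_ssl.c>
Listen 443
</IfModule>
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/var/run/ssl_scache
SSLMutex file:/var/run/ssl_mutex
SSLRandomSeed startup builtin
NameVirtualHost *:80
NameVirtualHost *:8000
<VirtualHost *:80 *:8000>
    ServerName www.example.test
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName mail.example.test
    SSLEngine on
    <Directory "/usr/local/horde">
        SSLRequireSSL
    </Directory>
</VirtualHost>
</IfModule>
"""

# Constructed sample: breaks every rule at least once.
BAD_CONF = """
Port 80
Listen 443
NameVirtualHost *
<VirtualHost *:80>
    ServerName www.example.test
</VirtualHost>
SSLSessionCache dbm:/var/run/ssl_scache
<VirtualHost _default_:443>
    ServerName www.example.test
</VirtualHost>
<VirtualHost _default_:443>
    ServerName mail.example.test
    SSLEngine on
</VirtualHost>
"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, "->", audit(conf) or "OK")
```

Run it against a real file with `audit(open("/etc/apache/httpd.conf").read())`; the parser deliberately ignores containers it does not know about, so it will not choke on <Location> or <Files> blocks, but it also will not see directives that are only valid inside them.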

