apache_ssl_and_named_vhosts

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



comp.infosystems.www.servers.unix newsgroup:

Subject: Re: ssl & Virtual hosts questions
Date: Fri, 15 Sep 2000 09:04:06 -0500
From: adam

Ron wrote:

>     I am now configuring virtual hosts using ssl. And I want
> to know whether ssl supports name-based virtual hosts.

No.  SSL handshakes are done before the client sends an HTTP request;
since name-based virtual hosts work off of the HTTP request (Host: line),
the SSL handshake can only rely on the IP address as a clue to what
domain name is being asked for.


===

mod_perl list:

Subject: apache-mod_ssl and name based virtual hosts
From: Charles Galpin
Date: Mon, 26 Jul 1999 22:28:34 -0400 (EDT)

I can't seem to get my virtual hosts to use their own certificates.

I have the server configured with a single IP and multiple virtual hosts,
each serving on port 80, and securely on port 443. Everything works nicely
except that the first certificate the browser picks up (ie from
https://www.A.com) is then used happily when going to https://www.B.com.
If I stop netscape, and go to https://www.B.com, then https://www.A.com
accepts its certificate happily.

Is this a limitation of name based virtual hosts? kind of sucks.

If not, can anyone provide some hints. I can provide details of my config
if need be.

===

Subject: Re: apache-mod_ssl and name based virtual hosts
From: "Igmar Palsenberg"
Date: Tue, 27 Jul 1999 15:20:51 +0200


>Hi all

>I can't seem to get my virtual hosts to use their own certificates.

>I have the server configured with a single IP and multiple virtual hosts,
>each serving on port 80, and securely on port 443. Everything works nicely
>except that the first certificate the browser picks up (ie from
>https://www.A.com)
>is then used happily when going to https://www.B.com. If I stop netscape,
>and go to https://www.B.com, then https://www.A.com accepts its
>certificate happily.

>Is this a limitation of name based virtual hosts? kind of sucks.


Limitation ?? The entire certification stuff is useless when used with
named-based virtual hosting.

named-based is an HTTP 1.1 thingy, and doesn't work with it. If you need to use
SSL, then use one IP per host.

>If not, can anyone provide some hints. I can provide details of my config
>if need be.

===

Subject: Re: understanding the httpd access log
From: Steve Borho
Date: Wed, 30 Jun 1999 13:20:24 -0500


On Wed, Jun 30, 1999 at 07:30:58AM -1000, widget wrote:
> Can anyone help me understand the httpd access log?
>
> 207.55.188.128 - - [25/May/1999:02:54:37 -1000] "HEAD / HTTP/1.0" 200 0
> 207.55.188.134 - - [26/Jun/1999:05:14:31 -1000] "HEAD / HTTP/1.0" 200 0
> 207.55.188.132 - - [26/Jun/1999:06:26:30 -1000] "HEAD / HTTP/1.0" 200 0
> 200.203.197.80 - - [26/Jun/1999:11:58:30 -1000] "GET /cm HTTP/1.1" 404 208
> 200.203.197.80 - - [26/Jun/1999:12:03:53 -1000] "GET /cm HTTP/1.1" 404 208
> 207.121.14.66 - - [26/Jun/1999:16:17:43 -1000] "GET / HTTP/1.0" 200 4766
> ~~~~~~~~~~~~~      ~~~~~~~~~~~~~~~~~~~~ ~~~~~   ~~~   ~~~~~~~~  ~~~ ~~~~
> the source         date & time          1?      2?    3?        4?  5?
>
>
> The first two fields make sense
>
> 1? the -1000 what does it mean?

10 hours before GMT

> 2? The "GET" is self explanatory but the "HEAD" isn't. Anyway the default
> file is index.html why do some HEAD /HTTP, while others GET /HTTP and
> others GET /cm HTTP?

Many browsers will request the HEAD first before doing a GET to find
out if the copy it has in its cache is still current.  Here's what a
HEAD request looks like when I do it by hand:

gauss-l% telnet www.ststech.com 80
Trying 192.168.1.66...
Connected to server1.ststech.com.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 30 Jun 1999 18:14:03 GMT
Server: Apache/1.3.3 (Unix)  (Red Hat/Linux)
Last-Modified: Wed, 25 Nov 1998 19:18:47 GMT
ETag: "4016-18a5-365c5817"
Accept-Ranges: bytes
Content-Length: 6309
Connection: close
Content-Type: text/html

Connection closed by foreign host.

> 3? what are the 1.0 and the 1.0

HTTP version numbers.  Look at the HTTP rfc's for details.

> 4? & 5? what are these numbers?

The first number is the return code.  The second one... I have no
idea, maybe a byte count.
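The log lines quoted above are Apache's Common Log Format, and the last two fields are the response status and the size of the body in bytes (a "-" means no body was sent). The parser below is an added example, not code from either poster: it pulls each field apart, converts the -1000 zone offset to UTC so entries from different servers can be compared, and tallies which clients collected error responses, which is usually the first thing to look at when a line like the repeated 404 for /cm shows up.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Common Log Format: client ident authuser [day/Mon/year:h:m:s zone] "request" status bytes
CLF = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<day>\d{2})/(?P<mon>[A-Za-z]{3})/(?P<year>\d{4}):(?P<hms>\d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4})\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/(?P<version>\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

def parse_clf(line):
    """Split one access_log line into its fields; the local time is kept and a UTC copy added."""
    m = CLF.match(line.strip())
    if not m:
        raise ValueError(f"not a CLF line: {line!r}")
    tz = m["tz"]                                   # e.g. -1000 -> 10 hours behind GMT
    delta = timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    zone = timezone(-delta if tz[0] == "-" else delta)
    hour, minute, second = (int(x) for x in m["hms"].split(":"))
    local = datetime(int(m["year"]), MONTHS[m["mon"]], int(m["day"]),
                     hour, minute, second, tzinfo=zone)
    return {
        "client": m["client"],
        "time": local,
        "time_utc": local.astimezone(timezone.utc),
        "method": m["method"],            # HEAD = headers only, used for cache freshness checks
        "path": m["path"],
        "version": m["version"],          # HTTP version the client spoke (1.0 or 1.1 here)
        "status": int(m["status"]),       # response code: 200 OK, 404 Not Found, ...
        "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),  # body size; "-" means none
    }

def error_counts(records, threshold=400):
    """Clients and how many of their requests got an error status (4xx/5xx)."""
    return Counter(r["client"] for r in records if r["status"] >= threshold)

# Sample input: the lines quoted in the question above.
SAMPLE = """\
207.55.188.128 - - [25/May/1999:02:54:37 -1000] "HEAD / HTTP/1.0" 200 0
207.55.188.134 - - [26/Jun/1999:05:14:31 -1000] "HEAD / HTTP/1.0" 200 0
200.203.197.80 - - [26/Jun/1999:11:58:30 -1000] "GET /cm HTTP/1.1" 404 208
200.203.197.80 - - [26/Jun/1999:12:03:53 -1000] "GET /cm HTTP/1.1" 404 208
207.121.14.66 - - [26/Jun/1999:16:17:43 -1000] "GET / HTTP/1.0" 200 4766
"""

if __name__ == "__main__":
    records = [parse_clf(l) for l in SAMPLE.splitlines()]
    for r in records:
        print(r["time_utc"].isoformat(), r["client"], r["method"], r["path"], r["status"], r["bytes"])
    print("clients with errors:", dict(error_counts(records)))
```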

===

Subject: RE: Security questions with Linux as web server
From: "Chad W. Skinner"
Date: Wed, 21 Jul 1999 17:40:28 -0500


Many of the Gurus will want to correct this if possible as I am new to
linux, but wanted to help where possible.  First, I am new to linux and am
still reading about security so I would double check this.

--> Questions:

--> 1) How can I enable password checking when a page is requested from a
--> directory where there is .htpasswd file? Right now it looks like my Linux
--> box happily disregards this file totally.

All of your apache questions can be answered by reading "Apache: The
Definitive Guide" by Ben Laurie and Peter Laurie (published by O'Reilly).  It
gives instructions to all of the directives.

I believe to allow access to .htpasswd files within a specific directory you
would have to use something like this.

First, to limit access to the root directory (not of the http server, but of
the filesystem):

<Directory />
   AllowOverride none
</Directory>

Now to selectively add the ability to use .htaccess files:

AccessFileName .htaccess

# /path/to/protected/dir is a placeholder for the directory you want protected
<Directory /path/to/protected/dir>
   AllowOverride AuthConfig
   AuthType Basic
   AuthName RealmNameHere
   AuthUserFile path/to/user/file
   require valid-user
</Directory>


--> 2) It looks like it is possible for all BUT root to FTP to my
--> Linux machine.
--> How do I correct this?

No clue here, but can you imagine how much damage someone could do as root!

--> 3) I would like the general public to be able only to browse our
--> site on the PC and download those files which we have as http links
--> on our pages. How do i disable everything else? (No FTP access, no email
--> relaying etc)

I don't know about email, but if ftp or any service you wish to limit access
to is running through inetd you should look into tcpwrappers and the files
/etc/hosts.allow and /etc/hosts.deny.

--> 4) I am not all that familiar with the workings of the sendmail
--> program but I need to have formmail running as we have a few request
--> pages which actually sends the requests using email. How do i configure
--> this?

What is form mail? I have never heard of it.  Is it a form of EMOD (email on
demand)?

--> 5) I generally need to be able to use perl scripts on my pages,
--> how is this enabled?

I don't want to give you advice here as I don't know the security
precautions and don't want to tell you wrong.  You might try the perl
website, I think the name I am looking for is Ralf Engelschall or something
like this, but I believe he wrote ePerl and might have some good
information on configuring perl on his website.

--> 6) Is there anything else to think of security-wise?

From the list I would say the answer is that there is always more one can do
for security, but when does one stop?  I don't know.

I don't know if any of this helps, but I have found the book mentioned above
helpful.  I have not read the whole thing yet, but it does have a chapter on
CGI and another on Apache security (both of which I have yet to read).  It
might be worth the trip to a local bookstore to check it out.

===

Subject: Setting up user cgi-bin directories in Apache?!!@#
From: Steven Hildreth
Date: Tue, 27 Jul 1999 13:32:53 -0500


Hey!

So I am trying to set up user (www.servername.com/~username) cgi-bin
directories. I create the user and then chmod the directory to 755 then
create public_html, this works you can then access the
www.servername.com/~username/index.html page in the public_html.

But when I create a textclock.cgi script (known to work on another
server) and place it in the user public_html/cgi-bin it does not exec?

Any links, pointers, or just anything related would be appreciated.


===


Subject: Re: Setting up user cgi-bin directories in Apache?!!@#
From: Scott McCool
Date: Tue, 27 Jul 1999 05:40:41 -0500 (CDT)



Check your web server logs.  If you're using apache they are named
error_log, cgi_log, access_log, etc.  Most likely you have mis-set
permissions on the file.  If you are using suEXEC or some cgi wrapper
program then the .cgi file will likely need to be owned by the user whose
directory the file resides in and should have permissions of 700 (owner
read, write, execute) only.  Also make sure the directory the script resides
in is at least 700 (maybe 755?).

Hope this helps, it's kind of off the top of my head.

===

Subject: Re: Setting up user cgi-bin directories in Apache?!!@#
From: Brent Sims
Date: Tue, 27 Jul 1999 16:38:16 -0600 (MDT)


On Tue, 27 Jul 1999, Steven Hildreth so wrote:

> Hey!
>
> But when I create a textclock.cgi script (known to work on another
> server) and place it in the user public_html/cgi-bin it does not exec?
>

The default installation of Apache is clamped down tight enough to keep
most of us out of trouble till we figure things out. If you haven't
already done so, you need to configure Apache to allow cgi scripts to be
executed in user directories. The easiest way is to simply
uncomment the 'AddHandler cgi-script .cgi' macro in your system's
/etc/httpd/srm.conf file. This is also the most dangerous way. And while I
did provide the information you need, having done so, I highly recommend
that you dig into the Apache (RTFM) manual a bit as it covers the security
aspects of this kind of thing rather nicely. And there are indeed some
major security considerations involved.

What I personally do is to handle this on a per directory basis which
means I have to tweak the configuration files every time a user is added
or removed. While a whole lot of work, it results in my being able to
sleep at night and thus, IMHO, is well worth the effort.

No, I'm not paranoid. I'm just lazy enough to have figured out that
running a secure box is a lot less work than the alternative.

===

Subject: Re: apache won't start or dies quietly
From: Bill Carlson
Date: Mon, 28 Jun 1999 15:35:33 -0500 (CDT)


On Fri, 25 Jun 1999, Gary wrote:

> It doesn't give me any error message.  If I execute
> "/etc/rc.d/init.d/httpd start" it just says "Starting httpd: httpd" but
> there are no 'httpd' processes running and the server won't serve
> documents.  If I execute "/usr/sbin/httpd", there are no messages at
> all.  I ran syntax check on my config files and they returned an ok
> status.  I don't get a "/var/run/httpd.pid" file but I do get
> "/var/lock/subsys/http" file whenever I try to start it.  The first time
> I noticed it wasn't working there were a couple of

Apache logs all of its errors to the error log. The Red Hat default is
/var/log/httpd/error_log. Take a look there, it should tell you why it is
starting and dumping.

===

Subject: Re: apache-mod_ssl and name based virtual hosts
From: Charles Galpin
Date: Tue, 27 Jul 1999 16:33:18 -0400 (EDT)


Thanks

I'm just using test certs, so I wasn't sure - I did assume the certs were
IP based.

On Tue, 27 Jul 1999, Igmar Palsenberg wrote:

> >Hi all
>
> >I can't seem to get my virtual hosts to use their own certificates.
>
> >I have the server configured with a single IP and multiple virtual hosts,
> >each serving on port 80, and securely on port 443. Everything works nicely
> >except that the first certificate the browser picks up (ie from
> >https://www.A.com)
> >is then used happily when going to https://www.B.com. If I stop netscape,
> >and go to https://www.B.com, then https://www.A.com accepts its
> >certificate happily.
>
> >Is this a limitation of name based virtual hosts? kind of sucks.
>
>
> Limitation ?? The entire certification stuff is useless when used with
> named-based virtual hosting.
>
> named-based is an HTTP 1.1 thingy, and doesn't work with it. If you need to use
> SSL, then use one IP per host.

===

Subject: Re: apache-mod_ssl and name based virtual hosts
From: "Igmar Palsenberg"
Date: Wed, 28 Jul 1999 11:32:00 +0200


>Thanks

>I'm just using test certs, so I wasn't sure - I did assume the certs >were
>IP based.

Certs are based on the name of the webserver. The problem is that without
HTTP 1.1 all goes to the same IP, and the webserver can't make the
difference.

Second, the only way the cert data  is 'safe' is by using one IP per host.

I set up normal hosts using name-based aliasing, SSL with one host per IP.


===

Subject: Re: apache-mod_ssl and name based virtual hosts
From: Charles Galpin
Date: Wed, 28 Jul 1999 06:40:11 -0400 (EDT)


I just want to make sure I understand this. Are you saying that https
is not handled the same way as http 1.1 requests? I would think if http
1.1 used the name, then I'd have thought the same would occur for https,
if the certs are name based.

This is just for a friend. Since I don't need a secure server for any of
my other domains it's not a big deal right now. I'd like to pick up some
more IPs, but my isp only sells them in blocks of 32 - not worth it to me.

===

Subject: Re: apache-mod_ssl and name based virtual hosts
From: "Igmar Palsenberg"
Date: Wed, 28 Jul 1999 12:59:55 +0200


>I just want to make sure I understand this. Are you saying that https
>is not handled the same way as http 1.1 requests? I would think if http
>1.1 used the name, then I'd have thought the same would occur for https,
>if the certs are name based.


Keep in mind that not ALL browsers support HTTP 1.1.

https is a little bit different, but the essential thing is that a key is
issued on the servername.

I don't know if IPs have influence, but if they do (for example when a
browser does a reverse lookup), then things don't match.

The way name-based virtual hosts work is that the browser gives not only the
location (GET /test/hello.html), but also gives the full servername of the
server it wishes to talk to.

This is the thing that sometimes lets weird things occur, especially when the
browser somehow connects the host IP with the key it receives.

I never got name-based virtual hosts to work properly with SSL.

>this is just for a friend. Since I don't need a secure server for any of
>my other domains it's not a big deal right now. I'd like to pick up some
>more IPs, but my isp only sells them in blocks of 32 - not worth it to me.


Yep, have the same problem.
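The answer that eventually arrived for the problem described in adam's reply and in this thread is TLS Server Name Indication (RFC 6066): the client puts the hostname into the ClientHello, so a server can pick a certificate per name on one IP, where before it could only go by the address it was reached on. The script below is an added example, not code from any poster: it connects to a host with and without SNI and reports whether the certificate the server presents actually covers the requested name, which is how you verify that each name on a shared IP gets its own certificate. The hostname and IP are placeholders given on the command line, and the name matching is a minimal CN/SAN check.

```python
import socket
import ssl

def cert_names(cert):
    """DNS names a certificate claims: SAN dNSName entries plus the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names

def name_matches(pattern, hostname):
    """Exact match, or a wildcard in the leftmost label only (RFC 6125 style)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False

def cert_covers(cert, hostname):
    """True if the presented certificate is valid for the name the client asked for."""
    return any(name_matches(n, hostname) for n in cert_names(cert))

def probe(hostname, ip, port=443, use_sni=True, timeout=5.0):
    """Handshake with ip:port; return (names on the presented cert, whether they cover hostname).

    use_sni=False sends a ClientHello without a server name, which is the situation the
    thread describes: the server then knows only the IP it was reached on and can only
    serve that address's (default) certificate.  Chain verification stays on; for
    self-signed test certs like the poster's, load the issuing CA with
    ctx.load_verify_locations(cafile=...) first.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # we want to inspect a mismatch, not abort on it
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname if use_sni else None) as tls:
            cert = tls.getpeercert()
    return cert_names(cert), cert_covers(cert, hostname)

if __name__ == "__main__":
    import sys
    host, ip = sys.argv[1], sys.argv[2]   # placeholders, e.g. www.example.com 192.0.2.1
    for sni in (True, False):
        names, ok = probe(host, ip, use_sni=sni)
        print(f"SNI={sni}: server presented {names}; covers {host}: {ok}")
```

Run it against each name that shares the IP; if the no-SNI run presents a certificate that does not cover the name, clients that omit SNI (old browsers, some automated tools) will see exactly the mismatch the thread describes.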

===

Subject: Apache config
From: "Russell W. Behne"
Date: Fri, 6 Aug 1999 15:11:46 -0400 (EDT)


I want to selectively restrict access to my webserver by disallowing
certain hosts/domains from accessing my apache. Is this the correct
method to use in my access.conf, or if not what is?

        # Controls who can get stuff from this server.
        order deny,allow
        deny from .badguy.com
        deny from .troublemaker.net
        allow from all
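Worked through as an added example (not from the post): a small model of Apache 1.3's Order/Allow/Deny evaluation, run over the posted fragment and a corrected one. Under Order deny,allow an Allow match overrides a Deny, and "allow from all" matches every client, so the posted fragment keeps nobody out; with Order allow,deny the Deny lines have the last word. The client_host argument stands in for the reverse-resolved name Apache looks up to match domain patterns; the IPs in the test are constructed.

```python
import ipaddress

def parse_access(text):
    """Read Order/Allow/Deny lines from an access.conf fragment (comments ignored)."""
    order, allow, deny = "deny,allow", [], []      # Apache 1.3's default Order is deny,allow
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        key = words[0].lower()
        if key == "order":
            order = words[1].lower()
        elif key in ("allow", "deny") and words[1].lower() == "from":
            (allow if key == "allow" else deny).extend(w.lower() for w in words[2:])
    return order, allow, deny

def host_matches(pattern, client_ip, client_host=None):
    """One 'from' argument: all, CIDR, full or partial dotted IP, or (partial) domain name."""
    if pattern == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern[0].isdigit():
        return client_ip == pattern or client_ip.startswith(pattern.rstrip(".") + ".")
    # domain patterns are matched against the client's reverse-resolved name;
    # a client with no reverse name can never match one
    if not client_host:
        return False
    host, suffix = client_host.lower(), pattern.lstrip(".")
    return host == suffix or host.endswith("." + suffix)

def access_allowed(conf, client_ip, client_host=None):
    """Apache 1.3 mod_access decision for one client."""
    order, allow, deny = parse_access(conf)
    allowed = any(host_matches(p, client_ip, client_host) for p in allow)
    denied = any(host_matches(p, client_ip, client_host) for p in deny)
    if order == "deny,allow":
        # Deny rules first, then Allow; an Allow match wins, and unmatched clients get in
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):
        # must match an Allow and no Deny; unmatched clients are refused
        return allowed and not denied
    raise ValueError(f"unknown Order {order!r}")

# The fragment from the post: "allow from all" matches everyone and overrides the Deny lines.
POSTED = "order deny,allow\ndeny from .badguy.com\ndeny from .troublemaker.net\nallow from all"
# The same intent with Deny evaluated last, so the listed domains are actually refused.
CORRECTED = "order allow,deny\nallow from all\ndeny from .badguy.com\ndeny from .troublemaker.net"

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("corrected", CORRECTED)):
        print(label, "lets www.badguy.com in:", access_allowed(conf, "192.0.2.10", "www.badguy.com"))
```

Domain-based rules only bite when the client's address reverse-resolves, so a block list by address or CIDR is the more dependable form.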

===

redhat-list:

Subject: Re: certificate
From: "Kevsurf" <kevsurf@mindspring.com>
Date: Wed, 16 Feb 2000 15:22:27 -0600


"Steve Lee" <maillist@blitzen.net> wrote: 

> > On Wed, 16 Feb 2000, Kevsurf wrote:

> > "Steve Lee" <maillist@blitzen.net> wrote: 

> > > > how many different certificate can you
> > > > run on one server doing virtual hosting.

> > > You can run as many certificates as you want to, one for each domain.
> > > Just look in the /etc/httpsd/conf/httpsd.conf file and you'll see 
> > > where to specify the certificate for each domain/IP setup.

> > How would i setup apache for multiple cert.
> > my apache has been compiled under a different path
> > /opt/httpd/apache/
> > and under the conf there is no httpsd.conf
> > maybe that is a default redhat thing.
> > how would i create my own plus one
> > two other virtual domains.
> >
> > This would be of great help.
> > How much does it cost for the
> > cert. from a third party.

This is an apache setup I'm talking about.  Checkout http://www.apache.org
and http://www.apache-ssl.org for information on setting up certs.

Thawte charges $125 for a certificate.

===

Subject: Re: apache, mod_perl
From: hUnTeR <hunter@userfriendly.net>
Date: Mon, 21 Feb 2000 17:23:09 -0500


"Martin A. Marques" wrote:
> 
> Has someone installed apache+openssl+mod_php+mod_perl?
> I have all but the last (mod_perl) and want to add this feature (really
> needed), and would like to do it with rpms.
> 
> Any Idea???

Martin - 

I run apache-1.3.11 with mod_ssl-2.5.0 and openssl-0.94 along with
mod_perl-1.21 and php-3.0.14. All basically built from source rpms using
the spec files from older rpms and tweaked for the upgrades. Example:

I started with apache-mod_ssl-1.3.9-1.3.6 or something like that. Took
the spec file from that and used it to build my own rpm of
apache-mod_ssl-1.3.11-2.5.0. Then built mod_perl as a DSO module for
this webserver, and php-3.0.14 built from the php-3.0.12 rpm spec file.
I did this over a month ago, because at that time there were no rpms for
this to allow me to upgrade smoothly, so I had to plug and chug on my
own.

There is a good starting point here: http://www.jasons.org/modssl.phtml
although I believe that website is currently down. If you email me off
the list I can send you the instructions in text.

===
