#1: Sample virtual machines with SSL?

Posted on 2008-04-08 18:44:51 by Adrian Marsh

Hi All,

I'm combining SSL, LDAPs and Virtual machines, but I've gotten lost on
what config is needed where.

I have a sample VirtualHost working on *:80 in httpd.conf. I need this
to be restricted to SSL only, so I moved the config to ssl.conf. This
already has a sample _default_:443 Virtual host in it. So I tried to tag
my virtualhost to the end of the SSL file, but no joy. I wanted to get
testserv.company.local working for SVN/LDAP/SSL, but leave the basic 443
https stuff alone...

Any ideas??

This gives me the below in ssl.conf:


LoadModule ssl_module modules/mod_ssl.so

Listen 443


AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin

SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

SSLMutex default

SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin


<VirtualHost _default_:443>

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on

SSLProtocol all -SSLv2

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

SSLCertificateFile /tmp/der_certnew.cer


SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

<VirtualHost *:443>
DocumentRoot /var/www/testhtml
ServerName testserv.company.local
CustomLog logs/svn_logfile "%t %{SVN-ACTION}e %u" env=SVN-ACTION
CustomLog logs/testserv_log combined

<Location "/svn">
AuthBasicProvider ldap
DAV svn
SVNParentPath /home/SVN
SVNIndexXSLT "/svnindex.xsl"
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Subversion"
AuthUserFile /etc/svn-auth-file
AuthLDAPURL "ldaps://ubiq-serv1.company.local/DC=company,DC=local?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "CN=ldapuser,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local"
AuthLDAPBindPassword *******
#<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
#</LimitExcept>
AuthzSVNAccessFile /tmp/svntest
</Location>

</VirtualHost>


#2: Re: Sample virtual machines with SSL?

Posted on 2008-04-08 22:47:45 by unknown

Post removed (X-No-Archive: yes)


#3: Re: Sample virtual machines with SSL?

Posted on 2008-04-09 10:26:52 by Adrian Marsh

Yes I tried that, producing the below... but it complains about a
priority (< _default_:443) and takes no effect

<VirtualHost *:443>
DocumentRoot /var/www/testhtml
ServerName testserv.company.local
CustomLog logs/svn_logfile "%t %{SVN-ACTION}e %u" env=SVN-ACTION
CustomLog logs/testserv_log combined

<Location "/svn">
AuthBasicProvider ldap
DAV svn
SVNParentPath /home/SVN
SVNIndexXSLT "/svnindex.xsl"
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Subversion"
AuthUserFile /etc/svn-auth-file
AuthLDAPURL "ldaps://ubiq-serv1.company.local/DC=company,DC=local?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "CN=ldapuser,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local"
AuthLDAPBindPassword *******
#<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
#</LimitExcept>
AuthzSVNAccessFile /tmp/svntest
</Location>

</VirtualHost>

Davide Bianchi wrote:
> On 2008-04-08, Adrian Marsh <adrian.marsh@ubiquisys.com> wrote:
>> I have a sample VirtualHost working on *:80 in httpd.conf. I need this
>> to be restricted to SSL only
>
> Remove all the bits related to *:80 and leave only the ones for
> :443.
>
> Davide
>


#4: Re: Sample virtual machines with SSL?

Posted on 2008-04-09 10:34:16 by unknown

Post removed (X-No-Archive: yes)


#5: Re: Sample virtual machines with SSL?

Posted on 2008-04-09 10:57:41 by Adrian Marsh

Hi Davide, thanks for the help,

I did provide the whole SSL file in the original post.. I just removed
comment lines..

This is based on the original SSL config, but I only want the /svn
directives to be available on testserv.company.local, under SSL (and not
available via port 80).

So do I need to put things like SSLEngine on etc within my virtualhost??

When Apache starts, it complains that there's a duplication of the configs:

Starting httpd: httpd: Could not reliably determine the server's fully
qualified domain name, using 127.0.0.1 for ServerName
[Sun Mar 30 09:53:35 2008] [warn] _default_ VirtualHost overlap on port
443, the first has precedence
[ OK ]

Repeated file here: (ssl.conf)


LoadModule ssl_module modules/mod_ssl.so

Listen 443


AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin

SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

SSLMutex default

SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin


<VirtualHost _default_:443>

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on

SSLProtocol all -SSLv2

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

SSLCertificateFile /tmp/der_certnew.cer


SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

<VirtualHost *:443>
DocumentRoot /var/www/testhtml
ServerName testserv.company.local
CustomLog logs/svn_logfile "%t %{SVN-ACTION}e %u" env=SVN-ACTION
CustomLog logs/testserv_log combined

<Location "/svn">
AuthBasicProvider ldap
DAV svn
SVNParentPath /home/SVN
SVNIndexXSLT "/svnindex.xsl"
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Subversion"
AuthUserFile /etc/svn-auth-file
AuthLDAPURL "ldaps://ubiq-serv1.company.local/DC=company,DC=local?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "CN=ldapuser,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local"
AuthLDAPBindPassword *******
#<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
#</LimitExcept>
AuthzSVNAccessFile /tmp/svntest
</Location>

</VirtualHost>

Davide Bianchi wrote:
> On 2008-04-09, Adrian Marsh <adrian.marsh@ubiquisys.com> wrote:
>> Yes I tried that, producing the below... but it complains about a
>> priority (< _default_:443) and takes no effect
>
> Please post the _whole_ config file, not just a snippet... and if you
> want SSL support on a vhost you need all the SSL_ related bits in the
> Vhost block.
>
> Suggestion: why don't you just use the example vhost config file that is
> provided with Apache? It does work.
>
> Davide
>


#6: Re: Sample virtual machines with SSL?

Posted on 2008-04-09 11:03:14 by unknown

Post removed (X-No-Archive: yes)


#7: Re: Sample virtual machines with SSL?

Posted on 2008-04-09 11:41:31 by Adrian Marsh

> My suggestion stays the same: grab the bits you want to add (the /svn
> directory and authentications) and put them in the already-existing
> vhost entry:

Ok, but then that means that the /svn folder is available to any
hostname, not the specific VirtualHost that I want it to be - or have I
got my understanding wrong here?

Davide Bianchi wrote:
> On 2008-04-09, Adrian Marsh <adrian.marsh@ubiquisys.com> wrote:
>> [Sun Mar 30 09:53:35 2008] [warn] _default_ VirtualHost overlap on port
>> 443, the first has precedence
>> [ OK ]
>
> This basically means: Hey, I can't run two SSL Vhosts on the same
> ip/port! And one doesn't even have a ServerName! I'll use the first one,
> ok?
>
> My suggestion stays the same: grab the bits you want to add (the /svn
> directory and authentications) and put them in the already-existing
> vhost entry:
>
>> <VirtualHost _default_:443>
>> ErrorLog logs/ssl_error_log
>> TransferLog logs/ssl_access_log << remove this, since you have other logs
>> LogLevel warn
>>
>> SSLEngine on
>> SSLProtocol all -SSLv2
>> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>> SSLCertificateFile /tmp/der_certnew.cer
>> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
>>
>> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>> SSLOptions +StdEnvVars
>> </Files>
>> <Directory "/var/www/cgi-bin">
>> SSLOptions +StdEnvVars
>> </Directory>
>>
>> SetEnvIf User-Agent ".*MSIE.*" \
>> nokeepalive ssl-unclean-shutdown \
>> downgrade-1.0 force-response-1.0
>>
>> CustomLog logs/ssl_request_log \
>> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
>> DocumentRoot /var/www/testhtml
>> ServerName testserv.company.local
>> CustomLog logs/svn_logfile "%t %{SVN-ACTION}e %u" env=SVN-ACTION
>> CustomLog logs/testserv_log combined
>>
>> <Location "/svn">
>> AuthBasicProvider ldap
>> DAV svn
>> SVNParentPath /home/SVN
>> SVNIndexXSLT "/svnindex.xsl"
>> AuthType Basic
>> AuthzLDAPAuthoritative off
>> AuthName "Subversion"
>> AuthUserFile /etc/svn-auth-file
>> AuthLDAPURL "ldaps://ubiq-serv1.company.local/DC=company,DC=local?sAMAccountName?sub?(objectClass=*)" NONE
>> AuthLDAPBindDN "CN=ldapuser,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local"
>> AuthLDAPBindPassword *******
>> #<LimitExcept GET PROPFIND OPTIONS REPORT>
>> Require valid-user
>> #</LimitExcept>
>> AuthzSVNAccessFile /tmp/svntest
>> </Location>
>>
>> </VirtualHost>
>
> And that should be it.
> Davide
>


#8: Re: Sample virtual machines with SSL?

Posted on 2008-04-09 12:10:28 by unknown

Post removed (X-No-Archive: yes)


#9: Re: Sample virtual machines with SSL?

Posted on 2008-04-09 14:05:55 by Adrian Marsh

Hi Davide,

Will definitely try that. And I'll check the docs too, I can see if I
specify a certificate registered to abc.company.com but it Virtualhosts
to xyz.company.com, then that would be a problem. Don't see why the IP
itself would matter though.. but I'll check the docs when I get to that
point for the detail.

Davide Bianchi wrote:
> On 2008-04-09, Adrian Marsh <adrian.marsh@ubiquisys.com> wrote:
>>> My suggestion stays the same: grab the bits you want to add (the /svn
>>> directory and authentications) and put them in the already-existing
>>> vhost entry:
>> Ok, but then that means that the /svn folder is available to any
>> hostname, not the specific VirtualHost that I want it to be - or have I
>> got my understanding wrong here?
>
> If you want more VirtualHosts (with or without SSL), you'll have to
> specify more in your configuration, therefore, remove the '_default_'
> bit and add a ServerName directive to distinguish them. Also, be aware
> that running multiple SSL hosts on the same IP will have bad results on
> the certificate side of the thing (see the documentation).
>
> Davide
>


#10: Re: Sample virtual machines with SSL?

Posted on 2008-04-09 14:26:58 by unknown

Post removed (X-No-Archive: yes)


#11: Re: Sample virtual machines with SSL?

Posted on 2008-04-11 16:00:46 by Adrian Marsh

Doh!! Just realised why you can't actually do name-based virtual hosting
at all under SSL... only IP specific or maybe port specific..

Thanks anyway Davide.

Davide Bianchi wrote:
> On 2008-04-09, Adrian Marsh <adrian.marsh@ubiquisys.com> wrote:
>> Will definitely try that. And I'll check the docs too, I can see if I
>> specify a certificate registered to abc.company.com but it Virtualhosts
>> to xyz.company.com, then that would be a problem. Don't see why the IP
>> itself would matter though.
>
> 'cause (as explained in the doc) Apache needs to know which Vhost is to
> deliver the right certificate, but to know the Vhost, he has to decrypt the
> request, and to do so, he needs a certificate... so he picks the first
> one all the time.
>
> Davide
>

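As an added example (not from the thread, and not Apache's own tooling): a small Python checker that reads an ssl.conf-style text and flags the situation behind the "_default_ VirtualHost overlap on port 443, the first has precedence" warning, i.e. a second vhost on the same address and port that, without SNI, Apache can never select. The sample config is constructed to mirror the layout posted above, and the function names are mine.

```python
import re

# Constructed sample modelled on the thread's ssl.conf layout (not the full file).
SAMPLE_SSL_CONF = """
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /tmp/der_certnew.cer
</VirtualHost>

<VirtualHost *:443>
ServerName testserv.company.local
DocumentRoot /var/www/testhtml
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """[(address, {directive: value})] per block; nested sections are flattened in."""
    vhosts = []
    for m in VHOST_RE.finditer(conf):
        directives = {}
        for line in m.group(2).splitlines():
            line = line.strip()
            if line and not line.startswith(("#", "<")):
                key, _, val = line.partition(" ")
                directives[key.lower()] = val.strip()
        vhosts.append((m.group(1).strip(), directives))
    return vhosts

def normalize_addr(addr):
    """'_default_:443' and '*:443' both bind every address on port 443."""
    host, _, port = addr.rpartition(":")
    return ("*" if host in ("_default_", "*") else host, port)

def find_ssl_overlaps(conf):
    """Flag each vhost sharing an ip:port with an earlier one: without SNI Apache
    picks a certificate before it can read Host, so only the first one is used."""
    by_addr = {}
    for addr, directives in parse_vhosts(conf):
        by_addr.setdefault(normalize_addr(addr), []).append((addr, directives))
    findings = []
    for (_, port), entries in by_addr.items():
        for addr, d in entries[1:]:
            findings.append({
                "port": port, "shadowed": addr, "shadowed_by": entries[0][0],
                "server_name": d.get("servername"),
                # a vhost only serves TLS if it carries its own SSL directives
                "has_ssl_engine": d.get("sslengine", "").lower() == "on",
            })
    return findings
```

Running it over the sample reports the named *:443 vhost as shadowed by _default_:443 and without its own SSLEngine, which is exactly what the warning and Davide's two remarks describe; two vhosts on distinct IPs produce no finding.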