Sample virtual machines with SSL?

Hi All,

I'm combining SSL, LDAPs and Virtual machines, but I've gotten lost on
what config is needed where.

I have a sample VirtualHost working on *:80 in httpd.conf. I need this
to be restricted to SSL only, so I moved the config to ssl.conf. This
already has a sample _default_:443 Virtual host in it. So I tried to tag
my virtualhost to the end of the SSL file, but no joy. I wanted to get
testserv.company.local working for SVN/LDAP/SSL, but leave the basic 443
https stuff alone...

Any ideas??

This gives me the below in ssl.conf:


LoadModule ssl_module modules/mod_ssl.so

Listen 443


AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin

SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

SSLMutex default

SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin





ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on

SSLProtocol all -SSLv2

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

SSLCertificateFile /tmp/der_certnew.cer


SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key






SSLOptions +StdEnvVars


SSLOptions +StdEnvVars


SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"



DocumentRoot /var/www/testhtml
ServerName testserv.company.local
CustomLog logs/svn_logfile "%t %{SVN-ACTION}e %u" env=SVN-ACTION
CustomLog logs/testserv_log combined


AuthBasicProvider ldap
DAV svn
SVNParentPath /home/SVN
SVNIndexXSLT "/svnindex.xsl"
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Subversion"
AuthUserFile /etc/svn-auth-file
AuthLDAPURL
"ldaps://ubiq-serv1.company.local/DC=company,DC=local?sAMAcc ountName?sub?(objectClass=*)"
NONE
AuthLDAPBindDN
"CN=ldapuser,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,D C=local"
AuthLDAPBindPassword *******
#
Require valid-user
#
AuthzSVNAccessFile /tmp/svntest

Re: Sample virtual machines with SSL?

Post removed (X-No-Archive: yes)

Re: Sample virtual machines with SSL?

Yes I tried that, producing the below... but it complains about a
priority (< _default_:443) and takes no effect


DocumentRoot /var/www/testhtml
ServerName testserv.company.local
CustomLog logs/svn_logfile "%t %{SVN-ACTION}e %u" env=SVN-ACTION
CustomLog logs/testserv_log combined


AuthBasicProvider ldap
DAV svn
SVNParentPath /home/SVN
SVNIndexXSLT "/svnindex.xsl"
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Subversion"
AuthUserFile /etc/svn-auth-file
AuthLDAPURL
"ldaps://ubiq-serv1.company.local/DC=company,DC=local?sAMAcc ountName?sub?(objectClass=*)"
NONE
AuthLDAPBindDN
"CN=ldapuser,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,D C=local"
AuthLDAPBindPassword *******
#
Require valid-user
#
AuthzSVNAccessFile /tmp/svntest




Davide Bianchi wrote:
> On 2008-04-08, Adrian Marsh wrote:
>> I have a sample VirtualHost working on *:80 in httpd.conf. I need this
>> to be restricted to SSL only
>
> Remove all the bits related to *:80 and leave only the ones for
> :443.
>
> Davide
>

Re: Sample virtual machines with SSL?

Post removed (X-No-Archive: yes)

Re: Sample virtual machines with SSL?

Hi Davide, thanks for the help,

I did provide the whole SSL file in the original post.. I just removed
comment lines..

This is based on the original SSL config, but I only want the /svn
directives to be available on testserv.company.local, under SSL (and not
available via port 80).

So do I need to put things like SSLEngine on etc within my virtualhost??

When apache starts, it complains that theres a duplication of the configs:

Starting httpd: httpd: Could not reliably determine the server's fully
qualified domain name, using 127.0.0.1 for ServerName
[Sun Mar 30 09:53:35 2008] [warn] _default_ VirtualHost overlap on port
443, the first has precedence
[ OK ]




Repeated file here: (ssl.conf)


LoadModule ssl_module modules/mod_ssl.so

Listen 443


AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin

SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

SSLMutex default

SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin





ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on

SSLProtocol all -SSLv2

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

SSLCertificateFile /tmp/der_certnew.cer


SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key






SSLOptions +StdEnvVars


SSLOptions +StdEnvVars


SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"



DocumentRoot /var/www/testhtml
ServerName testserv.company.local
CustomLog logs/svn_logfile "%t %{SVN-ACTION}e %u" env=SVN-ACTION
CustomLog logs/testserv_log combined


AuthBasicProvider ldap
DAV svn
SVNParentPath /home/SVN
SVNIndexXSLT "/svnindex.xsl"
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Subversion"
AuthUserFile /etc/svn-auth-file
AuthLDAPURL
"ldaps://ubiq-serv1.company.local/DC=company,DC=local?sAMAcc ountName?sub?(objectClass=*)"
NONE
AuthLDAPBindDN
"CN=ldapuser,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,D C=local"
AuthLDAPBindPassword *******
#
Require valid-user
#
AuthzSVNAccessFile /tmp/svntest




Davide Bianchi wrote:
> On 2008-04-09, Adrian Marsh wrote:
>> Yes I tried that, producing the below... but it complains about a
>> priority (< _default_:443) and takes no effect
>
> Please post the _whole_ config file, not just a snippet... and if you
> want SSL support on a vhost you need all the SSL_ related bits in the
> Vhost block.
>
> Suggestion: why don't jou just use the example vhost config file that is
> provided with Apache? It does work.
>
> Davide
>

Re: Sample virtual machines with SSL?

Post removed (X-No-Archive: yes)

Re: Sample virtual machines with SSL?

> My suggestion stays the same: grab the bits you want to add (the /svn
> directory and authentications) and put them in the already-existing
> vhost entry:

Ok, but then that means that the /svn folder is available to any
hostname, not the specific VirtualHost that I want it to be - or have I
got my understanding wrong here?

Davide Bianchi wrote:
> On 2008-04-09, Adrian Marsh wrote:
>> [Sun Mar 30 09:53:35 2008] [warn] _default_ VirtualHost overlap on port
>> 443, the first has precedence
>> [ OK ]
>
> This basically means: Hey, I can't run two SSL Vhosts on the same
> ip/port! And one doesn't even have a ServerName! I'll use the first one,
> ok?
>
> My suggestion stays the same: grab the bits you want to add (the /svn
> directory and authentications) and put them in the already-existing
> vhost entry:
>
>>
>> ErrorLog logs/ssl_error_log
>> TransferLog logs/ssl_access_log << remove this, since you have other logs
>> LogLevel warn
>>
>> SSLEngine on
>> SSLProtocol all -SSLv2
>> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>> SSLCertificateFile /tmp/der_certnew.cer
>> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
>>
>>
>> SSLOptions +StdEnvVars
>>
>>
>> SSLOptions +StdEnvVars
>>
>>
>> SetEnvIf User-Agent ".*MSIE.*" \
>> nokeepalive ssl-unclean-shutdown \
>> downgrade-1.0 force-response-1.0
>>
>> CustomLog logs/ssl_request_log \
>> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
>> DocumentRoot /var/www/testhtml
>> ServerName testserv.company.local
>> CustomLog logs/svn_logfile "%t %{SVN-ACTION}e %u" env=SVN-ACTION
>> CustomLog logs/testserv_log combined
>>
>>
>> AuthBasicProvider ldap
>> DAV svn
>> SVNParentPath /home/SVN
>> SVNIndexXSLT "/svnindex.xsl"
>> AuthType Basic
>> AuthzLDAPAuthoritative off
>> AuthName "Subversion"
>> AuthUserFile /etc/svn-auth-file
>> AuthLDAPURL
>> "ldaps://ubiq-serv1.company.local/DC=company,DC=local?sAMAcc ountName?sub?(objectClass=*)"
>> NONE
>> AuthLDAPBindDN
>> "CN=ldapuser,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,D C=local"
>> AuthLDAPBindPassword *******
>> #
>> Require valid-user
>> #
>> AuthzSVNAccessFile /tmp/svntest
>>
>>
>>
>
> And that should be it.
> Davide
>

Re: Sample virtual machines with SSL?

Post removed (X-No-Archive: yes)

Re: Sample virtual machines with SSL?

Hi Davide,

Will definitly try that. And I'll check the docs too, I can see if I
specify a certificate registered to abc.company.com but it Virtualhosts
to xyz.company.com, then that would be a problem. Don't see why the IP
itself would matter though.. but I'll check the docs when I get to that
point for the detail.

Davide Bianchi wrote:
> On 2008-04-09, Adrian Marsh wrote:
>>> My suggestion stays the same: grab the bits you want to add (the /svn
>>> directory and authentications) and put them in the already-existing
>>> vhost entry:
>> Ok, but then that means that the /svn folder is available to any
>> hostname, not the specific VirtualHost that I want it to be - or have I
>> got my understanding wrong here?
>
> If you want more VirtualHosts (with or without SSL), you'll have to
> specify more in your configuration, therefore, remove the '_default_'
> bit and add a ServerName directive to distinguish them. Also, be aware
> that running multiple SSL host on the same IP will have bad results on
> the certificate side of the thing (see the documentation).
>
> Davide
>

Re: Sample virtual machines with SSL?

Post removed (X-No-Archive: yes)

Re: Sample virtual machines with SSL?

Doh!! Just realised why you cant actually do name-based virtual hosting
at all under SSL... only IP specific or maybe port specific..

Thanks anyway Davide.

Davide Bianchi wrote:
> On 2008-04-09, Adrian Marsh wrote:
>> Will definitly try that. And I'll check the docs too, I can see if I
>> specify a certificate registered to abc.company.com but it Virtualhosts
>> to xyz.company.com, then that would be a problem. Don't see why the IP
>> itself would matter though.
>
> 'cause (as explained in the doc) Apache need to know which Vhost is to
> deliver the right certificate, but to know the Vhost, he has to decrypt the
> request, and to do so, he needs a certificate... so he picks the first
> one all the time.
>
> Davide
>