#1: Sample virtual machines with SSL?

Posted on 2008-04-08 18:44:51 by Adrian Marsh

Hi All,

I'm combining SSL, LDAPs and Virtual machines, but I've gotten lost on
what config is needed where.

I have a sample VirtualHost working on *:80 in httpd.conf. I need this
to be restricted to SSL only, so I moved the config to ssl.conf. This
already has a sample _default_:443 Virtual host in it. So I tried to tag
my virtualhost to the end of the SSL file, but no joy. I wanted to get
testserv.company.local working for SVN/LDAP/SSL, but leave the basic 443
https stuff alone...

Any ideas??

This gives me the below in ssl.conf:


LoadModule ssl_module modules/mod_ssl.so

Listen 443


AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin

SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

SSLMutex default

SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin


<VirtualHost _default_:443>


ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on

SSLProtocol all -SSLv2

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

SSLCertificateFile /tmp/der_certnew.cer


SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key





<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

<VirtualHost *:443>
DocumentRoot /var/www/testhtml
ServerName testserv.company.local
CustomLog logs/svn_logfile "%t %{SVN-ACTION}e %u" env=SVN-ACTION
CustomLog logs/testserv_log combined

<Location "/svn">
AuthBasicProvider ldap
DAV svn
SVNParentPath /home/SVN
SVNIndexXSLT "/svnindex.xsl"
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Subversion"
AuthUserFile /etc/svn-auth-file
AuthLDAPURL "ldaps://ubiq-serv1.company.local/DC=company,DC=local?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "CN=ldapuser,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local"
AuthLDAPBindPassword *******
#<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
#</LimitExcept>
AuthzSVNAccessFile /tmp/svntest
</Location>

</VirtualHost>


#2: Re: Sample virtual machines with SSL?

Posted on 2008-04-08 22:47:45 by unknown

Post removed (X-No-Archive: yes)


#3: Re: Sample virtual machines with SSL?

Posted on 2008-04-09 10:26:52 by Adrian Marsh

Yes I tried that, producing the below... but it complains about a
priority (< _default_:443) and takes no effect

<VirtualHost *:443>
DocumentRoot /var/www/testhtml
ServerName testserv.company.local
CustomLog logs/svn_logfile "%t %{SVN-ACTION}e %u" env=SVN-ACTION
CustomLog logs/testserv_log combined

<Location "/svn">
AuthBasicProvider ldap
DAV svn
SVNParentPath /home/SVN
SVNIndexXSLT "/svnindex.xsl"
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Subversion"
AuthUserFile /etc/svn-auth-file
AuthLDAPURL "ldaps://ubiq-serv1.company.local/DC=company,DC=local?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "CN=ldapuser,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local"
AuthLDAPBindPassword *******
#<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
#</LimitExcept>
AuthzSVNAccessFile /tmp/svntest
</Location>

</VirtualHost>

Davide Bianchi wrote:
> On 2008-04-08, Adrian Marsh <adrian.marsh@ubiquisys.com> wrote:
>> I have a sample VirtualHost working on *:80 in httpd.conf. I need this
>> to be restricted to SSL only
>
> Remove all the bits related to *:80 and leave only the ones for
> :443.
>
> Davide
>


#4: Re: Sample virtual machines with SSL?

Posted on 2008-04-09 10:34:16 by unknown

Post removed (X-No-Archive: yes)


#5: Re: Sample virtual machines with SSL?

Posted on 2008-04-09 10:57:41 by Adrian Marsh

Hi Davide, thanks for the help,

I did provide the whole SSL file in the original post.. I just removed
comment lines..

This is based on the original SSL config, but I only want the /svn
directives to be available on testserv.company.local, under SSL (and not
available via port 80).

So do I need to put things like SSLEngine on etc within my virtualhost??

When apache starts, it complains that there's a duplication of the configs:

Starting httpd: httpd: Could not reliably determine the server's fully
qualified domain name, using 127.0.0.1 for ServerName
[Sun Mar 30 09:53:35 2008] [warn] _default_ VirtualHost overlap on port
443, the first has precedence
[ OK ]




Repeated file here: (ssl.conf)


LoadModule ssl_module modules/mod_ssl.so

Listen 443


AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin

SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

SSLMutex default

SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin


<VirtualHost _default_:443>


ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on

SSLProtocol all -SSLv2

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

SSLCertificateFile /tmp/der_certnew.cer


SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key





<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

<VirtualHost *:443>
DocumentRoot /var/www/testhtml
ServerName testserv.company.local
CustomLog logs/svn_logfile "%t %{SVN-ACTION}e %u" env=SVN-ACTION
CustomLog logs/testserv_log combined

<Location "/svn">
AuthBasicProvider ldap
DAV svn
SVNParentPath /home/SVN
SVNIndexXSLT "/svnindex.xsl"
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Subversion"
AuthUserFile /etc/svn-auth-file
AuthLDAPURL "ldaps://ubiq-serv1.company.local/DC=company,DC=local?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "CN=ldapuser,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local"
AuthLDAPBindPassword *******
#<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
#</LimitExcept>
AuthzSVNAccessFile /tmp/svntest
</Location>

</VirtualHost>

Davide Bianchi wrote:
> On 2008-04-09, Adrian Marsh <adrian.marsh@ubiquisys.com> wrote:
>> Yes I tried that, producing the below... but it complains about a
>> priority (< _default_:443) and takes no effect
>
> Please post the _whole_ config file, not just a snippet... and if you
> want SSL support on a vhost you need all the SSL_ related bits in the
> Vhost block.
>
> Suggestion: why don't you just use the example vhost config file that is
> provided with Apache? It does work.
>
> Davide
>


#6: Re: Sample virtual machines with SSL?

Posted on 2008-04-09 11:03:14 by unknown

Post removed (X-No-Archive: yes)


#7: Re: Sample virtual machines with SSL?

Posted on 2008-04-09 11:41:31 by Adrian Marsh

> My suggestion stays the same: grab the bits you want to add (the /svn
> directory and authentications) and put them in the already-existing
> vhost entry:

Ok, but then that means that the /svn folder is available to any
hostname, not the specific VirtualHost that I want it to be - or have I
got my understanding wrong here?

Davide Bianchi wrote:
> On 2008-04-09, Adrian Marsh <adrian.marsh@ubiquisys.com> wrote:
>> [Sun Mar 30 09:53:35 2008] [warn] _default_ VirtualHost overlap on port
>> 443, the first has precedence
>> [ OK ]
>
> This basically means: Hey, I can't run two SSL Vhosts on the same
> ip/port! And one doesn't even have a ServerName! I'll use the first one,
> ok?
>
> My suggestion stays the same: grab the bits you want to add (the /svn
> directory and authentications) and put them in the already-existing
> vhost entry:
>
>> <VirtualHost _default_:443>
>> ErrorLog logs/ssl_error_log
>> TransferLog logs/ssl_access_log << remove this, since you have other logs
>> LogLevel warn
>>
>> SSLEngine on
>> SSLProtocol all -SSLv2
>> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>> SSLCertificateFile /tmp/der_certnew.cer
>> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
>>
>> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>> SSLOptions +StdEnvVars
>> </Files>
>> <Directory "/var/www/cgi-bin">
>> SSLOptions +StdEnvVars
>> </Directory>
>>
>> SetEnvIf User-Agent ".*MSIE.*" \
>> nokeepalive ssl-unclean-shutdown \
>> downgrade-1.0 force-response-1.0
>>
>> CustomLog logs/ssl_request_log \
>> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
>> DocumentRoot /var/www/testhtml
>> ServerName testserv.company.local
>> CustomLog logs/svn_logfile "%t %{SVN-ACTION}e %u" env=SVN-ACTION
>> CustomLog logs/testserv_log combined
>>
>> <Location "/svn">
>> AuthBasicProvider ldap
>> DAV svn
>> SVNParentPath /home/SVN
>> SVNIndexXSLT "/svnindex.xsl"
>> AuthType Basic
>> AuthzLDAPAuthoritative off
>> AuthName "Subversion"
>> AuthUserFile /etc/svn-auth-file
>> AuthLDAPURL "ldaps://ubiq-serv1.company.local/DC=company,DC=local?sAMAccountName?sub?(objectClass=*)" NONE
>> AuthLDAPBindDN "CN=ldapuser,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local"
>> AuthLDAPBindPassword *******
>> #<LimitExcept GET PROPFIND OPTIONS REPORT>
>> Require valid-user
>> #</LimitExcept>
>> AuthzSVNAccessFile /tmp/svntest
>> </Location>
>>
>> </VirtualHost>
>
> And that should be it.
> Davide
>


#8: Re: Sample virtual machines with SSL?

Posted on 2008-04-09 12:10:28 by unknown

Post removed (X-No-Archive: yes)


#9: Re: Sample virtual machines with SSL?

Posted on 2008-04-09 14:05:55 by Adrian Marsh

Hi Davide,

Will definitely try that. And I'll check the docs too, I can see if I
specify a certificate registered to abc.company.com but it Virtualhosts
to xyz.company.com, then that would be a problem. Don't see why the IP
itself would matter though.. but I'll check the docs when I get to that
point for the detail.

Davide Bianchi wrote:
> On 2008-04-09, Adrian Marsh <adrian.marsh@ubiquisys.com> wrote:
>>> My suggestion stays the same: grab the bits you want to add (the /svn
>>> directory and authentications) and put them in the already-existing
>>> vhost entry:
>> Ok, but then that means that the /svn folder is available to any
>> hostname, not the specific VirtualHost that I want it to be - or have I
>> got my understanding wrong here?
>
> If you want more VirtualHosts (with or without SSL), you'll have to
> specify more in your configuration, therefore, remove the '_default_'
> bit and add a ServerName directive to distinguish them. Also, be aware
> that running multiple SSL hosts on the same IP will have bad results on
> the certificate side of the thing (see the documentation).
>
> Davide
>


#10: Re: Sample virtual machines with SSL?

Posted on 2008-04-09 14:26:58 by unknown

Post removed (X-No-Archive: yes)


#11: Re: Sample virtual machines with SSL?

Posted on 2008-04-11 16:00:46 by Adrian Marsh

Doh!! Just realised why you can't actually do name-based virtual hosting
at all under SSL... only IP specific or maybe port specific..

Thanks anyway Davide.

Davide Bianchi wrote:
> On 2008-04-09, Adrian Marsh <adrian.marsh@ubiquisys.com> wrote:
>> Will definitely try that. And I'll check the docs too, I can see if I
>> specify a certificate registered to abc.company.com but it Virtualhosts
>> to xyz.company.com, then that would be a problem. Don't see why the IP
>> itself would matter though.
>
> 'cause (as explained in the doc) Apache needs to know which Vhost is to
> deliver the right certificate, but to know the Vhost, he has to decrypt the
> request, and to do so, he needs a certificate... so he picks the first
> one all the time.
>
> Davide
>

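The two problems the thread turns on (the "_default_ VirtualHost overlap on port 443, the first has precedence" warning from post #5, and a second 443 vhost that carries none of the SSL directives, as Davide points out) can be caught by linting ssl.conf before restarting httpd. The checker below is an added example, not code from the thread or from Apache; the embedded sample config is constructed to mirror the posted one, and the overlap rule it applies (any two vhosts on the same port whose address is `*`, `_default_` or the same IP collide, because httpd without SNI cannot choose a vhost before it has decrypted the request) is a simplification of httpd's real address matching.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the thread's ssl.conf: a _default_:443 vhost
# with the SSL directives, followed by a second *:443 vhost that has none.
SAMPLE_SSL_CONF = """
Listen 443
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /tmp/der_certnew.cer
</VirtualHost>

<VirtualHost *:443>
ServerName testserv.company.local
<Location "/svn">
Require valid-user
</Location>
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return a list of (address, port, servername, ssl_on) for each VirtualHost block."""
    vhosts = []
    for m in VHOST_RE.finditer(conf):
        addr, _, port = m.group(1).strip().rpartition(":")
        body = m.group(2)
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        ssl = re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I)
        vhosts.append((addr or "*", port or "*", name.group(1) if name else None, bool(ssl)))
    return vhosts

def check_ssl_vhosts(conf):
    """Return findings: 443 vhosts lacking SSLEngine, and vhosts that overlap on one addr:port."""
    findings = []
    by_addr_port = defaultdict(list)
    for addr, port, name, ssl in parse_vhosts(conf):
        # Simplified rule (assumption): _default_ and * both catch every address,
        # so they collide with each other; a literal IP only collides with itself.
        key = (port, "wildcard" if addr in ("*", "_default_") else addr)
        by_addr_port[key].append(name)
        if port == "443" and not ssl:
            findings.append(f"{name or addr}:{port} listens on 443 but has no 'SSLEngine on'")
    for (port, addr), names in by_addr_port.items():
        if len(names) > 1:
            # Pre-SNI httpd cannot pick a vhost before decrypting, so only the first one is used.
            findings.append(f"{len(names)} VirtualHosts overlap on {addr}:{port}; first has precedence")
    return findings
```

Giving each SSL vhost its own IP address (Davide's advice in post #9) clears both findings, which the second assertion below checks.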