securing one area of a vhost in apache 2

Hello,

I am using Apache/2.0.44 (Unix) mod_perl/1.99_09-dev Perl/v5.8.0
mod_ssl/2.0.44 OpenSSL/0.9.7

I have a virtual host which mostly is served without SSL. But it has one
area, /secure, that needs to be secured with SSL. I've tried various
combinations of directives but can't get it to work. Right now I have:


SSLEngine on
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /home/debug/www/_conf/certs/ladyraquel.crt
SSLCertificateKeyFile /home/debug/www/_conf/certs/ladyraquel.key
SSLCACertificateFile /home/debug/www/_conf/certs/ca.crt
SSLVerifyClient none


SSLVerifyClient require
SSLVerifyDepth 1



The server starts fine, serves non-SSL pages fine, but hangs when I
request /secure .

The error log has nothing, but the access log shows that the request went
instead to the server's first virtual host, with a weird method of 'L'.

Any advice much appreciated.

- nick

--

~~~~~~~~~~~~~~~~~~~~
Nick Tonkin {|8^)>

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: securing one area of a vhost in apache 2

The technique I have seen for this is to simply serve the entire site using
SSL and link only to the areas you want as secure.



> -----Original Message-----
> From: owner-modssl-users@modssl.org
> [mailto:owner-modssl-users@modssl.org]On Behalf Of Nick Tonkin
> Sent: Wednesday, February 26, 2003 9:50 PM
> To: modssl-users@modssl.org
> Subject: securing one area of a vhost in apache 2
>
>
>
> Hello,
>
> I am using Apache/2.0.44 (Unix) mod_perl/1.99_09-dev Perl/v5.8.0
> mod_ssl/2.0.44 OpenSSL/0.9.7
>
> I have a virtual host which mostly is served without SSL. But it has one
> area, /secure, that needs to be secured with SSL. I've tried various
> combinations of directives but can't get it to work. Right now I have:
>
>
> SSLEngine on
> SSLProtocol all
> SSLCipherSuite HIGH:MEDIUM
> SSLCertificateFile /home/debug/www/_conf/certs/ladyraquel.crt
> SSLCertificateKeyFile /home/debug/www/_conf/certs/ladyraquel.key
> SSLCACertificateFile /home/debug/www/_conf/certs/ca.crt
> SSLVerifyClient none
>
>
> SSLVerifyClient require
> SSLVerifyDepth 1
>
>
>
> The server starts fine, serves non-SSL pages fine, but hangs when I
> request /secure .
>
> The error log has nothing, but the access log shows that the request went
> instead to the server's first virtual host, with a weird method of 'L'.
>
> Any advice much appreciated.
>
> - nick
>
> --
>
> ~~~~~~~~~~~~~~~~~~~~
> Nick Tonkin {|8^)>
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
>


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: securing one area of a vhost in apache 2

> -----Original Message-----
> From: Nick Tonkin [mailto:nick@tonkinresolutions.com]
> Sent: 27 February 2003 05:50
> To: modssl-users@modssl.org
> Subject: securing one area of a vhost in apache 2
>
>
>
> Hello,
>
> I am using Apache/2.0.44 (Unix) mod_perl/1.99_09-dev Perl/v5.8.0
> mod_ssl/2.0.44 OpenSSL/0.9.7
>
> I have a virtual host which mostly is served without SSL. But
> it has one
> area, /secure, that needs to be secured with SSL. I've tried various
> combinations of directives but can't get it to work. Right now I have:
>
>
> SSLEngine on
> SSLProtocol all
> SSLCipherSuite HIGH:MEDIUM
> SSLCertificateFile /home/debug/www/_conf/certs/ladyraquel.crt
> SSLCertificateKeyFile /home/debug/www/_conf/certs/ladyraquel.key
> SSLCACertificateFile /home/debug/www/_conf/certs/ca.crt
> SSLVerifyClient none
>
>
> SSLVerifyClient require
> SSLVerifyDepth 1
>
>
>
> The server starts fine, serves non-SSL pages fine, but hangs when I
> request /secure.

I'm assuming that you are only interested in securing access, not in using
client certificates. Would that be correct?

In that case this will suffice:


SSLEngine on
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /home/debug/www/_conf/certs/ladyraquel.crt
SSLCertificateKeyFile /home/debug/www/_conf/certs/ladyraquel.key

SSLRequireSSL



See the SSLRequireSSL directive for more details.

http://www.modssl.org/docs/2.8/ssl_reference.html#ToC22

-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk

A world of difference - in the UK, 37 million people put their faith on the
last census as "Christian". In Saudi Arabia, this answer would carry a death
sentence for any Saudi.

-

NOTICE: The information contained in this email and any attachments is
confidential and may be legally privileged. If you are not the
intended recipient you are hereby notified that you must not use,
disclose, distribute, copy, print or rely on this email's content. If
you are not the intended recipient, please notify the sender
immediately and then delete the email and any attachments from your
system.

RNIB has made strenuous efforts to ensure that emails and any
attachments generated by its staff are free from viruses. However, it
cannot accept any responsibility for any viruses which are
transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email
and any attachments are those of the author and do not necessarily
represent those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: securing one area of a vhost in apache 2

You gave this site it's own IP address yes?

Virtual hosting with non-ssl works in a 'software' aware mode, while
virtual hosting with ssl is more 'hardware' in nature requireing specifici
IP addressing to function properly.

Thanks,

Ron DuFresne


On Wed, 26 Feb 2003, Nick Tonkin wrote:

>
> Hello,
>
> I am using Apache/2.0.44 (Unix) mod_perl/1.99_09-dev Perl/v5.8.0
> mod_ssl/2.0.44 OpenSSL/0.9.7
>
> I have a virtual host which mostly is served without SSL. But it has one
> area, /secure, that needs to be secured with SSL. I've tried various
> combinations of directives but can't get it to work. Right now I have:
>
>
> SSLEngine on
> SSLProtocol all
> SSLCipherSuite HIGH:MEDIUM
> SSLCertificateFile /home/debug/www/_conf/certs/ladyraquel.crt
> SSLCertificateKeyFile /home/debug/www/_conf/certs/ladyraquel.key
> SSLCACertificateFile /home/debug/www/_conf/certs/ca.crt
> SSLVerifyClient none
>
>
> SSLVerifyClient require
> SSLVerifyDepth 1
>
>
>
> The server starts fine, serves non-SSL pages fine, but hangs when I
> request /secure .
>
> The error log has nothing, but the access log shows that the request went
> instead to the server's first virtual host, with a weird method of 'L'.
>
> Any advice much appreciated.
>
> - nick
>
>

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: securing one area of a vhost in apache 2

On Thu, 27 Feb 2003 John.Airey@rnib.org.uk wrote:

> > From: Nick Tonkin [mailto:nick@tonkinresolutions.com]
> >
> > I am using Apache/2.0.44 (Unix) mod_perl/1.99_09-dev Perl/v5.8.0
> > mod_ssl/2.0.44 OpenSSL/0.9.7
> >
> > I have a virtual host which mostly is served without SSL. But
> > it has one
> > area, /secure, that needs to be secured with SSL. I've tried various
> > combinations of directives but can't get it to work. Right now I have:

[ snip ]

> I'm assuming that you are only interested in securing access, not in using
> client certificates. Would that be correct?

Yes. No authentication needed. Just want to make an SSL connection.

> In that case this will suffice:
>
>
> SSLEngine on
> SSLProtocol all
> SSLCipherSuite HIGH:MEDIUM
> SSLCertificateFile /home/debug/www/_conf/certs/ladyraquel.crt
> SSLCertificateKeyFile /home/debug/www/_conf/certs/ladyraquel.key
>
> SSLRequireSSL
>
>
>
> See the SSLRequireSSL directive for more details.

This didn't work, I am afraid:

nick@world ~>lwp-request -sSd http://www.ladyraquel.com:8080/weather
GET http://www.ladyraquel.com:8080/weather --> 301 Moved Permanently
GET https://ladyraquel.com:8080/weather/ --> 501 Protocol scheme 'https' is not supported
## it's rewriting the http scheme ...
## https not supported for resource outside the named dir seems sort of OK

nick@world ~>lwp-request -sSd http://www.ladyraquel.com:8080/weather/
GET http://www.ladyraquel.com:8080/weather/ --> 200 OK
## working fine

nick@world ~>lwp-request -sSd http://www.ladyraquel.com:8080/secure/
GET http://www.ladyraquel.com:8080/secure/ --> 403 Forbidden
## sort of what i expected with scheme of http://

nick@world ~>lwp-request -sSed https://www.ladyraquel.com:8080/secure/
GET https://www.ladyraquel.com:8080/secure/ --> 501 Protocol scheme 'https' is not supported
## huh?!

Any more advice gratefully accepted :)

- nick

--

~~~~~~~~~~~~~~~~~~~~
Nick Tonkin {|8^)>

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: securing one area of a vhost in apache 2

On Wed, 26 Feb 2003, Steven Resnick wrote:

> The technique I have seen for this is to simply serve the entire site using
> SSL and link only to the areas you want as secure.

But that sort of defeats the whole porpoise! I want users to be able to
browse the site and then when they enter a certain area, the connection
should swicth to SSL-encrypted via https. Are you saying that this cannot
be done with a separate virtual host?

- nick

--

~~~~~~~~~~~~~~~~~~~~
Nick Tonkin {|8^)>

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: securing one area of a vhost in apache 2

On Thu, 27 Feb 2003, R. DuFresne wrote:

>
> You gave this site it's own IP address yes?

No. It is using NameVirtualHost.

>
> Virtual hosting with non-ssl works in a 'software' aware mode, while
> virtual hosting with ssl is more 'hardware' in nature requireing specifici
> IP addressing to function properly.


Hmm. I must have missed this in the docos. Rechecking ...

Hm. Well, I see that I was on the wrong track with "How can I authenticate
my clients for a particular URL based on certificates but still allow
arbitrary clients to access the remaining parts of the server?" ... that
appears on closer inspection to deal with certificate-wielding clients ...

Hm.

So, bottom line, it is not possible to have a virtual host accessible via
http and require SSL for a part of it. Is that correct?

Thanks,

- nick

--

~~~~~~~~~~~~~~~~~~~~
Nick Tonkin {|8^)>

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: securing one area of a vhost in apache 2

On Thu, Feb 27, 2003 at 12:52:06PM -0800, Nick Tonkin wrote:
> nick@world ~>lwp-request -sSed https://www.ladyraquel.com:8080/secure/
> GET https://www.ladyraquel.com:8080/secure/ --> 501 Protocol scheme 'https' is not supported
> ## huh?!
>
> Any more advice gratefully accepted :)
>
This looks very much like a client error from lwp. You need
Crypt::SSLeay for that, see:
http://search.cpan.org/author/CHAMAS/Crypt-SSLeay-0.49/

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: securing one area of a vhost in apache 2

On Thu, 27 Feb 2003, Mads Toftum wrote:

> On Thu, Feb 27, 2003 at 12:52:06PM -0800, Nick Tonkin wrote:
> > nick@world ~>lwp-request -sSed https://www.ladyraquel.com:8080/secure/
> > GET https://www.ladyraquel.com:8080/secure/ --> 501 Protocol scheme 'https' is not supported
> > ## huh?!

> This looks very much like a client error from lwp. You need
> Crypt::SSLeay for that, see:
> http://search.cpan.org/author/CHAMAS/Crypt-SSLeay-0.49/

I'm sorry, for what? For requesting https?

- nick

--

~~~~~~~~~~~~~~~~~~~~
Nick Tonkin {|8^)>

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: securing one area of a vhost in apache 2

>>>So, bottom line, it is not possible to have a virtual host accessible via
http and require SSL for a part of it. Is that correct?

It's not really logical to want to segment out SSL-using and non-SSL-using
sections of a site within the server config; do this on the site itself in
the code. Here is what is commonly done, where I work anyway.

In your apache config, specify the use of SSL for the entire site. The
certificate applies to the entire site anyway, since a certificate applies
to anything that falls under the fully qualified domain name (FQDN) on the
certificate.

In the ***code*** of your site, hardcode the URL for the sections that
security to include "https" -- this sort of hardcoding (ie, using an
absolute path for the links instead of a relative one) is not "bad form"
since the URL should only be accessed using the FQDN anyway (ie, along as
the value on the certificate doesn't change, neither would the single
correct URL).

In the links that lead *out* of the secured area of the site, use absolute
links that specify "http" rather than "https".

Also in the code, if anyone tries to access those sections without SSL,
rewrite the URL in their browser so that it includes the "https".

And finally, also in the code, for any sections that don't require SSL (and
where you don't want the performance impact on needless SSL traffic), test
to see if the URL entered by the user includes "https" -- if it does,
rewrite it to remove the "s".

This works well for us and it pretty straight-forward to implement.

Regards,
S.


---
Shawn Syms | Team Lead, Systems Administration
Infinet Communications | shawn.syms@infinetcommunications.com
---




-----Original Message-----
From: Nick Tonkin [mailto:nick@tonkinresolutions.com]
Sent: Thursday, February 27, 2003 3:58 PM
To: R. DuFresne
Cc: modssl-users@modssl.org
Subject: Re: securing one area of a vhost in apache 2


On Thu, 27 Feb 2003, R. DuFresne wrote:

>
> You gave this site it's own IP address yes?

No. It is using NameVirtualHost.

>
> Virtual hosting with non-ssl works in a 'software' aware mode, while
> virtual hosting with ssl is more 'hardware' in nature requireing specifici
> IP addressing to function properly.


Hmm. I must have missed this in the docos. Rechecking ...

Hm. Well, I see that I was on the wrong track with "How can I authenticate
my clients for a particular URL based on certificates but still allow
arbitrary clients to access the remaining parts of the server?" ... that
appears on closer inspection to deal with certificate-wielding clients ...

Hm.

So, bottom line, it is not possible to have a virtual host accessible via
http and require SSL for a part of it. Is that correct?

Thanks,

- nick

--

~~~~~~~~~~~~~~~~~~~~~
Nick Tonkin {|8^)>

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: securing one area of a vhost in apache 2

Take a look at the "RedirectMatch" configuration directive. You should be
able to do something like

RedirectMatch http://www.mysite.com/secure/*
https://www.mysite.com/secure/secureindex.htm

73's

Don Woodward

----- Original Message -----
From: "Nick Tonkin"
To: "R. DuFresne"
Cc:
Sent: Thursday, February 27, 2003 15:57
Subject: Re: securing one area of a vhost in apache 2


> On Thu, 27 Feb 2003, R. DuFresne wrote:
>
> >
> > You gave this site it's own IP address yes?
>
> No. It is using NameVirtualHost.
>
> >
> > Virtual hosting with non-ssl works in a 'software' aware mode, while
> > virtual hosting with ssl is more 'hardware' in nature requireing
specifici
> > IP addressing to function properly.
>
>
> Hmm. I must have missed this in the docos. Rechecking ...
>
> Hm. Well, I see that I was on the wrong track with "How can I
authenticate
> my clients for a particular URL based on certificates but still allow
> arbitrary clients to access the remaining parts of the server?" ... that
> appears on closer inspection to deal with certificate-wielding clients
....
>
> Hm.
>
> So, bottom line, it is not possible to have a virtual host accessible via
> http and require SSL for a part of it. Is that correct?
>
> Thanks,
>
> - nick
>
> --
>
> ~~~~~~~~~~~~~~~~~~~~
> Nick Tonkin {|8^)>
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: securing one area of a vhost in apache 2

On Thu, 27 Feb 2003, Nick Tonkin wrote:

> On Thu, 27 Feb 2003, R. DuFresne wrote:
>
> >
> > You gave this site it's own IP address yes?
>
> No. It is using NameVirtualHost.
>
> >
> > Virtual hosting with non-ssl works in a 'software' aware mode, while
> > virtual hosting with ssl is more 'hardware' in nature requireing specifici
> > IP addressing to function properly.
>
>
> Hmm. I must have missed this in the docos. Rechecking ...
>
> Hm. Well, I see that I was on the wrong track with "How can I authenticate
> my clients for a particular URL based on certificates but still allow
> arbitrary clients to access the remaining parts of the server?" ... that
> appears on closer inspection to deal with certificate-wielding clients ...
>
> Hm.
>
> So, bottom line, it is not possible to have a virtual host accessible via
> http and require SSL for a part of it. Is that correct?

It's somewhat dependant upon what you are serving up. If there are like
perhaps two ends of the virtual host, say, http://www.someplace.com and
https://someplace.com under the same IP address space, then you will work
okay. If you are virtual hosting more then this, then you need seperate
IP addresses for at least each and every SSL vh, and if there's a no0n-ssl
end, that vh would need to most likely match the IP addressing setup of
the ssl side. I'm sure others will correct or enhance what I'm prolly
splaining poorly here.

thanks,

Ron DuFresne


>
> Thanks,
>
> - nick
>
>

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org