Virtual Host question?
on 19.06.2003 01:55:49 by RON MCKEEVER
Hello,
I have an apache1.3.27/mod_ssl2.8.12. I was told today I needed to fix
this issue with my web server "HTTP TRACE Enabled".
Now I have module mod_rewrite as a Loaded Module. The fix for this is as
follows:
If you are using Apache, add the following lines for each virtual
host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
I'm confused about where to place this in my httpd.conf?
I have two virtual hosts in my httpd.conf file. Does this look correct,
thanks a lot for your help:
<VirtualHost 111.111.111.111>
Redirect / https://host.company.com/
Servername host.company.com
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
</VirtualHost>
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/opt/apache/htdocs"
ServerName host.company.com
ServerAdmin user@company.com
ErrorLog /opt/apache/logs/error_log
TransferLog /opt/apache/logs/access_log
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
/
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /opt/apache/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Regards,
Rob
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Re: Virtual Host question?
on 19.06.2003 04:12:24 by dufresne
If you have set this for the entire server as the default, you should not
have to reset it for each virtual host as they should carry the default
unless otherwise conf'ed not to.
Thanks,
Ron DuFresne
On Wed, 18 Jun 2003, rmck wrote:
> Hello,
>
> I have an apache1.3.27/mod_ssl2.8.12. I was told today I needed to fix
> this issue with my web server "HTTP TRACE Enabled".
>
> Now I have module mod_rewrite as a Loaded Module. The fix for this is as
> follows:
>
> If you are using Apache, add the following lines for each virtual
> host in your configuration file :
> RewriteEngine on
> RewriteCond %{REQUEST_METHOD} ^TRACE
> RewriteRule .* - [F]
>
> I'm confused about where to place this in my httpd.conf?
>
> I have two virtual hosts in my httpd.conf file. Does this look correct,
> thanks a lot for your help:
>
>
> <VirtualHost 111.111.111.111>
> Redirect / https://host.company.com/
> Servername host.company.com
> RewriteEngine On
> RewriteCond %{REQUEST_METHOD} ^TRACE
> RewriteRule .* - [F]
> </VirtualHost>
>
>
> <VirtualHost _default_:443>
>
> # General setup for the virtual host
> DocumentRoot "/opt/apache/htdocs"
> ServerName host.company.com
> ServerAdmin user@company.com
> ErrorLog /opt/apache/logs/error_log
> TransferLog /opt/apache/logs/access_log
> RewriteEngine On
> RewriteCond %{REQUEST_METHOD} ^TRACE
> RewriteRule .* - [F]
>
> # SSL Engine Switch:
> # Enable/Disable SSL for this virtual host.
> SSLEngine on
> # SSL Cipher Suite:
> # List the ciphers that the client is permitted to negotiate.
> # See the mod_ssl documentation for a complete list.
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> /
> # this only for browsers where you know that their SSL implementation
> # works correctly.
> # Notice: Most problems of broken clients are also related to the HTTP
> # keep-alive facility, so you usually additionally want to disable
> # keep-alive for those clients, too. Use variable "nokeepalive" for this.
> # Similarly, one has to force some clients to use HTTP/1.0 to workaround
> # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
> # "force-response-1.0" for this.
> SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
>
> # Per-Server Logging:
> # The home of a custom SSL log file. Use this when you want a
> # compact non-error SSL logfile on a virtual host basis.
> CustomLog /opt/apache/logs/ssl_request_log \
> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> </VirtualHost>
>
>
>
> Regards,
> Rob
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart
testing, only testing, and damn good at it too!
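
Added example (not part of either post, and not Apache's own tooling): the mod_rewrite documentation notes that rewrite settings in the main server context are not inherited by virtual hosts by default, so this Python script audits each `<VirtualHost>` block on its own for the three-line TRACE rule quoted in the thread. The embedded configuration is a constructed sample and `audit` / `blocks_trace` are hypothetical helper names; a virtual host that relies on `RewriteOptions inherit` is reported as uncovered and needs manual review.

```python
import re

# Constructed sample: TRACE rule in the main server and the SSL vhost only.
SAMPLE_CONF = r"""
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
<VirtualHost 111.111.111.111>
Redirect / https://host.company.com/
</VirtualHost>
<VirtualHost _default_:443>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
</VirtualHost>
"""
VHOST = re.compile(r"<(/?)VirtualHost\s*([^>]*)>", re.I)

def blocks_trace(directives):
    """True if the scope turns the engine on and forbids TRACE for every URL."""
    engine_on, conds, blocked = False, [], False
    for parts in (d.split() for d in directives):
        name = parts[0].lower()
        if name == "rewriteengine" and len(parts) > 1:
            engine_on = parts[1].lower() == "on"
        elif name == "rewritecond" and len(parts) >= 3:
            conds.append((parts[1].upper(), parts[2].upper()))
        elif name == "rewriterule" and len(parts) >= 3:
            flags = parts[3].strip("[]").lower().split(",") if len(parts) > 3 else []
            only_trace = conds == [("%{REQUEST_METHOD}", "^TRACE")]
            blocked |= only_trace and parts[1] == ".*" and bool({"f", "forbidden"} & set(flags))
            conds = []  # conditions apply only to the next RewriteRule
    return engine_on and blocked

def audit(conf_text):
    """Map each scope (main server or VirtualHost address) to True/False."""
    current = "(main server)"
    scopes = {current: []}
    for line in map(str.strip, conf_text.splitlines()):
        m = VHOST.match(line)
        if m:
            current = "(main server)" if m.group(1) else m.group(2).strip()
            scopes.setdefault(current, [])
        elif line and not line.startswith("#"):
            scopes[current].append(line)
    return {scope: blocks_trace(d) for scope, d in scopes.items()}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A live check complements the static one: with the `[F]` rule active, a TRACE request to each host and port returns 403 Forbidden.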