httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] New to SSL
Date Wed, 21 May 2003 08:32:16 GMT
>-----Original Message-----
>From: Nigel Peck - MIS Web Design [mailto:nigel@miswebdesign.com]
>
>A minor point that I'd overlooked until just now :). I need to 
>support SSL on a number of (customer) domains:
>
>What's the best way to achieve this?

IP-based virtual hosting: A separate SSL VH for each IP. Before you ask,
you can't do name-based virtual hosting over SSL.

>Do they all need their own certificate?

Yes. The cert contains a "common name" which the browser checks when it
receives the cert from the server. The CN must match the URL you typed
into the browser or the client gets a warning (because the server could
be impersonating the URL). The certificate authenticates the site - that
is, it proves that the site operator has the right to use whatever FQDN
you are using.

>How do I stop the second instance from listening on 80?

Use the "Listen" directive. If you have no "Listen" then the default is
for apache to Listen to port 80. As soon as you enter one Listen
directive, you defeat the default and apache listens only to ports
defined by Listen directives. To run an SSL-only apache, you stick one
big "Listen 443" in the config and apache will listen only to that port.
(There's no "DontListen" directive :-)

>Am I right in saying that if an Apache server has SSL installed then
>"./httpd -V" would show up HAVE_SSL? (It doesn't)

There are three ways apache can implement SSL:

- apache-ssl (don't know what this shows, but binary is called "httpsd" -
  if you have this you'd know it without having to check).
- apache + mod_ssl compiled in (will show up "mod_ssl" in httpd -l)
- apache + mod_ssl loaded dynamically at runtime (won't show up in
  httpd -l, but you must have mod_so)

I don't think -V would show HAVE_SSL since mod_ssl is just another
module as far as apache is concerned. It doesn't say HAVE_PERL or
HAVE_PHP, does it? However, if you see "-D EAPI" then that means that
apache was compiled with the extended API which is a pointer that it was
intended to use mod_ssl. You could also try putting in a few SSL
directives and trying to start - if your binary doesn't recognise them,
you'll get a mis-spelled directive error.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.  

>
>Thanks for the response,
>Nigel
>
>MIS Web Design
>http://www.miswebdesign.com/
>
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP 
>Server Project.
>See <URL:http://httpd.apache.org/userslist.html> for more info.
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org
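The setup described in the reply above (an SSL-only instance, IP-based virtual hosts, one certificate per site), written out as an added configuration example that is not part of the original message. The IP addresses, host names and file paths are constructed placeholders, and mod_ssl is assumed to be available.

```apache
# Constructed example: the 192.0.2.x addresses, host names and paths are
# placeholders, not values from the thread.
# Assumes mod_ssl is compiled in, or loaded at runtime through mod_so.

# A single explicit Listen replaces the default of port 80, so this
# instance accepts connections on 443 only.
Listen 443

# IP-based virtual hosting: one address per SSL site. The server picks the
# virtual host from the destination IP, so each site can present its own
# certificate.
<VirtualHost 192.0.2.10:443>
    ServerName www.customer-a.example
    DocumentRoot /var/www/customer-a

    SSLEngine on
    # The certificate's common name must be www.customer-a.example,
    # otherwise the browser warns about a name mismatch.
    SSLCertificateFile    /etc/apache/ssl/customer-a.crt
    SSLCertificateKeyFile /etc/apache/ssl/customer-a.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName www.customer-b.example
    DocumentRoot /var/www/customer-b

    SSLEngine on
    # Separate certificate and key, common name www.customer-b.example.
    SSLCertificateFile    /etc/apache/ssl/customer-b.crt
    SSLCertificateKeyFile /etc/apache/ssl/customer-b.key
</VirtualHost>
```

Checking the file with `httpd -t` before starting the server also covers the last point in the reply: a binary without mod_ssl rejects the first SSL directive it reads.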