httpd-users mailing list archives

From Dr James A Smith <...@sanger.ac.uk>
Subject Re: [users@httpd] SSL Certificate Validation
Date Fri, 09 Feb 2018 09:19:19 GMT
The whole point of virtual hosts is you can have multiple of them - that 
is the whole way Apache configuration works to have multiple sites being 
served from the same server... currently I have servers with 20+ 
virtualhost configurations.

Having a single virtual host is OK - but if you have more than one 
virtualhost (or you have multiple domains for a single virtualhost - we 
do on sandbox/dev/staging/live sites) you would need to write a long set 
of RewriteCond entries.

The configuration I set up is the simplest extensible one...



On 08/02/2018 17:51, Houser, Rick wrote:
>
> I didn’t think you could have two virtualhost entries with the same 
> IP/port.  I would probably do this within a single VirtualHost, 
> myself.  Something like this combined with the RewriteRule:
>
> RewriteCond %{HTTP_HOST} !^THE.CORRECT.HOSTNAME$
>
> Rick Houser
>
> Web Engineer
>
> *From:*Dr James A Smith [mailto:js5@sanger.ac.uk]
> *Sent:* Thursday, February 08, 2018 12:18
> *To:* users@httpd.apache.org
> *Subject:* Re: [users@httpd] SSL Certificate Validation
>
> *EXTERNAL EMAIL*
>
> The easiest way to do this is to make sure you have the correct 
> hostname in the virtual host - the one that matches your certificate 
> and another virtual host which has no hostname in it to catch all the 
> other requests.
>
> <VirtualHost *:*>
>   # return a forbidden response for all requests!
>   RewriteEngine On
>   RewriteRule ^(.*)$ - [L,F]
> </VirtualHost>
>
> <VirtualHost *:*>
>   ServerName your.real.host.com
>   # ... real config ...
> </VirtualHost>
>
> On 08/02/2018 16:46, Houser, Rick wrote:
>
>     In addition to fixing your certificate, you may have a reason to
>     make sure the host header they send is correct.  If they are
>     reaching you via an alternate hostname or something that’s getting
>     them to the correct IP, but shouldn’t be supported for your
>     service, stopping them from doing that might take away the
>     incentive they see to disable the hostname verification in the
>     first place.
>
>     Rick Houser
>
>     Web Engineer
>
>     *From:* Eric Covener [mailto:covener@gmail.com]
>     *Sent:* Thursday, February 08, 2018 11:19
>     *To:* users@httpd.apache.org <mailto:users@httpd.apache.org>
>     *Subject:* Re: [users@httpd] SSL Certificate Validation
>
>     *EXTERNAL EMAIL*
>
>
>     On Thu, Feb 8, 2018 at 7:36 AM, Belmona, Nizar
>     <nbelmona@cscgroup.com <mailto:nbelmona@cscgroup.com>> wrote:
>
>         Thanks Rainer and Daniel.
>
>         Sorry for the confusion and please let me clarify.
>
>         We have a web server with Apache 2.2.22 with OpenSSL 0.9.8t,
>         the Apache service launches fine and the users/developers are
>         able to connect however developers through their code bypass
>         the Server SSL certificate verification. I am not worried
>         about the client certificate validation since we are not using
>         it,  all the concern is we need to stop users bypassing the
>         Server SSL verification who are claiming they have to bypass
>         it since the certificate name doesn’t match the server name in
>         the link being called. Kindly note that configuration in
>         httpd.conf is:
>
>     You can't stop them unless you control the client.  You only
>     control the server. The only thing you could do is provide a
>     better certificate.
>
>
>
>
> -- The Wellcome Sanger Institute is operated by Genome Research 
> Limited, a charity registered in England with number 1021457 and a 
> company registered in England with number 2742969, whose registered 
> office is 215 Euston Road, London, NW1 2BE.
>




-- 
 The Wellcome Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE. 
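
The layout discussed in this thread, written out for several sites, as an added example that is not part of the original messages. The hostnames, certificate paths and DocumentRoot values are constructed placeholders, and port 443 with Apache 2.4 syntax is an assumption.

```apache
# Added example; hostnames and file paths are constructed placeholders.
# Assumes mod_ssl and mod_rewrite are loaded. On Apache 2.2, also add
# "NameVirtualHost *:443" before the first <VirtualHost> block.

# 1) Catch-all. The first virtual host defined for an address:port is the
#    default, so any request whose Host header matches no ServerName or
#    ServerAlias below is handled here and refused.
<VirtualHost *:443>
    ServerName catchall.invalid
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/default.crt
    SSLCertificateKeyFile /etc/ssl/example/default.key

    # Return 403 Forbidden for every path.
    RewriteEngine On
    RewriteRule ^ - [F]
</VirtualHost>

# 2) First real site, with extra names for dev/staging.
#    The certificate must list every name given here (subjectAltName),
#    otherwise verifying clients will see a name mismatch.
<VirtualHost *:443>
    ServerName  www.example.org
    ServerAlias staging.example.org dev.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/www.example.org.crt
    SSLCertificateKeyFile /etc/ssl/example/www.example.org.key
    DocumentRoot /var/www/example-org
</VirtualHost>

# 3) Second real site. Adding a site is one more block like this;
#    the catch-all above never has to be edited.
<VirtualHost *:443>
    ServerName app.example.net
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/app.example.net.crt
    SSLCertificateKeyFile /etc/ssl/example/app.example.net.key
    DocumentRoot /var/www/example-net
</VirtualHost>
```

A client that reaches the server under an unlisted name is served the catch-all's certificate during the handshake and then gets a 403, so skipping certificate verification no longer gets it to the real site.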