httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yehuda Katz <yeh...@ymkatz.net>
Subject Re: [users@httpd] More ssh setup question
Date Thu, 03 May 2018 14:11:24 GMT
On Thu, May 3, 2018 at 9:29 AM Dunson, Jarrell R <jrdu235@g.uky.edu> wrote:

> Ok ... some of the guidance I see/hear refers to the setting up a
> .ssh/authorized_keys directory for each user that logs in ...   However, if
> I understand correctly (?) this would be the case for individuals...
> logging onto some other remote server?
>
Correct. SSH keys are for logging into the server directly. (There are some
situations when you would want to be able to log in as the use HTTPD is
running as - for example, some continous deployment schemes, but that isn't
usually necessary.)

> For the set up of a https-enabled website, then, you are saying I don't
> need to set up an .ssh/authorized_keys file?
>
> In other words, for Apache, I would  *only *need to use something like
> this in my httpd-vhosts.conf file
>
> NameVirtualHost *:443
>
> <VirtualHost *:443>
> ServerName www.yoursite.com
> DocumentRoot /var/www/site
> SSLEngine on
> SSLCertificateFile /path/to/www_yoursite_com.crt
> SSLCertificateKeyFile /path/to/www_yoursite_com.key
> SSLCertificateChainFile /path/to/DigiCertCA.crt
> </VirtualHost>
>
>
You didn't say which version of HTTPD you are using, but NameVirtualHost
isn't used in 2.4.
That does look like a reasonable starter configuration.
You might want to make sure you have logging enabled - many people like to
have separate logs for each vhost.

> ErrorLog ${APACHE_LOG_DIR}/sitename_error.log

CustomLog ${APACHE_LOG_DIR}/sitename_access.log combined

If your SSLCertificateFile has the chain in it (LetsEncrypt certificates do
by default), then you don't need SSLCertificateChainFile.
There are some other security settings you might want to change. You can
check your site at https://www.ssllabs.com/ssltest/ to see how secure it is.

> Also, it seem some administrators include / configure the httpd-ssl.conf
> file, and others do not... they just use the httpd-vhosts.conf file (?) ...
> do we need to use httpd-ssl.conf ?
>

You can put any configuration in any file you want. Debian/Ubuntu recommend
having one file for each site you are serving.


> For instance, one Youtube ( https://www.youtube.com/watch?v=TH6evGKgy20 )
> says use Mod SSL:
>
>
>
>
You do need mod_ssl to be loaded, but that is usually in the main config
file - or for Debian/Ubuntu, in a separate config file for the specific
module.


> Any guidance would help...
>  thanks
>  Jarrell
>
>
> On 5/2/2018 4:59 PM, Eric Covener wrote:
>
> On Wed, May 2, 2018 at 4:53 PM, Dunson, Jarrell R <jrdu235@g.uky.edu> <jrdu235@g.uky.edu>
wrote:
>
> Hey all,
>
>  for a new web server, so we need to create a .ssh directory and store the
> public key in
>
> .ssh/authorized_keys? If so, where does doe the directory need to be placed
> - underneath DocumentRoot?
>
> Your ssh setup shouldn't have anything to do with your webserver.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
> --
> Jarrell R. Dunson, III
> Associate Director, Information Services
> University of Kentucky Office of Philanthropy
> Lexington, KY 40506-0015
> 859-257-5613 www.uky.edu/philanthropy
>
>

Mime
View raw message