Posted to users@httpd.apache.org by Vincent Bray <no...@gmail.com> on 2006/08/02 11:31:19 UTC

Re: [users@httpd] Vitualhosts ssl and apache2

On 8/2/06, David Pratt <fa...@eastlink.ca> wrote:
> Hi I have a couple of questions. I am trying to set up my ssl on zope3
> with apache2. I have zope (twisted) running on port 8080 and a secure
> server running on port 8443.  My sites are folders in the zope root. The
> virtual host setup is below. The virtual hosts work fine on port 80
> using www.mydomain.com and www.mydomain1.com

[snip]

Hi,
You have many problems here.. First you don't seem to have any
NameVirtualHost directives to tell apache to use name virtual hosts.
Second, when you sort that out you'll find that your vhosts aren't
even running ssl (no SSLEngine On). Then, you're proxying to
http://127.0.0.1:8443 meaning that you're speaking the wrong protocol
to the backend. Of course, you also can't use name virtual hosts over
ssl on the same ip/port.

Some suggested reading:
http://www.onlamp.com/pub/a/apache/2005/02/17/apacheckbk.html
http://httpd.apache.org/docs/2.2/vhosts/
http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts

-- 
noodl

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
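A checker for the four problems listed in the reply above, added here as an example (it is neither the poster's configuration nor anything from the httpd project). It runs over a constructed sample config with placeholder names and reports a missing NameVirtualHost, a :443 vhost without SSLEngine on, an http:// proxy target aimed at a port that expects TLS (8443, as in the thread), and more than one name-based vhost on a single SSL ip:port.

```python
import re

# Constructed sample modelled on the thread (placeholder names, not the
# poster's real configuration): two vhosts on *:443, no NameVirtualHost.
SAMPLE_CONF = """
<VirtualHost *:443>
   ServerName www.mydomain.com
   RewriteEngine On
   RewriteRule ^/(.*) http://127.0.0.1:8443/$1 [L,P]
</VirtualHost>
<VirtualHost *:443>
   ServerName www.mydomain1.com
   SSLEngine on
   RewriteRule ^/(.*) http://127.0.0.1:8080/$1 [L,P]
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
NVH_RE = re.compile(r"^\s*NameVirtualHost\s+(\S+)", re.M | re.I)
SSL_ON_RE = re.compile(r"^\s*SSLEngine\s+on\b", re.M | re.I)
HTTP_TARGET_RE = re.compile(r"\bhttp://[\w.\-]+:(\d+)")

def check_vhosts(conf, tls_backend_ports=(8443,)):
    """Return (vhost address, finding) pairs for the problems raised in the
    thread. tls_backend_ports lists backend ports known to speak TLS, so a
    plain http:// proxy target to one of them is the wrong protocol."""
    findings = []
    declared = {m.group(1).lower() for m in NVH_RE.finditer(conf)}
    count = {}
    for addr, body in VHOST_RE.findall(conf):
        addr = addr.strip().lower()
        count[addr] = count.get(addr, 0) + 1
        if addr.endswith(":443") and not SSL_ON_RE.search(body):
            findings.append((addr, "vhost on :443 without 'SSLEngine on'"))
        for port in HTTP_TARGET_RE.findall(body):
            if int(port) in tls_backend_ports:
                findings.append((addr, f"http:// proxy target on TLS port {port}"))
    for addr, n in count.items():
        if n > 1 and addr not in declared:
            findings.append((addr, f"{n} vhosts but no 'NameVirtualHost {addr}'"))
        if n > 1 and addr.endswith(":443"):
            findings.append((addr, "name-based vhosts on one SSL ip:port; "
                                   "only the first certificate can be served"))
    return findings

if __name__ == "__main__":
    for addr, msg in check_vhosts(SAMPLE_CONF):
        print(f"{addr}: {msg}")
```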


Re: [users@httpd] Vitualhosts ssl and apache2

Posted by David Pratt <fa...@eastlink.ca>.
This seems to be working for me testing the domain using a RewriteCond. 
It brings up the message that the cert is not right for host but I am 
not bothered by this at the moment. I simply want secure exchange for 
login etc until I go from a virtual server with one ip to dedicated with 
several ips.

Here I am rewriting from 8080 (regular port) as opposed to 8443 which is 
the port the secure twisted server is running on. I can separate this 
into separate virtual servers which would likely be best as you have 
pointed out.

Regards
David

Vincent Bray wrote:
> On 8/2/06, David Pratt <fa...@eastlink.ca> wrote:
>> Hi Vincent, ok - I am trying something else that I have partially
>> working but I need something to fix my regex to catch the domain
>> properly. So I may need a RewriteCond that can compare the domain name
>> coming in.
>>
>> Here is what I have got so far but since my regex is not right for
>> domains - it moves on to the last RewriteRule that I have set up which
>> places it in the zope root - but good thing is that ssl works properly.
>> So I need a proper regex that will catch the domain so it will land on
>> the right rewrite rule. Many thanks.
> 
> Hi again,
> It's entirely unclear what you're trying to do here, and why you are
> using mod_rewrite to do it. If you need to differentiate the proxy
> address based on the host name, then you should be using multiple
> vhosts instead. As pointed out earlier though, this can't work on a
> single ip/port.
> 
> In any case, if you really want to do this wrong, then
> RewriteCond %{HTTP_HOST} (.+)
> .. will allow you to read the hostname, putting the result in %1 for
> the following rule.
> 



Re: Re: [users@httpd] Vitualhosts ssl and apache2

Posted by Vincent Bray <no...@gmail.com>.
On 8/2/06, David Pratt <fa...@eastlink.ca> wrote:
> Hi Vincent, ok - I am trying something else that I have partially
> working but I need something to fix my regex to catch the domain
> properly. So I may need a RewriteCond that can compare the domain name
> coming in.
>
> Here is what I have got so far but since my regex is not right for
> domains - it moves on to the last RewriteRule that I have set up which
> places it in the zope root - but good thing is that ssl works properly.
> So I need a proper regex that will catch the domain so it will land on
> the right rewrite rule. Many thanks.

Hi again,
It's entirely unclear what you're trying to do here, and why you are
using mod_rewrite to do it. If you need to differentiate the proxy
address based on the host name, then you should be using multiple
vhosts instead. As pointed out earlier though, this can't work on a
single ip/port.

In any case, if you really want to do this wrong, then
RewriteCond %{HTTP_HOST} (.+)
.. will allow you to read the hostname, putting the result in %1 for
the following rule.

-- 
noodl



Re: [users@httpd] Vitualhosts ssl and apache2

Posted by David Pratt <fa...@eastlink.ca>.
Hi Vincent, ok - I am trying something else that I have partially 
working but I need something to fix my regex to catch the domain 
properly. So I may need a RewriteCond that can compare the domain name 
coming in.

Here is what I have got so far but since my regex is not right for 
domains - it moves on to the last RewriteRule that I have set up which 
places it in the zope root - but good thing is that ssl works properly. 
So I need a proper regex that will catch the domain so it will land on 
the right rewrite rule. Many thanks.

Regards,
David

<VirtualHost *:443>
   RewriteEngine On
   # In a <VirtualHost>, RewriteRule matches the URL path only; the hostname
   # is not part of it, so the first two rules below do not fire as intended.
   RewriteRule ^.*mydomain\.com/(.*) http://127.0.0.1:8080/am11727372/++vh++https:www.mydomain.com:443/++/$1 [L,P]
   RewriteRule ^.*mydomain1\.com/(.*) http://127.0.0.1:8080/am12704055/++vh++https:www.mydomain1.com:443/++/$1 [L,P]
   RewriteRule ^/(.*) http://127.0.0.1:8080/++vh++https:%{HTTP_HOST}:443/++/$1 [L,P]

   SSLEngine on
   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
   SSLCertificateFile /usr/local/etc/apache2/ssl.crt/self_signed.cert
   SSLCertificateKeyFile /usr/local/etc/apache2/ssl.key/self_signed.key
   SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
   <Files ~ "\.(cgi|shtml|phtml|php3?)$">
     SSLOptions +StdEnvVars
   </Files>
   <Directory "/usr/local/www/cgi-bin">
     SSLOptions +StdEnvVars
   </Directory>

   SetEnvIf User-Agent ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
</VirtualHost>

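To make concrete why the rules in the configuration above fall through to the catch-all, and what Vincent's RewriteCond on %{HTTP_HOST} changes, here is a small model of the relevant mod_rewrite behaviour, added as an example (not code from the thread or from httpd). It assumes only the rules and paths shown in the thread; the host capture is tightened from Vincent's (.+) to an explicit host list.

```python
import re

# Minimal model of mod_rewrite evaluation inside a <VirtualHost> (an added
# illustration, not mod_rewrite itself; only the subset the thread uses):
# a RewriteRule pattern is matched against the URL path, never the hostname,
# while a preceding RewriteCond can test %{HTTP_HOST} and hand its capture
# groups to the rule as %1, %2, ... First matching rule wins ([L]).

def apply_rules(rules, host, path):
    """rules: list of (cond_regex_or_None, rule_regex, substitution).
    Returns the rewritten target of the first rule that fires, else None."""
    for cond, pattern, subst in rules:
        host_groups = ()
        if cond is not None:
            cm = re.search(cond, host)
            if not cm:
                continue                 # condition failed: skip this rule
            host_groups = cm.groups()
        pm = re.search(pattern, path)
        if not pm:
            continue
        out = subst
        for i, g in enumerate(pm.groups(), 1):
            out = out.replace(f"${i}", g)
        for i, g in enumerate(host_groups, 1):
            out = out.replace(f"%{i}", g)
        return out.replace("%{HTTP_HOST}", host)
    return None

# The rules as posted: the hostname is not part of the path, so the first
# two never match and every request falls through to the catch-all.
POSTED = [
    (None, r"^.*mydomain\.com/(.*)",
     "http://127.0.0.1:8080/am11727372/++vh++https:www.mydomain.com:443/++/$1"),
    (None, r"^.*mydomain1\.com/(.*)",
     "http://127.0.0.1:8080/am12704055/++vh++https:www.mydomain1.com:443/++/$1"),
    (None, r"^/(.*)",
     "http://127.0.0.1:8080/++vh++https:%{HTTP_HOST}:443/++/$1"),
]

# With RewriteCond on %{HTTP_HOST}: the capture is anchored to an explicit
# host list instead of (.+), so an arbitrary Host header cannot steer the
# backend URL; requests for unknown hosts match nothing.
FIXED = [
    (r"^(www\.mydomain\.com)$", r"^/(.*)",
     "http://127.0.0.1:8080/am11727372/++vh++https:%1:443/++/$1"),
    (r"^(www\.mydomain1\.com)$", r"^/(.*)",
     "http://127.0.0.1:8080/am12704055/++vh++https:%1:443/++/$1"),
]
```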


Re: Re: [users@httpd] Vitualhosts ssl and apache2

Posted by Vincent Bray <no...@gmail.com>.
On 8/2/06, David Pratt <fa...@eastlink.ca> wrote:
> Hi Vincent. I had found this example searching more but not sure it is
> of any value.

It may be of value but you should understand what it's doing. With
this setup there are two distinct ssl conversations going on. As
pointed out by the message linked to earlier, this is usually
pointless.

-- 
noodl



Re: [users@httpd] Vitualhosts ssl and apache2

Posted by David Pratt <fa...@eastlink.ca>.
Hi Vincent. I had found this example searching more but not sure it is 
of any value.

Regards,
David

<VirtualHost 1.2.3.4:80>
         ServerName webmail.example.org
         DocumentRoot /var/www/html/exchange
         RedirectMatch ^/(index.html?)$ https://webmail.example.org/exchange/
         RedirectMatch ^/exchange$ https://webmail.example.org/exchange/
</VirtualHost>

<VirtualHost 1.2.3.4:443>
         # This secures the server from being used as a third party
         # proxy server
         ProxyRequests Off

         # Allows the proxying of a SSL connection
         SSLProxyEngine On
         ProxyVia On

         DocumentRoot /home/user/mail_proxy/html/
         RequestHeader set Front-End-Https "On"

         ServerName mail

         # Set up SSL to work with this host
         SSLEngine On
         SSLCertificateFile /etc/apache/webmail-proxy/server.crt
         SSLCertificateKeyFile /etc/apache/webmail-proxy/server.key

         SSLProxyMachineCertificateFile /etc/apache/webmail-proxy/certnew.cer

         ProxyPass /exchange/ https://mail-internal/exchange/
         ProxyPassReverse /exchange/ https://mail-internal/exchange/

         ProxyPass /exchweb/ https://mail-internal/exchweb/
         ProxyPassReverse /exchweb/ https://mail-internal/exchweb/

         ProxyPass /public/ https://mail-internal/public/
         ProxyPassReverse /public/ https://mail-internal/public/

         ProxyPreserveHost On
</VirtualHost>

Vincent Bray wrote:
> On 8/2/06, Vincent Bray <no...@gmail.com> wrote:
>> On 8/2/06, David Pratt <fa...@eastlink.ca> wrote:
>> > Hi Vincent. I have NameVirtualHost(s) set up as follows.
>> >
>> > NameVirtualHost *:80
>> > NameVirtualHost *:443
>> >
>> > Sorry I did not include this in my previous message. The twisted SSL
>> > server is pretty much stand alone and uses its own certificate source.
>> > What I want to do is have the server running on localhost:8443 proxied
>> > on 443 for a particular path.  Will I still need Apache's SSLEngine for
>> > this?
> Hi,
> Looking into this a little further (thanks google) has confirmed what
> I thought; that reverse proxying ssl is largely pointless. This rather
> old message explains the scenario:
> 
> http://www.squid-cache.org/mail-archive/squid-users/200005/0744.html
> 
> That leaves you either, a) forgetting about ssl authentication between
> the user agent and zope, b) exposing zope to the client directly, or
> c) using something at the tcp level to forward the encrypted
> connection to zope's port.
> 



Re: Re: Re: [users@httpd] Vitualhosts ssl and apache2

Posted by Vincent Bray <no...@gmail.com>.
On 8/2/06, Vincent Bray <no...@gmail.com> wrote:
> On 8/2/06, David Pratt <fa...@eastlink.ca> wrote:
> > Hi Vincent. I have NameVirtualHost(s) set up as follows.
> >
> > NameVirtualHost *:80
> > NameVirtualHost *:443
> >
> > Sorry I did not include this in my previous message. The twisted SSL
> > server is pretty much stand alone and uses its own certificate source.
> > What I want to do is have the server running on localhost:8443 proxied
> > on 443 for a particular path.  Will I still need Apache's SSLEngine for
> > this?
Hi,
Looking into this a little further (thanks google) has confirmed what
I thought; that reverse proxying ssl is largely pointless. This rather
old message explains the scenario:

http://www.squid-cache.org/mail-archive/squid-users/200005/0744.html

That leaves you either, a) forgetting about ssl authentication between
the user agent and zope, b) exposing zope to the client directly, or
c) using something at the tcp level to forward the encrypted
connection to zope's port.

-- 
noodl



Re: Re: [users@httpd] Vitualhosts ssl and apache2

Posted by Vincent Bray <no...@gmail.com>.
On 8/2/06, David Pratt <fa...@eastlink.ca> wrote:
> Hi Vincent. I have NameVirtualHost(s) set up as follows.
>
> NameVirtualHost *:80
> NameVirtualHost *:443
>
> Sorry I did not include this in my previous message. The twisted SSL
> server is pretty much stand alone and uses its own certificate source.
> What I want to do is have the server running on localhost:8443 proxied
> on 443 for a particular path.  Will I still need Apache's SSLEngine for
> this?

Yes you will, as the connection to apache uses the ssl protocol. I
don't know the details of setting up reverse ssl proxies, but I gather
there are extra steps involving SSLProxyEngine. Hopefully somebody
clueful on this subject will jump in now..

-- 
noodl



Re: [users@httpd] Vitualhosts ssl and apache2

Posted by David Pratt <fa...@eastlink.ca>.
Hi Vincent. I have NameVirtualHost(s) set up as follows.

NameVirtualHost *:80
NameVirtualHost *:443

Sorry I did not include this in my previous message. The twisted SSL 
server is pretty much stand alone and uses its own certificate source. 
What I want to do is have the server running on localhost:8443 proxied 
on 443 for a particular path.  Will I still need Apache's SSLEngine for 
this?

Regards,
David


Vincent Bray wrote:
> On 8/2/06, David Pratt <fa...@eastlink.ca> wrote:
>> Hi I have a couple of questions. I am trying to set up my ssl on zope3
>> with apache2. I have zope (twisted) running on port 8080 and a secure
>> server running on port 8443.  My sites are folders in the zope root. The
>> virtual host setup is below. The virtual hosts work fine on port 80
>> using www.mydomain.com and www.mydomain1.com
> 
> [snip]
> 
> Hi,
> You have many problems here.. First you don't seem to have any
> NameVirtualHost directives to tell apache to use name virtual hosts.
> Second, when you sort that out you'll find that your vhosts aren't
> even running ssl (no SSLEngine On). Then, you're proxying to
> http://127.0.0.1:8443 meaning that you're speaking the wrong protocol
> to the backend. Of course, you also can't use name virtual hosts over
> ssl on the same ip/port.
> 
> Some suggested reading:
> http://www.onlamp.com/pub/a/apache/2005/02/17/apacheckbk.html
> http://httpd.apache.org/docs/2.2/vhosts/
> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts
> 
