You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Josh Gooding <jo...@gmail.com> on 2009/08/06 22:04:02 UTC
[users@httpd] Need some SSL help please.
Greetings folks, I've ran into a little SSL snag here. Currently I have
Apache 2.2 and Tomcat 6.0 configured to run and talk to each other. It
seems to work even though I have ONE static page in the entire project for
right now.
What I want to do:
Run the Login.jsp through SSL, after successful login, drop the SSL. The
entire session doesn't need encrypted, only the login and password. I was
directed over here from the Tomcat Mailing list. I figured that I'd ask. I
am using the Tomcat's built in j_security_check to authenticate users
login's. I'm very new to SSL so please forgive me if I am asking some very
basic questions.
My question: Is it possible to do the above scenario? Is it practical? Am
I wasting my time on this if there is a better way of doing this?
Thank you.
- Josh
Re: [users@httpd] Re: Need some SSL help please.
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 07.08.09 15:27, Mike -- EMAIL IGNORED wrote:
> Please read my recent thread "excessive DNS slows httpd".
> The bottom line: I recently introduced SSL to part of my
> web site, and it slowed considerably. Using iptables
> (on a Linux system),I blocked all DNS, and speed of
> response is better than ever, 8 meg photo files
> notwithstanding.
It would be much better to configure apache/applications not to use DNS than
to block it. Also, it highly depends on type of blocking - using DROP rules
will cause apps to run even slower if any part of DNS works...
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Re: Need some SSL help please.
Posted by Josh Gooding <jo...@gmail.com>.
I had an idea... what about putting the domain in the configuration file and
doing a "hard" redirect upon proper authentication? Would this be
feasible? Doable in httpd?
On Fri, Aug 7, 2009 at 2:08 PM, Josh Gooding <jo...@gmail.com> wrote:
> No, my understanding is login's weren't encrypted unless SSL was used.
>
> Scott, I'm not a sysadmin, but does win2k3 server have something like
> iptables? That MIGHT be a little more helpful, I'll have to research it
> more, however, I still need to figure out how to drop SSL after the login
> screen. Let me do some more digging around the internet.
>
> The login password is encrypted with MD5 before checking the DB and stored
> in the DB as an MD5 hash, so with that being said, is SSL even neccessary on
> the login to the software?
>
> Thank you again for all the responses and advice. It is highly
> appreciated.
>
> - Josh
>
>
> On Fri, Aug 7, 2009 at 11:27 AM, Mike -- EMAIL IGNORED <
> m_d_berger_1900@yahoo.com> wrote:
>
>> On Fri, 07 Aug 2009 08:40:55 -0400, Josh Gooding wrote:
>>
>> > Thanks for the reply Krist,
>> >
>> > Let me give you a little background on what I did (and still doing). I
>> > created a video training software that is now internet based. Nothing
>> > inside of the training needs to be across HTTPS, except the login page.
>> > Client's said they would "like" to see it done. Which is were I am at
>> > right now. I always thought that HTTPS is noticeably slower than
>> > regular HTTP, which is why I would not want HTTPS on the entire site,
>> > since video and graphics tend to be more bandwidth and CPU intensive.
>> >
>> > In essence I am trying to keep the lag to as little as possible and only
>> > encrypt what needs to be encrypted.
>> >
>> > - Josh
>> >
>> [...]
>>
>> Please read my recent thread "excessive DNS slows httpd".
>> The bottom line: I recently introduced SSL to part of my
>> web site, and it slowed considerably. Using iptables
>> (on a Linux system),I blocked all DNS, and speed of
>> response is better than ever, 8 meg photo files
>> notwithstanding.
>>
>> Additionally, I thought sign-in is encrypted even when
>> SSL is not in use. Is this not true?
>>
>> Mike.
>>
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>
[users@httpd] Re: Need some SSL help please.
Posted by Mike -- EMAIL IGNORED <m_...@yahoo.com>.
On Tue, 11 Aug 2009 07:50:17 +0200, Krist van Besien wrote:
> On Sat, Aug 8, 2009 at 4:19 AM, Mike -- EMAIL
> IGNORED<m_...@yahoo.com> wrote:
>
>> One additional but important point. When things slowed substantially
>> after adding SSL to part of my tree, everything slowed, even the parts
>> that were not doing SSL at all. Again, the slowness was caused by the
>> DNS, not the encryption. This was verified with WireShark.
>
> Enabling SSL in itself should not lead to increased DNS traffic from
> Apache. You might have made other changes that caused Apache to do name
> lookups.
>
> Krist
>
[...]
Unfortunately, I did make numerous changes. While I do not
see that they should increase DNS, I could easily be
missing something. See my new suggestion I am about to post.
Mike.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Re: Need some SSL help please.
Posted by Krist van Besien <kr...@gmail.com>.
On Sat, Aug 8, 2009 at 4:19 AM, Mike -- EMAIL
IGNORED<m_...@yahoo.com> wrote:
> One additional but important point. When things slowed substantially
> after adding SSL to part of my tree, everything slowed, even the parts
> that were not doing SSL at all. Again, the slowness was caused by the
> DNS, not the encryption. This was verified with WireShark.
Enabling SSL in itself should not lead to increased DNS traffic from
Apache. You might have made other changes that caused Apache to do
name lookups.
Krist
--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
[users@httpd] Re: Need some SSL help please.
Posted by Mike -- EMAIL IGNORED <m_...@yahoo.com>.
On Sat, 08 Aug 2009 01:59:34 +0000, Mike -- EMAIL IGNORED wrote:
> On Fri, 07 Aug 2009 20:46:35 -0400, Josh Gooding wrote:
>
>> Mike,
>>
>> If it was up to me, I wouldn't use a Windows based server either,
>> however, what the client bought is what I had to use. KWIM? I can't
>> block DNS on this server due to it having a .com tied to it. I looked
>> this afternoon and no dice. I can look into it more in depth on the
>> httpd site. What a perplexing thing I'm trying to do.
>>
>> - Josh
>>
> [...]
>
> I think the Rewrite example I gave is like:
> Require valid-user
>
> I still do not see the way but note:
> 1 . I think t is possible to construct a directory tree where
> the root uses SSL but the others do not.
> 2. Maybe non-SSL directories can be made to reject in there
> is no valid user, but not with a login request.
> 3. The root directory would respond with the normal login.
> This is how I would start. It places a restriction on the user to first
> access the root directory.
>
> FWIW, this is all I can think of now. It might require the use of
> environment variables. (See Apache "Access Control").
>
> This is an interesting problem but after this post, I go on travel and
> will have little or no Internet access for a week. I will look back when
> I return, hoping to see what was finally done.
>
> Mike.
>
One additional but important point. When things slowed substantially
after adding SSL to part of my tree, everything slowed, even the parts
that were not doing SSL at all. Again, the slowness was caused by the
DNS, not the encryption. This was verified with WireShark.
Long ago I learned that it is often cheaper to buy another piece
of hardware, than to solve a subtle problem with software. In
this case, a Linux box wherein you could easily block DNS is probably
the cheapest and most user-friendly solution.
Bedtime at -0400.
HTH.
Mike.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
[users@httpd] Re: Need some SSL help please.
Posted by Mike -- EMAIL IGNORED <m_...@yahoo.com>.
On Fri, 07 Aug 2009 20:46:35 -0400, Josh Gooding wrote:
> Mike,
>
> If it was up to me, I wouldn't use a Windows based server either,
> however, what the client bought is what I had to use. KWIM? I can't
> block DNS on this server due to it having a .com tied to it. I looked
> this afternoon and no dice. I can look into it more in depth on the
> httpd site. What a perplexing thing I'm trying to do.
>
> - Josh
>
[...]
I think the Rewrite example I gave is like:
Require valid-user
I still do not see the way but note:
1 . I think t is possible to construct a directory tree where
the root uses SSL but the others do not.
2. Maybe non-SSL directories can be made to reject in there
is no valid user, but not with a login request.
3. The root directory would respond with the normal login.
This is how I would start. It places a restriction on the user to
first access the root directory.
FWIW, this is all I can think of now. It might require the use of
environment variables. (See Apache "Access Control").
This is an interesting problem but after this post, I go on
travel and will have little or no Internet access for a week.
I will look back when I return, hoping to see what was finally
done.
Mike.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Re: Need some SSL help please.
Posted by Josh Gooding <jo...@gmail.com>.
Mike,
If it was up to me, I wouldn't use a Windows based server either, however,
what the client bought is what I had to use. KWIM?
I can't block DNS on this server due to it having a .com tied to it. I
looked this afternoon and no dice. I can look into it more in depth on the
httpd site. What a perplexing thing I'm trying to do.
- Josh
On Fri, Aug 7, 2009 at 5:47 PM, Mike -- EMAIL IGNORED <
m_d_berger_1900@yahoo.com> wrote:
> On Fri, 07 Aug 2009 14:08:27 -0400, Josh Gooding wrote:
>
> > No, my understanding is login's weren't encrypted unless SSL was used.
> >
> > Scott, I'm not a sysadmin, but does win2k3 server have something like
> > iptables? That MIGHT be a little more helpful, I'll have to research it
> > more, however, I still need to figure out how to drop SSL after the
> > login screen. Let me do some more digging around the internet.
> >
> > The login password is encrypted with MD5 before checking the DB and
> > stored in the DB as an MD5 hash, so with that being said, is SSL even
> > neccessary on the login to the software?
> >
> > Thank you again for all the responses and advice. It is highly
> > appreciated.
> >
> > - Josh
> >
> [...]
>
> I'm not sure I would block DNS on a Windows system, certainly
> if it is doing anything else but being a server. But then
> I would not use a Windows system for a server.
>
> I suspect that what you want to do can be accomplished
> with mod_ssl, mod_rewrite, <Directory> and <VirtualHost>.
> I don't see my way right to it, but, for example,
> RewriteCond %{REMOTE_USER} !^.+$
> RewriteRule $.*$ - [F]
> or some such thing properly placed might be useful.
>
> Detailed tutorials for these capabilities can be found on
> the Apache web site. Some study would be required.
>
> HTH.
> Mike.
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
[users@httpd] Re: Need some SSL help please.
Posted by Mike -- EMAIL IGNORED <m_...@yahoo.com>.
On Fri, 07 Aug 2009 14:08:27 -0400, Josh Gooding wrote:
> No, my understanding is login's weren't encrypted unless SSL was used.
>
> Scott, I'm not a sysadmin, but does win2k3 server have something like
> iptables? That MIGHT be a little more helpful, I'll have to research it
> more, however, I still need to figure out how to drop SSL after the
> login screen. Let me do some more digging around the internet.
>
> The login password is encrypted with MD5 before checking the DB and
> stored in the DB as an MD5 hash, so with that being said, is SSL even
> neccessary on the login to the software?
>
> Thank you again for all the responses and advice. It is highly
> appreciated.
>
> - Josh
>
[...]
I'm not sure I would block DNS on a Windows system, certainly
if it is doing anything else but being a server. But then
I would not use a Windows system for a server.
I suspect that what you want to do can be accomplished
with mod_ssl, mod_rewrite, <Directory> and <VirtualHost>.
I don't see my way right to it, but, for example,
RewriteCond %{REMOTE_USER} !^.+$
RewriteRule $.*$ - [F]
or some such thing properly placed might be useful.
Detailed tutorials for these capabilities can be found on
the Apache web site. Some study would be required.
HTH.
Mike.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Re: Need some SSL help please.
Posted by Josh Gooding <jo...@gmail.com>.
No, my understanding is login's weren't encrypted unless SSL was used.
Scott, I'm not a sysadmin, but does win2k3 server have something like
iptables? That MIGHT be a little more helpful, I'll have to research it
more, however, I still need to figure out how to drop SSL after the login
screen. Let me do some more digging around the internet.
The login password is encrypted with MD5 before checking the DB and stored
in the DB as an MD5 hash, so with that being said, is SSL even neccessary on
the login to the software?
Thank you again for all the responses and advice. It is highly appreciated.
- Josh
On Fri, Aug 7, 2009 at 11:27 AM, Mike -- EMAIL IGNORED <
m_d_berger_1900@yahoo.com> wrote:
> On Fri, 07 Aug 2009 08:40:55 -0400, Josh Gooding wrote:
>
> > Thanks for the reply Krist,
> >
> > Let me give you a little background on what I did (and still doing). I
> > created a video training software that is now internet based. Nothing
> > inside of the training needs to be across HTTPS, except the login page.
> > Client's said they would "like" to see it done. Which is were I am at
> > right now. I always thought that HTTPS is noticeably slower than
> > regular HTTP, which is why I would not want HTTPS on the entire site,
> > since video and graphics tend to be more bandwidth and CPU intensive.
> >
> > In essence I am trying to keep the lag to as little as possible and only
> > encrypt what needs to be encrypted.
> >
> > - Josh
> >
> [...]
>
> Please read my recent thread "excessive DNS slows httpd".
> The bottom line: I recently introduced SSL to part of my
> web site, and it slowed considerably. Using iptables
> (on a Linux system),I blocked all DNS, and speed of
> response is better than ever, 8 meg photo files
> notwithstanding.
>
> Additionally, I thought sign-in is encrypted even when
> SSL is not in use. Is this not true?
>
> Mike.
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
Re: [users@httpd] Re: Need some SSL help please.
Posted by Dan Poirier <po...@pobox.com>.
On 08/07/2009 11:27 AM, Mike -- EMAIL IGNORED wrote:
> Additionally, I thought sign-in is encrypted even when
> SSL is not in use. Is this not true?
>
That is not true. Sign-in is not encrypted unless you use SSL.
--
Dan Poirier <po...@pobox.com>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
[users@httpd] Re: Need some SSL help please.
Posted by Mike -- EMAIL IGNORED <m_...@yahoo.com>.
On Fri, 07 Aug 2009 08:40:55 -0400, Josh Gooding wrote:
> Thanks for the reply Krist,
>
> Let me give you a little background on what I did (and still doing). I
> created a video training software that is now internet based. Nothing
> inside of the training needs to be across HTTPS, except the login page.
> Client's said they would "like" to see it done. Which is were I am at
> right now. I always thought that HTTPS is noticeably slower than
> regular HTTP, which is why I would not want HTTPS on the entire site,
> since video and graphics tend to be more bandwidth and CPU intensive.
>
> In essence I am trying to keep the lag to as little as possible and only
> encrypt what needs to be encrypted.
>
> - Josh
>
[...]
Please read my recent thread "excessive DNS slows httpd".
The bottom line: I recently introduced SSL to part of my
web site, and it slowed considerably. Using iptables
(on a Linux system),I blocked all DNS, and speed of
response is better than ever, 8 meg photo files
notwithstanding.
Additionally, I thought sign-in is encrypted even when
SSL is not in use. Is this not true?
Mike.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Need some SSL help please.
Posted by Krist van Besien <kr...@gmail.com>.
On Fri, Aug 7, 2009 at 2:40 PM, Josh Gooding<jo...@gmail.com> wrote:
> I always thought that HTTPS is noticeably slower than regular HTTP,
> which is why I would not want HTTPS on the entire site, since video and
> graphics tend to be more bandwidth and CPU intensive.
In a time when most computers run 99% idle 90% of the time I don't
worry about performance anymore. Nowadays the cheapest solution to any
performance problem is to buy a bigger server.
Krist
--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Need some SSL help please.
Posted by Josh Gooding <jo...@gmail.com>.
Thanks for the reply Krist,
Let me give you a little background on what I did (and still doing). I
created a video training software that is now internet based. Nothing
inside of the training needs to be across HTTPS, except the login page.
Client's said they would "like" to see it done. Which is were I am at right
now. I always thought that HTTPS is noticeably slower than regular HTTP,
which is why I would not want HTTPS on the entire site, since video and
graphics tend to be more bandwidth and CPU intensive.
In essence I am trying to keep the lag to as little as possible and only
encrypt what needs to be encrypted.
- Josh
On Fri, Aug 7, 2009 at 1:48 AM, Krist van Besien
<kr...@gmail.com>wrote:
> On Thu, Aug 6, 2009 at 10:04 PM, Josh Gooding<jo...@gmail.com>
> wrote:
>
> > Run the Login.jsp through SSL, after successful login, drop the SSL.
>
> Why do you want to drop the SSL after logging in? It is a lot easier
> to just run the whole site over https. This way all you need to do is
> to configure SSL for your whole server.
>
> Krist
>
>
> --
> krist.vanbesien@gmail.com
> krist@vanbesien.org
> Bremgarten b. Bern, Switzerland
> --
> A: It reverses the normal flow of conversation.
> Q: What's wrong with top-posting?
> A: Top-posting.
> Q: What's the biggest scourge on plain text email discussions?
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
Re: [users@httpd] Need some SSL help please.
Posted by Krist van Besien <kr...@gmail.com>.
On Thu, Aug 6, 2009 at 10:04 PM, Josh Gooding<jo...@gmail.com> wrote:
> Run the Login.jsp through SSL, after successful login, drop the SSL.
Why do you want to drop the SSL after logging in? It is a lot easier
to just run the whole site over https. This way all you need to do is
to configure SSL for your whole server.
Krist
--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Need some SSL help please.
Posted by Scott Gifford <sg...@suspectclass.com>.
Josh Gooding <jo...@gmail.com> writes:
[...]
> Run the Login.jsp through SSL, after successful login, drop the SSL. The
> entire session doesn't need encrypted, only the login and password.
Sure, that's possible. The general strategy is to accept the username
and password on a secure connection, and if they are correct generate
a session ID which can be used for future authentication. You can
return this to the browser in a form or the URL (maybe in a cookie,
not sure if cookies can be passed between HTTP and HTTPS sites), and
the non-encrypted part of your application would just check that the
session ID is valid.
I don't know of an Apache module that will do this for you, and I
don't know anything about Tomcat, but at a high level that's a common
approach.
Hope this helps,
----Scott.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org