Posted to users@httpd.apache.org by Chris Jölly <ch...@unycom.com> on 2010/02/16 15:06:40 UTC

[users@httpd] Passing SSL client certificates via mod_proxy_ajp to Tomcat ...

Hello,

Is there a possibility to pass an SSL client certificate via mod_proxy_ajp
to Tomcat, ideally the same way mod_jk did, so Tomcat is able to extract
the certificate and add it as an attribute to the request?

Thanks,

Chris


RE: [users@httpd] SSL redirect browsers if weak encryption to a warning page

Posted by Renato Oliveira <re...@grant.co.uk>.
Eric,

Thank you for the reply.
I am sorry I don't understand it, sorry. I don't want to protect the directory, I want to have a redirect of the 403 error to a warning page.

Do you mean for me to remove the
<Directory "/"> directive?

Thank you very much

Best regards

Renato



Renato Oliveira
Systems Administrator
e-mail: renato.oliveira@grant.co.uk

Tel: +44 (0)1763 260811
Fax: +44 (0)1763 262410
http://www.grant.co.uk/

Grant Instruments (Cambridge) Ltd

Company registered in England, registration number 658133

Registered office address:
29 Station Road,
Shepreth,
CAMBS SG8 6GB
UK

-----Original Message-----


From: Eric Covener [mailto:covener@gmail.com]
Sent: 16 February 2010 15:03
To: users@httpd.apache.org
Subject: Re: [users@httpd] SSL redirect browsers if weak encryption to a warning page

On Tue, Feb 16, 2010 at 9:50 AM, Renato Oliveira
<re...@grant.co.uk> wrote:
> Dear all,
>
>
>
> I am using Apache Server version: Apache/2.2.3 on Centos 5.4 (Test
> environment)
>
> On Production Redhat 4 Server version: Apache/2.0.52
>
>
>
> I have been looking for a way of:
>
> 1 - Prevent browsers with lower encryption to use my site, which I can do
> with the two directives below
>
> SSLProtocol all -SSLv2
>
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
>
>
>
> 2 - Redirect them to a warning page
>
> <Directory "/">
>
>     SSLRequireSSL
>
>     SSLRequire (%{SSL_PROTOCOL} != "SSLv2" and %{SSL_CIPHER_USEKEYSIZE} >=
> 128) or %{REQUEST_URI} =~ m:^/errors/:
>
>     ErrorDocument 403 /errors/403-ssl.html
>
> </Directory>
>
>
>
> When I use IE5 to access the site I get the following error:
>
>
>
> Forbidden
>
> You don't have permission to access / on this server.
>
>
>
> Additionally, a 403 Forbidden error was encountered while trying to use an
> ErrorDocument to handle the request.

Don't protect the directory with your ErrorDocuments if you know the
SSL connection is already forbidden.

--
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org




Please consider the environment before printing this email
CONFIDENTIALITY: The information in this e-mail and any attachments is confidential. It is intended only for the named recipients(s). If you are not the named recipient please notify the sender immediately and do not disclose the contents to another person or take copies.

VIRUSES: The contents of this e-mail or attachment(s) may contain viruses which could damage your own computer system. Whilst Grant Instruments (Cambridge) Ltd has taken every reasonable precaution to minimise this risk, we cannot accept liability for any damage which you sustain as a result of software viruses. You should therefore carry out your own virus checks before opening the attachment(s).

OpenXML: For information about the OpenXML file format in use within Grant Instruments please visit our http://www.grant.co.uk/Support/openxml.html



Re: [users@httpd] SSL redirect browsers if weak encryption to a warning page

Posted by Eric Covener <co...@gmail.com>.
On Tue, Feb 16, 2010 at 9:50 AM, Renato Oliveira
<re...@grant.co.uk> wrote:
> Dear all,
>
>
>
> I am using Apache Server version: Apache/2.2.3 on Centos 5.4 (Test
> environment)
>
> On Production Redhat 4 Server version: Apache/2.0.52
>
>
>
> I have been looking for a way of:
>
> 1 – Prevent browsers with lower encryption to use my site, which I can do
> with the two directives below
>
> SSLProtocol all -SSLv2
>
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
>
>
>
> 2 – Redirect them to a warning page
>
> <Directory "/">
>
>     SSLRequireSSL
>
>     SSLRequire (%{SSL_PROTOCOL} != "SSLv2" and %{SSL_CIPHER_USEKEYSIZE} >=
> 128) or %{REQUEST_URI} =~ m:^/errors/:
>
>     ErrorDocument 403 /errors/403-ssl.html
>
> </Directory>
>
>
>
> When I use IE5 to access the site I get the following error:
>
>
>
> Forbidden
>
> You don't have permission to access / on this server.
>
>
>
> Additionally, a 403 Forbidden error was encountered while trying to use an
> ErrorDocument to handle the request.

Don't protect the directory with your ErrorDocuments if you know the
SSL connection is already forbidden.

-- 
Eric Covener
covener@gmail.com
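
Added example, not part of any message in this thread: one way to apply the advice above in Apache 2.2 is to serve the error page from a directory that the SSLRequire block does not cover. The path /var/www/errors is a hypothetical location chosen for illustration; all other values are taken from the configuration posted in the thread.

```apache
# Added example (Apache 2.2 syntax), not from the original posts.
<VirtualHost 192.168.8.40:443>
    DocumentRoot "/var/www/secure"
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/certs/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/certs/server.key

    # Handshake policy, unchanged from the thread. A client that shares no
    # cipher with this list fails the SSL handshake and never receives any
    # HTTP response, so the 403 page below is only seen by clients that
    # complete a handshake and are then rejected by SSLRequire.
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

    # Error pages live outside the protected tree (hypothetical path), so
    # the internal redirect to the ErrorDocument is not itself subject to
    # SSLRequireSSL/SSLRequire and cannot trigger a second 403.
    Alias /errors/ "/var/www/errors/"
    <Directory "/var/www/errors">
        Order allow,deny
        Allow from all
    </Directory>

    # Restrict the site content only. Using the DocumentRoot here instead
    # of <Directory "/"> keeps /var/www/errors out of scope.
    <Directory "/var/www/secure">
        SSLRequireSSL
        SSLRequire %{SSL_PROTOCOL} != "SSLv2" and %{SSL_CIPHER_USEKEYSIZE} >= 128
        ErrorDocument 403 /errors/403-ssl.html
    </Directory>
</VirtualHost>
```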



[users@httpd] SSL redirect browsers if weak encryption to a warning page

Posted by Renato Oliveira <re...@grant.co.uk>.
Dear all,

I am using Apache Server version: Apache/2.2.3 on Centos 5.4 (Test environment)
On Production Redhat 4 Server version: Apache/2.0.52

I have been looking for a way of:
1 - Prevent browsers with lower encryption to use my site, which I can do with the two directives below
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

2 - Redirect them to a warning page

<Directory "/">

    SSLRequireSSL

    SSLRequire (%{SSL_PROTOCOL} != "SSLv2" and %{SSL_CIPHER_USEKEYSIZE} >= 128) or %{REQUEST_URI} =~ m:^/errors/:

    ErrorDocument 403 /errors/403-ssl.html

</Directory>

When I use IE5 to access the site I get the following error:

Forbidden
You don't have permission to access / on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.


--------------------------------------------------------------------------------

Apache/2.2.3 (CentOS) Server at secure01.grant.co.uk Port 443

Below is my Virtual Host:
NameVirtualHost 192.168.8.40:443
<VirtualHost 192.168.8.40:443>
        Serveradmin renato.oliveira@grant.co.uk
        DocumentRoot "/var/www/secure"
        ServerName secure01.granted.co.uk
        ErrorLog logs/secure01-error_log
        CustomLog logs/secure01.granted.co.uk-access_log common
        SSLEngine on

    <Directory "/">
        SSLRequireSSL
       SSLRequire (%{SSL_PROTOCOL} != "SSLv2" and %{SSL_CIPHER_USEKEYSIZE} >= 128) or %{REQUEST_URI} =~ m:^/errors/:
        ErrorDocument 403 "Your Browser Does not support 128 Bit Encryption"
   </Directory>


       SSLProtocol all -SSLv2
       SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

       SSLCertificateFile /etc/httpd/conf/certs/server.crt
       SSLCertificateKeyFile /etc/httpd/conf/certs/server.key
</VirtualHost>

If anyone could help me, point me in the right direction or give a clue, it would be very much appreciated.
I have searched loads before posting this question here.

Thank you very much in advance

Renato

Renato Oliveira
Systems Administrator
e-mail: renato.oliveira@grant.co.uk

Tel: +44 (0)1763 260811
Fax: +44 (0)1763 262410
www.grant.co.uk<http://www.grant.co.uk/>

Grant Instruments (Cambridge) Ltd

Company registered in England, registration number 658133

Registered office address:
29 Station Road,
Shepreth,
CAMBS SG8 6GB
UK
