[TriLUG] Apache2 SSL - misconfig followup..

Jonathan Woodbury jpwoodbu at mybox.org
Tue Apr 18 11:26:08 EDT 2006


The use of an <IfDefine> directive when it comes to HTTPS has typically been
to allow the admin to easily switch the HTTPS service on or off, often
through the use of the apachectl script being sent either a "start" or a
"startssl" argument. Under the hood of the apachectl script, it
is conditionally adding "-DSSL" to the command line used to start apache.
Incidentally, the 2.2 branch of apache web server has done away with the
"startssl" option in the apachectl script (at least under the hood),
probably since most people don't switch that service on and off all that
much.

If you are intending to have apache host both HTTP and HTTPS at the same
time you essentially have to make use of a port based virtual host so the
SSL directives will only apply to requests coming in on a particular port.
This usually looks like this:

<VirtualHost _default_:443>
    SSLEngine On
    SSLCertificateFile /the/path/to/your/cert
    SSLCertificateKeyFile /the/path/to/your/key
    # the SSLCertificateKeyFile is somewhat optional in that you can put
    # both the certificate and the key in the file passed to the
    # SSLCertificateFile directive.
    # then of course the standard stuff like ServerAdmin, ServerName, log
    # directives, docroot, etc.
</VirtualHost>

Of course, you'll need to be sure you're loading the SSL module and
listening on port 443 (which I don't believe can be put inside a VirtualHost
directive).

As this is my first message to this list I hope I got it right and moreover,
I hope this helped! :)

Jonathan
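A check that answers the question raised below ("is https:// on 443 just serving plain HTTP?") from the outside: connect to the port, attempt a real TLS handshake, and if that fails, ask the port in cleartext. This is an added example, not code from the thread or from the Apache project; the function names, the timeouts, and the loopback "plaintext listener" used for the demo are this example's own constructions. The demo stands in for an Apache with "Listen 443" but no SSLEngine On, which is exactly what a browser would show as a broken page or a missing lock. Note that a "tls" verdict here only means the port is encrypted; whether the certificate chains to a trusted CA (Doug's point 3) is a separate check that this probe deliberately skips.

```python
# Added example (not from the original thread): classify what is listening on
# host:port as TLS, plain HTTP, or nothing at all.
import socket
import ssl
import threading

# Assumption (this example's own names): probe_port, start_plaintext_demo_server,
# run_demo. Nothing here comes from Apache, apachectl or the mailing list.


def probe_port(host, port, timeout=2.0):
    """Return "closed", "tls", "plaintext" or "unknown" for host:port.

    "tls" means a handshake completed; the certificate is NOT verified here,
    because the question is "is it encrypted", not "is it trusted".
    "plaintext" means the port answered a cleartext HTTP request with an
    HTTP status line, so https://host:port would not be encrypted.
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"

    # Step 1: attempt a real TLS handshake with verification switched off.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.version()  # handshake has completed if we get here
        return "tls"
    except OSError:
        # ssl.SSLError is an OSError. A plain-HTTP listener answers the
        # ClientHello with a cleartext "400 Bad Request", which OpenSSL
        # rejects as "wrong version number"; wrap_socket closed raw for us.
        pass

    # Step 2: no TLS, so talk cleartext HTTP and see if something HTTP-like replies.
    try:
        with socket.create_connection((host, port), timeout=timeout) as plain:
            plain.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            reply = plain.recv(64)
    except OSError:
        return "unknown"
    return "plaintext" if reply.startswith(b"HTTP/") else "unknown"


def start_plaintext_demo_server():
    """Constructed stand-in for a listener with 'Listen 443' but no SSLEngine On:
    it speaks only cleartext HTTP on a loopback port. Returns (port, stop_event)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                try:
                    data = conn.recv(4096)
                    if data.startswith((b"GET ", b"HEAD ")):
                        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
                    else:
                        # What a non-SSL listener does with a TLS ClientHello.
                        conn.sendall(b"HTTP/1.0 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


def run_demo():
    """Probe the constructed plaintext listener and a port with no listener."""
    port, stop = start_plaintext_demo_server()
    results = {"plain_listener": probe_port("127.0.0.1", port)}
    # Grab and release an ephemeral port so that nothing is listening on it.
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    free_port = tmp.getsockname()[1]
    tmp.close()
    results["free_port"] = probe_port("127.0.0.1", free_port)
    stop.set()
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

Against a real server you would call probe_port("www.example.org", 443) and expect "tls"; a "plaintext" verdict on 443 is the misconfiguration to look for (port open, SSLEngine not on for that virtual host), and "closed" means the Listen 443 never took effect, as with the -DSSL flag missing in the original question.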

On 4/17/06, Myrhillion <lug at blackwizard.net> wrote:
>
>
> Okay, I'm not terribly familiar with https...  so bearing that..
>
> If the Listen 443 is in listen.conf, but the flag isn't set in apache...
>
> Does this mean https:// is just serving http on 443 without actual
> encrypting the session?
> Visually in the browser how is this signalled,  no lock?
>
> I'm mostly curious for signs of misconfiguration than anything.
> I am just taking a class that sort of touches on https but doesn't give
> specifics of implementation.
> I was contemplating setting one up to get some hands on..
>
> As I understand it, https is usually 3 things to an end-user.
>
> 1. A web server running on 443 typically.
>     Is this just done by the browser trying to connect to a web server
> on port 443 if https:// is used?
>     I also assume the port can be changed as usual, (e.g.
> https://securedwebserver.com:<unusual port number>)
>
> 2. A guarantee that this web server will encrypt traffic with the client
> browser, usually signalled by a lock icon in the browser.
>    Otherwise it is regular http protocol traffic.
>
> 3. Verification of a certificate through a trusted third party like
> Verisign.
>
> Finally, I understand the specific encryption implementations might vary
> between web servers.
>
> I didn't find any site that touches on common misconfigurations or their
> avoidance.
> Anyway, thanks for help on correcting my perceptions/comprehension at
> this point.
>
> Doug Taggart
>
> Brian Blater (BBList) wrote:
>
> >Thanks,
> >
> >It is in the /etc/sysconfig/apache2 file and it is called
> APACHE_SERVER_FLAGS= on SLES9.
> >
> >Brian
> >
> >
> >
> >>>>On Mon, Apr 17, 2006 at 11:56 am, in message
> >>>>
> >>>>
> ><20060417155631.GA12388 at mail.trilug.org>, oberry at trilug.org wrote:
> >
> >
> >>I can't comment on SLES 9, but on a RHEL 4 box I have
> >>/etc/sysconfig/httpd, which has a section as follows:
> >>
> >># To pass additional options (for instance, -D definitions) to the
> >># httpd binary at startup, set OPTIONS here.
> >>#
> >>#OPTIONS=
> >>
> >>Maybe you have the same system config file, or similar?
> >>
> >>Owen
> >>
> >>On Mon, Apr 17, 2006 at 10:59:40AM -0400, Brian Blater (BBList) wrote:
> >>
> >>
> >>>I have a SLES 9 box running Apache 2.0.54 happily. However, I would
> like to
> >>>
> >>>
> >>setup SSL and be able to access pages on the box using https://. Easy
> enough I
> >>thought. I looked in the listen.conf file and saw the following:
> >>
> >>
> >>>Listen 80
> >>>
> >>><IfDefine SSL>
> >>>    <IfDefine !NOSSL>
> >>>        <IfModule mod_ssl.c>
> >>>            Listen 443
> >>>        </IfModule>
> >>>    </IfDefine>
> >>></IfDefine>
> >>>
> >>>This should mean that the server will listen on port 443, however it
> isn't.
> >>>
> >>>
> >>If I add a Listen 443 right under the Listen 80 it works. So, that got
> me
> >>wondering what this <ifdefine ssl> does and why it wasn't working. I did
> the
> >>google search and found a couple of things, one which mentioned apache2
> >>should be started with the -DSSL option (as seen in a ps awx | grep
> http), but
> >>I just see the following:
> >>
> >>
> >>>21671 ?        Ss     0:00 /usr/sbin/httpd2-prefork -f
> /etc/apache2/httpd.conf
> >>>
> >>>So, what do I need to do to get apache2 to start on SLES with SSL
> support? I
> >>>
> >>>
> >>know I can just add the Listen 443 option manually, but this has become
> more
> >>of a quest for learning what the <ifdefine ssl> is for and why it isn't
> >>working.
> >>
> >>
> >>>Thanks for your help.
> >>>Brian
> >>>
> >>>
> >>>
> >
> >
> >
>
> --
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>
