Re: SSL and Apache

Author: Alex Dean
Date:  
To: discussion list Main
Subject: Re: SSL and Apache

On Mar 9, 2006, at 11:49 AM, Carl Parrish wrote:

> Alex Dean wrote:
>
>> It's not so bad. The main things are :
>>
>> - You can't have more than 1 SSL site per IP:port combination.
>> - You have to specify a port for every virtual host (80, 443, or
>> otherwise) in the <VirtualHost>. There are differences in using
>> named virtual hosts vs. ip-based virtual hosts that can be
>> confusing, but if you only have 1 IP <VirtualHost *:80> or
>> <VirtualHost *:443> will do fine.
>>
>> The only directives you need in the VirtualHost are :
>> SSLEngine On
>> SSLCertificateFile file.crt
>> SSLCertificateKeyFile file.key
>>
>> Other directives may be desirable/useful, but those 3 will make
>> it 'go'.
>>
>> alex
>> .
>>
> Alex,
> I currently only have one IP on this computer but I need to set up
> 3 secure virtual hosts. Would it be better / safer / easier to
> change ip addresses or port numbers for the others? I've added IP
> addresses before so it's not *that* big of a deal but please keep in
> mind I'm more of a programmer than a system admin.
Me, too. :) I've learned Apache configuration out of necessity.

From a web-only perspective, I'd say that if you've got the extra
IPs, use 'em. Non-standard ports are hard for users and search
engines. But setting up extra IPs is work in itself (router/firewall
stuff you wouldn't need to do with only 1 IP). If these are private
sites with small userbases, 3 goofy ports on a single IP is probably
no big deal. I don't think either approach has any specific security
implications, since the encryption is the same either way. (But the
more security-knowledgeable on this list might know something I don't
in this respect.)

'apachectl configtest' is really useful. If you don't get anything
from 'configtest' and it's still not working, skim through the apache
error logs. 'configtest' only knows about syntax errors, so
underlying ssl problems (like an incorrect key file) won't be caught
until you actually restart the server. If you do have problems, be
sure to check both your main log and the virtual-host specific ones.
If you have to do this a lot, it can be nice to have a 2nd console
window open running 'tail -f /your/apache/error.log'. You'll see the
new log entries as they are written.

alex
.
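Added example, not part of the list thread: a small Python checker for the two things Alex raises, that (pre-SNI) Apache allows only one SSL site per IP:port, and that each SSL vhost carries the three directives he lists. The httpd.conf fragment is constructed, and the parser assumes one address per `<VirtualHost>` line.

```python
import re

# Constructed httpd.conf fragment: three SSL vhosts on a single IP, but two of
# them share *:443 (the one-SSL-site-per-IP:port conflict discussed above) and
# the third is missing its key file directive.
SAMPLE_CONF = """
Listen 443
Listen 8443
<VirtualHost *:443>
    ServerName one.example.test
    SSLEngine On
    SSLCertificateFile /etc/ssl/one.crt
    SSLCertificateKeyFile /etc/ssl/one.key
</VirtualHost>
<VirtualHost *:443>
    ServerName two.example.test
    SSLEngine On
    SSLCertificateFile /etc/ssl/two.crt
    SSLCertificateKeyFile /etc/ssl/two.key
</VirtualHost>
<VirtualHost *:8443>
    ServerName three.example.test
    SSLEngine On
    SSLCertificateFile /etc/ssl/three.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
REQUIRED = ("SSLCertificateFile", "SSLCertificateKeyFile")

def parse_vhosts(conf):
    """Return a list of (address, {directive_lowercase: value}) per <VirtualHost>."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if len(parts) == 2:
                # Apache directive names are case-insensitive.
                directives[parts[0].lower()] = parts[1]
        vhosts.append((addr.strip(), directives))
    return vhosts

def check_ssl_vhosts(conf):
    """Return problem strings; an empty list means the SSL vhost layout is consistent."""
    problems, seen = [], {}
    for addr, d in parse_vhosts(conf):
        if d.get("sslengine", "").lower() != "on":
            continue  # plain HTTP vhosts may share a port freely
        name = d.get("servername", "<unnamed>")
        for req in REQUIRED:
            if req.lower() not in d:
                problems.append(f"{name}: missing {req}")
        if addr in seen:  # second SSL vhost on the same IP:port
            problems.append(f"{name}: shares {addr} with {seen[addr]}")
        else:
            seen[addr] = name
    return problems
```

Run it against a real config before `apachectl configtest`, since configtest will accept the duplicate *:443 layout as syntactically valid.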
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss