Re: mod_status over SSL?


 



Hi,

TLS should work.

What you need is a TLS/SSL config; see the example below.

Include what you need in the *:443 virtualhost.
Of course, you need a private key and a TLS (SSL) certificate/chain. If possible, I can recommend Let's Encrypt. Simply configure TLS, and update with your settings after this works correctly.

# generated 2021-09-07, Mozilla Guideline v5.6, Apache 2.4.48, OpenSSL 1.1.1d, intermediate configuration
# https://ssl-config.mozilla.org/#server=apache&version=2.4.48&config=intermediate&openssl=1.1.1d&guideline=5.6

# this configuration requires mod_ssl, mod_socache_shmcb, mod_rewrite, and mod_headers
<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt >> /path/to/signed_cert_and_intermediate_certs_and_dhparams
    SSLCertificateFile      /path/to/signed_cert_and_intermediate_certs_and_dhparams
    SSLCertificateKeyFile   /path/to/private_key

    # enable HTTP/2, if available
    Protocols h2 http/1.1

    # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
    Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

# intermediate configuration
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

Regards,
Harrie

On Tue, 7 Sep 2021, 23:18 Dave Wreski, <dwreski@xxxxxxxxxxxxxxxxxxx.invalid> wrote:

Hi,

I have an apache-2.4.48 server on fedora34 and would like to enable mod_status to be able to obtain server status information. However, the docs appear to say the only way to access it is over port 80, not SSL. Is that correct?

Chrome is also expecting the site to be over SSL, of course.

https://httpd.apache.org/docs/2.4/mod/mod_status.html

Here is my virtual host entry on port 80:

<VirtualHost 209.216.111.156:80>
  ServerName darwin-perf.example.com
  ServerAdmin admin@xxxxxxxxxxx

  ErrorLog /var/www/otherdomains-443/logs/error_log
  CustomLog /var/www/otherdomains-443/logs/access_log timing
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %T/%D %I/%O/%B H:%H U:%U dp80 s:%s V:%V v:%v" timing

    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 localhost 192.168.1.0/24
    </Location>

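    <Location /server-info>
        SetHandler server-info
        Order Deny,Allow
        # "Order Deny,Allow" allows by default, so deny everyone first
        Deny from all
        # "ip" is a keyword of "Require ip", not of "Allow from"
        Allow from 127.0.0.1 localhost 192.168.1.0/24
    </Location>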

    <Location /perl-status>
      SetHandler perl-script
      PerlResponseHandler Apache2::Status
      Order deny,allow
      Deny from all
      # "ip" is a keyword of "Require ip", not of "Allow from"
      Allow from 127.0.0.1 localhost 192.168.1.0/24
    </Location>

    <FilesMatch "^ping|status-fpm$">                                                      
      RewriteEngine Off
      SetHandler "proxy:unix:/run/php-fpm/linuxsecurity.sock|fcgi://localhost"
    </FilesMatch>

</VirtualHost>
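
The setup discussed in this thread, as an added example that is not part of either message: the /server-status handler from the port 80 virtual host moved into the TLS virtual host, with the 2.2-style Order/Deny/Allow lines replaced by the Apache 2.4 Require syntax. It assumes mod_ssl, mod_status and mod_authz_host are loaded; the certificate paths are the placeholders from the reply above, and the address ranges are the ones from the original post.

```apache
# Added example, not from the thread. Assumes mod_ssl, mod_status and
# mod_authz_host are loaded; certificate paths are placeholders.
<VirtualHost *:443>
    ServerName darwin-perf.example.com

    SSLEngine on
    SSLCertificateFile      /path/to/signed_cert_and_intermediate_certs_and_dhparams
    SSLCertificateKeyFile   /path/to/private_key

    # mod_status is an ordinary content handler: it answers in whichever
    # virtual host the request arrives at, so it works over TLS as-is.
    <Location "/server-status">
        SetHandler server-status

        # Apache 2.4 authorization. Several Require lines are ORed, and
        # any client that matches none of them is denied, so no separate
        # "Deny from all" is needed.
        Require local
        Require ip 192.168.1.0/24
    </Location>
</VirtualHost>
```

Once this works, remove the /server-status block from the port 80 virtual host so the status page is only reachable over TLS.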



