If you are planning on serving both SSL and non-SSL connections, then yes, a separate virtual host is necessary for one of the two. The fact is that the SSLEngine directive is only valid in a server or virtual host context. I do not know the reason for that, but I am sure there is one.

The most important things you need to configure are "SSLEngine On",

These are the overall settings I use for SSL. Replace everything enclosed in %% by actual values.

# SSLSessionCache shm:%%SERVER_ROOT%%/logs/ssl_scache
SSLSessionCacheTimeout 300

## On Solaris, I use pthread. I think it works on SuSE as well.
SSLMutex pthread

## Your system may not have /dev/random. In that case you may just use builtin for startup.
SSLRandomSeed startup file:/dev/random 1024
SSLRandomSeed connect builtin

SSLProtocol All -SSLv2
SSLCipherSuite ALL:!ADH:!EXP:!aNULL:!eNULL:!LOW:RC4+RSA:+HIGH:+MEDIUM
SSLVerifyDepth 3

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>

SSLCACertificatePath %%X509_ROOT%%/ssl.crt

<Directory "%%SERVER_ROOT%%/cgi-bin">
    SSLOptions +ExportCertData +StdEnvVars
</Directory>

For the virtual host itself, I generally use the following template:

Listen %%HTTP_ADDR%%:%%HTTPS_PORT%%
<VirtualHost %%HTTP_ADDR%%:%%HTTPS_PORT%%>
    ServerName %%PUBLIC_NAME%%:%%HTTPS_PORT%%
    SSLCertificateFile %%X509_ROOT%%/ssl.crt/%%PUBLIC_NAME%%.crt
    SSLCertificateKeyFile %%X509_ROOT%%/ssl.key/%%PUBLIC_NAME%%.key
    SSLEngine on
    DocumentRoot %%SERVER_ROOT%%/htdocs
    ErrorLog %%SERVER_LOGS%%/reverse_error_log
    CustomLog %%SERVER_LOGS%%/reverse_access_log combined env=!dontlog
    ## Add whatever you need here
</VirtualHost>

You can then specify the parameters for the non-SSL connections at server level. What you need is a Listen directive, some log specifications...

-ascs

-----Original Message-----
From: Andrew Clarke [mailto:aclarke@xxxxxxxxxxxxx]
Sent: Tuesday, October 04, 2005 2:26 AM
To: Apache Users
Subject: [users@httpd] adding SSL - is a distinct virtual host mandatory?

SuSE 9.3 hosting Apache 2.0.53 (the build from SuSE installs) and Firefox 1.0.6 for a self-contained server and workstation on a laptop.

I'm working on getting https working for the first time, and keep reading hints that it's usual to make another virtual host to carry the SSL. Is this required, or just "a good idea"? If it's a good idea, why?

On a closely related topic, I eventually reached the point of creating a self-certified CA and have made my server keys, but the first response I get from an https://localhost access is an alert box from the browser: "the connection to myserver has terminated unexpectedly. Some data may have been transferred". I do not even get an alert asking if I want to accept a self-certified certificate, so the problem has to be very early in the sequence.

Of course I'm going to assume that there's a few SSL config parameters I need to set, but I was hoping that the default .conf supplied by SuSE/Apache would only need the certificates plugging in and it would just work. Are there any SSL config parameters I MUST set before it will work?

The documentation lacks a clear tutorial (that I've been able to find) so I'd really appreciate it if someone could enumerate the essential parameters. I'll find out what they all mean from there.

Thanks in advance,
A Clarke.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
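
An added example, not part of the thread or of the Apache project: a small Python check for the points raised in the reply above (SSLEngine only in server or virtual host context, certificate and key file present for an SSL virtual host, every %%...%% placeholder replaced). The function name lint_ssl_config and the sample values are hypothetical, and the parser assumes one directive per line with no Include files or line continuations.

```python
import re

PLACEHOLDER = re.compile(r"%%\w+%%")
SECTION = re.compile(r"<(/?)(\w+)")
REQUIRED = ("SSLCertificateFile", "SSLCertificateKeyFile")

# Constructed sample: key file missing, one placeholder left in, SSLEngine in <Directory>.
SAMPLE = """\
<VirtualHost 192.0.2.10:443>
SSLEngine on
SSLCertificateFile %%X509_ROOT%%/ssl.crt/www.example.test.crt
<Directory "/srv/www/cgi-bin">
SSLEngine on
</Directory>
</VirtualHost>
"""

def lint_ssl_config(text):
    """Return sorted (line, message) findings for Apache config text."""
    server = {"name": "server", "line": 0, "seen": {}}
    stack, vhosts, findings = [server], [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if PLACEHOLDER.search(line):
            findings.append((no, "template placeholder not replaced"))
        tag = SECTION.match(line)
        if tag and tag.group(2).lower().startswith("if"):
            continue  # <IfModule>/<IfDefine> do not change the context
        if tag and not tag.group(1):  # opening section
            stack.append({"name": tag.group(2).lower(), "line": no, "seen": {}})
            if stack[-1]["name"] == "virtualhost":
                vhosts.append(stack[-1])
        elif tag and len(stack) > 1:  # closing section
            stack.pop()
        elif tag:
            findings.append((no, "unmatched closing tag"))
        else:
            parts = line.split(None, 1)
            stack[-1]["seen"][parts[0].lower()] = parts[1].lower() if len(parts) > 1 else ""
            if parts[0].lower() == "sslengine" and stack[-1]["name"] not in ("server", "virtualhost"):
                findings.append((no, "SSLEngine outside server or virtual host context"))
    for vh in vhosts:
        merged = {**server["seen"], **vh["seen"]}  # vhost settings override server level
        if merged.get("sslengine") == "on":
            findings += [(vh["line"], f"SSL virtual host has no {d}")
                         for d in REQUIRED if d.lower() not in merged]
    return sorted(findings)
```

Calling lint_ssl_config(SAMPLE) returns one finding for each of the three problems built into the sample; apachectl configtest remains the authoritative syntax check.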