Re: [users@httpd] Virtual Hosting and SSL


 



Boyle Owen wrote:
> First, the lecture:
>
> "...just to include SSL." is your wrongthink.

It's not wrongthink. I don't know what users are going to want to protect, and what they aren't. I make everything potentially protected by SSL and I'll let them use .htaccess and SSLRequireSSL to protect the things they want protected.

> SSL (or to be more accurate, HTTPS) is an additional layer on top of HTTP so it is like it is a different protocol. Therefore your question is a bit like, "Do I have to install Sendmail, just to include SMTP?"

SSL operates above the protocol. The analogy doesn't work. It's more like the telco requiring a separate phone number if you want to speak French over the line.

> For HTTPS to work, it needs a unique TCP/IP socket on which to begin the HTTPS negotiation. That is conventionally port 443. Happily, apache (using mod_ssl) can be configured to handle an HTTPS session, but it requires a virtual host to be configured to handle the requests once they are decrypted. This VH then includes all the SSL directives (eg, SSLEngine on) so it can't be used for plain HTTP.

Which is why it seems like it shouldn't need a separate container. It is already separated from regular HTTP by port.

> I think the underlying problem is that you want a site that automatically works in HTTP or HTTPS with identical content under each. I'm sure you have your reasons, but have you thought through exactly why you want this? SSL is used to protect data when it's on the public part of the route between the client and server. This would either be private data submitted by the client (eg, credit card number) or sent by the server (eg, personal user data held on a server). Why would you want these resources also available under plain HTTP? If people used the HTTP URLs, the data would not be protected. It's a bit like phoning your bank up and asking them to send you some money and, depending on the number you call, they either send it round in an armoured car or post it in the mail in a see-through envelope.

To continue the armored-car analogy, it's like wanting to buy a car with locks that don't *have* to be locked. Instead of having one car with no locks and no armor, and another with armor and locks that are always locked, I want a car that has the armor and locks, but can be left unlocked if I so choose. It's not unusual at all.

--
Jerry Baker

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
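
The setup discussed in this thread, as an added example that is not part of the original message: one content tree served by a plain HTTP virtual host and by a separate HTTPS virtual host, with SSLRequireSSL guarding only a chosen subtree. The hostname, directory paths and certificate file names are placeholders, and the access-control syntax assumes Apache 2.4.

```apache
# Added example; hostname, paths and certificate files are placeholders.
Listen 80
Listen 443

# Shared by both virtual hosts below: the same content tree either way.
<Directory "/var/www/example">
    Require all granted
    # Lets users place SSLRequireSSL in their own .htaccess files
    # (the directive belongs to the AuthConfig override class).
    AllowOverride AuthConfig
</Directory>

# Protected subtree: a request that did not arrive over SSL is denied.
# The same directive could instead go in /var/www/example/private/.htaccess.
<Directory "/var/www/example/private">
    SSLRequireSSL
</Directory>

# Plain HTTP container.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/var/www/example"
</VirtualHost>

# HTTPS container: same ServerName and DocumentRoot, plus the SSL directives.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot "/var/www/example"
    SSLEngine on
    SSLCertificateFile    "/etc/httpd/ssl/example.crt"
    SSLCertificateKeyFile "/etc/httpd/ssl/example.key"
</VirtualHost>
```

SSLRequireSSL refuses the non-SSL request; it does not redirect the client to the HTTPS URL.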


