If you're worried about a man-in-the-middle attack but still want a poor man's hosting, you could get a one-month trial certificate from rapidssl.com for practically any domain (including dynamic ones like mysite.no-ip.com). During the trial period (they basically set the certificate to expire in a month's time) you can be free of m-i-t-m attacks. But even after the trial period all you have is an expired certificate, which, except for the date and the browser pop-up which says that the cert has expired, is still free from m-i-t-m attacks.

I'm sorry, I didn't follow the entire thread so am not sure if the above will help you in any way. It would be nice if each message from the list would include an HTTP link to a message thread somewhere...

SithLord wrote:

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project. See

On Tuesday 25 July 2006 03:18, Joshua Slive wrote:

> First, SSL without a valid certificate trusted by the client is not any safer than plain-text in the end. A "man-in-the-middle" could sit on the wire, provide your clients with a bogus certificate, and decrypt all the traffic on the way back and forth to the server. Since your clients are used to hitting "ignore" on the certificate error warnings, they would be none-the-wiser.

You're absolutely right but I don't have any "clients". These services are not for public use. This isn't a production service available to real clients/customers. I have some services at home I like/need to have available from outside. Moreover, there is nothing absolutely critical and most of these services could be available through plain HTTP. Remember that I talked about a "poor man's" HTTPS virtual hosting, nothing related to production use.

> Second, what you want is not possible in any released version of apache. mod_ifenv wouldn't do it, since I'm fairly sure it cues off env variables set at apache start time, not off dynamic per-request env variables. That kind of per-request configuration is only possible if individual env variables support it.

That's interesting! There's nothing in the ifenv module which indicates that the env vars are dynamically called and examined. You have a big point here.

> As luck would have it, I believe there is some action on the development list about making it possible to use env variables in ProxyPassReverse. But it isn't in any released version, and likely won't be for some time.

Thanks for the information, I wasn't aware of that :-) I can test that.