Virtualni SSL-servery APACHE

Pavel Vrzal pavel.vrzal na unimontex.cz
Pondělí Březen 18 08:45:44 CET 2002


Vazeni pritomni,
vyskytl se u nas maly problem.
Na nasem WWW-serveru provozujeme nekolik virtualnich serveru dcerinych
spolecnosti. Vsechno pracovalo jak ma.
Nyni jsem chtel z duvodu zvyseni bezpecnosti nainstalovat SSL-certifikaty
pro jednotlive virtualni servery.
Problem mam v tom, ze jednotlive virtualni SSL-servery si neberou
SSL-certifikat ze svych vlastnich direktiv, ale vzdy z toho virtualniho
serveru, ktery je v souboru HTTPD.CONF uveden jako prvni. V tomto pripade
je to server email.unimontex.cz.
Prosim nasmerujte me, co bych mel prohlednout. V log souborech jsem
nenasel zadnou smysluplnou chybu, ktere bych se mohl chytit.


Vypis z httpd.conf>>>

# Marks 172.17.88.3:443 as an address for name-based virtual hosts, i.e. the
# <VirtualHost> is selected by the Host header of the HTTP request.
# NOTE(review): on an SSL port the server certificate is sent during the TLS
# handshake, before any Host header has arrived. Unless both the server build
# and the client support TLS Server Name Indication (SNI), the SSL settings of
# the first <VirtualHost> declared for this address are used for every name,
# which matches the symptom described above. Distinct certificates then need a
# distinct IP address or port per SSL vhost, or a single certificate that is
# valid for all the hosted names.
NameVirtualHost 172.17.88.3:443

# SSL virtual host for email.unimontex.cz.
# This is the first <VirtualHost> declared for 172.17.88.3:443, so it acts as
# the default for that address. NOTE(review): without SNI its certificate is
# the one presented in the handshake for every hostname on this IP:port.
<VirtualHost 172.17.88.3:443>
DocumentRoot "/var/www/html_virtual/email.cz"
ServerName email.unimontex.cz
# "na" looks like the list archive's replacement for "@" in the address.
ServerAdmin root na unimontex.cz
ErrorLog /etc/httpd/logs/virtual/email_cz_error_ssl_log
# Turn on SSL/TLS for this vhost.
SSLEngine on
# Server certificate; its subject name has to match the hostname clients use.
SSLCertificateFile /etc/httpd/conf/ssl.crt/email.unimontex.cz.crt
# Private key for the certificate above. Keep it readable by root only:
# anyone who can read this file can impersonate the site.
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/email.unimontex.cz.key
# CA certificate(s) sent with the server certificate so that clients can
# build the chain.
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt
# Export the standard SSL_* environment variables only for CGI and SSI files.
<Files ~ "\.(cgi|shtml)$">
    SSLOptions +StdEnvVars
</Files>
# For user agents containing "MSIE": disable keep-alive and close the SSL
# connection without the close-notify exchange.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
# Per-request SSL log: time, client host, protocol version, cipher, request
# line, bytes sent. The www.unimontex.cz vhost in this file writes to the same
# path and the format carries no vhost name, so an entry cannot be attributed
# to a vhost. NOTE(review): adding %v to the format would show which vhost
# actually handled a request, which helps when diagnosing vhost selection.
CustomLog /var/log/httpd/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

# SSL virtual host for www.unimontex.cz.
# Second <VirtualHost> declared for the same 172.17.88.3:443 address.
# NOTE(review): without SNI the certificate configured here is not the one
# sent in the handshake; clients asking for www.unimontex.cz would be shown
# the first vhost's certificate and get a name-mismatch warning.
<VirtualHost 172.17.88.3:443>
DocumentRoot "/var/www/html"
ServerName www.unimontex.cz
# "na" looks like the list archive's replacement for "@" in the address.
ServerAdmin root na unimontex.cz
ErrorLog /etc/httpd/logs/error_ssl_log
# Turn on SSL/TLS for this vhost.
SSLEngine on
# Disabled sample cipher list, so a global setting or the module default
# applies here. NOTE(review): do not enable it as written. "ALL" still admits
# export-grade (EXP), LOW and SSLv2 suites; the "+" terms only move them to
# the end of the preference order.
#SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Server certificate and private key (the DSA alternatives are disabled).
# Keep the key file readable by root only.
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
#SSLCertificateFile /etc/httpd/conf/ssl.crt/server-dsa.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
#SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server-dsa.key
# CA certificate(s) sent with the server certificate so that clients can
# build the chain.
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt
# Client-certificate verification (trusted CAs, CRLs, SSLVerifyClient) is
# entirely disabled below, so this vhost does not ask clients for a
# certificate unless that is configured elsewhere in the file.
#SSLCACertificatePath /etc/httpd/conf/ssl.crt
#SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
#SSLCARevocationPath /etc/httpd/conf/ssl.crl
#SSLCARevocationFile /etc/httpd/conf/ssl.crl/ca-bundle.crl
#SSLVerifyClient require
#SSLVerifyDepth  10
# Disabled sample access rule (SSLRequire on cipher, client DN, time of day
# and source address); it has no effect while commented out.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
# Export the standard SSL_* environment variables only for CGI and SSI files
# and for the cgi-bin directory.
<Files ~ "\.(cgi|shtml)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
# For user agents containing "MSIE": disable keep-alive and close the SSL
# connection without the close-notify exchange.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
# Per-request SSL log: time, client host, protocol version, cipher, request
# line, bytes sent. The email.unimontex.cz vhost in this file writes to the
# same path and the format carries no vhost name. NOTE(review): adding %v to
# the format would show which vhost actually handled a request.
CustomLog /var/log/httpd/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

--
s pozdravem
Pavel Vrzal
e-mail: pavel.vrzal na unimontex.cz


