[CLUE-Tech] apache ssl only on non-well-known port?

Angelo Bertolli angelo at freeshell.org
Fri Apr 2 14:16:40 MST 2004


On Fri, 2 Apr 2004, Chris Schock wrote:

> Date: Fri, 2 Apr 2004 12:36:34 -0700 (MST)
> From: Chris Schock <black at clapthreetimes.com>
> Reply-To: clue-tech at clue.denver.co.us
> To: clue-tech at clue.denver.co.us
> Subject: Re: [CLUE-Tech] apache ssl only on non-well-known port?
>
> I'd love to see it, just for another example of how people configured SSL.

Actually, to me the hardest part was understanding all the intricacies of
SSL:  using keys, generating certificates, etc.  That was the part that
took the most time to set up, especially if you want to have a trusted CA
issue you a certificate (we got one from thawte.com).  After that, the
configuration under Linux/Apache is pretty simple.  (I noticed that during
the process there were mentions on thawte.com about various warnings not
to do such-and-such if you were using IIS--luckily none of those apply ;)

Angelo

Here's the summary (not including the installation of mod_ssl, which
is usually already there):

<IfDefine HAVE_SSL>
Listen 80
Listen 443
</IfDefine>

<IfDefine HAVE_SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
</IfDefine>

<IfDefine HAVE_SSL>
<VirtualHost 192.168.1.75:443>
DocumentRoot /var/www/secure/htdocs
ServerName mysecuresite.com
ServerAdmin admin@mysecuresite.com
ScriptAlias /cgi-bin/ /var/www/secure/cgi-bin/
TransferLog /var/www/secure/logs/access_log
ErrorLog /var/www/secure/logs/error_log
# without SSLEngine on, mod_ssl serves plain HTTP on this vhost
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/mysecuresite.com.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mysecuresite.com.key
SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca_new.txt
SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/secure/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
# MSIE workarounds and the SSL request log (given once; the original
# listed both twice)
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<Directory /var/www/secure/htdocs>
Options ExecCGI FollowSymLinks Includes -Indexes
</Directory>
</VirtualHost>
</IfDefine>
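As an added check that is not part of the original post: a small Python linter for mod_ssl vhost snippets of this shape. It joins backslash-continued lines, then reports containers that are never closed, a :443 VirtualHost with no "SSLEngine on", and a directive repeated verbatim in the same scope. The config it runs on is a constructed cut-down sample, not the posted file.

```python
import re
# Constructed sample carrying three defects this kind of config often has: an <IfDefine>
# that is never closed, a :443 vhost with no "SSLEngine on", and one SetEnvIf given twice.
SAMPLE = """<IfDefine HAVE_SSL>
<VirtualHost 192.168.1.75:443>
SSLCertificateFile /etc/httpd/conf/ssl.crt/mysecuresite.com.crt
SetEnvIf User-Agent ".*MSIE.*" \\
nokeepalive ssl-unclean-shutdown
SetEnvIf User-Agent ".*MSIE.*" \\
         nokeepalive ssl-unclean-shutdown
</VirtualHost>
"""

def logical_lines(text):
    """Yield (lineno, line) with backslash continuations joined; blanks and comments dropped."""
    buf, start = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        s = raw.strip()
        start = start if buf else n
        buf.append(s.rstrip("\\").strip())
        if s.endswith("\\"):
            continue
        joined, buf = " ".join(p for p in buf if p), []
        if joined and not joined.startswith("#"):
            yield start, joined

def lint(text):
    """Return findings: unclosed containers, a :443 vhost lacking 'SSLEngine on', duplicates."""
    findings, stack, seen, ssl_on, tls_vhost = [], [], {}, True, False
    for n, line in logical_lines(text):
        m = re.match(r"<(/?)(\w+)[^>]*>$", line)
        if m and m.group(1):                     # closing container tag
            name, open_n = stack.pop() if stack and stack[-1][0] == m.group(2) else (None, n)
            if name is None:
                findings.append(f"line {n}: stray </{m.group(2)}>")
            elif name == "VirtualHost" and tls_vhost and not ssl_on:
                findings.append(f"line {open_n}: :443 vhost lacks 'SSLEngine on'")
        elif m:                                  # opening container tag
            stack.append((m.group(2), n))
            if m.group(2) == "VirtualHost":
                ssl_on, tls_vhost = False, line.rstrip(">").endswith(":443")
        else:                                    # plain directive, keyed by enclosing scope
            key = (tuple(s[1] for s in stack), " ".join(line.split()))
            ssl_on = ssl_on or key[1].lower() == "sslengine on"
            if key in seen:
                findings.append(f"line {n}: duplicate of line {seen[key]}: {key[1].split()[0]}")
            seen.setdefault(key, n)
    for name, n in stack:
        findings.append(f"line {n}: <{name}> never closed")
    return findings
```

Run `lint(open("httpd.conf").read())` against a real file to get the same three classes of finding with line numbers.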
