RE: [cobalt-users] SSL is driving me crazy
- Subject: RE: [cobalt-users] SSL is driving me crazy
- From: "Tony" <isplists@xxxxxxxxxxxx>
- Date: Fri Jan 28 13:30:31 2000
Most likely this is a httpd-ssl.conf error. Make sure you have
your <directory> container correct.
It needs this line:
Options FollowSymLinks Includes ExecCGI
As for ownership it should be root with the SSL site as group.
You should be able to cd to the link in telnet.
I had to make quite a few changes to get this to work properly.
First, a secure link is useless without cgi-support since most
sites need this for shopping cart use.
The first thing I do is disable cgi-wrap by using the include
statement in httpd.conf along with an extra conf file for the site.
Just the relevant parts are included here:
In the main httpd.conf:
<VirtualHost xxx.xxx.xxx.xxx>
Include /etc/httpd/conf/site22.conf
xxxxxx
#AddHandler cgi-wrapper .cgi
#AddHandler cgi-wrapper .pl
</VirtualHost>
In site22.conf:
Options Indexes FollowSymLinks Includes ExecCGI
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
ScriptAlias /cgi-bin/ /home/sites/site22/cgi-bin/
[container tags not needed]
The httpd-ssl.conf has a cgi-bin configured through
the Script-Alias directive:
ScriptAlias /cgi-bin/ /home/sites/ssl/cgi-bin/
[note the trailing slash!]
Followed by a Directory Container:
<Directory /home/sites/ssl/cgi-bin/>
Options FollowSymLinks Includes ExecCGI
AllowOverride ALL
Order allow,deny
Allow from all
</Directory>
You should actually use FollowSymLinksIfOwnerMatch
though to make it more secure on a multi-user box
and chown the symlink to the virtual site.
Now you can make the symlink in either the
web or cgi-bin of the ssl site.
ln -s /home/sites/siteX/web nameofdomain.com
results in this:
1 root site1 22 Jan 28 11:20 nameofdomain.com -> /home/sites/siteX/web
I use the above naming scheme because it's cleaner
when doing html links. The URL would be:
https://secure.domain.com/nameofdomain.com/document.html
Do the same thing in the cgi-bin of the secure site:
ln -s /home/sites/siteX/cgi-bin nameofdomain.com
and the final URL should be:
https://secure.domain.com/cgi-bin/nameofdomain.com/nameofscript.cgi
I highly recommend getting the O'Reilly Apache book..ISBN 1-56592-250-6
by Ben & Peter Laurie.
Tony
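
Added example, not part of the original message: a check for the ownership rule recommended above. Apache spells the option `SymLinksIfOwnerMatch`, and it follows a link only when the link and its target have the same owner, so a mismatch shows up as a 403. The function names are hypothetical; `audit_dir` is meant to be pointed at the SSL site's web or cgi-bin directory.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from the thread).
# Apache's SymLinksIfOwnerMatch follows a symlink only when the link and
# its target are owned by the same uid; this reports links that fail that.

# owner_uid PATH [L]: numeric uid of PATH itself, or of its target with "L".
owner_uid() {
    if [ "${2:-}" = "L" ]; then
        ls -ldnL -- "$1" 2>/dev/null | awk '{print $3}'
    else
        ls -ldn -- "$1" 2>/dev/null | awk '{print $3}'
    fi
}

# check_link LINK: returns 0 = owners match, 1 = mismatch, 2 = not checkable.
check_link() {
    link=$1
    if [ ! -L "$link" ]; then
        echo "SKIP     $link (not a symlink)"; return 2
    fi
    if [ ! -e "$link" ]; then
        echo "BROKEN   $link (target missing)"; return 2
    fi
    luid=$(owner_uid "$link")
    tuid=$(owner_uid "$link" L)
    if [ "$luid" = "$tuid" ]; then
        echo "OK       $link (uid $luid)"; return 0
    fi
    # Fix with: chown -h <target-owner> LINK  (-h changes the link itself)
    echo "MISMATCH $link (link uid $luid, target uid $tuid)"
    return 1
}

# audit_dir DIR: check every symlink directly inside DIR,
# e.g. audit_dir /home/sites/ssl/cgi-bin; returns non-zero on any problem.
audit_dir() {
    bad=0
    for entry in "$1"/*; do
        [ -L "$entry" ] || continue
        check_link "$entry" || bad=$((bad + 1))
    done
    echo "$bad problem link(s) in $1"
    [ "$bad" -eq 0 ]
}
```
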
-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Liz
Sent: Friday, January 28, 2000 12:52 AM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] SSL is driving me crazy
Cool, thanks for the detailed instructions! Still no such
luck, tho. :-(
I set up the symbolic link exactly how it was spelled out
below, but now I'm getting a 403 FORBIDDEN when I try to
visit URL...
https://www.domain.com/www.otherdomain.com/web/filename.html
Even if I remove the "s" as in..
http://www.domain.com/www.otherdomain.com/web/filename.html
I still get the same error.
The symlink owner is site1 where the CA is setup for secure
stuff. After getting the 403 I tried chgrp'ing the symlink
to site7 (the crash test dummy site who happens to be on
their own IP) along with chown'ing to a user of
site7...still received the same 403 error. Who will be the
owner/group of the symlink, site1 or site7..???
Is there something else I may be missing?
Liz
------Original Message------
From: John Bush <jbush@xxxxxxxxxxxxxxx>
To: cobalt-users@xxxxxxxxxxxxxxx
Sent: January 26, 2000 5:16:12 AM GMT
Subject: Re: [cobalt-users] SSL is driving me crazy
You need to make symbolic links from your main site to that
of other sites:
For instance, your site is at /home/sites/www.maindomain.com/web
Theirsite is at /home/sites/www.theirsite.com/web
Telnet to your server and type:
ln -s /home/sites/www.theirsite.com/web /home/sites/www.maindomain.com/web/theirsite
That will make a symbolic link in your main site's web space
to the other virtual site.
Then to call theirsite securely, you would access:
https://www.maindomain.com/theirsite/filename.html
This way you won't have to copy any files or create any more
users.
You may have to do some ownership and group fiddling to get
cgi scripts to work, that is my personal task for tomorrow.
Liz wrote:
> I tried doing something similar to
> "secure.yoursite.com/theirsite1" but no such luck. I'm not
> using "secure.domain.com"...just a regular "www.domain.com"
> as my SSL domain name which has a certificate. Maybe that's
> why I'm having problems?
>
> It seems the only other option I'm stuck with is to create a
> user for each site where the URL would be...
> https://www.domain.com/~user/
> I'm not crazy about doing this at all since I would prefer
> it if all user files remained within their own directory
> structure.
>
> I was informed today that Cobalt didn't make a SSL patch for
> the RaQ3 as they did for the RaQ2. Until that's available
> the following isn't supposed to work
> https://www.domain.com/site#/
> Please share how you got yours working! :)
>
> ------Original Message------
> From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
> To: cobalt-users@xxxxxxxxxxxxxxx
> Sent: January 21, 2000 9:00:10 PM GMT
> Subject: Re: [cobalt-users] SSL is driving me crazy
>
> At 10:43 AM 1/21/00 Liz wrote:
> >I'm seriously lost on this SSL stuff and am hoping someone
> >in this group can help answer the following...
> >
> >What's the best way to set up the RaQ3 so each virtual site can
> >share one common ssl certificate?
>
> There's only one "real" way to do this without each virtual
> site customer getting a warning each time they enter the site:
>
> secure.yoursite.com/theirsite1
> secure.yoursite.com/theirsite2
>
> Both Verisign and Thawte will tell you this is a violation
> of their license. However, they'll also tell you (under duress,
> but they will) that everyone does it.
>
> So, yoursite.com gets the stand-alone IP# and the
> certificate. The rest is all subdirectories.
>
> >Is it required that each virtual site must have its own IP
> >address in order to share, or can it work with name-based
> >hosting?
>
> Theirsite1.com and theirsite2.com, etc., can have name-based
> hosting. Secure.yoursite.com needs its own IP#.
>
> Jeff
>
> --
> Jeff Lasman, nobaloney.net
> <jblists@xxxxxxxxxxxxx>
> <www.nobaloney.net>, <www.mailtraqna.com>,
> <www.email-lists.com>
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>
--
John Bush
Systems Administrator
Apex Web Technologies
http://apexhosting.com
Toll Free (877) 377-APEX