RE: [cobalt-users] SSL is driving me crazy
- Subject: RE: [cobalt-users] SSL is driving me crazy
- From: Rickard Osser <ricky@xxxxxxxx>
- Date: Sun Jan 30 06:34:48 2000
Quoting Liz <daldog@xxxxxxxx>:
> Tony...
>
> Thanks for the clarification on the RaQ model. No doubt this
> is going to be a TOTAL WASTE of IP addresses for RaQ3
> owners, plus an added cost to any ecommerce sites that are
> hosted on this server. Is Cobalt in cahoots with
> Thawte/Verisign?? Hmm.
>
> When I have to justify to my provider why I need yet another
> bank of 10 or 20 more IPs this week, I'll just tell them to
> contact Cobalt Support for that answer.
Liz, this has absolutely nothing to do with Cobalt/
Redhat SSL or Thawte/Verisign...
It's a function of how the SSL-layer is implemented. SSL
has no concept of virtual hosting itself, it only knows
how to encrypt between 2 ip-addresses with a certificate
connected to the IP-address of the server. Verisign and
Thawte are both younger companies than SSL itself and
virtual hosting is a lot younger than SSL as well.
Best regards,
Rickard Osser
> Liz
>
>
>
> ------Original Message------
> From: "Tony" <isplists@xxxxxxxxxxxx>
> To: cobalt-users@xxxxxxxxxxxxxxx
> Sent: January 30, 2000 7:27:15 AM GMT
> Subject: RE: [cobalt-users] SSL is driving me crazy
>
>
> oops..no...Raq2 only. I just started configuring my Raq3i
> and there are
> some major differences. I still have to get the Raq1 cobwebs
> out of my head.
> Seems like Cobalt went back to using the srm.conf and
> access.conf files
> where on the RaQ2 all directory containers and directives
> are in the
> httpd.conf and httpd-ssl.conf files.
>
> Since the RaQ3 uses the GUI in a big way to enable SSL I
> don't think it
> will be possible to do the symlink method anymore. The raq3
> 'manual'
> mentions
> that SSL can only be used on 1 virtual name-based site.
> Seems everything
> will be handled by the main httpd.conf file.
>
> Also seems like the best way to go on Raq3 is to have an
> IP-based virtual
> site for every domain that requires SSL, require the site
> owner to shell out
> the $125 for their own Thawte cert and use the GUI to
> administer it.
>
> I'm really not fond of the symlink/share-the-ISP-Cert method
> actually.
> If a client is serious about e-commerce it should not be
> hard to point
> out the advantage of their customers seeing this in their
> browsers:
>
> https://www.mydomain.com/cgi-bin/gimmeyourcash.cgi
>
> instead of
>
> https://secure.isp.net/cgi-bin/mydomain/gimmeyourcash.cgi
>
> Tony
>
> -----Original Message-----
> From: cobalt-users-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Liz
> Sent: Sunday, January 30, 2000 12:51 AM
> To: cobalt-users@xxxxxxxxxxxxxxx
> Subject: RE: [cobalt-users] SSL is driving me crazy
>
>
> Tony,
>
> Thanks a bunch for the details. Your instructions apply to
> a RaQ3, correct?
>
> Reason why I ask, I don't have a "httpd-ssl.conf" file. Did
> a "find" but that was the only file that was not found. All
> it found was a "ssl.conf" file in etc/admserv/conf/ ..and
> there is no <Directory> directive in that file at all. Just
> a bunch of other stuff like Sessions and the like. If your
> instructions are for a RaQ2 then I'm probably sunk without
> the httpd-ssl.conf. The httpd.conf has various lines of
> Perl code doing something with the SSL before the
> <VirtualHost> sections. Comments in the code refer to
> "build new section in the conf file for SSL sections" and
> then it does stuff with RewriteRules and Cond's.
>
> I have an O'Reilly book for Apache but it doesn't have
> anything pertaining to SSL. My copy was published before
> Apache 1.3, so its current worth is probably best suited as
> kindling for the fireplace.
>
> Liz
>
>
> ------Original Message------
> From: "Tony" <isplists@xxxxxxxxxxxx>
> To: cobalt-users@xxxxxxxxxxxxxxx
> Sent: January 28, 2000 5:34:21 PM GMT
> Subject: RE: [cobalt-users] SSL is driving me crazy
>
>
> Most likely this a httpd-ssl.conf error. Make sure you have
> your <directory> container correct.
> It needs this line:
> Options FollowSymLinks Includes ExecCGI
>
> As for ownership it should be root with the SSL site as
> group.
> You should be able to cd to the link in telnet.
>
> I had to make quite a few changes to get this to work
> properly.
> First, a secure link is useless without cgi-support since
> most
> sites need this for shopping cart use.
>
> The first thing I do is disable cgi-wrap by using the
> include
> statement in httpd.conf along with an extra conf file for
> the site.
> Just the relevant parts are included here:
>
> In the main httpd.conf:
>
> <VirtualHost xxx.xxx.xxx.xxx>
> Include /etc/httpd/conf/site22.conf
> xxxxxx
> #AddHandler cgi-wrapper .cgi
> #AddHandler cgi-wrapper .pl
> </VirtualHost>
>
> In site22.conf:
>
> Options Indexes FollowSymLinks Includes ExecCGI
> AddHandler cgi-script .cgi
> AddHandler cgi-script .pl
> ScriptAlias /cgi-bin/ /home/sites/site22/cgi-bin/
>
> [container tags not needed]
>
> The httpd-ssl.conf has a cgi-bin configured through
> the Script-Alias directive:
>
> ScriptAlias /cgi-bin/ /home/sites/ssl/cgi-bin/
>
> [note the trailing slash!]
>
> Followed by a Directory Container:
>
> <Directory /home/sites/ssl/cgi-bin/>
> Options FollowSymLinks Includes ExecCGI
> AllowOverride ALL
> Order allow,deny
> Allow from all
> </Directory>
>
> You should actually use FollowSymLinksIfOwnerMatch
> though to make it more secure on a multi-user box
> and chown the symlink to the virtual site.
>
> Now you can make the symlink in either the
> web or cgi-bin of the ssl site.
>
> ln -s /home/sites/siteX/web nameofdomain.com
>
> results in this:
>
> 1 root site1 22 Jan 28 11:20 nameofdomain.com -> /home/sites/siteX/web
>
> I use the above naming scheme because it's cleaner
> when doing html links. The URL would be:
> https://secure.domain.com/nameofdomain.com/document.html
>
> Do the same thing in the cgi-bin of the secure site:
>
> ln -s /home/sites/siteX/cgi-bin nameofdomain.com
>
> and the final URL should be:
>
> https://secure.domain.com/cgi-bin/nameofdomain.com/nameofscript.cgi
>
>
> I highly recommend getting the O'Reilly Apache book..ISBN
> 1-56592-250-6
> by Ben & Peter Laurie.
>
> Tony
>
>
>
> -----Original Message-----
> From: cobalt-users-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Liz
> Sent: Friday, January 28, 2000 12:52 AM
> To: cobalt-users@xxxxxxxxxxxxxxx
> Subject: Re: [cobalt-users] SSL is driving me crazy
>
>
> Cool, thanks for the detailed instructions! Still no such
> luck, tho. :-(
>
> I set up the symbolic link exactly how it was spelled out
> below, but now I'm getting a 403 FORBIDDEN when I try to
> visit URL...
> https://www.domain.com/www.otherdomain.com/web/filename.html
>
> Even if I remove the "s" as in..
> http://www.domain.com/www.otherdomain.com/web/filename.html
> I still get the same error.
>
> The symlink owner is site1 where the CA is setup for secure
> stuff. After getting the 403 I tried chgrp'ing the symlink
> to site7 (the crash test dummy site who happens to be on
> their own IP) along with chown'ing to a user of
> site7...still received the same 403 error. Who will be the
> owner/group of the symlink, site1 or site7..???
>
> Is there something else I may be missing?
>
> Liz
>
> ------Original Message------
> From: John Bush <jbush@xxxxxxxxxxxxxxx>
> To: cobalt-users@xxxxxxxxxxxxxxx
> Sent: January 26, 2000 5:16:12 AM GMT
> Subject: Re: [cobalt-users] SSL is driving me crazy
>
>
> you need to make symbolic links from your main site to that
> of other
> sites:
>
> For instance, your site is at
> /home/sites/www.maindomain.com/web
> Theirsite is at /home/sites/www.theirsite.com/web
>
> Telnet to your server and type:
>
> ln -s /home/sites/www.theirsite.com/web
> /home/sites/www.maindomain.com/web/theirsite
>
> That will make a symbolic link in your main site's web space
> to the
> other virtual site.
>
> Then to call theirsite securely, you would access:
> https://www.maindomain.com/theirsite/filename.html
>
> This way you won't have to copy any files or create any more
> users.
> You may have to do some ownership and group fiddling to get
> cgi scripts
> to work, that is my personal task for tomorrow.
>
> Liz wrote:
>
> > I tried doing something similar to
> > "secure.yoursite.com/theirsite1" but no such luck. I'm not
> > using "secure.domain.com"...just a regular
> "www.domain.com"
> > as my SSL domain name which has a certificate. Maybe
> that's
> > why I'm having problems?
> >
> > It seems the only other option I'm stuck with is to create
> a
> > user for each site where the URL would be...
> > https://www.domain.com/~user/
> > I'm not crazy about doing this at all since I would prefer
> > it if all user files remained within their own directory
> > structure.
> >
> > I was informed today that Cobalt didn't make a SSL patch
> for
> > the RaQ3 as they did for the RaQ2. Until that's available
> > the following isn't supposed to work
> > https://www.domain.com/site#/
> > Please share how you got yours working! :)
> >
> > ------Original Message------
> > From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
> > To: cobalt-users@xxxxxxxxxxxxxxx
> > Sent: January 21, 2000 9:00:10 PM GMT
> > Subject: Re: [cobalt-users] SSL is driving me crazy
> >
> > At 10:43 AM 1/21/00 Liz wrote:
> > >I'm seriously lost on this SSL stuff and am hoping
> someone
> > >in this group can help answer the following...
> > >
> > >What the best way to setup the RaQ3 so each virtual site
> > can
> > >share one common ssl certificate?
> >
> > There's only one "real" way to do this without each
> virtual
> > site customer
> > getting a warning each time they enter the site:
> >
> > secure.yoursite.com/theirsite1
> > secure.yoursite.com/theirsite2
> >
> > Both Verisign and Thawte will tell you this is a violation
> > of their
> > license. However, they'll also tell you (under duress,
> but
> > they will) that
> > everyone does it.
> >
> > So, yoursite.com gets the stand-alone IP# and the
> > certificate. The rest is
> > all subdirectories.
> >
> > >Is it required that each virtual site must have its own
> IP
> > >address in order to share, or can it work with name-based
> > >hosting?
> >
> > Theirsite1.com and theirsite2.com, etc., can have
> name-based
> > hosting. Secure.yoursite.com needs its own IP#.
> >
> > Jeff
> >
> > --
> > Jeff Lasman, nobaloney.net
> > <jblists@xxxxxxxxxxxxx>
> > <www.nobaloney.net>, <www.mailtraqna.com>,
> > <www.email-lists.com>
> >
> > _______________________________________________
> > cobalt-users mailing list
> > cobalt-users@xxxxxxxxxxxxxxx
> > http://list.cobalt.com/mailman/listinfo/cobalt-users
> >
> > ______________________________________________
> > FREE Personalized Email at Mail.com
> > Sign up at http://www.mail.com?sr=mc.mk.mcm.tag001
> >
>
> --
> John Bush
> Systems Administrator
> Apex Web Technologies
> http://apexhosting.com
> Toll Free (877) 377-APEX
>
>
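Tony's advice above to use FollowSymLinksIfOwnerMatch rather than FollowSymLinks on a multi-user box comes down to one comparison: Apache follows a link only when the link itself and the file it points to are owned by the same uid. The script below is an added example, not code from this thread or from Cobalt; it walks a RaQ-style secure-site tree (the /home/sites/site1 and siteX paths are constructed for the demo), reports every symlink whose owner differs from its target's owner, and treats a dangling link as a mismatch. The owner lookups are parameters so that a mismatch can be simulated without root, since creating a real one would need chown.

```python
"""Audit symlinks under a web root for owner mismatches.

Added example, not code from the cobalt-users thread. It models the check
that Apache's FollowSymLinksIfOwnerMatch performs: a link is followed only
when the link and its target share a uid. With plain FollowSymLinks any
account on a shared box can expose another site's files through the secure
site by planting a link, so listing mismatches shows what a shared document
root currently exposes.
"""
import os
import tempfile
from typing import Callable, List, NamedTuple, Optional


class SymlinkCheck(NamedTuple):
    link: str
    target: str
    link_uid: int
    target_uid: Optional[int]   # None when the link is dangling
    owner_matches: bool


def _link_uid(path: str) -> int:
    return os.lstat(path).st_uid          # the link itself, not what it points to


def _target_uid(path: str) -> int:
    return os.stat(path).st_uid           # follows the link


def check_symlink(link_path: str,
                  link_owner: Callable[[str], int] = _link_uid,
                  target_owner: Callable[[str], int] = _target_uid) -> SymlinkCheck:
    """Compare the uid of a symlink with the uid of its target."""
    link_uid = link_owner(link_path)
    try:
        target_uid: Optional[int] = target_owner(link_path)
    except FileNotFoundError:             # dangling link: nothing to match against
        target_uid = None
    return SymlinkCheck(link_path, os.readlink(link_path), link_uid, target_uid,
                        target_uid is not None and target_uid == link_uid)


def audit_symlinks(root: str, **owner_lookups) -> List[SymlinkCheck]:
    """Walk root without descending into linked directories; check every symlink."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                results.append(check_symlink(path, **owner_lookups))
    return sorted(results)


def offending(checks: List[SymlinkCheck]) -> List[SymlinkCheck]:
    return [c for c in checks if not c.owner_matches]


def build_demo_layout(base: str) -> str:
    """Constructed RaQ-style tree (hypothetical paths): site1 is the secure site,
    siteX a customer site reached through links, plus one dangling link."""
    sites = os.path.join(base, "home", "sites")
    for d in ("site1/web", "site1/cgi-bin", "siteX/web", "siteX/cgi-bin"):
        os.makedirs(os.path.join(sites, d))
    os.symlink(os.path.join(sites, "siteX", "web"),
               os.path.join(sites, "site1", "web", "nameofdomain.com"))
    os.symlink(os.path.join(sites, "siteX", "cgi-bin"),
               os.path.join(sites, "site1", "cgi-bin", "nameofdomain.com"))
    os.symlink(os.path.join(sites, "siteY", "web"),            # siteY does not exist
               os.path.join(sites, "site1", "web", "stale.example"))
    return os.path.join(sites, "site1")


def run_demo() -> dict:
    """Audit the constructed layout twice: with real ownership (every link was
    made by the current user, so link and target match) and with simulated
    ownership where links belong to uid 501 and targets to uid 507."""
    with tempfile.TemporaryDirectory() as base:
        secure_site = build_demo_layout(base)
        real = audit_symlinks(secure_site)
        simulated = audit_symlinks(secure_site,
                                   link_owner=lambda p: 501,
                                   target_owner=lambda p: 507)
    return {"link_count": len(real),
            "real_mismatches": offending(real),
            "simulated_mismatches": offending(simulated)}


if __name__ == "__main__":
    report = run_demo()
    print(f"{report['link_count']} symlinks checked")
    for c in report["real_mismatches"]:
        print(f"  real:      {c.link} -> {c.target} (target uid {c.target_uid})")
    for c in report["simulated_mismatches"]:
        print(f"  simulated: {c.link} (link uid {c.link_uid}, target uid {c.target_uid})")
```

Run it as-is to see the constructed layout audited; point audit_symlinks at a real document root to list the links Apache would refuse under FollowSymLinksIfOwnerMatch but happily serve under FollowSymLinks. The dangling link is reported as a mismatch on purpose: a stale link is the usual leftover when a customer site is deleted and recreated under a different uid.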