RE: [cobalt-users] SSL is driving me crazy
- Subject: RE: [cobalt-users] SSL is driving me crazy
- From: "Tony" <isplists@xxxxxxxxxxxx>
- Date: Sun Jan 30 10:20:40 2000
Liz,
I went through the same argument about IPs with my upstream.
At the time the Raq2 had just come out and had ISPs drooling over the
200 Domains/1 IP concept. Full SSL though has always required
a site to have its own IP. 3 years ago Name based hosting was
the way those $2.99 a month hosters managed to host 1500 domains
per machine. IMHO, a quality virtual hosting account gets its
own IP. A cheaper loss-leader account with half the features gets
to share via name-based. The pros & cons are many on both sides.
Tony
-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Liz
Sent: Sunday, January 30, 2000 2:28 AM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-users] SSL is driving me crazy
Tony...
Thanks for the clarification on the RaQ model. No doubt this
is going to be a TOTAL WASTE of IP addresses for RaQ3
owners, plus an added cost to any ecommerce sites that are
hosted on this server. Is Cobalt in cahoots with
Thawte/Verisign?? Hmm.
When I have to justify to my provider why I need yet another
bank of 10 or 20 more IPs this week, I'll just tell them to
contact Cobalt Support for that answer.
Liz
------Original Message------
From: "Tony" <isplists@xxxxxxxxxxxx>
To: cobalt-users@xxxxxxxxxxxxxxx
Sent: January 30, 2000 7:27:15 AM GMT
Subject: RE: [cobalt-users] SSL is driving me crazy
oops..no...Raq2 only. I just started configuring my Raq3i and there
are some major differences. I still have to get the Raq1 cobwebs
out of my head.
Seems like Cobalt went back to using the srm.conf and access.conf
files where on the RaQ2 all directory containers and directives
are in the httpd.conf and httpd-ssl.conf files.
Since the RaQ3 uses the GUI in a big way to enable SSL I don't think
it will be possible to do the symlink method anymore. The raq3
'manual' mentions that SSL can only be used on 1 virtual name-based
site. Seems everything will be handled by the main httpd.conf file.
Also seems like the best way to go on Raq3 is to have an IP-based
virtual site for every domain that requires SSL, require the site
owner to shell out the $125 for their own Thawte cert and use the
GUI to administer it.
I'm really not fond of the symlink/share-the-ISP-Cert method
actually.
If a client is serious about e-commerce it should not be hard to
point out the advantage of their customers seeing this in their
browsers:
https://www.mydomain.com/cgi-bin/gimmeyourcash.cgi
instead of
https://secure.isp.net/cgi-bin/mydomain/gimmeyourcash.cgi
Tony
-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Liz
Sent: Sunday, January 30, 2000 12:51 AM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-users] SSL is driving me crazy
Tony,
Thanks a bunch for the details. Your instructions apply to
a RaQ3, correct?
Reason why I ask, I don't have a "httpd-ssl.conf" file. Did
a "find" but that was the only file that was not found. All
it found was a "ssl.conf" file in etc/admserv/conf/ ..and
there is no <Directory> directive in that file at all. Just
a bunch of other stuff like Sessions and the like. If your
instructions are for a RaQ2 then I'm probably sunk without
the httpd-ssl.conf. The httpd.conf has various lines of
Perl code doing something with the SSL before the
<VirtualHost> sections. Comments in the code refer to
"build new section in the conf file for SSL sections" and
then it does stuff with RewriteRules and Cond's.
I have an O'Reilly book for Apache but it doesn't have
anything pertaining to SSL. My copy was published before
Apache 1.3, so its current worth is probably best suited as
kindling for the fireplace.
Liz
------Original Message------
From: "Tony" <isplists@xxxxxxxxxxxx>
To: cobalt-users@xxxxxxxxxxxxxxx
Sent: January 28, 2000 5:34:21 PM GMT
Subject: RE: [cobalt-users] SSL is driving me crazy
Most likely this is a httpd-ssl.conf error. Make sure you have
your <directory> container correct.
It needs this line:
Options FollowSymLinks Includes ExecCGI
As for ownership it should be root with the SSL site as group.
You should be able to cd to the link in telnet.
I had to make quite a few changes to get this to work properly.
First, a secure link is useless without cgi-support since most
sites need this for shopping cart use.
The first thing I do is disable cgi-wrap by using the include
statement in httpd.conf along with an extra conf file for the site.
Just the relevant parts are included here:
In the main httpd.conf:
<VirtualHost xxx.xxx.xxx.xxx>
Include /etc/httpd/conf/site22.conf
xxxxxx
#AddHandler cgi-wrapper .cgi
#AddHandler cgi-wrapper .pl
</VirtualHost>
In site22.conf:
Options Indexes FollowSymLinks Includes ExecCGI
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
ScriptAlias /cgi-bin/ /home/sites/site22/cgi-bin/
[container tags not needed]
The httpd-ssl.conf has a cgi-bin configured through
the Script-Alias directive:
ScriptAlias /cgi-bin/ /home/sites/ssl/cgi-bin/
[note the trailing slash!]
Followed by a Directory Container:
<Directory /home/sites/ssl/cgi-bin/>
Options FollowSymLinks Includes ExecCGI
AllowOverride ALL
Order allow,deny
Allow from all
</Directory>
You should actually use FollowSymLinksIfOwnerMatch
though to make it more secure on a multi-user box
and chown the symlink to the virtual site.
Now you can make the symlink in either the
web or cgi-bin of the ssl site.
ln -s /home/sites/siteX/web nameofdomain.com
results in this:
1 root site1 22 Jan 28 11:20 nameofdomain.com -> /home/sites/siteX/web
I use the above naming scheme because it's cleaner
when doing html links. The URL would be:
https://secure.domain.com/nameofdomain.com/document.html
Do the same thing in the cgi-bin of the secure site:
ln -s /home/sites/siteX/cgi-bin nameofdomain.com
and the final URL should be:
https://secure.domain.com/cgi-bin/nameofdomain.com/nameofscript.cgi
I highly recommend getting the O'Reilly Apache book..ISBN
1-56592-250-6
by Ben & Peter Laurie.
Tony
-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Liz
Sent: Friday, January 28, 2000 12:52 AM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] SSL is driving me crazy
Cool, thanks for the detailed instructions! Still no such
luck, tho. :-(
I set up the symbolic link exactly how it was spelled out
below, but now I'm getting a 403 FORBIDDEN when I try to
visit URL...
https://www.domain.com/www.otherdomain.com/web/filename.html
Even if I remove the "s" as in..
http://www.domain.com/www.otherdomain.com/web/filename.html
I still get the same error.
The symlink owner is site1 where the CA is setup for secure
stuff. After getting the 403 I tried chgrp'ing the symlink
to site7 (the crash test dummy site who happens to be on
their own IP) along with chown'ing to a user of
site7...still received the same 403 error. Who will be the
owner/group of the symlink, site1 or site7..???
Is there something else I may be missing?
Liz
------Original Message------
From: John Bush <jbush@xxxxxxxxxxxxxxx>
To: cobalt-users@xxxxxxxxxxxxxxx
Sent: January 26, 2000 5:16:12 AM GMT
Subject: Re: [cobalt-users] SSL is driving me crazy
You need to make symbolic links from your main site to that of other
sites:
For instance, your site is at /home/sites/www.maindomain.com/web
Their site is at /home/sites/www.theirsite.com/web
Telnet to your server and type:
ln -s /home/sites/www.theirsite.com/web /home/sites/www.maindomain.com/web/theirsite
That will make a symbolic link in your main site's web space to the
other virtual site.
Then to call theirsite securely, you would access:
https://www.maindomain.com/theirsite/filename.html
This way you won't have to copy any files or create any more users.
You may have to do some ownership and group fiddling to get cgi
scripts to work, that is my personal task for tomorrow.
Liz wrote:
> I tried doing something similar to
> "secure.yoursite.com/theirsite1" but no such luck. I'm not
> using "secure.domain.com"...just a regular "www.domain.com"
> as my SSL domain name which has a certificate. Maybe that's
> why I'm having problems?
>
> It seems the only other option I'm stuck with is to create a
> user for each site where the URL would be...
> https://www.domain.com/~user/
> I'm not crazy about doing this at all since I would prefer
> it if all user files remained within their own directory
> structure.
>
> I was informed today that Cobalt didn't make a SSL patch for
> the RaQ3 as they did for the RaQ2. Until that's available
> the following isn't supposed to work
> https://www.domain.com/site#/
> Please share how you got yours working! :)
>
> ------Original Message------
> From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
> To: cobalt-users@xxxxxxxxxxxxxxx
> Sent: January 21, 2000 9:00:10 PM GMT
> Subject: Re: [cobalt-users] SSL is driving me crazy
>
> At 10:43 AM 1/21/00 Liz wrote:
> >I'm seriously lost on this SSL stuff and am hoping someone
> >in this group can help answer the following...
> >
> >What's the best way to set up the RaQ3 so each virtual site can
> >share one common ssl certificate?
>
> There's only one "real" way to do this without each virtual
> site customer getting a warning each time they enter the site:
>
> secure.yoursite.com/theirsite1
> secure.yoursite.com/theirsite2
>
> Both Verisign and Thawte will tell you this is a violation of
> their license. However, they'll also tell you (under duress, but
> they will) that everyone does it.
>
> So, yoursite.com gets the stand-alone IP# and the
> certificate. The rest is all subdirectories.
>
> >Is it required that each virtual site must have its own IP
> >address in order to share, or can it work with name-based
> >hosting?
>
> Theirsite1.com and theirsite2.com, etc., can have name-based
> hosting. Secure.yoursite.com needs its own IP#.
>
> Jeff
>
> --
> Jeff Lasman, nobaloney.net
> <jblists@xxxxxxxxxxxxx>
> <www.nobaloney.net>, <www.mailtraqna.com>,
> <www.email-lists.com>
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>
--
John Bush
Systems Administrator
Apex Web Technologies
http://apexhosting.com
Toll Free (877) 377-APEX
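Added example, not part of any message in this thread: a small audit of the symlinks in a shared SSL docroot, reporting which ones Apache would follow when the owner-match option is in force (Apache spells it SymLinksIfOwnerMatch: the link's owner must equal the target's owner). The function names and the demo tree are made up for illustration; the demo tree is constructed in a temp directory.

```shell
#!/bin/sh
# Added example: report which symlinks in a shared SSL docroot Apache would
# follow under "Options SymLinksIfOwnerMatch" (link owner must equal target owner).

# owner_uid PATH [-L]: numeric owner of the link itself, or of its target with -L.
owner_uid() {
    ls -ldn $2 -- "$1" 2>/dev/null | awk '{print $3}'
}

# compare_uids LINK_UID TARGET_UID: the ownership rule on its own.
compare_uids() {
    if [ "$1" = "$2" ]; then echo OK; else echo MISMATCH; fi
}

# classify_link PATH: OK, MISMATCH or DANGLING for one symlink.
classify_link() {
    if [ ! -e "$1" ]; then      # -e follows the link, so a dead target fails here
        echo DANGLING
        return
    fi
    compare_uids "$(owner_uid "$1")" "$(owner_uid "$1" -L)"
}

# audit_links DIR: one "STATUS name" line per symlink directly inside DIR.
audit_links() {
    for entry in "$1"/* "$1"/.[!.]*; do
        [ -L "$entry" ] || continue
        printf '%s %s\n' "$(classify_link "$entry")" "${entry##*/}"
    done
}

# Constructed sample tree standing in for a shared SSL web root (paths made up).
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/siteX/web" "$root/ssl/web"
    ln -s "$root/siteX/web" "$root/ssl/web/nameofdomain.com"   # live target
    ln -s "$root/siteY/web" "$root/ssl/web/gone.example"       # target missing
    audit_links "$root/ssl/web"
    rm -rf "$root"
}

# With a directory argument, audit it; with none, run the constructed demo.
if [ "$#" -gt 0 ]; then audit_links "$1"; else demo; fi
```

A MISMATCH line marks a link that would be refused with a 403 under the owner-match option; `chown -h` changes the owner of the link itself rather than of its target.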