Hans | 1 Nov 2007 08:38

Re: problem with NAT, Public IP's and SSL cert

Matus UHLAR - fantomas wrote:
>> On 10/27/07, Hans <hans <at> ezpear.com> wrote:
>>
>>> Last week our customer requested that we put up a new ssl cert for him with his
>>> own IP. I created a VIP and forwarded it to ports 80 and 443.
>>> But I have a problem with the configuration.
>>>
>>> Before that, a few words about my future conf: during the next few weeks I will
>>> install a load balancing environment with 2 identical active/active
>>> webservers whose conf is created automatically from a mysql database. Both
>>> machines will be behind NAT and need to use only public IP's in the
>>> configuration for virtual hosts. I cannot use e.g.
>>> 192.168.2.10, 192.168.2.11 for virtualhosts (because only the
>>> public IP 65.65.65.65 will be generated for vhosts).
>>>
>
> There's no problem with load-balancing if you configure it properly. We are
> running many vhosts (some SSL'ed, but wildcarded on the same IP/port with
> the same cert) behind a loadbalancer.
>
> Our balancer does DNAT, so the servers don't know that it's there, they see
> connections coming to them. 
>
> The problem is that if you want to have multiple SSL vhosts (with multiple
> certs), you have to configure each of them on servers and balancer
> (but you can do e.g. multiple ports with different certs on hosts, and the
> same port on multiple IPs on balancer).
>
>
>>> So back to my question. I wanted to change the configuration from *:80 (*:443)

Malka Cymbalista | 1 Nov 2007 09:10

Authenticating via a secure LDAP server

Hello All,
We are running Apache/2.2.6 with mod_ssl/2.2.6, OpenSSL/0.9.7a, PHP/5.2.4, mod_perl/2.0.3 and
Perl/v5.8.5 on a Red Hat Enterprise Linux AS release 4 machine.
We compiled Apache with the following options to configure:
--prefix=/WWW/httpd --with-ldap --enable-ldap --enable-authnz-ldap --enable-rewrite
--enable-speling --enable-auth-digest --enable-ssl --with-ssl=/usr/share/ssl
--with-mpm=prefork --enable-so --enable-proxy

We want to use ldap authentication via a remote ldap server that is running in secure mode.

My question is whether we have to install an LDAP SDK and APR. The apache 2.0 documentation for mod_ldap
states very clearly:
SSL support requires that mod_ldap be linked with one of the following LDAP SDKs....

However, the apache 2.2 documentation for mod_ldap is not as clear.  It says:
To enable this module, LDAP support must be compiled into apr-util. This is achieved by adding the
--with-ldap flag to the configure script.... 
SSL/TLS support is dependant on which LDAP toolkit has been linked to APR

We configured apache with --with-ldap. Is this enough or do we need other options for configure? Do we have to
download and install APR in addition? Do we then have to install an LDAP SDK? If we install APR and an LDAP SDK,
will the documentation explain how to link them together?

I am a bit confused and would appreciate any clarification.
Thanks in advance for any help.

-- 
Malka Cymbalista
Webmaster, Weizmann Institute of Science

Krist van Besien | 1 Nov 2007 10:36

Re: problem with NAT, Public IP's and SSL cert

On Nov 1, 2007 8:38 AM, Hans <hans <at> ezpear.com> wrote:

> So in your config you have only <Public_IP:80 (443)> or
> <Private_IP:80(443) Public_ip:80(443)>.

No. In your config you have:
Several of either
<VirtualHost *:80>
or
<VirtualHost private_ip:80>
(After "VirtualHost" you need to put exactly the same thing you've put
after your NameVirtualHost statement.)

And you can have one
<VirtualHost *:443> block
or one
<VirtualHost IP:443> block for each IP _your server has_

But what you want, based on your description in your first post, is
not possible.
It is not possible to have multiple SSL based hosts each with their
own certificate on one IP address. This is not a limitation of Apache,
this is a limitation of the SSL protocol. If you want to know why,
read this: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts

Krist

-- 
krist.vanbesien <at> gmail.com
krist <at> vanbesien.org
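Krist's two rules can be checked mechanically: several name-based vhosts may share an address only if it matches a NameVirtualHost line, and one IP:port can serve only one certificate, because the server has to pick the cert before any Host header arrives. The Python script below is an added example, not code from this thread or from Apache; parse_vhosts, check_vhosts and the httpd.conf fragment are constructed for illustration.

```python
import re
# Constructed httpd.conf fragment (not from the thread): two name-based vhosts
# on *:80, and two SSL vhosts sharing one private IP:443 with different certs.
SAMPLE_CONF = """NameVirtualHost *:80
<VirtualHost *:80>
    ServerName www.example.com
</VirtualHost>
<VirtualHost *:80>
    ServerName shop.example.com
</VirtualHost>
<VirtualHost 192.168.2.10:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/www.crt
</VirtualHost>
<VirtualHost 192.168.2.10:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/shop.crt
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return (set of NameVirtualHost addresses, list of per-vhost dicts)."""
    nvh = set(re.findall(r"^\s*NameVirtualHost\s+(\S+)", conf, re.M | re.I))
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        v = {"addr": addr.strip()}
        for key in ("ServerName", "SSLEngine", "SSLCertificateFile"):
            m = re.search(r"^\s*%s\s+(\S+)" % key, body, re.M | re.I)
            v[key] = m.group(1) if m else None
        vhosts.append(v)
    return nvh, vhosts

def check_vhosts(conf):
    """Flag (a) different certificates on one IP:port, which cannot be served,
    and (b) several plain vhosts on an address with no NameVirtualHost line."""
    nvh, vhosts = parse_vhosts(conf)
    by_addr = {}
    for v in vhosts:
        by_addr.setdefault(v["addr"], []).append(v)
    problems = []
    for addr, group in sorted(by_addr.items()):
        ssl = [v for v in group if (v["SSLEngine"] or "").lower() == "on"]
        certs = {v["SSLCertificateFile"] for v in ssl}
        if len(certs) > 1:
            problems.append("%s: %d certificates on one IP:port, only one can be served" % (addr, len(certs)))
        if len(group) - len(ssl) > 1 and addr not in nvh:
            problems.append("%s: several vhosts but no NameVirtualHost %s" % (addr, addr))
    return problems
```

Apache 2.2.12 and later add TLS Server Name Indication, which lets clients that send it choose between certificates on one IP:port; the check applies the pre-SNI rule the thread describes.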

Krist van Besien | 1 Nov 2007 10:41

Re: problem with NAT, Public IP's and SSL cert

On Nov 1, 2007 10:36 AM, Krist van Besien <krist.vanbesien <at> gmail.com> wrote:
> On Nov 1, 2007 8:38 AM, Hans <hans <at> ezpear.com> wrote:
>
> > So in your config you have only <Public_IP:80 (443)> or
> > <Private_IP:80(443) Public_ip:80(443)>.
>
> No. In your config you have:
> Several of either
> <VirtualHost *:80>
> or
> <VirtualHost private_ip:80>
> (After "VirtualHost" you need to put exactly the same thing you've put
> after your NameVirtualHost statement.)
>
> And you can have one
> <VirtualHost *:443> block
> or one
> <VirtualHost IP:443> block for each IP _your server has_
>
> But what you want, based on your description in your first post, is
> not possible.
> It is not possible to have multiple SSL based hosts each with their
> own certificate on one IP address. This is not a limitation of Apache,
> this is a limitation of the SSL protocol. If you want to know why,
> read this: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts

Just another question, (I just reread your original post) what do you
mean that you got another VIP for your customer? Does that mean that
your firewall has a separate IP for your customer?


Hans | 1 Nov 2007 11:14

Re: problem with NAT, Public IP's and SSL cert

Krist van Besien wrote:
> On Nov 1, 2007 10:36 AM, Krist van Besien <krist.vanbesien <at> gmail.com> wrote:
>   
>> On Nov 1, 2007 8:38 AM, Hans <hans <at> ezpear.com> wrote:
>>
>>     
>>> So in your config you have only <Public_IP:80 (443)> or
>>> <Private_IP:80(443) Public_ip:80(443)>.
>>>       
>> No. In your config you have:
>> Several of either
>> <VirtualHost *:80>
>> or
>> <VirtualHost private_ip:80>
>> (After "VirtualHost" you need to put exactly the same thing you've put
>> after your NameVirtualHost statement.)
>>
>> And you can have one
>> <VirtualHost *:443> block
>> or one
>> <VirtualHost IP:443> block for each IP _your server has_
>>
>> But what you want, based on your description in your first post, is
>> not possible.
>> It is not possible to have multiple SSL based hosts each with their
>> own certificate on one IP address. This is not a limitation of Apache,
>> this is a limitation of the SSL protocol. If you want to know why,
>> read this: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts
>>     
>

Krist van Besien | 1 Nov 2007 13:10

Re: problem with NAT, Public IP's and SSL cert

On Nov 1, 2007 11:14 AM, Hans <hans <at> ezpear.com> wrote:

> I have one main VIP 65.65.65.65 for vhosts which share that IP, and if a
> customer needs it (like in the case of ssl) he will get another IP, e.g.
> 65.65.65.66. I always thought that for ssl the public IP is important, not
> the private one on the host. I think that it is some limitation of Apache that it
> cannot listen on a virtual public IP, but only on IP's which the host directly
> uses.

This is not a limitation of apache, but a limitation of the IP protocol.
You must realise how NAT works. IP packets with a destination address
of 65.65.65.65 get (based on how you configure your NAT device) their
destination address rewritten to e.g. 192.168.2.1. There is no way for
the apache server to know what the original destination IP was, so
there is no way for the apache server to act on this info.
There is usually also no _need_ for this.

> I wonder how other hosting companies with load balancing solved that
> problem. I cannot believe that somebody with 200 domains and let's say
> 150 IPs plays with port numbers.

They either do that, work with ports, or, what is more common,
terminate SSL on the loadbalancer. In this scenario the cert gets
installed on the loadbalancer, which does the SSL handshake and
decoding, and then forwards it to port 80 on one or several backend
http servers. There, name based virtualhosts will work just fine.

Krist

-- 

Melanie Pfefer | 1 Nov 2007 13:34

AuthLDAPUrl

hi,

Can AuthLDAPUrl have multiple values?

AuthLDAPUrl ldap://..... , ldap://.....

or this form?
AuthLDAPUrl ldap://...
AuthLDAPUrl ldap://...??

thanks.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe <at> httpd.apache.org
   "   from the digest: users-digest-unsubscribe <at> httpd.apache.org
For additional commands, e-mail: users-help <at> httpd.apache.org

Tony Stevenson | 1 Nov 2007 15:00

Re: AuthLDAPUrl

On Thu, November 1, 2007 12:34 pm, Melanie Pfefer wrote:
> hi,
>
> Can AuthLDAPUrl have multiple values?
>
>
> AuthLDAPUrl ldap://..... , ldap://.....
>
This is correct. If you use your last method, the last entry will
overwrite the previous values. This is how it should look:

AuthLDAPUrl ldap://a.b.c ldap://d.e.f ldap://g.h.i

You get the idea.

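The form the mod_authnz_ldap documentation gives for redundant servers is a space-separated host list inside one double-quoted URL (ldap://host1 host2/basedn?attribute?scope?filter), optionally followed by a connection mode NONE, SSL, TLS or STARTTLS; an unquoted list is not one URL. The Python parser below is an added example, not Apache's own code; parse_auth_ldap_url and is_valid_auth_ldap_url are illustrative names and the example.com values are constructed.

```python
import re
import shlex

# Constructed directive arguments (not from the thread). mod_authnz_ldap documents
# redundant servers as a space-separated host list inside ONE double-quoted URL,
# optionally followed by a connection mode: NONE, SSL, TLS or STARTTLS.
URL_RE = re.compile(r"^(ldaps?)://([^/]*)/?(.*)$", re.I)
MODES = ("NONE", "SSL", "TLS", "STARTTLS")

def parse_auth_ldap_url(args):
    """Parse everything after 'AuthLDAPUrl' into scheme, hosts, basedn, attribute,
    scope, filter and connection mode. Missing parts take the directive's documented
    defaults: attribute uid, scope sub, filter (objectClass=*)."""
    tokens = shlex.split(args)          # honours the double quotes around a multi-host URL
    mode = None
    if len(tokens) > 1 and tokens[-1].upper() in MODES:
        mode = tokens.pop().upper()
    if len(tokens) != 1:
        # An unquoted 'ldap://h1 h2/...' splits into several tokens: this is the
        # misconfiguration the documentation's quoting note warns about.
        raise ValueError("multiple hosts must be inside one double-quoted URL: %r" % args)
    m = URL_RE.match(tokens[0])
    if not m:
        raise ValueError("not an LDAP URL: %r" % tokens[0])
    scheme, hostpart, rest = m.groups()
    scheme = scheme.lower()
    if mode is None:
        mode = "SSL" if scheme == "ldaps" else "NONE"   # ldaps:// selects SSL by default
    fields = rest.split("?") + [""] * 4
    basedn, attribute, scope, filt = fields[:4]
    return {
        "scheme": scheme,
        "hosts": hostpart.split(),      # tried in order until one connects
        "basedn": basedn,
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": filt or "(objectClass=*)",
        "mode": mode,
    }

def is_valid_auth_ldap_url(args):
    """True if the argument string parses as one AuthLDAPUrl value."""
    try:
        parse_auth_ldap_url(args)
        return True
    except ValueError:
        return False

# Constructed examples: a quoted failover pair with STARTTLS, and a plain ldaps:// URL.
FAILOVER = '"ldap://ldap1.example.com ldap2.example.com/dc=example,dc=com?uid?sub?(objectClass=*)" STARTTLS'
SECURE = 'ldaps://ldap.example.com:636/ou=People,dc=example,dc=com'
```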

Neville Hillyer | 1 Nov 2007 15:12

Re: Re: software to put a counter on a page

At 14:06 +0000 30/10/2007, Nick Kew wrote:
>On Tue, 30 Oct 2007 13:57:31 +0000
>Neville Hillyer <n.hillyer <at> open.ac.uk> wrote:
>
>>  Please let me know if you discover a better text counter.
>
>Yeah, Randal Schwartz wrote one, many years ago.  I expect
>google could find it.
>
>--
>Nick Kew

>>>>>  "Neville" == Neville Hillyer <n.hillyer <at> open.ac.uk> writes:

Neville> Is the following remark from an Apache mail list correct? i.e. did you write a
Neville> better text counter than http://www.dan.co.jp/webcounter/ ?

I wrote one that generated a random number, since that was just as accurate as
the "accurate" ones.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn <at> stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>


Melanie Pfefer | 1 Nov 2007 15:55

run apache as non-root user

hi

The way I usually do that is to compile and install
apache as root. Then, chown -R user:group apache2/

Is there a different method? (such as ./configure and
make and make install as a non-root user?)

Because sometimes the stop and start scripts do not work well
if run as a normal user...

thanks


