SSL Part 1: httpd.conf

Revision as of 17:38, 9 June 2008 by Ric

mod_ssl Configuration httpd.conf
Uniform Server 3.5-Apollo

You will notice there are two configuration files, httpd.conf and ssl.conf. This separation is significant: it keeps the secure and non-secure configurations independent, a case of divide and conquer with real advantages. You can test the main server configuration before enabling the secure configuration, which makes fault finding easier.

  httpd.conf  

This is the main Apache configuration file and should not contain any secure directives. Comment out the line as shown, #LoadModule ssl_module modules/mod_ssl.so, and Apache will function solely as a non-secure server.

Uncomment the above line and Apache loads the module mod_ssl.so; this in turn instructs Apache to load the configuration file ssl.conf. If you wish, you can place all the directives in the main configuration file; it just makes fault finding more difficult.

 

  ssl.conf  

This configuration file isolates all the secure directives; it normally contains a single secure virtual host. This limitation is imposed by the protocol; however, when running a personal server it is possible, with some limitations, to run more than one name-based virtual host (I cover this later).

Before looking at the configuration files first define your site architecture and obtain a domain name.

Define sites and obtain a domain name

One of the most important things to have is a domain name; for general testing and experimentation DynDNS provide an excellent free service. If you do not have a static IP address, download a Windows update client; I found their DynDNS Updater easy to use and versatile. When you set up an account, enable the wildcard option.

For this write-up I have chosen the domain unicenter.gotdns.org. With wildcards enabled I use Vhosts and have split my test sites as follows:

The main root folder www contains the following site root folders.

| Main Root Folder www | Domain | Comments |
|---|---|---|
| default_unsecure | *.unicenter.gotdns.org | Contains a single index.html page that describes all the non-secured sites hosted. A user who mistypes an address may reach this page by mistake. |
| site1 | unicenter.gotdns.org | This is my main site. It is unsecured and is accessed using http://unicenter.gotdns.org |
| site2 | news.unicenter.gotdns.org | A virtual host site containing news, accessed using http://news.unicenter.gotdns.org . To host more sites, create a new root folder (for example site4), choose a new wildcard name (cars) and add a new Vhost section to the config file; a user would access this site using http://cars.unicenter.gotdns.org |
| site3 | unicenter.gotdns.org | This is the secured site containing a recipe for pumpkin cake. Note it shares the common host name unicenter.gotdns.org; however, the site is accessed using https://unicenter.gotdns.org . Because the recipe has been handed down and is a family secret, the site has been password protected. |

There are no restrictions on folder names; choose whatever you like. I avoid names with spaces, as some FTP programs fall over when they come across these. You can, if you wish, use the main root folder www as the default; however, my personal preference is to have separate folders and never serve from the main root.

With the server sites defined and a domain name obtained we are ready to modify the server template.


Put your servers on-line

A clean install locks down Uniform Server to localhost access only. We will be testing live, hence the servers need putting on-line. Open the file .htaccess in folder www and comment out the lines as shown (the Order, Deny and Allow lines):

  .htaccess  

# This file provides security to the server limiting access to the localhost only.
# Comment to deactivate.

#Order Deny,Allow
#Deny from all
#Allow from 127.0.0.1

# To allow execution of cgi scripts in this directory uncomment next two lines.

AddHandler cgi-script .pl .cgi
Options +ExecCGI

#--
# Activate this to use the Private Server Feature!
#--
# To lock server, uncomment the next 4 lines.
# Defaults: Username - root; Password - root

#AuthName "Uniform Server - Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/www/.htpasswd
#Require valid-user
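
A small audit of the edited .htaccess, added here as an example (it is not part of Uniform Server): it reports whether the localhost restriction, the Private Server password block and CGI execution are active, so you can confirm what is reachable once the server is on-line. The function names and the abridged sample text are constructed for illustration.

```python
# Sample input: the .htaccess from this page after the edit (abridged, assembled for the example).
ONLINE = """
#Order Deny,Allow
#Deny from all
#Allow from 127.0.0.1
AddHandler cgi-script .pl .cgi
Options +ExecCGI
#AuthName "Uniform Server - Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/www/.htpasswd
#Require valid-user
"""

def active_directives(text):
    """Map each uncommented directive name (lowercased) to the list of its argument strings."""
    found = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank lines and commented-out directives are inactive
        args = " ".join(parts[1].lower().split()) if len(parts) > 1 else ""
        found.setdefault(parts[0].lower(), []).append(args)
    return found

def exposure(text):
    """Report which of the page's protections are active in an .htaccess file."""
    d = active_directives(text)
    localhost_only = "from all" in d.get("deny", []) and "from 127.0.0.1" in d.get("allow", [])
    password = ("basic" in d.get("authtype", []) and "authuserfile" in d
                and "valid-user" in d.get("require", []))
    return {"localhost_only": localhost_only,
            "password_protected": password,
            "cgi_enabled": any("+execcgi" in a.split() for a in d.get("options", [])),
            "open_to_anyone": not (localhost_only or password)}

if __name__ == "__main__":
    for item, state in exposure(ONLINE).items():
        print(item, state)
```

Run it against the real file by passing its contents to `exposure()`; `open_to_anyone` is true when neither the localhost restriction nor the password block is active.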


httpd.conf and Vhosts

We need to set up Apache to serve pages from our various non-secure sites. For this you can use “apanel” to create your Vhosts; this will provide a basic structure and save you some typing, however the format requires changing. Open the file httpd.conf located in folder *\Uniform Server\udrive\usr\local\apache2\conf; the Vhosts are located at the bottom of this file.

For our NEW sites make the changes shown below.

Note: the Original Vhosts are included in httpd.conf as examples (you can delete these or modify them as shown; this saves typing).

Each Vhost is listed as Original, then NEW, then Comments.

Original:

#######VIRTUAL HOST SETUP#######

NameVirtualHost *:80

<VirtualHost _default_:80>
 DocumentRoot /www/default_unsecure
</VirtualHost>

NEW:

#######VIRTUAL HOST SETUP#######

NameVirtualHost *:80

<VirtualHost _default_:80>
 DocumentRoot /www/default_unsecure
</VirtualHost>

Comments:

There is no need to change this Vhost; however, you will probably want to change the document root folder name from default_unsecure to a more suitable name (true for all other root folders).

It is a catch-all Vhost: it uses _default_, which instructs Apache to serve pages from folder default_unsecure when it cannot find a match after looking at all the other Vhosts.

Original:

#######VIRTUAL HOST SETUP#######

<VirtualHost *:80>
 ServerName unicenterdemo.dyndns.org
 DocumentRoot /www/site1
</VirtualHost>

NEW:

#######VIRTUAL HOST SETUP#######

<VirtualHost *:80>
 ServerName unicenter.dyndns.org
 DocumentRoot /www/site1
</VirtualHost>

Comments:

This Vhost is your main web site; it is the only Vhost that uses your real domain name.

Interestingly, it is not a true domain name but is itself a wildcard (virtual) domain. The true domain name is dyndns.org; I was allocated the virtual domain unicenter.dyndns.org, which to all intents and purposes operates like a real domain, in that it maps to my unique IP address.

When you purchase a real domain name it will look something like my_domain.com

Original:

#######VIRTUAL HOST SETUP#######

<VirtualHost *:80>
 ServerName www.unicenterdemo.dyndns.org
 DocumentRoot /www/site2
</VirtualHost>

NEW:

#######VIRTUAL HOST SETUP#######

<VirtualHost *:80>
 ServerName news.unicenter.dyndns.org
 DocumentRoot /www/site2
</VirtualHost>

Comments:

When I set up my DynDNS account I enabled wildcards. This allows me to host as many sites as I like simply by having a different name for the wildcard part, in this case news.

Like news, all sites that use www are merely wildcards; hence I could have used www.unicenter.dyndns.org and served my pages from site1 by changing the root folder to DocumentRoot /www/site1

Note 1

If you are not using the template, make sure you have only one NameVirtualHost line at the start of the Vhost section; search the file for any others and delete them. This single line, NameVirtualHost *:80, tells Apache that what follows is a section containing name-based virtual hosts, and that every name arriving on port 80 is to have its name checked against the hosts in this section.

Note 2

Each virtual host starts with <VirtualHost IP-address:Port>. We are not being choosy about what IP address we use, hence we accept any using “*”; however, we are being very selective about what port to use, in our case port 80. {In general the port would default to 80; I personally like to see the numbers.}

Note 3

A general note: each virtual host inherits from the main server configuration. If you want to tailor each host, put any new directives between <VirtualHost *:80> and </VirtualHost>.
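
The checks from the notes above, written as an added example (not part of Uniform Server or of the original page): it parses the active lines of httpd.conf and flags more than one NameVirtualHost line, secure (SSL*) directives that belong in ssl.conf, duplicate ServerName values and Vhosts without a DocumentRoot. The function names are hypothetical and the sample is the NEW Vhost section from this page, assembled for the example.

```python
import re
# Sample input: the NEW Vhost section from this page (assembled here for the example).
SAMPLE = """NameVirtualHost *:80
<VirtualHost _default_:80>
 DocumentRoot /www/default_unsecure
</VirtualHost>
<VirtualHost *:80>
 ServerName unicenter.dyndns.org
 DocumentRoot /www/site1
</VirtualHost>
<VirtualHost *:80>
 ServerName news.unicenter.dyndns.org
 DocumentRoot /www/site2
</VirtualHost>
"""

def parse_conf(text):
    """Collect active NameVirtualHost values, Vhost blocks and SSL* directives."""
    current, info = None, {"name_vhosts": [], "vhosts": [], "ssl_directives": []}
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue  # blank lines and commented-out directives are inactive
        key = words[0].lower()
        opened = re.match(r"\s*<VirtualHost\s+([^>]+)>", raw, re.I)
        if opened:
            current = {"addr": opened.group(1).strip(), "servername": None, "documentroot": None}
        elif key == "</virtualhost>" and current is not None:
            info["vhosts"].append(current)
            current = None
        elif key == "namevirtualhost" and len(words) > 1:
            info["name_vhosts"].append(words[1])
        elif key.startswith("ssl"):
            info["ssl_directives"].append(words[0])
        elif current is not None and key in ("servername", "documentroot") and len(words) > 1:
            current[key] = words[1]
    return info

def check_conf(text):
    """Return a list of deviations from the rules this page gives for httpd.conf."""
    info, problems = parse_conf(text), []
    if len(info["name_vhosts"]) != 1:
        problems.append("NameVirtualHost lines: %d (want 1)" % len(info["name_vhosts"]))
    problems += ["secure directive in httpd.conf: " + d for d in info["ssl_directives"]]
    names = [v["servername"].lower() for v in info["vhosts"] if v["servername"]]
    problems += ["duplicate ServerName " + n for n in sorted(set(names)) if names.count(n) > 1]
    problems += ["Vhost %s has no DocumentRoot" % v["addr"]
                 for v in info["vhosts"] if v["documentroot"] is None]
    return problems
```

`check_conf(SAMPLE)` returns an empty list; an extra NameVirtualHost line or an SSLEngine directive pasted into httpd.conf appears in the returned list.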

Summary

For testing and experimentation you need only make minor changes to the template. If you are wondering why the site root folders are placed in the main root folder www, it's one of convenience.

You can locate these root folders anywhere you like; however, consider the implications. For example, if they are placed on a different drive then your server will not be portable.





  Ric