sks-devel

Re: [Sks-devel] Re: details to configure SKS https web interface


From: Phil Pennock
Subject: Re: [Sks-devel] Re: details to configure SKS https web interface
Date: Mon, 16 Mar 2009 02:20:44 -0700

On 2009-03-16 at 09:13 +0100, Jan Kesten wrote:
> Hi Daniel,
> 
> should be something like this:
> 
> <VirtualHost foo.bar.com:443>
>    ServerAdmin address@hidden
>    DocumentRoot /var/www/
>    SSLEngine on
>    ServerName foo.bar.com
>    SSLCertificateKeyFile /etc/apache2/ssl/apache.pem
>    SSLCertificateFile /etc/apache2/ssl/apache.crt
>    SSLProtocol all
>    SSLCipherSuite HIGH:MEDIUM
>    SSLProxyEngine On
>    <Location /pks>
>         ProxyPass http://127.0.0.1:11371/pks
>         ProxyPassReverse http://127.0.0.1:11371/pks
>    </Location>
> </VirtualHost>
> 
> Of course you need mod_proxy and mod_ssl ;-)

And one of:

 * a dedicated IP address, to do IP-based vhosting

 * the SSLCertificateFile using subjectAltName extensions, so that the
   same certificate is used for every vhost on that IP

 * serverNameIndication support in Apache *and* every web-browser you
   care about

The SNI support will let you do true vhosting of SSL sites, without an
IP-per-vhost but it won't work with MSIE on Windows XP (requires Vista,
AIUI).  See  https://sni.velox.ch/  for a test site, which includes
links to the relevant modules.

I use both of the first two options for SSL vhosting; the former where I
can get away with IPv6-only, the latter for the rest, and just rely upon
the sites being fairly equivalent in trust status.  (I don't use
mod_proxy at the current time though, so held off on providing config
snippets).

-Phil
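
Added example, not part of the message above or of the SKS project: for the second option in the list (one certificate whose subjectAltName covers every SSL vhost on the IP), this script builds a throwaway self-signed certificate and reports any vhost name it does not cover. The hostnames are constructed placeholders and the function names are hypothetical; it assumes OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Added example: check that one shared certificate covers every SSL vhost
# served from the same IP address. Hostnames below are constructed samples.

# make_san_cert DIR NAME...: write DIR/key.pem and DIR/cert.pem, a throwaway
# self-signed certificate whose subjectAltName lists every NAME.
make_san_cert() {
    dir=$1; shift
    san=""
    for name in "$@"; do
        san="${san:+$san,}DNS:$name"
    done
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=$1" -addext "subjectAltName=$san" 2>/dev/null
}

# cert_covers CERT NAME: succeed only if CERT is valid for hostname NAME.
# -checkhost prints "does match" or "does NOT match"; the exit status of
# openssl itself does not tell the two apart, so grep decides.
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# uncovered_vhosts CERT NAME...: print each vhost name CERT does not cover.
# A client that sends no SNI gets this one certificate for all of them.
uncovered_vhosts() {
    cert=$1; shift
    for name in "$@"; do
        cert_covers "$cert" "$name" || echo "$name"
    done
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_san_cert "$tmp" keys.example.org www.example.org
    # ServerName values configured on the shared IP (constructed list)
    uncovered_vhosts "$tmp/cert.pem" \
        keys.example.org www.example.org mail.example.org
    rm -rf "$tmp"
}

demo   # prints: mail.example.org
```

Against a real deployment, pass the file named by SSLCertificateFile and the ServerName of each vhost on that address to `uncovered_vhosts`; any name it prints would produce a certificate mismatch in the browser.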
