
Re: [Sks-devel] Question: serving two different SSL certificates under A


From: John Zaitseff
Subject: Re: [Sks-devel] Question: serving two different SSL certificates under Apache?
Date: Mon, 2 Jun 2014 11:45:57 +1000
User-agent: Mutt/1.5.21 (2010-09-15)

Hi, Phil et al.,

> > To clarify: I want to serve my own ZAP Group certificate when HTTPS
> > queries come to keyserver.zap.org.au, and the sks-keyservers.net
> > certificate when queries come to *.sks-keyservers.net.  Can I do
> > this with ONE <VirtualHost> block in Apache, or must I use two?
>
> I can't definitively say that one block might not be made to work:
> never discount human ingenuity.  I can say that it would be
> "interesting" to see.

In the end, I ended up with TWO <VirtualHost> blocks in the Apache
config after all.  All works now, as long as you remember to add
"NameVirtualHost *:443"!

For reference, the following is my full Apache config for HTTPS on
keyserver.zap.org.au:

  # /etc/apache2/sites-available/zapgroup-keyserver-ssl: Keyserver website server configuration
  # [JNZ] Modified 02-Jun-2014 for keyserver.zap.org.au

  Listen *:11372
  Listen *:443
  NameVirtualHost *:11372
  NameVirtualHost *:443

  <VirtualHost *:11372 *:443>
      ServerAdmin address@hidden
      ServerName keyserver.zap.org.au

      SSLEngine on

      # Only allow secure ciphers and protocols: SSLv3 and TLSv1
      SSLCipherSuite HIGH:MEDIUM:!ADH
      SSLProtocol all -SSLv2

      SSLCertificateFile /etc/ssl/certs/keyserver.pem
      SSLCertificateKeyFile /etc/ssl/private/keyserver.pem
      SSLCACertificateFile /etc/ssl/certs/ZAP_Group_CA_Root.pem

      <Proxy *>
          Order allow,deny
          Allow from all
      </Proxy>

      ProxyPass / http://127.0.0.1:11371/
      ProxyPassReverse / http://127.0.0.1:11371/
      ProxyVia On

      SetEnv proxy-nokeepalive 1
      #RequestHeader unset Expect early

      ErrorLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl--error.log

      # Possible values include: debug, info, notice, warn, error, crit,
      # alert, emerg.
      LogLevel warn

      CustomLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl--access.log combined_ssl
      ServerSignature On

      # Work around SSL (and other) problems in Microsoft Internet Explorer
      # (see default-ssl and /usr/share/doc/apache2.2-common/README.Debian.gz
      # for more information).
      BrowserMatch "MSIE [2-6]" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0
      # MSIE 7 and newer should be able to use keepalive
      BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

  </VirtualHost>

  <VirtualHost *:11372 *:443>
      ServerAdmin address@hidden
      ServerName hkps.pool.sks-keyservers.net
      ServerAlias *.pool.sks-keyservers.net *.sks-keyservers.net

      SSLEngine on

      # Only allow secure ciphers and protocols: SSLv3 and TLSv1
      SSLCipherSuite HIGH:MEDIUM:!ADH
      SSLProtocol all -SSLv2

      SSLCertificateFile /etc/ssl/certs/keyserver-sks.pem
      SSLCertificateKeyFile /etc/ssl/private/keyserver.pem
      SSLCACertificateFile /etc/ssl/certs/sks-keyservers.netCA.pem

      <Proxy *>
          Order allow,deny
          Allow from all
      </Proxy>

      ProxyPass / http://127.0.0.1:11371/
      ProxyPassReverse / http://127.0.0.1:11371/
      ProxyVia On

      SetEnv proxy-nokeepalive 1
      #RequestHeader unset Expect early

      ErrorLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl-hkps--error.log

      # Possible values include: debug, info, notice, warn, error, crit,
      # alert, emerg.
      LogLevel warn

      CustomLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl-hkps--access.log combined_ssl
      ServerSignature On

      # Work around SSL (and other) problems in Microsoft Internet Explorer
      # (see default-ssl and /usr/share/doc/apache2.2-common/README.Debian.gz
      # for more information).
      BrowserMatch "MSIE [2-6]" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0
      # MSIE 7 and newer should be able to use keepalive
      BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

  </VirtualHost>

Yours truly,

John Zaitseff

--
John Zaitseff                    ,--_|\    The ZAP Group
Phone:  +61 2 9643 7737         /      \   Sydney, Australia
E-mail: address@hidden   \_,--._*   http://www.zap.org.au/
                                      v


