[PLUG] Configuring Apache modules for better security

Keith Lofstrom keithl at kl-ic.com
Fri Jan 21 19:02:26 UTC 2011


> Keith Lofstrom wrote:
> >I have an apache server with about 7 virtual hosts, some wikis,
> >some mailing lists, some svn code repositories.  Sorta just grew.  
> ...
> >What I am using:  moinmoin (python) with jsmath and some
> >passworded access, mailman with pipermail (python), svn with
> >viewcvs (python).  A few home-made Perl scripts, some of
> >which interface to some C++ number crunching programs.  All
> >the Python and Perl stuff is running with mod_cgi, not
> >mod_perl nor mod_python.  No PHP.  Some rewriting rules and
> >redirects.  I have nightly backups for years, so breakage and
> >security problems are fixable.  I will be using HTTPS for
> >access to a new wiki.

On Fri, Jan 21, 2011 at 10:25:39AM -0800, Galen Seitz wrote:
> HTTPS plus wiki or wikis?  Unless something has changed, it's not 
> possible to share an IP among virtual hosts that are using HTTPS.

I will be renting another IP address from my provider for that,
perhaps using the same instance of apache or a second instance.
IIRC, one instance of apache can connect different IP addresses
to different virtuals.  But a second instance might be better,
because I hope to sell the business using that URL and wiki.

For those not knowing what Galen and I are talking about, HTTPS
requires certificates that validate a particular URL website name.
Browsers get cranky when the reverse DNS (IP address to URL) doesn't
match the one in the certificate, and the TLS/SSL handshake doesn't
proceed correctly.  Without a proper certificate trail, transactions
are subject to DNS spoofing and "man in the middle" attacks.

This will take me up to 3 IP addresses on my server - one is used
to tunnel other protocols through ports 80 (http) and 443 (https)
from sites that block other outbound ports (such as the public
wifi at the hospitals in the Providence system).  

Keith

-- 
Keith Lofstrom          keithl at keithl.com         Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
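
The layout described in the message above (one Apache instance, a separate IP address for each HTTPS virtual host), as an added example that is not part of the original post. The addresses, hostnames and file paths are placeholders, and mod_ssl is assumed to be loaded:

```apache
# Added example: IP-based HTTPS virtual hosts in a single Apache instance.
# 192.0.2.x is the RFC 5737 documentation range; hostnames and paths
# are placeholders, not values from the post.

# Bind the TLS port on each address explicitly instead of "Listen 443",
# so the instance only answers HTTPS on the addresses assigned to it.
Listen 192.0.2.10:443
Listen 192.0.2.11:443

# Existing site: the certificate is chosen by the address the
# connection arrived on, so each address carries exactly one site.
<VirtualHost 192.0.2.10:443>
    ServerName existing.example.org
    DocumentRoot /var/www/existing
    SSLEngine on
    # The name in this certificate should match ServerName above.
    SSLCertificateFile    /etc/ssl/certs/existing.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/existing.example.org.key
</VirtualHost>

# New wiki on its own rented address, with its own certificate and key.
<VirtualHost 192.0.2.11:443>
    ServerName wiki.example.com
    DocumentRoot /var/www/wiki
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wiki.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/wiki.example.com.key
</VirtualHost>
```

Keeping each site's key, certificate and document root in separate paths also makes it simpler to move one site to a second instance later.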


