+ added a "ssl with apache" section (draft)
This commit is contained in:
parent 7afbfadc42
commit 46ae889df4
@ -680,6 +680,62 @@ parse these strings.
a complaint.
\end{desc}

\section{SSL encryption with Apache}

Network traffic with a HTTP server is usually encrypted and protected
from manipulation using the cryptographic algorithm provided by an
implementation of the \textit{secure socket layer}, SSL for short.
SUNet does not have support for SSL yet. However, an Apache
web-server with SSL support can be configured as a proxy. In this
setup the Apache web-server accepts encrypted requests and forwards
them to a SUNet web-server running locally. This section describes
how to set up Apache as an encrypting proxy, assuming the reader has
basic knowledge about Apache and its configuration directives.

The following excerpt shows a minimalist SSL virtual host that
forwards requests to a SUNet server.

\begin{alltt}
<VirtualHost 134.2.12.82:443>
DocumentRoot "/www/some-domain/htdocs"
ServerName www.some-domain.de
ServerAdmin admin@some-domain.de
ErrorLog /www/some-domain/logs/error_log

ProxyRequests off
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/

SSLEngine on
SSLRequireSSL

SSLCertificateFile /www/some-domain/cert/some-domain.cert
SSLCertificateKeyFile /www/some-domain/cert/some-domain.key
</VirtualHost>
\end{alltt}

First, a virtual host is added to Apache's configuration file. This
virtual host listens for incoming connections on port 443, which is
the standard port for encrypted HTTP traffic. \texttt{SSLRequireSSL}
ensures that server accepts encrypted connections only.

In terms of the Apache documentation, the the web-server acts as a so
called \textit{reverse proxy}. The option \texttt{ProxyRequests} has
a misleading name. Setting this option to off does only turns off
Apache's facility to act as a \textit{forward proxy} and has no effect
on the configuration directives for reverse proxies. Actually,
turning on \texttt{ProxyRequests} is dangerous, because this turns
Apache into a proxy server that can be used from anywhere to access
any site that is accessible to the Apache server.

In this setting, all requests get forwarded to a SUNet web-server
which listens for incoming connections on localhost port 8080 only,
thus, it is not reachable from a remote machine. Apache forwards all
requests to the host and port specified by the \texttt{ProxyPass}
directive. \texttt{ProxyPassReverse} specifies how
\texttt{Location}-Header fields of HTTP redirect messages send by the
SUNet server are translated.

%%% Local Variables:
%%% mode: latex
%%% TeX-master: "man"
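Review bot: the explanatory paragraphs after the \end{alltt} line carry several wording slips that should go before this leaves draft: "the the web-server" (doubled "the"), "does only turns off" (should be "only turns off"), "ensures that server accepts" (missing "the"), "redirect messages send by" ("sent by"), and "a HTTP server" ("an HTTP server"). The opening sentence also overstates the situation: traffic to an HTTP server is not "usually" encrypted; "can be encrypted and protected from manipulation" is accurate. Two points in the excerpt deserve a sentence in the text: with SSLEngine on in a virtual host bound only to 134.2.12.82:443, SSLRequireSSL is redundant (it only matters when the same configuration is also reachable over plain HTTP), so either drop it or say why it is kept; and because ProxyPass / catches every request, the DocumentRoot line is effectively unused and could be omitted or explained. Finally, the security argument of the last paragraph rests on the SUNet server binding to localhost port 8080 only, but nothing in the excerpt enforces that, and the ProxyPass target is plain http://; the text should state explicitly that the backend must listen on the loopback address only (or be shielded by a packet filter), since otherwise the encrypting front end can simply be bypassed.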