[thelist] Apache SSL setup

Dave Merrill dmerrill at usa.net
Mon May 23 07:15:07 CDT 2005


Robert Gormley wrote

> Dave Merrill wrote:
>
> >Let me try to describe my question better:
> >
> >For non-ssl operation, the port being used is set in
> >[apache_root]/conf/httpd.conf, by the line:
> >	Listen [port_number]
> >...where [port_number] is usually 80, but it's not in my case. I'm running
> >on a non-standard port, for a variety of reasons. There's at least one other
> >place in that file that needs to match that setting too.
> >
> >
> Down near the virtual hosts line - do a search from the
> "NameVirtualHost" directive

Thanks, but I wasn't trying to ask that, just saying I knew there was more
than one place where the non-ssl port gets mentioned, so people wouldn't
think that was my problem (:-).


> >For ssl operation, the port being used is set in
> >[apache_root]/conf/ssl/ssl.conf, by the line:
> >	Listen [port_number]
> >...where [port_number] is usually 443.
> >
> >What I'd like is to only accept ssl connections on [port_number], so it
> >seems clear that the ssl port should be [port_number].
> >
> >What should I use for the non-ssl port (or other config setting), so that it
> >allows only ssl connections on [port_number]? I tried port 0, but apache
> >complains and won't start.
> >
> >The one thing I tried that seems to work is:
> >	Listen 0.0.0.0:80
> >
> >
> You could try 81. Bear in mind though that you have two issues now -
> that a lot of corporate firewalls will either straight block or block
> via stateful inspection connections to either of the two URL 'schemes'
> you'll now be using, ie:
>
> https://www.example.com:80/
> http://www.example.com:81/
>
> >Bearing in mind that I have no intention of responding to straight port 80
> >http requests at any url, is that a sensible thing to do? Or a nonsense
> >config that accidentally works, so far? Is there an official way to do this?
> >
> >
> "Sensible" depends on you reasoning, and ability to deal with
> situations, such as above.

I think I'm not being clear.

I don't care about :80 or :81 at all. I want to block, i.e., not respond to,
*any* non-ssl connections on *any* port. The interesting part of "Listen
0.0.0.0:80" isn't ":80", it's "0.0.0.0", which I'm hoping is an impossible
url that can't ever get routed to this machine, effectively making the
ssl-spec'd port the only one we respond to.

Make sense? How else do you require ssl for *all* connections?

Dave Merrill
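An added configuration example, not taken from the thread: the way to accept only TLS connections is to have no plaintext `Listen` directive at all, so the SSL port is the only socket httpd ever binds. Note that `Listen 0.0.0.0:80` does not disable anything; `0.0.0.0` means "every local interface", so it binds port 80 everywhere. Paths, hostname and the `[apache_root]` placeholder are assumptions.

```apache
# httpd.conf: remove or comment out the non-SSL listener entirely.
# Pointing it at port 0 or at 0.0.0.0 does not achieve this.
# Listen 80        <-- leave this line out

# conf/ssl/ssl.conf: the only Listen directive in the whole configuration.
Listen 443

# Hostname and file paths are placeholders, not values from the thread.
<VirtualHost _default_:443>
    ServerName   www.example.com
    DocumentRoot "[apache_root]/htdocs"

    SSLEngine on
    SSLCertificateFile    "[apache_root]/conf/ssl.crt/server.crt"
    SSLCertificateKeyFile "[apache_root]/conf/ssl.key/server.key"

    # Defence in depth: if someone later re-adds a plaintext listener by
    # mistake, requests that did not arrive over TLS are still refused.
    <Directory "[apache_root]/htdocs">
        SSLRequireSSL
    </Directory>
</VirtualHost>
```

After restarting, confirm with `apachectl configtest` and `netstat -tln` (or `ss -tln`) that 443 is the only port httpd has open; a stray `Listen` in an included file shows up there immediately.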