Date: Sun, 22 Feb 1998 18:19:52 +0100
From: Andreas Klemm <andreas@klemm.gtn.com>
To: Mark Murray <mark@grondar.za>, Steve Price <steve@FreeBSD.ORG>
Cc: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-ports@FreeBSD.ORG
Subject: Re: cvs commit: ports/www/apache-ssl/patches patch-ad
Message-ID: <19980222181952.65257@klemm.gtn.com>
In-Reply-To: <199802182104.XAA03988@greenpeace.grondar.za>; from Mark Murray on Wed, Feb 18, 1998 at 11:04:46PM +0200
References: <199802182104.XAA03988@greenpeace.grondar.za>
--sdtB3X0nJg68CQEu
Content-Type: text/plain; charset=us-ascii

Some wishes for the apache ssl port.

a) install a _working_ httpd.conf file in ${PREFIX}/etc/apache-SSL
   instead of installing the default 1.2.5 config file and the
   really _small_ config file from the apache SSL configuration.
   I have merged both files to something usable, I send it to you
   in the attachment.

b) I see problems with port dependencies.
   People who want to install apache-ssl (httpsd) as their default
   webserver will run into the problem that all ports that run on
   top of apache will try to install apache additionally, because
   some ports (like my bb port) have the following port dependencies:

   BUILD_DEPENDS=  ${PREFIX}/sbin/httpd:${PORTSDIR}/www/apache

   and *not*

   BUILD_DEPENDS=  ${PREFIX}/sbin/httpsd:${PORTSDIR}/www/apache-ssl
                                      ^--- !

One more thing ...

Some applications - like eperl - automatically do some configuration
in the apache config file:

   ${PREFIX}/etc/apache/srm.conf

and *not*

   ${PREFIX}/etc/apache-SSL/srm.conf
                       ^^^^----- !

This nice level of user friendliness somehow breaks the ports scheme.

Other ports that have port dependencies to apache:

   lang/eperl
   net/bb
   www/wwwstat

What do you think would be a gentle way to get rid of this problem?

A) Remove the port dependency on the apache port, since there are
   other webservers in the ports collection as well, and nobody knows
   which one the user prefers?

   I personally dislike the idea, since I think the apache webserver
   is *first choice* as the webserver survey shows ... And I like the
   user friendly installation of bb, eperl and such ....

B) Make the ports aware of apache and apache-SSL!
   Use a global make variable in /etc/make.conf, that could be called

   #LOCAL_WEBSERVER=apache|apache-ssl|...
   LOCAL_WEBSERVER=apache

   We could then rewrite the ports that are looking for an apache
   webserver like this:

   .if ${LOCAL_WEBSERVER} == apache
   BUILD_DEPENDS=  ${PREFIX}/sbin/httpd:${PORTSDIR}/www/apache
   .else
   BUILD_DEPENDS=  ${PREFIX}/sbin/httpsd:${PORTSDIR}/www/apache-ssl
   .endif

The necessary modifications for ports to find the correct apache
config file directory would be more difficult. So I'd vote for
having apache and apache-ssl use the same config directory
-> ${PREFIX}/etc/apache !

What do you think of this?

	Andreas ///

-- 
Andreas Klemm
powered by ,,symmetric multiprocessor FreeBSD''

--sdtB3X0nJg68CQEu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="httpd.conf"

--- httpd.conf.orig Sun Feb 22 16:36:29 1998 +++ httpd.conf Sun Feb 22 17:11:44 1998 @@ -7,6 +7,8 @@ # Originally by Rob McCool +# apache-SSL specific configuration added by Andreas Klemm <andreas@FreeBSD.ORG> + # ServerType is either inetd, or standalone. ServerType standalone 
@@ -16,7 +18,59 @@ # Port: The port the standalone listens to. For ports < 1023, you will # need httpd to be run as root initially. -Port 80 +# +# SSL specific configuration +# + +# Secure server defaults to port 443 +Port 443 + +# Bind apache to portnumbers for normal and secure operations +Listen 80 +Listen 443 + +# disable ssl on normal webserver port +<VirtualHost titan.klemm.gtn.com:80> +SSLDisable +</VirtualHost> + +SSLCACertificatePath /usr/local/certs +SSLCACertificateFile /usr/local/certs/cert.pem +SSLCertificateFile /usr/local/certs/cert.pem + +# If the key is not combined with the certificate, use this directive to +# point at the key file. If this starts with a '/' it specifies an absolute +# path, otherwise it is relative to the default certificate area. That is, it +# means "<default>/private/<keyfile>". +#SSLCertificateKeyFile /some/place/with/your.key + +# Set SSLVerifyClient to: +# 0 if no certicate is required +# 1 if the client may present a valid certificate +# 2 if the client must present a valid certificate +# 3 if the client may present a valid certificate but it is not required to +# have a valid CA +SSLVerifyClient 0 +# How deeply to verify before deciding they don't have a valid certificate +SSLVerifyDepth 10 + +# Translate the client X509 into a Basic authorisation. This means that the +# standard Auth/DBMAuth methods can be used for access control. The user name +# is the "one line" version of the client's X509 certificate. Note that no +# password is obtained from the user. Every entry in the user file needs this +# password: xxj31ZMTZzkVA. See the code for further explanation. +SSLFakeBasicAuth + +# A home for miscellaneous rubbish generated by SSL. Much of it is duplicated +# in the error log file. +SSLLogFile /tmp/ssl.log + +# Custom logging +CustomLog /var/log/apache-ssl.log "%t %{version}c %{cipher}c %{clientcert}c" + +# +# EOF SSL specific configuration +# # HostnameLookups: Log the names of clients or just their IP numbers # e.g. 
www.apache.org (on) or 204.62.129.132 (off) @@ -49,7 +103,7 @@ # ServerRoot: The directory the server's config, error, and log files # are kept in -ServerRoot /usr/local/etc/apache +ServerRoot /usr/local/etc/apache-SSL # BindAddress: You can support virtual hosts with this option. This option # is used to tell the server which IP address to listen to. It can either @@ -189,5 +243,3 @@ #ErrorLog /var/log/host.some_domain.com-error_log #TransferLog /var/log/host.some_domain.com-access_log #</VirtualHost> - - --sdtB3X0nJg68CQEu--
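
Review bot: In the hunk at @@ -16,7 +18,59 @@, `SSLLogFile /tmp/ssl.log` puts a server log in /tmp, a world-writable directory, while the `CustomLog` line right after it already uses /var/log; I would move both under /var/log so the file cannot be pre-created or replaced by a local user. The same hunk hard-codes `<VirtualHost titan.klemm.gtn.com:80>`, which will not match on anyone else's machine if this file becomes the port's installed default, so a placeholder host name or a commented-out block would be safer. `SSLFakeBasicAuth` is switched on together with `SSLVerifyClient 0` (no certificate required), so there is no client certificate to translate into a user name; leaving it commented out by default also avoids relying on the fixed password mentioned in the comment above it. Minor: "certicate" in the SSLVerifyClient comment should read "certificate".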
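
Review bot: In the hunk at @@ -49,7 +103,7 @@, `ServerRoot /usr/local/etc/apache-SSL` hard-codes both /usr/local and the separate apache-SSL directory, while the covering mail refers to ${PREFIX} throughout and votes for apache and apache-ssl sharing ${PREFIX}/etc/apache. If the shared directory is the goal, this line should stay at the apache path, and either way the prefix should be substituted when the port installs the file rather than fixed here; the same applies to the /usr/local/certs paths in the SSL block.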