[solved] Apache settings

10 posts / 0 new
Last post
#1 Wed, 03/26/2008 - 04:13
desperatedcoolman

[solved] Apache settings

Using virtualmin released about a month ago

  1. Is it possible to limit the bandwidth and total traffic per month for each domain? I want to limit these on both http and ftp.

  2. Where can I select the global SSL cert for https to be used for all domain names? I have only one IP address for all domain names. I have modified the default SSL cert to be used for apache in the Apache section in Webmin, but after i created a new virtual host, an auto generated cert for this domain name overrode the default cert i chose.

Thanks very much for your time!<br><br>Post edited by: desperatedcoolman, at: 2008/04/04 10:00

Wed, 03/26/2008 - 15:52
Joe
Joe's picture

<div class='quote'>Using virtualmin released about a month ago</div>

You should always be running the latest version. We don't roll them out for our health. We build new versions because they fix bugs and add new features. ;-)

<div class='quote'>1. Is it possible to limit the bandwidth and total traffic per month for each domain? I want to limit these on both http and ftp.</div>

Look at the Bandwidth Monitoring page. There is an option there labeled &quot;Disable servers that exceed limit?&quot;

<div class='quote'>2. Where can I select the global SSL cert for https to be used for all domain names? I have only one IP address for all domain names. I have modified the default SSL cert to be used for apache in the Apache section in Webmin, but after i created a new virtual host, an auto generated cert for this domain name overrode the default cert i chose.</div>

You can't. Actually, you can, but you're imagining it works differently than it does. SSL needs an IP per domain--I'm not sure what you mean when you say &quot;an auto-generated cert&quot;, as Virtualmin won't create more than one SSL virtual server on a single IP. Apache has no way to decide what certificate to send--so it's always going to send the one for the first VirtualHost that matches the port/address. Any such cert is no better than an auto-generated cert for hostnames other than the one for which it was created...identity is unknown in either case.

So, let me see if I can make this more clear:

When a client connects to your server at IP 192.168.1.1 (for example) on port 443, Apache looks at its VirtualHost configuration sections, and finds the first one that matches those criteria. It sends out the SSL certificate, and the client verifies it with the issuer (or not and pops up a warning). Then, the hostname and request data are passed from the client to the server. Notice that the hostname is unknown to Apache until AFTER the certificate has been verified. You can't send a different one for different host names. What happens after that is irrelevant with regard to SSL--the connection is already established with the certificate that was sent based on the IP and port.

So, if Virtualmin is letting you create more than one SSL VirtualHost on a single IP address, it's a bug.

In short, if you need SSL on multiple domain names, you need multiple IP addresses. We're not going to make it easy to break SSL in order to pretend like you don't need an IP per domain for secure hosting.

(Oh, yeah, I know about the new protocol that allows name-based SSL hosting. This is not standard in any Apache version we support, yet, so it's not a factor in this discussion. We'll support it when Apache does. Security is not an area where we're willing to use experimental tools.)

--

Check out the forum guidelines!

Thu, 03/27/2008 - 00:09 (Reply to #2)
desperatedcoolman

yeah, I will update virtualmin soon.

Your explanation is very clear!! I understand it now! Actually I have just created only one SSL virtual host and so Virtualmin created a self signed cert for it (what i meant an auto generated cert).

I don't know whether virtualmin would allow me to create one more SSL virtual host. Later i would probably need to create some more SSL virtual host. Is there any trick to do these (I would still have only one IP address) ?

Thanks!

Thu, 03/27/2008 - 00:14 (Reply to #3)
Joe
Joe's picture

<div class='quote'>Is there any trick to do these (I would still have only one IP address) ?</div>

No. Re-read my explanation above, and hopefully it will become clear why it is impossible for there to be a &quot;trick&quot;. Only one certificate can be used for any specific IP:port combination. If you want to use another certificate, you MUST use a different IP or port. It's not optional, it's not something to be worked around, it's how the SSL protocol currently works.

--

Check out the forum guidelines!

Fri, 03/28/2008 - 19:45 (Reply to #4)
desperatedcoolman

Thanks.

But actually I just want a https connection between browsers and the server so that the data transferred is encrypted. I do not concern of the phishing site problem so, it doesn't matter if browsers show warning about incorrect cert.

I remember that another domain management tool &quot;Pxxsk&quot; allows users to create multiple SSL sites sharing the same cert, so I believe the more powerful virtualmin can do it.

Maybe my concept is incorrect, but I can't think of another way to secure the data transmission (say, password) between browsers and server. (not by using another port or another IP address)

Thanks very much for your time.

Sun, 03/30/2008 - 08:25 (Reply to #5)
desperatedcoolman

UP.

I've found the monitoring section which allows me to limit the max traffic per year, month, week or day. But, does virtualmin also install the apache mod to limit the transfer rate (for ftp as well?) ? say, max 50Kbps per connection and maximum 5 connections.

Thanks very much for your time!

Sun, 03/30/2008 - 16:03 (Reply to #6)
Joe
Joe's picture

Nope.

The only non-standard Apache module we currently ship and configure is mod_fcgid. And, of course, an Apache module can't do anything about FTP (FTP service is provided by a completely different daemon, ProFTPd, which has its own bandwidth management tool--which can be configured in the Webmin ProFTPd module, but FTP in a virtual host environment is rarely domain-based, so you have to specify limits based on the user rather than a &quot;virtual host&quot;).

We haven't had a lot of demand for bandwidth management within individual services. The problem with this is that you would have to use independent limits--you couldn't say &quot;I want to limit Virtualmin.com to 200GB of transfer per month&quot;, you could only say, &quot;I want to limit Virtualmin.com web traffic to 150GB of transfer per month, FTP traffic to 20GB per month, and mail traffic to 30GB per month&quot;. This would be kinda hostile to your users, if you've told them they have 200GB of transfer, but they actually start bumping into limits long before that for some services...or you could allow all services to max out at 200GB, but the Virtualmin limit would ALWAYS kick in first and either send an overage warning or shut down the site or both, depending on how you've configured it. I do understand the desire for throttling and fair queueing, but I'm not sure how to implement that within the Virtualmin framework--it really depends on so many factors that it seems like everybody would have very different requirements. Any &quot;one size fits all&quot; approach we took to the problem would be doomed to failure, I think.

But, I'll look into the existing bandwidth management products for Apache out there and see if one is smart enough to be able to deal with a generic set of rules that gets applied to everybody (with per-domain limits or priorities).

--

Check out the forum guidelines!

Sun, 03/30/2008 - 16:05 (Reply to #7)
Joe
Joe's picture

BTW-It's a good idea to start a new thread when you want to bring up a new topic. We've got thirty or forty active threads going at any one time, and it's difficult to provide good answers concisely when I can't easily figure out what the subject of the thread is.

--

Check out the forum guidelines!

Sun, 03/30/2008 - 16:20 (Reply to #8)
Joe
Joe's picture

<div class='quote'>I remember that another domain management tool &quot;Pxxsk&quot; allows users to create multiple SSL sites sharing the same cert, so I believe the more powerful virtualmin can do it.</div>

They're wrong for doing so. ;-)

But you can pretend like it's OK by adding an SSL configuration something like this:

[code:1]
&lt;VirtualHost 192.168.1.1:443&gt;
ServerName example.com
SSLEngine on
SSLCertificateFile /path/to/your.cert
SSLCertificateKeyFile /path/to/your.key

DocumentRoot /home/example/public_html
&lt;/VirtualHost&gt;
[/code:1]

Note that I'm not recommending this. I'm actually recommending against it. But, if you really want to use SSL without identity verification, this is the way you'd do it.

Doing this automatically is actually harder than I'd first assumed...You can't just add a section like this to the Server Templates Apache Website field, as it'll get double-wrapped in a VirtualHost section, which will fail.

I guess I don't actually have a good answer for how to do this. It's really not a good idea, and newer browsers are going to fight you on it, more aggressively each day, as identity is becoming more and more of a security concern.

--

Check out the forum guidelines!

Fri, 04/04/2008 - 09:59 (Reply to #9)
desperatedcoolman

Thanks very much!
Waiting for your new module about limiting traffic!