Browsing articles tagged with "ssl - 2/83 - Admins Goodies"
Oct 16, 2012
tom

SSL Proxy: Forwarding without the encryption

I have a python application listening on port 9001 for HTTP traffic. I’m trying to configure Apache (or anything, really) to listen on port 443 for HTTPS connections, and then forward the connection, sans encryption, to port 9001 on the same machine. My application would then reply via the proxy, where the encryption would be reapplied, and returned to the client transparently. I’m not doing anything crazy with the site names and SSL certs, I [...]

Oct 13, 2012
tom

Is it possible to do client certificate authentication without running HTTPS on a webserver?

(Please note: this question is one of many “why don’t you just try it?” questions. I certainly will, but since I haven’t found an obvious answer by googling, I thought I might as well make it easier for someone who might need this later by asking on ServerFault) My web application is served over HTTPS behind some load balancers and allows users to authenticate using client certificates in some cases. Now I’m being asked whether [...]

Oct 10, 2012
tom

Invisible Apache redirect

I would like subdomain.mydomain.com to invisibly redirect to https://[myServerIP]:2083. (There is an SSL issue here). So far I managed to do it, but the redirection is visible and I don’t want it:

    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP_HOST} ^subdomain.\.mydomain\.com$
    RewriteRule ^ https://[myServerIP]:2083/

Would there be a way to achieve the same redirection while permanently maintaining my beautiful “subdomain.mydomain.com” in the address bar? EDIT with the ProxyPass directive: I tried some variations with ProxyPass but it will [...]

Oct 9, 2012
tom

Watchguard SSL VPN and Outlook 2010

Recently I installed a WatchGuard XTM 21 appliance. Everything went fine until I updated from Office 2007 to Office 2010. Behind my WatchGuard appliance I’ve got an Exchange 2007 server, which I was able to reach with Outlook 2007 (when working remotely over an SSL VPN connection). Now with Outlook 2010, working remotely over SSL VPN, I’m not able to reach my Exchange server. Do I need to change some settings, (port configuration?) specific for Outlook [...]

Oct 7, 2012
tom

Strategy to isolate multiple nginx ssl apps with single domain via suburi’s?

Warning: so far I have only learnt how to use nginx to serve apps with their own domain and server block. But I think it’s time to dive a little deeper. To mitigate the need for multiple SSL certificates or expensive wildcard certificates I would like to serve multiple apps (e.g. rails apps, php apps, node.js apps) from one nginx server_name. e.g. rooturl/railsapp rooturl/nodejsapp rooturl/phpshop rooturl/phpblog I am unsure of the ideal strategy. Some examples I [...]

Oct 2, 2012
tom

Apache Key: Which is it using?

I’m running an Apache server on Ubuntu. When I restart it, it asks me for a pass phrase; here’s what the dialog looks like:

    Apache/2.2.16 mod_ssl/2.2.16 (Pass Phrase Dialog)
    Some of your private key files are encrypted for security reasons.
    In order to read them you have to provide the pass phrases.

    Server 127.0.0.1:443 (RSA)
    Enter pass phrase:

I’ve already worked out how to remove the pass phrase from the key file in question, but [...]

Sep 30, 2012
tom

Disable all but RC4 in apache

Our PCI compliance vendor requires that we disable all but RC4 encryption on our web server. Currently our apache config file looks like this:

    SSLHonorCipherOrder On
    SSLCipherSuite RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC:!aNull:!eNull:!LOW:!SSLv2

However, https://www.ssllabs.com reports the following ciphers are allowed:

    TLS_RSA_WITH_RC4_128_SHA
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA

How can I configure apache to only allow RC4?

Asked by Daniel

Turns out it was pretty easy. The “High” option in my original question was including the other ciphers. By reducing it to [...]

Sep 25, 2012
tom

Designing server setup for 80 req/sec site – will this do?

I am tasked with designing a server setup for a site that has to handle about 5k requests per minute (80 – 90 per second). The only constraints that I am aware of are that the site probably will be written in Django and most, if not all, of the traffic will be encrypted. Will the following server setup be enough to handle these requirements? With this being my first such serious job I would [...]

Sep 21, 2012
tom

Windows server 2008R2: Monitoring the amount of available entropy

Is there any simple way of monitoring the amount of available entropy (random data) on Windows? I’m using Windows Server 2008R2 and Apache+SSL on VMware, and I’m a bit worried about starving the entropy pool. On Linux, this is available via /proc/sys/kernel/random/entropy_avail

Asked by Tommy

Windows always has enough entropy in the PRNG. The question is the quality of this entropy. This document and this document describe this topic very deeply. To improve quality of entropy is good [...]

Sep 20, 2012
tom

How do I import certificate (.CER) in IIS

I have created certificates based on this tutorial: http://ondrej.wordpress.com/2010/01/24/iis-7-and-client-certificates/ Then I have imported “MyPersonalCA.cer” on the IIS host server based on this tutorial: http://www.networksolutions.com/support/installation-of-an-ssl-on-certificate-microsoft-iis-7-x/ I had to import the certificate via MMC, because IIS is giving me an error: “Cannot find the certificate request associated with this certificate file. A certificate request must be completed on the computer where it was created.” As stated this is a known bug, but I can’t get past the error. [...]