World: r3wp
[!Cheyenne] Discussions about the Cheyenne Web Server
Janko 22-Aug-2009 [5561x2] | So far the faster static serving is not so crucial to me.. I want the more reliable and less complicated option .. neither seem very complicated from looking at it |
Doc: did you use the stunnel config like it's in that example link I gave? | |
Dockimbel 22-Aug-2009 [5563] | Yes, like the one in section "10. Running the server". You also need to block direct access on port 80 for your SSL protected resources. There are various ways to achieve that, like using a local firewall to block incoming traffic on port 80 from outside (but not from localhost), or, per webapp, using a custom 'on-page-start handler testing the server port of the incoming request (and rejecting it if port<>443). |
Janko 22-Aug-2009 [5564] | I was thinking of giving users a choice to use or not use http or https .. so I would leave both open (if that doesn't mean something bad which I don't know) |
Dockimbel 22-Aug-2009 [5565] | If the choice is up to the user, then both ports will stay open, that should be the easiest way to handle it, AFAICT. |
Janko 22-Aug-2009 [5566x2] | ok, then I will go that way |
thanks | |
Graham 22-Aug-2009 [5568] | How does it work with virtual hosts? Do you need a certificate for each host? |
Janko 23-Aug-2009 [5569x2] | I think you need a certificate per domain (more than one subdomain can be handled by 1 so called wildcard cert.) |
I got response from them on my mail with company data.. they couldn't validate me yet because I bought the domain on my personal name and cert is on company .. I need to change that in whois info (I hope it's even possible) | |
Graham 23-Aug-2009 [5571] | so does stunnel handle multiple certificates? Anyone know? |
Gabriele 23-Aug-2009 [5572] | Graham, TLS allows for "virtual hosting" so that you can have multiple certificates on the same IP address. however, older clients (SSL) don't know about that, so in general, it's "one IP address for each certificate". |
Graham 23-Aug-2009 [5573] | Stunnel can provide both SSL and TLS ... not clear though if it will do the job |
Janko 23-Aug-2009 [5574] | I got the comodo certificate now .. I got my crt and 4 immediate crts and 1 root crt .. got to figure out how to use this with stunnel now .. the example shows that you have .pem file |
Graham 23-Aug-2009 [5575] | Looks like stunnel supports multiple certificates. |
Janko 23-Aug-2009 [5576x10] | I read here .. I concatenated them together accordingly , now I get --- 2009.08.23 10:51:23 LOG3[17421:139883801568992]: SSL_CTX_use_RSAPrivateKey_file: B080074: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch |
according to this: http://www.aprelium.com/forum/viewtopic.php?p=57622 | |
I concated all these certs + put private key at the top but it seems it doesn't work... anyone knows more about this, should I use just one intermediate CA or all of them, is the order important? * Root CA Certificate - AddTrustExternalCARoot.crt * Intermediate CA Certificate - UTNAddTrustSGCCA.crt * Intermediate CA Certificate - ComodoUTNSGCCA.crt * Intermediate CA Certificate - ComodoHighAssuranceSecureServerCA.crt * Your Comodo InstantSSL Certificate - www_cebelca_biz.crt | |
I keep getting key values mismatch no matter what I tried so far... I found out this.. the key/cert/CAfile in conf doesn't seem to matter as it checks /etc/stunnel/stunnel.pem anyway .. so I commented them out. If I delete the pem file I get appropriate errors, so it checks for this file.. If I remove RSA PRIV KEY from first line I get an Error saying something about RSA KEY no start line. If I remove CA certificates below I get an Error saying SSL CERT no start line .. If I concat them all like this >> cat myserver.key AddTrustExternalCARoot.crt UTNAddTrustSGCCA.crt ComodoUTNSGCCA.crt ComodoHighAssuranceSecureServerCA.crt www_cebelca_biz.crt >> stunnel.pem (first the PRIV KEY, then ALL THE CERTS in same order as they are listed in email to me.. with cebelca.biz.crt as last) I get the "key values mismatch" which I think means that the priv key and certs don't match | |
I tried using the pem file I can generate on stunnel page and I see that its certs and privkey are half shorter... maybe I don't have the right version type or something of encryption setup? | |
I got it working with that sample pem .. the stupid mistake is that if you uncomment it like this ; [https] accept = 443 connect = 80 TIMEOUTclose = 0 instead of like this [https] accept = 443 connect = 80 TIMEOUTclose = 0 you get some strange errors ... now I need to make those bought certs work somehow ( I WILL WRITE A TUTORIAL ABOUT THIS .. how to setup cheyenne with stunnel) | |
where did my last message go? | |
(messages are here after restart .. sorry) | |
I compared the modulus and public exponent of key and cert and they are the same, but I saw another thing.. related to "half length" of the key that worked. | |
When stunnel starts it says "Wrote 1024 new random bytes to /root/.rnd" .. the certs are 2048 bit .. do you think the problem could be that stunnel expects the 1024 byte cert/key? (the sample cert/key that worked was 1024 byte) | |
Will 23-Aug-2009 [5586] | I use apache2-MPM as a reverse proxy in front of Cheyenne for the same reasons (static serving, ssl), works flawlessly, but now it's time to move to nginx. Looking at MacPorts variants for nginx, there are many options that I find interesting: root/trunk/build alpha% port variants nginx nginx has the variants: dav: Add WebDAV support to server flv: Add FLV (Flash Video) streaming support to server mail: Add IMAP4/POP3 mail proxy support ssl: Add SSL (HTTPS) support to the server, and also to the mail proxy if that is enabled status: Add /nginx_status support to the server perl5: Add perl support to the server directly within nginx and call perl via SSI realip: Using nginx as a backend addition: Append text to pages substitution: Replace text in pages gzip_static: Avoids compressing the same file each time it is requested google_perftools: Enable Google Performance Tools profiling for workers upload: Enable Valery Kholodkov's upload module (http://grid.net.ru/nginx/upload.en.html) universal: Build for multiple architectures |
Janko 23-Aug-2009 [5587x2] | I will try installing nginx too now... I was trying this with stunnel for 3 hours and googled all I could think of without much luck.. I learned a lot more about certs, that is good |
Probably it's something about how I create the pem .. maybe I didn't position them right (because I see nothing related to 1024 2048 that I suspected) | |
Will 23-Aug-2009 [5589x2] | some benchmarks http://blog.mudy.info/tag/nginx/interesting performances! 8) |
Tried stunnel once, had stability issues, but that may have been me or the OSX implementation.. | |
Janko 23-Aug-2009 [5591x5] | Well I am afraid it won't be so easy with nginx either.. I need to take a break, I will try again in the evening.. if anyone successfully set up chained ssl certs with stunnel .. any hint is more than welcome |
I got nginx running with my cert ... I got the same error as stunnel, but then I found that my cert must be first and the others in the chain later .. reverse to some examples on the net and to stunnel examples (maybe there it is the same thing?) | |
now I need to make it reverse proxy to cebelca | |
Yay it works !!! | |
screenshot of latest version of cebelca btw: http://www.refaktor.si/blog/img/cebelca.biz.norm.png | |
Graham 23-Aug-2009 [5596] | I wrote a how to on setting up stunnel with cheyenne a couple of years ago ... it was easy. Now i just have to find where I published it! |
Henrik 23-Aug-2009 [5597] | Could be useful to have on the cheyenne site. |
Janko 23-Aug-2009 [5598] | Graham .. did you have multiple certificates (root, intermediate and yours)? |
Will 23-Aug-2009 [5599] | nginx rules! |
Graham 23-Aug-2009 [5600] | no. |
Dockimbel 24-Aug-2009 [5601] | SVN revision 12: Response/redirect default code changed to 302 (issuing a 303 could cause unwanted effect on HEAD requests). /TEMP option replaced by /STRICT for sending back code 303. RSP API documentation updated accordingly. |
Robert 24-Aug-2009 [5602] | I use lighttpd and reverse proxy to Cheyenne. Works great. |
Graham 24-Aug-2009 [5603] | Has anyone created a RSP site where every page can be edited via the browser? I think rebol.com is like that ... |
Dockimbel 25-Aug-2009 [5604] | SVN r13, minor fixes : o RSP: fix for scripts not returning any data (test.rsp: <% 1 %>) o RSP: words in sandbox context renamed to lower the risk of collision with user script words. |
Graham 26-Aug-2009 [5605x2] | Maybe a rebol-to-json function could be included into Cheyenne ... |
If we can get one that works! | |
Dockimbel 26-Aug-2009 [5607] | :-) |
Maxim 26-Aug-2009 [5608x2] | working on it ;-) |
yess... done ! | |
Dockimbel 26-Aug-2009 [5610] | JSON built in Cheyenne: (replying in javascript channel) |