[olug] Building a web server for both security and performance in 2011
Sam Tetherow
tetherow at shwisp.net
Thu Sep 1 15:37:20 UTC 2011
Can't you use a wildcard cert for this?
On 9/1/11 10:05 AM, Lou Duchez wrote:
> Hard for me to say for sure, I'm not the best test environment, and
> mostly I'm using the certificates for Email. I remember doing some
> quick testing with the StartSSL certificate and the Web server, and I
> think it worked okay on IE and Opera (and possibly Firefox), but I
> didn't test extensively.
>
> This discussion reminds me of a sad truth about SSL and HTTP: you can
> have only one zone / domain certificate per port. In other words, if
> you've got two domains ("foo.com" and "bar.com") and you want to set
> up SSL sites for "secure.foo.com", "secure.bar.com",
> "private.foo.com", and "private.bar.com", they all have to be on
> different ports, and only one of them can get the coveted default port
> of 443. This is because the SSL is sorted out long before the HTTP
> request's headers have been picked apart, so the Web server can't look
> for the "right" certificate only after figuring out which virtual
> domain the request is for. Rather, the Web server has to decide which
> certificate based on the port, and once that's done, the HTML headers
> had better agree with the certificate.
>
> I would say it's worth trying startssl.com; at most it will cost you
> time, not money. Think of it this way: you can experiment with
> domains you really don't have any interest in securing, without
> feeling like a chump who wasted $50.
>
>
>> Does StartSSL present a warning to unmodified IE/Firefox/Safari/Chrome?
>>
>> On Thu, Sep 1, 2011 at 09:18, Lou Duchez<lou at paprikash.com> wrote:
>>> I've been experimenting with SSL from startssl.com. It's free, and
>>> it seems to work well enough so far.
>>>
>>> Also, where my Web apps require a login / password, I try to hook
>>> them into Fail2Ban, so that repetitive failed logins trigger a
>>> temporary IP ban and an E-Mail to the admin.
>>>
>>>> generally, yes, the big issue we ran into with selinux was having a
>>>> web page be able to gpg a file
>>>>
>>>>
>>>> I'd add to my list run ssl - for $50 at godaddy (or less other
>>>> places), there's almost no reason not to
>>>>
>>>>
>>>>
>>>> -barry
>>>>
>>>>
>>>>
>>>>
>>>> On 8/31/2011 11:26 PM, Kevin wrote:
>>>>> On CentOS/RHEL, SELinux is actually not all that bad. Certainly on
>>>>> any system I was hardening, I would enable it.
>>>>>
>>>>> On Wed, Aug 31, 2011 at 18:36, Barry Von Ahsen<barry at vonahsen.com> wrote:
>>>>>> generally I:
>>>>>>
>>>>>> * don't load/remove modules I don't need
>>>>>> * remove the dumb default .conf files my distro adds (centos/rhel)
>>>>>> * run mod_security
>>>>>> * run php-suhosin
>>>>>>
>>>>>> in theory, also run selinux/apparmor, but it's usually been more
>>>>>> trouble than it's worth
>>>>>>
>>>>>> -barry
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 08/30/2011 04:51 PM, T. J. Brumfield wrote:
>>>>>>> I've tried to keep up on best practices over the years, but I'm
>>>>>>> always wondering if there are tips and tricks out there that I'm
>>>>>>> not aware of, especially when it comes to securing a web server.
>>>>>>>
>>>>>>> If you were putting together a standard for a web Linux server
>>>>>>> today, what would you recommend?
>>>>>>>
>>>>>>> -- T. J. Brumfield
>>>>>>> _______________________________________________
>>>>>>> OLUG mailing list
>>>>>>> OLUG at olug.org
>>>>>>> https://lists.olug.org/mailman/listinfo/olug
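Sam's wildcard question, checked against the four hostnames Lou lists, as an added example that is not code from the thread: it applies the usual browser rules for matching a hostname to a certificate's DNS names (the certificate name lists are constructed here) and shows that one "*.foo.com" certificate covers both foo.com hosts but neither bar.com host, so two domains need two names in the certificate or two certificates.

```python
"""Match hostnames against a certificate's DNS names (RFC 6125 rules).

Added example, not from the thread. Certificate name lists are constructed.
"""
import re

# The four hostnames from Lou's message; the certificate names are constructed.
HOSTS = ["secure.foo.com", "secure.bar.com", "private.foo.com", "private.bar.com"]
WILDCARD_ONLY = ["*.foo.com"]                 # one wildcard cert for foo.com
SAN_BOTH_DOMAINS = ["*.foo.com", "*.bar.com"]  # one cert listing both domains

_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.

    Rules applied (RFC 6125 section 6.4.3, as browsers enforce them):
    - comparison is case-insensitive and a trailing dot is ignored;
    - a wildcard is only honoured as the whole leftmost label ("*.foo.com");
    - "*" matches exactly one label, so "*.foo.com" matches neither
      "foo.com" nor "a.b.foo.com";
    - a bare "*.com" style name is rejected (needs at least two fixed labels).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels and all(_LABEL.match(lab) for lab in h_labels)
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:] and bool(_LABEL.match(h_labels[0]))


def hostname_covered(cert_names, hostname):
    """True if any DNS name in the certificate covers the hostname."""
    return any(_dns_name_matches(name, hostname) for name in cert_names)


def coverage(cert_names, hosts):
    """Map each hostname to whether the certificate would be accepted for it."""
    return {h: hostname_covered(cert_names, h) for h in hosts}


if __name__ == "__main__":
    print("*.foo.com only:", coverage(WILDCARD_ONLY, HOSTS))
    print("*.foo.com + *.bar.com:", coverage(SAN_BOTH_DOMAINS, HOSTS))
```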