RE: [users@httpd] How to skip setting HSTS header for certain virtual hosts only?

2014-10-06 Thread Eddie B
Is it possible to add an AND clause to the IF, so that it only adds the header when env=HTTPS? Thanks!

Re: [users@httpd] How to skip setting HSTS header for certain virtual hosts only?

2014-10-06 Thread Igor Cicimov
On Tue, Oct 7, 2014 at 9:22 AM, Eddie B wrote: > I set HSTS for HTTPS only, using this directive at the beginning of > httpd.conf (apache 2.2) > > > > > > Header add Strict-Transport-Security "max-age=15768000;includeSubDomains" > env=HTTPS > > > > > > How can I tell Apache to not set HSTS for

[users@httpd] How to skip setting HSTS header for certain virtual hosts only?

2014-10-06 Thread Eddie B
I set HSTS for HTTPS only, using this directive at the beginning of httpd.conf (apache 2.2) Header add Strict-Transport-Security "max-age=15768000;includeSubDomains" env=HTTPS How can I tell Apache to not set HSTS for specific virtual hosts (using some type of IF statement) using one

Re: [users@httpd] How is this possible? Apache sends HSTS on a non valid cert but user can proceed, on compatible browser

2014-10-06 Thread Scott (firstclasswatches.co.uk)
Yes, HSTS requests over HTTP are ignored anyway for similar reasons. Kind Regards, Scott First Class Watches 9 Warwick Road Kenilworth CV8 1HD Warwickshire United Kingdom On 6 October 2014 23:19, Eddie B wrote: > Great answer, thank you Scott. > > > > Do you recommend only setting the HSTS he

RE: [users@httpd] How is this possible? Apache sends HSTS on a non valid cert but user can proceed, on compatible browser

2014-10-06 Thread Eddie B
Great answer, thank you Scott. Do you recommend only setting the HSTS header for https requests?

Re: [users@httpd] How is this possible? Apache sends HSTS on a non valid cert but user can proceed, on compatible browser

2014-10-06 Thread Scott (firstclasswatches.co.uk)
Hello, Not strictly a httpd specific issue but nevertheless, Chrome/Firefox should ignore the header because it is not delivered with a valid certificate and thus there is no way of knowing if it was actually issued by the website. You should get the expected result if you first respond with an H

[users@httpd] How is this possible? Apache sends HSTS on a non valid cert but user can proceed, on compatible browser

2014-10-06 Thread Eddie B
I have an https server that sets the HSTS header, but up to date Chrome (and other HSTS compatible browsers, such as Firefox 32) still let the user proceed to HTTPS. Isn't the specific reason HSTS exists to prevent users from proceeding? Here's the server: http://pastebin.com/JFJw1m40 How i

Re: [users@httpd] Cannot get certificate chain to work.

2014-10-06 Thread Daniel
I found myself in a similar situation and I couldn't find the reason but I did find a workaround. To work around this, make a pkcs12 file with all files in it, your private key and the whole chain up until the root CA certificate, then extract them back out from that pkcs12, using the extracted fi

[users@httpd] Cannot get certificate chain to work.

2014-10-06 Thread dE
Hi. I'm in a situation where I got 3 certificates server.pem -- the end user certificate which's sent by the server to the client. intermediate.pem -- server.pem is signed by intermediate.pem's private key. issuer.pem -- intermediate.pem is signed by issuer.pem's private key. combined.pem is

Re: [users@httpd] Too many vhosts?!?!

2014-10-06 Thread Nick Kew
On 6 Oct 2014, at 14:16, Jakov Sosic wrote: > There isn't a large number of clients, it's only a large number of vhosts - > which translates in large number of FDs in use. So you've made the most obvious diagnosis yourself. To test that, why not try it with a logger that doesn't involve an FD

Re: [users@httpd] Too many vhosts?!?!

2014-10-06 Thread Jakov Sosic
On 10/06/2014 03:06 PM, Tom Evans wrote: Why do you think it has anything to do with httpd? This is firmly a "When I do things with PHP, PHP doesn't work therefore httpd has a problem" type diagnosis. I'm sorry that I pointed my finger at httpd. It could be anything in the chain (HW - ke

Re: [users@httpd] Too many vhosts?!?!

2014-10-06 Thread Tom Evans
On Sun, Oct 5, 2014 at 9:22 PM, Jakov Sosic wrote: > Hi guys. > > I'm running CentOS 6 with latest httpd (2.2.15-31.el6). > > > I've noticed a very peculiar problem with Apache. I have a very high number > of virtual hosts set up - it's around 501. > > Problems started occurring after vhost number