git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [users@httpd] More ssh setup question


On Thu, May 3, 2018 at 9:29 AM Dunson, Jarrell R <jrdu235@xxxxxxxxx> wrote:

Ok ... some of the guidance I see/hear refers to the setting up a .ssh/authorized_keys directory for each user that logs in ...   However, if I understand correctly (?) this would be the case for individuals... logging onto some other remote server?

Correct. SSH keys are for logging into the server directly. (There are some situations when you would want to be able to log in as the use HTTPD is running as - for example, some continous deployment schemes, but that isn't usually necessary.)

For the set up of a https-enabled website, then, you are saying I don't need to set up an .ssh/authorized_keys file? 

In other words, for Apache, I would  only need to use something like this in my httpd-vhosts.conf file

NameVirtualHost *:443

<VirtualHost *:443>
ServerName www.yoursite.com
DocumentRoot /var/www/site
SSLEngine on
SSLCertificateFile /path/to/www_yoursite_com.crt
SSLCertificateKeyFile /path/to/www_yoursite_com.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

You didn't say which version of HTTPD you are using, but NameVirtualHost isn't used in 2.4.
That does look like a reasonable starter configuration. 
You might want to make sure you have logging enabled - many people like to have separate logs for each vhost.
ErrorLog ${APACHE_LOG_DIR}/sitename_error.log
CustomLog ${APACHE_LOG_DIR}/sitename_access.log combined
If your SSLCertificateFile has the chain in it (LetsEncrypt certificates do by default), then you don't need SSLCertificateChainFile.
There are some other security settings you might want to change. You can check your site at https://www.ssllabs.com/ssltest/ to see how secure it is.
Also, it seem some administrators include / configure the httpd-ssl.conf file, and others do not... they just use the httpd-vhosts.conf file (?) ... do we need to use httpd-ssl.conf ?

You can put any configuration in any file you want. Debian/Ubuntu recommend having one file for each site you are serving.
 
For instance, one Youtube ( https://www.youtube.com/watch?v=TH6evGKgy20 ) says use Mod SSL:




You do need mod_ssl to be loaded, but that is usually in the main config file - or for Debian/Ubuntu, in a separate config file for the specific module.
 
Any guidance would help...
 thanks
 Jarrell


On 5/2/2018 4:59 PM, Eric Covener wrote:
On Wed, May 2, 2018 at 4:53 PM, Dunson, Jarrell R <jrdu235@xxxxxxxxx> wrote:
Hey all,

 for a new web server, so we need to create a .ssh directory and store the
public key in

.ssh/authorized_keys? If so, where does doe the directory need to be placed
- underneath DocumentRoot?
Your ssh setup shouldn't have anything to do with your webserver.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


-- 
Jarrell R. Dunson, III
Associate Director, Information Services
University of Kentucky Office of Philanthropy
Lexington, KY 40506-0015
859-257-5613 
www.uky.edu/philanthropy

PNG image

PNG image