[olug] Building a web server for both security and performance in 2011

Lou Duchez lou at paprikash.com
Thu Sep 1 15:05:43 UTC 2011


Hard for me to say for sure, I'm not the best test environment, and 
mostly I'm using the certificates for Email.  I remember doing some 
quick testing with the StartSSL certificate and the Web server, and I 
think it worked okay on IE and Opera (and possibly Firefox), but I 
didn't test extensively.

This discussion reminds me of a sad truth about SSL and HTTP: you can 
have only one zone / domain certificate per port.  In other words, if 
you've got two domains ("foo.com" and "bar.com") and you want to set up 
SSL sites for "secure.foo.com", "secure.bar.com", "private.foo.com", and 
"private.bar.com", they all have to be on different ports, and only one 
of them can get the coveted default port of 443.  This is because the 
SSL is sorted out long before the HTTP request's headers have been 
picked apart, so the Web server can't look for the "right" certificate 
only after figuring out which virtual domain the request is for.  
Rather, the Web server has to decide which certificate based on the 
port, and once that's done, the HTML headers had better agree with the 
certificate.

I would say it's worth trying startssl.com; at most it will cost you 
time, not money.  Think of it this way: you can experiment with domains 
you really don't have any interest in securing, without feeling like a 
chump who wasted $50.


> Does StartSSL present a warning to unmodified IE/Firefox/Safari/Chrome?
>
> On Thu, Sep 1, 2011 at 09:18, Lou Duchez <lou at paprikash.com> wrote:
>> I've been experimenting with SSL from startssl.com.  It's free, and it seems
>> to work well enough so far.
>>
>> Also, where my Web apps require a login / password, I try to hook them into
>> Fail2Ban, so that repetitive failed logins trigger a temporary IP ban and an
>> E-Mail to the admin.
>>
>>> generally, yes, the big issue we ran into with selinux was having a web
>>> page be able to gpg a file
>>>
>>>
>>> I'd add to my list run ssl - for $50 at godaddy (or less other places),
>>> there's almost no reason not to
>>>
>>>
>>>
>>> -barry
>>>
>>>
>>>
>>>
>>> On 8/31/2011 11:26 PM, Kevin wrote:
>>>> On CentOS/RHEL, SELinux is actually not all that bad. Certainly on any
>>>> system I was hardening, I would enable it.
>>>>
>>>> On Wed, Aug 31, 2011 at 18:36, Barry Von Ahsen <barry at vonahsen.com> wrote:
>>>>> generally I:
>>>>>
>>>>> * don't load/remove modules I don't need
>>>>> * remove the dumb default .conf files my distro adds (centos/rhel)
>>>>> * run mod_security
>>>>> * run php-suhosin
>>>>>
>>>>> in theory, also run selinux/apparmor, but it's usually been more trouble
>>>>> than it's worth
>>>>>
>>>>> -barry
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 08/30/2011 04:51 PM, T. J. Brumfield wrote:
>>>>>> I've tried to keep up on best practices over the years, but I'm always
>>>>>> wondering if there are tips and tricks out there that I'm not aware of,
>>>>>> especially when it comes to securing a web server.
>>>>>>
>>>>>> If you were putting together a standard for a web Linux server today,
>>>>>> what
>>>>>> would you recommend?
>>>>>>
>>>>>> -- T. J. Brumfield
>>>>>> _______________________________________________
>>>>>> OLUG mailing list
>>>>>> OLUG at olug.org
>>>>>> https://lists.olug.org/mailman/listinfo/olug


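The Fail2Ban hookup Lou mentions in the quoted message (repetitive failed logins trigger a temporary IP ban and a notice to the admin), as an added example that is not from the thread and not Fail2Ban's own code: the block replays constructed web-app log lines the way a jail does, with a failregex-style pattern, a maxretry count inside a findtime window, and a bantime, and renders the firewall rule and admin notice a ban would produce. The log format, the regex, the sample addresses and the thresholds are all chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines from a hypothetical web-app auth log (not from the post), in time order.
SAMPLE_LOG = """\
2011-09-01 15:00:01 webapp: login failed for user 'admin' from 203.0.113.7
2011-09-01 15:00:03 webapp: login failed for user 'admin' from 203.0.113.7
2011-09-01 15:00:04 webapp: login ok for user 'lou' from 198.51.100.2
2011-09-01 15:00:06 webapp: login failed for user 'root' from 203.0.113.7
2011-09-01 15:00:09 webapp: login failed for user 'test' from 203.0.113.7
2011-09-01 15:00:10 webapp: login failed for user 'test' from 203.0.113.7
2011-09-01 15:20:00 webapp: login failed for user 'bob' from 198.51.100.2
2011-09-01 15:40:00 webapp: login failed for user 'bob' from 198.51.100.2
2011-09-01 16:00:00 webapp: login failed for user 'bob' from 198.51.100.2
2011-09-01 16:20:00 webapp: login failed for user 'bob' from 198.51.100.2
2011-09-01 16:40:00 webapp: login failed for user 'bob' from 198.51.100.2
"""

# The equivalent of a fail2ban filter's failregex; the named group "host" plays the role of <HOST>.
FAILREGEX = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) webapp: login failed for user '[^']*' from (?P<host>\S+)$"
)


def parse_failures(text):
    """Yield (timestamp, ip) for every line matching FAILREGEX; other lines are ignored."""
    for line in text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("host")


def find_bans(text, maxretry=5, findtime=600, bantime=3600):
    """Replay the log the way a jail would: ban an IP once it has maxretry failures
    inside any findtime-second window; return [(ip, ban_start, ban_end)]."""
    recent = defaultdict(deque)      # ip -> failure timestamps still inside the window
    banned_until = {}
    bans = []
    for ts, host in parse_failures(text):
        if host in banned_until and ts < banned_until[host]:
            continue                 # the firewall rule is already dropping this source
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()         # expire failures older than findtime
        if len(window) >= maxretry:
            until = ts + timedelta(seconds=bantime)
            banned_until[host] = until
            bans.append((host, ts, until))
            window.clear()
    return bans


def ban_actions(bans):
    """Render, per ban, the firewall rule and the admin notice a jail's action would emit."""
    return [
        (f"iptables -I INPUT -s {ip} -j DROP",
         f"Banned {ip} at {start:%Y-%m-%d %H:%M:%S} until {end:%Y-%m-%d %H:%M:%S}")
        for ip, start, end in bans
    ]


if __name__ == "__main__":
    for rule, notice in ban_actions(find_bans(SAMPLE_LOG)):
        print(rule)
        print(notice)
```

With these thresholds the burst from 203.0.113.7 is banned at its fifth failure, while 198.51.100.2, which fails once every twenty minutes, never has five failures inside the ten-minute window and is never banned; raising findtime (for example to two hours) catches it too. The trade-off is the usual one for this kind of detection: a longer window catches slow guessing but also bans clumsy legitimate users sooner.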

