[olug] Building a web server for both security and performance in 2011

Kevin sharpestmarble at gmail.com
Thu Sep 1 15:39:19 UTC 2011


I will agree with one addendum: another IP can also work. You can set
Apache (and almost certainly others) to Listen on a different IP/port
combination. That will also work, because the client makes the
connection to another IP, and thus the system knows who you (the
client) are trying to connect to.

Is there a correlation here between scp/sftp/ftps?

On Thu, Sep 1, 2011 at 10:05, Lou Duchez <lou at paprikash.com> wrote:
> Hard for me to say for sure, I'm not the best test environment, and mostly
> I'm using the certificates for Email.  I remember doing some quick testing
> with the StartSSL certificate and the Web server, and I think it worked okay
> on IE and Opera (and possibly Firefox), but I didn't test extensively.
>
> This discussion reminds me of a sad truth about SSL and HTTP: you can have
> only one zone / domain certificate per port.  In other words, if you've got
> two domains ("foo.com" and "bar.com") and you want to set up SSL sites for
> "secure.foo.com", "secure.bar.com", "private.foo.com", and
> "private.bar.com", they all have to be on different ports, and only one of
> them can get the coveted default port of 443.  This is because the SSL is
> sorted out long before the HTTP request's headers have been picked apart, so
> the Web server can't look for the "right" certificate only after figuring
> out which virtual domain the request is for.  Rather, the Web server has to
> decide which certificate based on the port, and once that's done, the HTML
> headers had better agree with the certificate.
>
> I would say it's worth trying startssl.com; at most it will cost you time,
> not money.  Think of it this way: you can experiment with domains you really
> don't have any interest in securing, without feeling like a chump who wasted
> $50.
>
>
>> Does StartSSL present a warning to unmodified IE/Firefox/Safari/Chrome?
>>
>> On Thu, Sep 1, 2011 at 09:18, Lou Duchez <lou at paprikash.com> wrote:
>>>
>>> I've been experimenting with SSL from startssl.com.  It's free, and it
>>> seems to work well enough so far.
>>>
>>> Also, where my Web apps require a login / password, I try to hook them
>>> into Fail2Ban, so that repetitive failed logins trigger a temporary IP
>>> ban and an E-Mail to the admin.
>>>
>>>> generally, yes, the big issue we ran into with selinux was having a web
>>>> page be able to gpg a file
>>>>
>>>>
>>>> I'd add to my list run ssl - for $50 at godaddy (or less other places),
>>>> there's almost no reason not to
>>>>
>>>>
>>>>
>>>> -barry
>>>>
>>>>
>>>>
>>>>
>>>> On 8/31/2011 11:26 PM, Kevin wrote:
>>>>>
>>>>> On CentOS/RHEL, SELinux is actually not all that bad. Certainly on any
>>>>> system I was hardening, I would enable it.
>>>>>
>>>>> On Wed, Aug 31, 2011 at 18:36, Barry Von Ahsen <barry at vonahsen.com> wrote:
>>>>>>
>>>>>> generally I:
>>>>>>
>>>>>> * don't load/remove modules I don't need
>>>>>> * remove the dumb default .conf files my distro adds (centos/rhel)
>>>>>> * run mod_security
>>>>>> * run php-suhosin
>>>>>>
>>>>>> in theory, also run selinux/apparmor, but it's usually been more
>>>>>> trouble than it's worth
>>>>>>
>>>>>> -barry
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 08/30/2011 04:51 PM, T. J. Brumfield wrote:
>>>>>>>
>>>>>>> I've tried to keep up on best practices over the years, but I'm
>>>>>>> always wondering if there are tips and tricks out there that I'm
>>>>>>> not aware of, especially when it comes to securing a web server.
>>>>>>>
>>>>>>> If you were putting together a standard for a web Linux server today,
>>>>>>> what would you recommend?
>>>>>>>
>>>>>>> -- T. J. Brumfield
>>>>>>> _______________________________________________
>>>>>>> OLUG mailing list
>>>>>>> OLUG at olug.org
>>>>>>> https://lists.olug.org/mailman/listinfo/olug
>>>>>>
>
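The IP/port-per-certificate arrangement discussed in this thread, written out as an added example; it is not configuration from any of the list participants. It assumes Apache 2.2 with mod_ssl on a CentOS/RHEL layout, and the 192.0.2.x addresses (RFC 5737 documentation range), the hostnames and the certificate/key paths are constructed placeholders. It shows both variants mentioned above: a second IP address so two sites can share port 443 (Kevin's addendum), and a non-default port when no spare address is available (Lou's case).

```apache
# Added example (not from the thread). Each SSL site gets its own IP:port
# pair, so Apache can pick the certificate from the socket the client
# connected to, before any HTTP headers are read. Addresses (RFC 5737
# documentation range), hostnames and paths are assumed placeholders.
Listen 192.0.2.10:443
Listen 192.0.2.11:443
Listen 192.0.2.10:8443

# secure.foo.com: first address, default HTTPS port
<VirtualHost 192.0.2.10:443>
    ServerName secure.foo.com
    DocumentRoot /var/www/secure.foo.com
    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/secure.foo.com.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/secure.foo.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/secure.foo.com-chain.crt
    ErrorLog  logs/secure.foo.com-ssl_error_log
    CustomLog logs/secure.foo.com-ssl_access_log combined
</VirtualHost>

# secure.bar.com: second address, so it can also use port 443
<VirtualHost 192.0.2.11:443>
    ServerName secure.bar.com
    DocumentRoot /var/www/secure.bar.com
    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/secure.bar.com.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/secure.bar.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/secure.bar.com-chain.crt
    ErrorLog  logs/secure.bar.com-ssl_error_log
    CustomLog logs/secure.bar.com-ssl_access_log combined
</VirtualHost>

# private.foo.com: no spare address left, so it takes a non-default port
# and clients must use https://private.foo.com:8443/
<VirtualHost 192.0.2.10:8443>
    ServerName private.foo.com
    DocumentRoot /var/www/private.foo.com
    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/private.foo.com.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/private.foo.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/private.foo.com-chain.crt
    ErrorLog  logs/private.foo.com-ssl_error_log
    CustomLog logs/private.foo.com-ssl_access_log combined
</VirtualHost>
```

Two checks are worth running after a change like this. `apachectl configtest` catches a `<VirtualHost>` whose IP:port has no matching `Listen` (Apache otherwise ignores it silently, and the first VirtualHost defined for a given IP:port becomes the default for that socket). Then `openssl s_client -connect 192.0.2.11:443 </dev/null | openssl x509 -noout -subject` shows which certificate each socket actually hands out, which is the quickest way to confirm the certificate's name agrees with the ServerName clients will put in the URL.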


