Re: [Sks-devel] Question about apache2 configuration
From: Todd Lyons
Subject: Re: [Sks-devel] Question about apache2 configuration
Date: Tue, 12 Nov 2013 05:12:52 -0800
User-agent: Mutt/1.5.20 (2009-12-10)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, Nov 12, 2013 at 09:42:13AM +0100, Filip Stefaniak wrote:
>I've tried to configure sks server with apache2 as described at
>https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering
>But I had a problem. When sks was set to listen on port 11371, apache
>complained about listening on the same port. So I have changed the sks
>port to 11372 and configured Proxy to this port:
>
><VirtualHost *:80 *:11371>
When apache complains about a VirtualHost declaration and things
listening on the same port, it usually means there is an overlap in the
name-based virtualhosts and the ip-based virtual hosts. It depends if
you interpreted the message correctly. If it was complaining that
another process already had the port open and apache couldn't open it,
then the problem is that you have sks configured to listen on *:11371
or 0.0.0.0:11371 instead of 127.0.0.1:11371. Alternatively, apache is
complaining that multiple places in its own config try to listen on
port 11371. The most important way to control this is to control it
with the Listen statements.
1. Show us the output of: httpd -S
2. Show us all the Listen statements in all of your various conf files.
I'm fortunate that I was able to provision a separate IP for my sks
instance, so I have separate listen statements for sks processes than
the rest of my system:
# httpd -S
VirtualHost configuration:
[2001:470:d:367::555]:80 sks.mrball.net (/etc/httpd/conf.d/sks.conf:23)
[2001:470:d:367::555]:443 sks.mrball.net (/etc/httpd/conf.d/sks.conf:37)
208.89.139.251:80 sks.mrball.net (/etc/httpd/conf.d/sks.conf:23)
208.89.139.251:443 sks.mrball.net (/etc/httpd/conf.d/sks.conf:37)
wildcard NameVirtualHosts and _default_ servers:
*:11371 sks.mrball.net (/etc/httpd/conf.d/sks.conf:8)
_default_:443 mail.mrball.net (/etc/httpd/conf.d/ssl.conf:74)
*:80 is a NameVirtualHost
default server www.mrball.net (/etc/httpd/conf.d/00-vhosts.conf:61)
port 80 namevhost www.mrball.net (/etc/httpd/conf.d/00-vhosts.conf:61)
port 80 namevhost downloads.mrball.net (/etc/httpd/conf.d/00-vhosts.conf:69)
port 80 namevhost bluefish.mrball.net (/etc/httpd/conf.d/00-vhosts.conf:80)
port 80 namevhost eximbuild.mrball.net (/etc/httpd/conf.d/eximbuild.conf:1)
Syntax OK
>What is your apache2 configuration with sks server, which works for you?
I have a CentOS system, so the path is slightly different, and you'll
need to modify things to match your environment, but this is what I use
(very close to the bitbucket recommended config). Notice how I listen
in the VirtualHost line to specific IPs on port 80, *NOT* on "*:80".
# cat /etc/httpd/conf.d/sks.conf
Listen 208.89.139.251:11371
Listen 208.89.139.252:11371
Listen [2001:470:d:367::50]:11371
Listen [2001:470:d:367::555]:11371
Listen 208.89.139.251:443
Listen [2001:470:d:367::555]:443
<VirtualHost *:11371>
ServerName sks.mrball.net
# Uncomment to troubleshoot issues, otherwise leave OFF!
#CustomLog logs/sks_access_log common
CustomLog /dev/null common
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://127.0.0.1:11371/
ProxyPassReverse / http://127.0.0.1:11371/
ProxyVia on
SetEnv proxy-nokeepalive 1
</VirtualHost>
# Used to be this, but had problems
#<VirtualHost *:80>
<VirtualHost 208.89.139.251:80 [2001:470:d:367::555]:80>
ServerName sks.mrball.net
# Uncomment to troubleshoot issues, otherwise leave OFF!
#CustomLog logs/sks_access_log common
CustomLog /dev/null common
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://127.0.0.1:11371/
ProxyPassReverse / http://127.0.0.1:11371/
ProxyVia on
SetEnv proxy-nokeepalive 1
</VirtualHost>
<VirtualHost 208.89.139.251:443 [2001:470:d:367::555]:443>
ServerName sks.mrball.net
ServerAlias hkps.pool.sks-keyservers.net
CustomLog /dev/null common
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite !aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
SSLCertificateKeyFile /etc/pki/tls/certs/sks_1.key
SSLCertificateFile /etc/pki/tls/certs/sks.mrball.net_keyserver.crt.pem
SSLCACertificateFile /etc/pki/tls/certs/sks.mrball.net_keyserver.crt.pem
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://127.0.0.1:11371/
ProxyPassReverse / http://127.0.0.1:11371/
ProxyVia on
SetEnv proxy-nokeepalive 1
</VirtualHost>
## <VirtualHost [2001:470:d:367::555]:443>
## ServerName sks.mrball.net
## ServerAlias hkps.pool.sks-keyservers.net
## CustomLog /dev/null common
## SSLEngine on
## SSLProtocol all -SSLv2
## SSLCipherSuite !aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
## SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
##
## SSLCertificateKeyFile /etc/pki/tls/certs/sks_1.key
## SSLCertificateFile /etc/pki/tls/certs/sks.mrball.net_keyserver.crt.pem
## SSLCACertificateFile /etc/pki/tls/certs/sks.mrball.net_keyserver.crt.pem
##
## <Proxy *>
## Order deny,allow
## Allow from all
## </Proxy>
## ProxyPass / http://127.0.0.1:11371/
## ProxyPassReverse / http://127.0.0.1:11371/
## ProxyVia on
## SetEnv proxy-nokeepalive 1
## </VirtualHost>
- --
Regards... Todd
When engineers want simple solutions to complicated social problems,
freedom is the first victim... --Stephane Bortzmeyer
Linux kernel 2.6.32-279.22.1.el6.x86_64 1 user, load average: 0.00, 0.00, 0.00
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
iEYEARECAAYFAlKCKVMACgkQIBT1264ScBXPAACg3Tbz2PdiXMq7akTf6DeeS3Fh
ERAAn0PQauVh43XaGl5TFl94lfgyf50t
=21Ii
-----END PGP SIGNATURE-----
Re: [Sks-devel] Question about apache2 configuration, Gabor Kiss, 2013/11/20
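The two "port in use" situations Todd's reply distinguishes (sks itself already holding *:11371 so Apache cannot bind it, versus Apache's own config asking for the same endpoint twice) can be told apart mechanically before reading the error message. The script below is an added example, not code from Todd's message or from the SKS project. It assumes the sksconf option `hkp_address:` and SKS's behaviour of binding every interface when that option is unset, and it parses the listener table in the format printed by `ss -Hltnp`. All three inputs are constructed samples (documentation addresses, a fake `sks` process) embedded so the script runs offline.

```shell
#!/bin/sh
# Added example (not from Todd's message or the SKS project): three checks
# that separate the causes of an Apache "port already in use" complaint on
# an SKS front end.
#   sks_hkp_bind             - address sks will bind for HKP, from sksconf
#                              (assumes "hkp_address:"; unset = all interfaces)
#   foreign_wildcard_binders - non-Apache processes holding the port on a
#                              wildcard address, from "ss -Hltnp" output
#   duplicate_listens        - endpoints Apache's own Listen lines bind twice
# Every input below is a constructed sample so the script runs offline.

HKP_PORT=11371

# Constructed /etc/sks/sksconf excerpt: hkp_address is present but commented out.
SAMPLE_SKSCONF='hostname: keys.example.org
hkp_port: 11371
#hkp_address: 127.0.0.1
recon_port: 11370'

# Constructed "ss -Hltnp" listener table (State Recv-Q Send-Q Local Peer Process).
SAMPLE_SOCKETS='LISTEN 0 128 0.0.0.0:11371 0.0.0.0:* users:(("sks",pid=1234,fd=5))
LISTEN 0 128 127.0.0.1:11370 0.0.0.0:* users:(("sks",pid=1234,fd=6))
LISTEN 0 128 *:80 *:* users:(("apache2",pid=2222,fd=4))'

# Constructed Listen directives as gathered from the whole Apache config tree.
SAMPLE_LISTEN='Listen 80
Listen 192.0.2.10:11371
Listen 192.0.2.10:11371
Listen [2001:db8::10]:11371'

# Print the address sks binds for HKP. sksconf lines are "key: value"; a
# missing or commented-out hkp_address means every interface (assumption).
sks_hkp_bind() {
    awk '$1 == "hkp_address:" { addr = $2 }
         END { print (addr == "" ? "0.0.0.0" : addr) }'
}

# Print "<process> binds <addr:port>" for each listener on port $1 that is
# not Apache and sits on a wildcard address, i.e. would block Apache's bind.
foreign_wildcard_binders() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); lport = a[n]
            addr = substr($4, 1, length($4) - length(lport) - 1)
            if (lport != port) next
            if (addr != "0.0.0.0" && addr != "*" && addr != "[::]" && addr != "::") next
            proc = "unknown"
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            if (proc != "apache2" && proc != "httpd") print proc " binds " $4
        }'
}

# Normalise "Listen [addr:]port" to addr:port and report endpoints given twice.
duplicate_listens() {
    awk '$1 == "Listen" {
             ep = $2; if (ep !~ /:/) ep = "*:" ep
             seen[ep]++
         }
         END { for (ep in seen) if (seen[ep] > 1) print ep " listed " seen[ep] " times" }'
}

# Run all three checks over the samples; exit status 0 only when none fires.
check_front_end() {
    rc=0
    bind=$(printf '%s\n' "$SAMPLE_SKSCONF" | sks_hkp_bind)
    case "$bind" in
        127.*|::1) ;;
        *) echo "sks binds HKP on $bind; set hkp_address: 127.0.0.1 in sksconf"; rc=1 ;;
    esac
    conflicts=$(printf '%s\n' "$SAMPLE_SOCKETS" | foreign_wildcard_binders "$HKP_PORT")
    [ -z "$conflicts" ] || { echo "port $HKP_PORT already held: $conflicts"; rc=1; }
    dups=$(printf '%s\n' "$SAMPLE_LISTEN" | duplicate_listens)
    [ -z "$dups" ] || { echo "Apache binds an endpoint twice: $dups"; rc=1; }
    return "$rc"
}

if check_front_end; then
    echo "front end looks consistent"
else
    echo "problems found (see above)"
fi
```

In real use, feed `ss -Hltnp`, the actual sksconf and `grep -h '^Listen'` across the Apache config directory into the same functions instead of the samples. `apachectl -S` (`httpd -S` on CentOS) stays the authoritative view of what Apache itself believes it binds, which is exactly what the reply asks for first.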