Topic: OCSP stapling not configurable for all virtual hosts?
20160413



Joined: 13 Apr 2016
Posts: 28

Posted: Sat 02 Nov '19 15:28    Post subject: OCSP stapling not configurable for all virtual hosts?

OCSP stapling not configurable for all virtual hosts on a given server?


Hi,

I wonder why I cannot configure OCSP stapling centrally for all virtual hosts of a server by default, i.e. by adding

Code:

SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/stapling-cache(150000)"
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off


to "ssl.conf" located in the "mods-available" directory.

It is no big deal to do OCSP stapling for all virtual hosts individually but it would be nicer not to add the same config above to all virtual hosts all over again. It will be nice only having to activate stapling here.

For SSL in general e.g. I put all configuration into "ssl.conf" for me only to activate the ssl engine and specify the individual cert and key files within the respective virtual hosts.

Some rationale will be nice. Perhaps I am doing it wrong somehow? Thanks for your time.
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

Posted: Sat 02 Nov '19 15:55

In the global config you must enable the stapling

Code:
SSLUseStapling On


Also do you load mod_socache_shmcb ?
20160413



Joined: 13 Apr 2016
Posts: 28

Posted: Sat 02 Nov '19 16:12

> Also do you load mod_socache_shmcb ?

Yes

> In the global config you must enable the stapling

Did so now.


In the end all of this resulted in one error, once fixed into another error so I reverted. :(
20160413



Joined: 13 Apr 2016
Posts: 28

Posted: Sat 02 Nov '19 16:59

Ok, got it to work now. There was a typo in the default host for 80. Not sure why this makes the server fail only when trying to move OCSP stapling to the general file but it apparently does.

Thanks for your help which is much appreciated.
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

Posted: Tue 05 Nov '19 12:13

If you run httpd -S you can find syntax errors easily.
20160413



Joined: 13 Apr 2016
Posts: 28

Posted: Thu 14 Nov '19 22:54

Thanks a lot for the tip! Will do in the future. :)

Usually I do apachectl configtest but this does not detect issues/typos like the one I had.
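
Once the stapling directives live in the global config, each virtual host can be checked over TLS to confirm it actually staples a response. The script below is an added example, not part of the thread: it classifies the output of `openssl s_client -status` per SNI name. The host names in the usage comment and the sample strings are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: confirm that every virtual host staples
# an OCSP response once stapling is configured globally.

# Classify `openssl s_client -status` output read from stdin.
# Prints: good | revoked | unknown | not-stapled | error
classify_staple() {
    out=$(cat)
    case $out in
        *'OCSP response: no response sent'*) echo not-stapled ;;
        *'OCSP Response Status: successful'*)
            case $out in
                *'Cert Status: good'*)    echo good ;;
                *'Cert Status: revoked'*) echo revoked ;;
                *)                        echo unknown ;;
            esac ;;
        *) echo error ;;   # handshake failed or a non-successful response was stapled
    esac
}

# Connect to $1 (host:port), send $2 as the SNI name, print the staple state.
check_vhost() {
    openssl s_client -connect "$1" -servername "$2" -status \
        </dev/null 2>/dev/null | classify_staple
}

# check_all host:port name...  -> non-zero if any name lacks a "good" staple.
check_all() {
    server=$1; shift
    rc=0
    for name in "$@"; do
        state=$(check_vhost "$server" "$name")
        printf '%-30s %s\n' "$name" "$state"
        [ "$state" = good ] || rc=1
    done
    return "$rc"
}

# Constructed samples of the relevant s_client lines (not captured output).
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good'
SAMPLE_MISSING='OCSP response: no response sent'

# Run against a live server only when arguments are given, e.g.
#   sh check_staple.sh 127.0.0.1:443 www.example.test shop.example.test
if [ "$#" -ge 2 ]; then check_all "$@"; fi
```

A freshly restarted server may report not-stapled on the first connection to a name, because the response is fetched and cached on demand; repeat the check before treating it as a configuration error.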