SSL

[Francisco Castellon]

Hi Sam:

I am wanting to be able to use SSL on my current apache installation
(version 1.3.26). However I was doing some reading on the web (and
obtained feedback from the list on a previous email) and found quite a
few ways to go about installing SSL support on apache. There is:

- mod_SSL
- Apache-SSL (a debian package)
- libapache-mod-ssl (another debian package)

and I can't decide which way to do it. I know that if I install mod_perl
from [url]http://www.modssl.org[/url] I'd have to do it all manually, however if I
use the other 2 debian packages mentioned above apt-get would do most of
the installing for me.

My other concern is that I already have apache running the way I want
it. I installed PHP4 and it works fine and I configured a few other
things as well and I dont want to ruin that current configuration. As
well, I do all of my apache administering from webmin, so if I install
SSL it would be nice to still be able to administer it all from webmin.

I posted a question on the user-debian mailing list but got really no
solid sense of direction as to what I should do. I do want to be able to
run my ssl server but at the same time it would also be nice to be able
to run some parts of the website without SSL, I found this on the
apache-ssl website

There are two ways to do this: run two server daemons, or run both
services from the same daemon. Unless there is a good reason to run two
(like using a different product for secure/non-secure), it's usually
simplest to run a single daemon and disable SSL on those virtual hosts
that don't need it. If you wish to run two daemons you must make sure
that they each only try to bind to their allotted ports (normally port
80 for non-secure and 443 for secure). If you wish to run a single
daemon, here's an example config file showing how you might do it.

what do you think is the best course of action here that I could follow
so that I could still keep my current configuration, be able to run SSL,
and still manage apache (with SSL) from webmin?

[David Z Maze]

Francisco Castellon <castf@shaw.ca> writes:

> 1. (*) text/plain ( ) text/html

(Please configure your mailer to send only plain text, not HTML.)

> I am wanting to be able to use SSL on my current apache installation
> (version 1.3.26). However I was doing some reading on the web (and
> obtained feedback from the list on a previous email) and found quite a
> few ways to go about installing SSL support on apache. There is:
>
> - mod_SSL
> - Apache-SSL (a debian package)
> - libapache-mod-ssl (another debian package)

....libapache-mod-ssl is the Debian-packaged mod_ssl. So you really
only have two options. :-)

> My other concern is that I already have apache running the way I want
> it. I installed PHP4 and it works fine and I configured a few other
> things as well and I dont want to ruin that current configuration. As
> well, I do all of my apache administering from webmin, so if I install
> SSL it would be nice to still be able to administer it all from webmin.

Both Apache-SSL and mod_ssl fundamentally are Apache, so your existing
configuration should work fine (though have no SSL support). I have
no idea what webmin could do with either (and am somewhat leery of
such things).

> I posted a question on the user-debian mailing list but got really no
> solid sense of direction as to what I should do. I do want to be able to
> run my ssl server but at the same time it would also be nice to be able
> to run some parts of the website without SSL, I found this on the
> apache-ssl website

You can do this with both Apache-SSL and mod_ssl, in actually much the
same way...

> it's usually simplest to run a single daemon and disable SSL on
> those virtual hosts that don't need it.

....like that.

In my personal experience, mod_ssl is slightly more configurable than
Apache-SSL in corner cases involving handling of personal
certificates[1]. Most people don't use personal certificates at all
so this isn't really an issue. I'm also a little more comfortable
with mod_ssl's approach (use the existing extension mechanism) than
Apache-SSL's ("SSL is fundamental, must patch server"). But we use
Apache-SSL in a ~production environment here and haven't had problems
here, for the most part.

[1] The corner case: I want to ask for a certificate, and if that's
not available, then do HTTP basic authentication. My memory is that
mod_ssl can do this, but that Apache-SSL can't. We wound up giving up
on the personal-certificate thing, and just use basic authentication
(vs. NIS, ick) where we need it.

--
David Maze [email]dmaze@debian.org[/email] [url]http://people.debian.org/~dmaze/[/url]
"Theoretical politics is interesting. Politicking should be illegal."
-- Abra Mitchell


--
To UNSUBSCRIBE, email to [email]debian-user-request@lists.debian.org[/email]
with a subject of "unsubscribe". Trouble? Contact [email]listmaster@lists.debian.org[/email]

[Ryan McConnell]

Im new to the idea of encryption, but heres the story;
I hope to take credit card details on my site, What do i need to do to
ensure the information is kept on a secure connection. Do i need to redirect
that information to a different server or is there any simple way to set up
this sort of connection :S

Thanks
Ryan

[Ray at]

You'd need to buy an SSL certificate from an authority like Verisign,
install it on your server for your one single domain, and then use https
protocol. Depending on the size of your business and the number of
transactions, it may be cheaper or easier for you to use a third party
credit card processor and/or a third party shopping cart system that accepts
secure CC payments.

Ray at work

"Ryan McConnell" <jimron@btopenworld.com> wrote in message
news:bfqr59$io7$1@hercules.btinternet.com...

> Im new to the idea of encryption, but heres the story;
> I hope to take credit card details on my site, What do i need to do to
> ensure the information is kept on a secure connection. Do i need to

redirect

> that information to a different server or is there any simple way to set

up

> this sort of connection :S
>
> Thanks
> Ryan
>
>

[Rob]

Hi,

I like to use a https connection for test purposes. Is
there a way to try such a connection with my asp.ent applic
without the tedious certification process by a third party
etc.?

Thanks
Rob

[Rahul Singh]

If you download and compile OpenSSL, you can do this. I do this on a Linux,
box , havent compiled it on windows using cygwin. Might give it a try.
I think you if you have a certificate server on a win2k server you can do
this. Not sure.

Rahul Singh

anant systems, inc.
[url]http://www.anantsystems.net[/url]
"Rob" <robert_dx@gmx.com> wrote in message
news:066401c3559d$ae702f40$a501280a@phx.gbl...

> Hi,
>
> I like to use a https connection for test purposes. Is
> there a way to try such a connection with my asp.ent applic
> without the tedious certification process by a third party
> etc.?
>
> Thanks
> Rob

[S. Justin Gengo]

Rob,

Depending on the type of connection, server, and the client browser you
should just be able to go to any page specifying https:// and you'll get a
secure connection. The browser will pop up a warning saying there is no
valid certificate, but for testing purposes that should be ok.

--
S. Justin Gengo, MCP
Web Developer

Free code library at:
[url]www.aboutfortunate.com[/url]

"Out of chaos comes order."
Nietzche
"Rob" <robert_dx@gmx.com> wrote in message
news:066401c3559d$ae702f40$a501280a@phx.gbl...

> Hi,
>
> I like to use a https connection for test purposes. Is
> there a way to try such a connection with my asp.ent applic
> without the tedious certification process by a third party
> etc.?
>
> Thanks
> Rob

[Jeff Clark]

I setup SSL.

Now users can see the site at port 80 and at port 443. i want to disable 80.

How to?

Thanks

[Ray at]

You won't do this with ASP. You should ask in an IIS group.

But do you really want your whole site to run in SSL? You should leave port
80 open at least for the sake of setting up a redirect from http to https.

Ray at work

"Jeff Clark" <JeffC@NO_SPAMreturnventures.com> wrote in message
news:%23bV1QmOlDHA.2232@TK2MSFTNGP09.phx.gbl...

> I setup SSL.
>
> Now users can see the site at port 80 and at port 443. i want to disable

80.

>
> How to?
>
> Thanks
>
>

[Mot Misthoff]

in the meantime you could always-

if Request.ServerVariables("HTTPS") = "off" then
response.redirect ([url]https://www.redirect-to-this-page.com[/url])
end if





"Jeff Clark" <JeffC@NO_SPAMreturnventures.com> wrote in message
news:%23bV1QmOlDHA.2232@TK2MSFTNGP09.phx.gbl...

> I setup SSL.
>
> Now users can see the site at port 80 and at port 443. i want to disable

80.

>
> How to?
>
> Thanks
>
>

[Jeff Clark]

noted and incorporated redirect and iis setting.
thanks

"Mot Misthoff" <email@NOTANDADDREE.com> wrote in message
news:uPMT3rOlDHA.1708@TK2MSFTNGP12.phx.gbl...

> in the meantime you could always-
>
> if Request.ServerVariables("HTTPS") = "off" then
> response.redirect ([url]https://www.redirect-to-this-page.com[/url])
> end if
>
>
>
>
>
> "Jeff Clark" <JeffC@NO_SPAMreturnventures.com> wrote in message
> news:%23bV1QmOlDHA.2232@TK2MSFTNGP09.phx.gbl...

> > I setup SSL.
> >
> > Now users can see the site at port 80 and at port 443. i want to disable

> 80.

> >
> > How to?
> >
> > Thanks
> >
> >

>
>

[Chris Barber]

Use host headers to 'hide' port 80 from IP based scanning?

Can you elaborate on why you want to disable port 80?

Chris.

"Jeff Clark" <JeffC@NO_SPAMreturnventures.com> wrote in message
news:%23bV1QmOlDHA.2232@TK2MSFTNGP09.phx.gbl...
I setup SSL.

Now users can see the site at port 80 and at port 443. i want to disable 80.

How to?

Thanks

[Jeff Clark]

cause i want to make sure that people go thru the secure site.



"Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
news:epjilJWlDHA.2244@TK2MSFTNGP12.phx.gbl...

> Use host headers to 'hide' port 80 from IP based scanning?
>
> Can you elaborate on why you want to disable port 80?
>
> Chris.
>
> "Jeff Clark" <JeffC@NO_SPAMreturnventures.com> wrote in message
> news:%23bV1QmOlDHA.2232@TK2MSFTNGP09.phx.gbl...
> I setup SSL.
>
> Now users can see the site at port 80 and at port 443. i want to disable

80.

>
> How to?
>
> Thanks
>
>
>

[Chris Barber]

Sound reasonable, I just wanted to check if this was more to do with
unwanted traffic to the IP address as opposed to a reasoned choice to drop
port 80.

You can specify that a specific website be hosted only on 443 (eg. https:\\)
or you can place a redirect in the global.asa to push all http:\\ traffic to
the https:\\ entry page when the first .asp page is viewed.

Chris.

"Jeff Clark" <JeffC@NO_SPAMreturnventures.com> wrote in message
news:e$yMnSYlDHA.1656@tk2msftngp13.phx.gbl...
cause i want to make sure that people go thru the secure site.



"Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
news:epjilJWlDHA.2244@TK2MSFTNGP12.phx.gbl...

> Use host headers to 'hide' port 80 from IP based scanning?
>
> Can you elaborate on why you want to disable port 80?
>
> Chris.
>
> "Jeff Clark" <JeffC@NO_SPAMreturnventures.com> wrote in message
> news:%23bV1QmOlDHA.2232@TK2MSFTNGP09.phx.gbl...
> I setup SSL.
>
> Now users can see the site at port 80 and at port 443. i want to disable

80.

>
> How to?
>
> Thanks
>
>
>

[Jeff Clark]

Ok how do I put another site only to be port 80?

you see, i have a secure.mydomain.com on the same machine as
[url]www.mydomain.com[/url]

I don't want the 2 to intermingle. I see that I can "require 128 bit
encryption" on the SSL site.

But on the regular www site, I don't want them to use sssl 0 i want to force
port 80
thanks.

Even if i do a redirect in global.asa , that won't stop the guy from
changing the url to https on the next page

"Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
news:%23EwuZdYlDHA.1884@TK2MSFTNGP09.phx.gbl...

> Sound reasonable, I just wanted to check if this was more to do with
> unwanted traffic to the IP address as opposed to a reasoned choice to drop
> port 80.
>
> You can specify that a specific website be hosted only on 443 (eg.

https:\\)

> or you can place a redirect in the global.asa to push all http:\\ traffic

to

> the https:\\ entry page when the first .asp page is viewed.
>
> Chris.
>
> "Jeff Clark" <JeffC@NO_SPAMreturnventures.com> wrote in message
> news:e$yMnSYlDHA.1656@tk2msftngp13.phx.gbl...
> cause i want to make sure that people go thru the secure site.
>
>
>
> "Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
> news:epjilJWlDHA.2244@TK2MSFTNGP12.phx.gbl...

> > Use host headers to 'hide' port 80 from IP based scanning?
> >
> > Can you elaborate on why you want to disable port 80?
> >
> > Chris.
> >
> > "Jeff Clark" <JeffC@NO_SPAMreturnventures.com> wrote in message
> > news:%23bV1QmOlDHA.2232@TK2MSFTNGP09.phx.gbl...
> > I setup SSL.
> >
> > Now users can see the site at port 80 and at port 443. i want to disable

> 80.

> >
> > How to?
> >
> > Thanks
> >
> >
> >

>
>
>

[Chris Barber]

OK,

Generally to run multiple sites on port 80 you have to use host headers.

eg.

[url]http://www.4guysfromrolla.com/webtech/080200-1.shtml[/url]

Now to allow a specific site to be only available on the https:\\ (eg. port
443) then just remove the port 80 entries from the host headers and leave
the port 443 entries (these port 443 entries can only be added if you have a
cert installed I think).

Host headers are a way of creating 'multiple' websites hosted off one IP
address distinguished by the URL of the site domain as opposed to a blanket
resolution of all urls to that IP address.

The most common usage is to create host header and then drop the 'open' port
80 entry (eg. the entry that has a blank host header) so that IP based
traffic will not be granted access, only url's that conform to the host
header will be allowed to see the website. This has the great effect of
stopping the majority of hack and virus traffic to your IIS server since
these all try to get in using the IP address as opposed to a host header.

Have a read of host headers on Google to get more information about it.

[url]http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=Using+Host+headers+in+IIS+5.0[/url]

Just a small point, you will need the capability to add 'A' records to your
DNS server to create further domains beyond your own. For example, Blue
Canoe (my company) uses DSVR (UK based hosting) to host our websites and
provide access to our DNS so we can create as many domains and subdomains as
we require such as: site1.blue-canoe.net, site2.blue-canoe.net,
securestuff.blue-canoe.net etc.

If you can't see how to achieve what you want then please post again but
make sure you have a clear description of exactly what you want to achieve.
At the moment I'm still not sure of your concerns about the two sites (one
on http:\\ only and one on https:\\ only?).

Hope this helps,

Chris.

"Jeff Clark" <JeffC@NO_SPAMreturnventures.com> wrote in message
news:urKGBIelDHA.2444@TK2MSFTNGP09.phx.gbl...
Ok how do I put another site only to be port 80?

you see, i have a secure.mydomain.com on the same machine as
[url]www.mydomain.com[/url]

I don't want the 2 to intermingle. I see that I can "require 128 bit
encryption" on the SSL site.

But on the regular www site, I don't want them to use sssl 0 i want to force
port 80
thanks.

Even if i do a redirect in global.asa , that won't stop the guy from
changing the url to https on the next page

"Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
news:%23EwuZdYlDHA.1884@TK2MSFTNGP09.phx.gbl...

> Sound reasonable, I just wanted to check if this was more to do with
> unwanted traffic to the IP address as opposed to a reasoned choice to drop
> port 80.
>
> You can specify that a specific website be hosted only on 443 (eg.

https:\\)

> or you can place a redirect in the global.asa to push all http:\\ traffic

to

> the https:\\ entry page when the first .asp page is viewed.
>
> Chris.
>
> "Jeff Clark" <JeffC@NO_SPAMreturnventures.com> wrote in message
> news:e$yMnSYlDHA.1656@tk2msftngp13.phx.gbl...
> cause i want to make sure that people go thru the secure site.
>
>
>
> "Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
> news:epjilJWlDHA.2244@TK2MSFTNGP12.phx.gbl...

> > Use host headers to 'hide' port 80 from IP based scanning?
> >
> > Can you elaborate on why you want to disable port 80?
> >
> > Chris.
> >
> > "Jeff Clark" <JeffC@NO_SPAMreturnventures.com> wrote in message
> > news:%23bV1QmOlDHA.2232@TK2MSFTNGP09.phx.gbl...
> > I setup SSL.
> >
> > Now users can see the site at port 80 and at port 443. i want to disable

> 80.

> >
> > How to?
> >
> > Thanks
> >
> >
> >

>
>
>

[Jeff Clark]

thanks I got all that down, thanks. I did rephrase the question and repost.

I cannot use host headers with ssl, so that leaves a hole


"Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
news:u7dC14ilDHA.2964@tk2msftngp13.phx.gbl...

> OK,
>
> Generally to run multiple sites on port 80 you have to use host headers.
>
> eg.
>
> [url]http://www.4guysfromrolla.com/webtech/080200-1.shtml[/url]
>
> Now to allow a specific site to be only available on the https:\\ (eg.

port

> 443) then just remove the port 80 entries from the host headers and leave
> the port 443 entries (these port 443 entries can only be added if you have

a

> cert installed I think).
>
> Host headers are a way of creating 'multiple' websites hosted off one IP
> address distinguished by the URL of the site domain as opposed to a

blanket

> resolution of all urls to that IP address.
>
> The most common usage is to create host header and then drop the 'open'

port

> 80 entry (eg. the entry that has a blank host header) so that IP based
> traffic will not be granted access, only url's that conform to the host
> header will be allowed to see the website. This has the great effect of
> stopping the majority of hack and virus traffic to your IIS server since
> these all try to get in using the IP address as opposed to a host header.
>
> Have a read of host headers on Google to get more information about it.
>
>

[url]http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=Using+Host+headers+in+IIS+5.0[/url]

>
> Just a small point, you will need the capability to add 'A' records to

your

> DNS server to create further domains beyond your own. For example, Blue
> Canoe (my company) uses DSVR (UK based hosting) to host our websites and
> provide access to our DNS so we can create as many domains and subdomains

as

> we require such as: site1.blue-canoe.net, site2.blue-canoe.net,
> securestuff.blue-canoe.net etc.
>
> If you can't see how to achieve what you want then please post again but
> make sure you have a clear description of exactly what you want to

achieve.

> At the moment I'm still not sure of your concerns about the two sites (one
> on http:\\ only and one on https:\\ only?).
>
> Hope this helps,
>
> Chris.
>
> "Jeff Clark" <JeffC@NO_SPAMreturnventures.com> wrote in message
> news:urKGBIelDHA.2444@TK2MSFTNGP09.phx.gbl...
> Ok how do I put another site only to be port 80?
>
> you see, i have a secure.mydomain.com on the same machine as
> [url]www.mydomain.com[/url]
>
> I don't want the 2 to intermingle. I see that I can "require 128 bit
> encryption" on the SSL site.
>
> But on the regular www site, I don't want them to use sssl 0 i want to

force

> port 80
> thanks.
>
> Even if i do a redirect in global.asa , that won't stop the guy from
> changing the url to https on the next page
>
> "Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
> news:%23EwuZdYlDHA.1884@TK2MSFTNGP09.phx.gbl...

> > Sound reasonable, I just wanted to check if this was more to do with
> > unwanted traffic to the IP address as opposed to a reasoned choice to

drop

> > port 80.
> >
> > You can specify that a specific website be hosted only on 443 (eg.

> https:\\)

> > or you can place a redirect in the global.asa to push all http:\\

traffic

> to

> > the https:\\ entry page when the first .asp page is viewed.
> >
> > Chris.
> >
> > "Jeff Clark" <JeffC@NO_SPAMreturnventures.com> wrote in message
> > news:e$yMnSYlDHA.1656@tk2msftngp13.phx.gbl...
> > cause i want to make sure that people go thru the secure site.
> >
> >
> >
> > "Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
> > news:epjilJWlDHA.2244@TK2MSFTNGP12.phx.gbl...

> > > Use host headers to 'hide' port 80 from IP based scanning?
> > >
> > > Can you elaborate on why you want to disable port 80?
> > >
> > > Chris.
> > >
> > > "Jeff Clark" <JeffC@NO_SPAMreturnventures.com> wrote in message
> > > news:%23bV1QmOlDHA.2232@TK2MSFTNGP09.phx.gbl...
> > > I setup SSL.
> > >
> > > Now users can see the site at port 80 and at port 443. i want to

disable

> > 80.

> > >
> > > How to?
> > >
> > > Thanks
> > >
> > >
> > >

> >
> >
> >

>
>
>

[Chris Barber]

I'll have to investigate that [not allowing host headers on SSL] since I
don't have a cert here (I'll get a test one generated ASAP).

Chris.

"Jeff Clark" <JeffC@NO_SPAMreturnventures.com> wrote in message
news:exm%23BrtlDHA.964@TK2MSFTNGP10.phx.gbl...
thanks I got all that down, thanks. I did rephrase the question and repost.

I cannot use host headers with ssl, so that leaves a hole


"Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
news:u7dC14ilDHA.2964@tk2msftngp13.phx.gbl...

> OK,
>
> Generally to run multiple sites on port 80 you have to use host headers.
>
> eg.
>
> [url]http://www.4guysfromrolla.com/webtech/080200-1.shtml[/url]
>
> Now to allow a specific site to be only available on the https:\\ (eg.

port

> 443) then just remove the port 80 entries from the host headers and leave
> the port 443 entries (these port 443 entries can only be added if you have

a

> cert installed I think).
>
> Host headers are a way of creating 'multiple' websites hosted off one IP
> address distinguished by the URL of the site domain as opposed to a

blanket

> resolution of all urls to that IP address.
>
> The most common usage is to create host header and then drop the 'open'

port

> 80 entry (eg. the entry that has a blank host header) so that IP based
> traffic will not be granted access, only url's that conform to the host
> header will be allowed to see the website. This has the great effect of
> stopping the majority of hack and virus traffic to your IIS server since
> these all try to get in using the IP address as opposed to a host header.
>
> Have a read of host headers on Google to get more information about it.
>
>

[url]http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=Using+Host+headers+in+IIS+5.0[/url]

>
> Just a small point, you will need the capability to add 'A' records to

your

> DNS server to create further domains beyond your own. For example, Blue
> Canoe (my company) uses DSVR (UK based hosting) to host our websites and
> provide access to our DNS so we can create as many domains and subdomains

as

> we require such as: site1.blue-canoe.net, site2.blue-canoe.net,
> securestuff.blue-canoe.net etc.
>
> If you can't see how to achieve what you want then please post again but
> make sure you have a clear description of exactly what you want to

achieve.

> At the moment I'm still not sure of your concerns about the two sites (one
> on http:\\ only and one on https:\\ only?).
>
> Hope this helps,
>
> Chris.
>
> "Jeff Clark" <JeffC@NO_SPAMreturnventures.com> wrote in message
> news:urKGBIelDHA.2444@TK2MSFTNGP09.phx.gbl...
> Ok how do I put another site only to be port 80?
>
> you see, i have a secure.mydomain.com on the same machine as
> [url]www.mydomain.com[/url]
>
> I don't want the 2 to intermingle. I see that I can "require 128 bit
> encryption" on the SSL site.
>
> But on the regular www site, I don't want them to use sssl 0 i want to

force

> port 80
> thanks.
>
> Even if i do a redirect in global.asa , that won't stop the guy from
> changing the url to https on the next page
>
> "Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
> news:%23EwuZdYlDHA.1884@TK2MSFTNGP09.phx.gbl...

> > Sound reasonable, I just wanted to check if this was more to do with
> > unwanted traffic to the IP address as opposed to a reasoned choice to

drop

> > port 80.
> >
> > You can specify that a specific website be hosted only on 443 (eg.

> https:\\)

> > or you can place a redirect in the global.asa to push all http:\\

traffic

> to

> > the https:\\ entry page when the first .asp page is viewed.
> >
> > Chris.
> >
> > "Jeff Clark" <JeffC@NO_SPAMreturnventures.com> wrote in message
> > news:e$yMnSYlDHA.1656@tk2msftngp13.phx.gbl...
> > cause i want to make sure that people go thru the secure site.
> >
> >
> >
> > "Chris Barber" <chris@blue-canoe.co.uk.NOSPAM> wrote in message
> > news:epjilJWlDHA.2244@TK2MSFTNGP12.phx.gbl...

> > > Use host headers to 'hide' port 80 from IP based scanning?
> > >
> > > Can you elaborate on why you want to disable port 80?
> > >
> > > Chris.
> > >
> > > "Jeff Clark" <JeffC@NO_SPAMreturnventures.com> wrote in message
> > > news:%23bV1QmOlDHA.2232@TK2MSFTNGP09.phx.gbl...
> > > I setup SSL.
> > >
> > > Now users can see the site at port 80 and at port 443. i want to

disable

> > 80.

> > >
> > > How to?
> > >
> > > Thanks
> > >
> > >
> > >

> >
> >
> >

>
>
>

[Curia Damiano]

I have an app in C#/ASP.NET 1.1 on a Win2003 server.
Now I'm trying to make it use SSL, so I requested and installed a server
certificate to IIS.
But now I have some questions:
1) if I force my web-site to use SSL, and I request a page via SSL, in IE a
warning appears telling that the page contains protected object and non
protected object, but how is it possible, if I force https? How can I make
this warning disappear?
2) I would like to force https to all my objects; for example I'd like
images, css, javascript and plain htm to be trasmitted not crypted. So I
thought of using an HttpHandler that redirect http calls of aspx/asmx to
https and https calls to other object to http. Is it possible? Or there is a
better solution to this optimization?
Thanks, Damiano Curia

[Hernan de Lahitte]

It seems that 1 and 2 are likely to be opposite.
Perhaps this article might be of some help.

[url]http://www.codeproject.com/aspnet/WebPageSecurity.asp[/url]


--
Hernan de Lahitte
Lagash Systems S.A.
[url]http://www.lagash.com[/url]



"Curia Damiano" <curiad@euroforex.com> wrote in message
news:#HkWsoJ7DHA.3420@TK2MSFTNGP11.phx.gbl...

> I have an app in C#/ASP.NET 1.1 on a Win2003 server.
> Now I'm trying to make it use SSL, so I requested and installed a server
> certificate to IIS.
> But now I have some questions:
> 1) if I force my web-site to use SSL, and I request a page via SSL, in IE

a

> warning appears telling that the page contains protected object and non
> protected object, but how is it possible, if I force https? How can I make
> this warning disappear?
> 2) I would like to force https to all my objects; for example I'd like
> images, css, javascript and plain htm to be trasmitted not crypted. So I
> thought of using an HttpHandler that redirect http calls of aspx/asmx to
> https and https calls to other object to http. Is it possible? Or there is

a

> better solution to this optimization?
> Thanks, Damiano Curia
>
>