kmself@ix.netcom.com wrote:
> Not necessarily, AFAIK [1]. Regular-mode apache and apache-ssl don't share
> address space, and if configured properly, are working from different
> document roots. The "risk" is about the same as having multiple accounts
> on the same system. Apache is pretty bulletproof -- there aren't a
> whole mess of security problems associated with it (security tends to be
> compromised through CGIs instead).
>
> Here's a different analogy: apache and apache-ssl are like having
> telnet and ssh on the same box. The fact that telnet is inherently
> insecure in terms of data and session *doesn't* mean that ssh is
> insecure, *so long as* no data are allowed to traverse the telnet
> channel which would allow a compromise through ssh (eg:
> userid/password). So if the telnet were configured for unprivileged
> user access in a chroot jail with very little command functionality (an
> approximation of a standard http session), the risk is low.

You just made the light go on, I think. I was trying to run both secure and normal sites using apache-ssl. I thought that the ssl version could do both, and it was a matter of configuring each virtual site to use one or the other.

What you're saying is that I need to install both apache and apache-ssl, running out of separate server roots. I'll try that.

Thanks!

John
[EMAIL PROTECTED]

--
John Ackermann N8UR Dayton, Ohio, USA
[EMAIL PROTECTED] -- http://www.febo.com