List ecs-isp@2rosenthals.com Archived message #914

From: "Lewis G Rosenthal" <ecs-isp@2rosenthals.com>
Subject: Re: [eCS-ISP] SSL certs & apache 2.4.61
Date: Fri, 4 Oct 2024 22:47:36 -0400
To: eCS ISP Mailing List <ecs-isp@2rosenthals.com>

Hi...

On 10/04/24 04:37 pm, Steven Levine wrote:
> In <list-11062655@2rosenthals.com>, on 10/04/24 at 01:58 PM, "Lewis G
> Rosenthal" <ecs-isp@2rosenthals.com> said:
>
>> Hi,
>>
>> I don't quite think that's getting to the heart of what Max is asking
>> (though it is the most correct approach).
>
> I chose to ignore Massimo's question as asked and chose to answer the
> question that he should have asked.
>
> :-)
>
>> What the actual question is (AFAICT) is whether there is a way to start
>> httpd without one or more (mis)configured vhosts. As an example, say I
>> have a server with 20 vhosts configured, and all but one get proper cert
>> updates, leaving that one site "broken." httpd will refuse to start, and
>> the other 19 vhosts are then also taken offline, just because of a
>> single failure. So, is there a way to force Apache to ignore the broken
>> vhost?
>>
>> The answer, of course, is no, there is no magic option to pass to httpd
>> or put in the vhosts.conf (IF_NOT_BROKEN) to allow for such behavior.
>> However, it is not necessary to go to great lengths to script anything,
>> either.
>
> FWIW, it's relatively trivial to instrument the httpd conf files to start
> only a selected set of virtual hosts.  Depending on the number of hosts,
> it might be easier to define the hosts not to be started.
>
> The basic logic in this case would be to define the hosts not to start in
> an environment variable.  Let's say
>
>    set HOSTS_NOT_TO_START=,foobar,
>
> Each virtual host definition would be wrapped in an <If ...> directive
>
>    <If "! '${HOSTS_NOT_TO_START}' =~ /,foobar,/">
>      <VirtualHost ...>
>        ServerName foobar
>         ...
>      </VirtualHost>
>    </If>
>
> The commas make it easier to avoid false positives.


Surely, that should work as well as my approach to move the conf to an alternate directory, though ISTR some issue with checking variables in conf files where the variable does not exist (faded memory from something we were testing a couple decades ago, so perhaps I'm misremembering). This might complicate "off-the-cuff" startup of the daemon (but again, so would broken SSL configurations, so...)...

> Of course trivial though it might be, the httpd conf edits are
> sufficiently tedious so that I will continue to use httpd -t.


As I said, that is the correct way to do this.

--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC                www.2rosenthals.com
visit my IT blog                www.2rosenthals.net/wordpress
-------------------------------------------------------------
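The alternate-directory approach mentioned above, as an added example that is not from the list or either author: each vhost conf is tested on its own with httpd -t and the failing ones are parked so the rest can start. It assumes a POSIX shell, that the main config includes every *.conf in a vhost directory (for example via IncludeOptional), and that HTTPD names the httpd binary; none of these come from the page.

```shell
#!/bin/sh
# Added example, not from the list post: park a broken vhost conf in an
# alternate directory, driven by "httpd -t", so one bad certificate does not
# keep the other hosts from starting.
# Assumptions (not from the page): POSIX shell; HTTPD names the httpd binary;
# the main config pulls in every *.conf in the vhost directory (for example via
# IncludeOptional); files that fail the test are moved to the disabled directory.
HTTPD="${HTTPD:-httpd}"

# Test one vhost file on its own: put it back from the staging dir, run the
# config test, stage it out again. Returns 0 if httpd -t accepted the config.
test_vhost_alone() {
    name=$1; vhost_dir=$2; staging=$3
    mv "$staging/$name" "$vhost_dir/$name"
    if "$HTTPD" -t >/dev/null 2>&1; then rc=0; else rc=1; fi
    mv "$vhost_dir/$name" "$staging/$name"
    return $rc
}

# Stage every vhost file out, test each alone, then return the good ones to
# vhost_dir and park the broken ones in disabled_dir. Prints each parked name.
isolate_broken_vhosts() {
    vhost_dir=$1; disabled_dir=$2
    staging=$(mktemp -d) || return 1
    mkdir -p "$disabled_dir"
    for f in "$vhost_dir"/*.conf; do
        if [ -e "$f" ]; then mv "$f" "$staging/"; fi
    done
    for f in "$staging"/*.conf; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        if test_vhost_alone "$name" "$vhost_dir" "$staging"; then
            mv "$staging/$name" "$vhost_dir/$name"
        else
            mv "$staging/$name" "$disabled_dir/$name"
            echo "$name"
        fi
    done
    rmdir "$staging"
}

# Usage: HTTPD=/usr/sbin/httpd isolate_broken_vhosts /etc/httpd/vhosts.d /etc/httpd/vhosts.disabled
```

If every file ends up parked, the fault is in the main config rather than in any single vhost, since each file was tested against the same base configuration.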

