How to reboot headless server with pass phrase


satimis
28th June 2008, 05:54
Hi folks,


I have a headless server which requires a "pass phrase" to start Apache at boot. After rebooting it remotely I can ssh-connect to the server, but I can't start Apache because I have no way to key in the password remotely.


After connecting, running:

$ sudo /etc/init.d/apache2 restart
* Forcing reload of apache 2.0 web server... [Sat Jun 28 10:33:50 2008] [warn] NameVirtualHost *:0 has no VirtualHosts
(98)Address already in use: make_sock: could not bind to address [::]:443
no listening sockets available, shutting down
Unable to open logs
[fail]

Is there any clue? TIA


B.R.
satimis

topdog
28th June 2008, 13:10
That seems to be a problem with sudo, not with apache: sudo is not changing your privilege level to root to allow you to bind to port 443.

satimis
28th June 2008, 14:23
That seems to be a problem with sudo, not with apache: sudo is not changing your privilege level to root to allow you to bind to port 443.
Hi topdog,


Thanks for your advice.


If I ssh-connect to the remote server as root, can it start Apache remotely?


On the Internet some folks suggest using the SSLPassPhraseDialog directive, but I have no experience with it.


In /etc/apache2/httpd.conf, adding the following:

<IfModule mod_ssl.c>
# Pass Phrase Dialog:
# #SSLPassPhraseDialog builtin
SSLPassPhraseDialog exec:/content/ssl/pp/pp.out
</IfModule>



File pp.out:
#!/bin/sh

PASS1=somepass1
PASS2=somepass2

case $1 in
www.pass1.com:443) echo $PASS1;;
www.pass2.com:443) echo $PASS2;;
esac

exit 0



But I haven't figured out what I should replace "somepass1" and "somepass2" with. Will the request for the "Pass Phrase" pop up when I ssh-connect to the remote server?


Where shall I create the path "/content/ssl/pp/pp.out" ?


Is any additional Apache package needed?



B.R.
satimis

topdog
28th June 2008, 14:35
If you are running only one secure site then you only need one password.

You can place the file in /etc/httpd/conf/ (if on CentOS; use the relevant directory for other distros). Just make sure the file is only readable by the apache user, otherwise the password will be compromised.

satimis
28th June 2008, 16:17
Hi topdog,



If you are running only one secure site then you only need one password.

If I understand your advice correctly:

One secure site = only one site/PC from which to boot the server remotely.

Password = the password used to boot the remote server from the secure site. I can select any combination of characters and numbers to replace "somepass".


So pp.out will look like:
#!/bin/sh

PASS=acd123

case $ in
123.123.456.456:443) echo $PASS;;
esac

exit 0

123.123.456.456 is the public IP of the secure site. Or can I replace it with www.domain.com? (domain.com is the domain of the secure site from which to boot the server remotely.)



You can place the file in /etc/httpd/conf/ (if on CentOS; use the relevant directory for other distros). Just make sure the file is only readable by the apache user, otherwise the password will be compromised.
On Ubuntu, if I create a directory /etc/apache2/pp I can put the file at /etc/apache2/pp/pp.out

Then in the file:
SSLPassPhraseDialog exec:/etc/apache2/ssl/pp/pp.out

What will be the permission and ownership of the directory /pp/ and the file pp.out?


If I'm wrong, please correct me. TIA


Do I need to install any additional package?


B.R.
satimis

topdog
29th June 2008, 18:00
By one site I mean a site hosted on the machine. Using the domain name or IP address depends on how you have configured your SSL server. Apache has to be able to search the pp directory, meaning the x flag has to be set; the script can be rx for the owner (apache).

satimis
30th June 2008, 14:04
By one site I mean a site hosted on the machine. Using the domain name or IP address depends on how you have configured your SSL server. Apache has to be able to search the pp directory, meaning the x flag has to be set; the script can be rx for the owner (apache).
Hi topdog,


Performed the following test without success.


$ sudo mkdir /etc/apache2/ssl/pp
$ sudo nano /etc/apache2/ssl/pp/pp.out

Copying the following content into it:
#!/bin/sh

PASS=abcde

case $ in
192.168.0.10:443) echo $PASS;;

esac

exit 0


Remark: 192.168.0.10 is the IP of the local PC


$ sudo chmod +x -c /etc/apache2/ssl/pp/pp.out
mode of `/etc/apache2/ssl/pp/pp.out' changed to 0755 (rwxr-xr-x)



$ sudo nano /etc/apache2/httpd.conf

adding the following at the bottom of the file:
<IfModule mod_ssl.c>
# Pass Phrase Dialog:
# #SSLPassPhraseDialog builtin
SSLPassPhraseDialog exec:/etc/apache2/ssl/pp/pp.out
</IfModule>


$ cat /etc/apache2/httpd.conf
# This is here for backwards compatability reasons and to support
# installing 3rd party modules directly via apxs2, rather than
# through the /etc/apache2/mods-{available,enabled} mechanism.
#
#LoadModule mod_placeholder /usr/lib/apache2/modules/mod_placeholder.so

ServerName lampserver

<IfModule mod_ssl.c>
# Pass Phrase Dialog:
# #SSLPassPhraseDialog builtin
SSLPassPhraseDialog exec:/etc/apache2/ssl/pp/pp.out
</IfModule>



$ sudo reboot, then ssh-connect to the server remotely. Nothing happens. No dialog starts.


I think the steps are wrong.

Before the test, Apache/2.0.55 mod_ssl/2.0.55 (Pass Phrase Dialog) started after booting on the server locally, waiting for input of the password. After editing /etc/apache2/httpd.conf, on reboot the dialog doesn't start at all.


B.R.
satimis

topdog
30th June 2008, 17:25
Your script is incorrect: you need $1 as the variable. But in any case, since you only have one host there is no need for a switch statement; this script should do it.

#!/bin/bash
PASS=abcde
echo $PASS
exit 0

satimis
30th June 2008, 18:10
Your script is incorrect: you need $1 as the variable. But in any case, since you only have one host there is no need for a switch statement; this script should do it.

#!/bin/bash
PASS=abcde
echo $PASS
exit 0
Your advice works for me. Thanks.


To make it more difficult: PassPhrase won't start automatically.


It only works under the following 2 conditions:

1) The server detects the pre-set IP of the remote site on ssh connection.

2) The PassPhrase must be keyed in by the remote site.


Is it possible? If YES how to achieve it? TIA


B.R.
satimis

topdog
30th June 2008, 18:37
I don't understand what you mean. The point of using that script is to allow apache to start with a private key that is password protected, so what are you talking about?

satimis
30th June 2008, 18:52
I don't understand what you mean. The point of using that script is to allow apache to start with a private key that is password protected, so what are you talking about?
Oh sorry, NOT the script. I was talking about new steps/a new setup, so that a non-authorized person can't restart the web server without the PassPhrase, which won't be stored on the server.

Regarding the IP, I was talking about 2 sites. Thanks


satimis

topdog
30th June 2008, 19:11
In that case the default builtin mechanism should be sufficient, as they will need to know the pass phrase.

satimis
2nd July 2008, 08:07
In that case the default builtin mechanism should be sufficient, as they will need to know the pass phrase.
Noted with thanks.


Having tried the 2-site version on the Intranet without success.

Site-1 to reboot the server, IP=192.168.0.10
Site-2 to reboot the server, IP=192.168.0.55

No port is forwarded to the server.


Variations of pp.out tested:
#!/bin/sh

PASS1=abcde
PASS2=vwxyz

case $1 in
192.168.0.10 echo $PASS1;;
192.168,0.55 echo $PASS2;;
esac

exit 0




#!/bin/sh

PASS1=abcde
PASS2=vwxyz

case $1 in
192.168.0.10) echo $PASS1;;
192.168,0.55) echo $PASS2;;
esac

exit 0




#!/bin/sh

PASS1=abcde
PASS2=vwxyz

case $1 in
192.168.0.10 ) echo $PASS1;;
192.168,0.55 ) echo $PASS2;;
esac

exit 0




#!/bin/sh

PASS1=abcde
PASS2=vwxyz

case $1 in
192.168.0.10 echo $PASS1;
192.168,0.55 echo $PASS2;
esac

exit 0


etc.

Running
$ sudo chmod +x /var/www/apache2/ssl/pp/pp.out

each time after a change was made.

None of them works.


satimis
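As an added example (not code from this thread or from Apache), here is a pp.out that does the per-host dispatch satimis attempted in the www.pass1.com:443 script and in the variations above, which topdog's single-host version skips. It assumes mod_ssl invokes the exec program as `pp.out servername:port KEYTYPE` (so the first argument carries the port, as in the `www.pass1.com:443)` pattern earlier in the thread) and reads the pass phrase from stdout; the secrets file path /etc/apache2/ssl/pp/passphrases and its line format are hypothetical.

```shell
#!/bin/sh
# pp.out: pass-phrase helper for "SSLPassPhraseDialog exec:/etc/apache2/ssl/pp/pp.out".
# Added example, not from the thread. Assumptions: mod_ssl invokes the program as
#   pp.out servername:port KEYTYPE
# and reads the pass phrase from stdout; the secrets live in a separate file
# (PP_DB, hypothetical path) with one "servername:port KEYTYPE passphrase" per line,
# so the script itself can be readable without leaking anything.

PP_DB="${PP_DB:-/etc/apache2/ssl/pp/passphrases}"

# pphrase_for VHOST [KEYTYPE]: print the pass phrase for that servername:port and
# key type (default RSA). Returns 0 when found, 1 otherwise, so mod_ssl simply
# fails to load that key instead of hanging when nothing matches.
pphrase_for() {
    vhost=$1
    keytype=${2:-RSA}
    [ -r "$PP_DB" ] || return 1
    while IFS= read -r line; do
        case $line in
            '#'*|'') continue ;;       # skip comments and blank lines
        esac
        h=${line%% *}                  # first field: servername:port
        rest=${line#* }
        k=${rest%% *}                  # second field: key type
        pw=${rest#* }                  # remainder: pass phrase, may contain spaces
        if [ "$h" = "$vhost" ] && [ "$k" = "$keytype" ]; then
            printf '%s\n' "$pw"
            return 0
        fi
    done < "$PP_DB"
    return 1
}

# Entry point when mod_ssl runs the script (it always passes at least one argument).
if [ "$#" -ge 1 ]; then
    pphrase_for "$1" "$2"
    exit $?
fi
```

With this layout the script needs only the x bit topdog mentions, while the passphrases file is the one thing that must be locked down to the user Apache loads its keys as.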