Re: Multiple http servers for zendphp7

San is a function of the certificate, not the server, so any server that
can present a certificate should support it. All modern browsers should
support san certificates, so if your websites are all running one code
base and it is the only codebase you need on your server, san should
work. We only tried to use it once, and it wasn't served off the IBM i.
We ended up having to scrape the certificate however because the vendor
connecting to us required the domain to match the common name. That was
a while back, and I'm not sure if they still require that, but we just
renew the certificates when they expire now, and haven't tried to
combine them again.

Virtual hosts have been around for a long time. They allow one server
listening on one ip:port combination to have different configurations
based on the domain being served. For a long time SSL sites were limited
because of the timing of serving the certificate. You were limited to
one certificate per server. SNI allows you to overcome that. It moved
just enough of the headers outside the encrypted portion of the
communication to allow a server to determine what site the client is
trying to reach, and allows the server to have different configurations
(including different certificates) for each domain being served.

With SAN you have one server serving one certificate for multiple
domains. You are limited to one configuration including codebase,
certificate, permissions, etc.

With named virtual hosts and SNI, you have one server serving multiple
configurations. You can use the same or different codebases,
certificates, permissions, etc.

Both have strengths and weaknesses. Once you get past your deadline,
fire up a linux VM and create some letsencrypt certs and play around
with both just so you understand the config and routing.

Kevin Bucknum
Senior Programmer Analyst
MEDDATA/MEDTRON
Tel: 985-893-2550

-----Original Message-----

From: WEB400 [mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of Don
Brown
Sent: Thursday, January 25, 2018 5:07 PM
To: Web Enabling the IBM i(AS/400 and iSeries)
Subject: Re: [WEB400] Multiple http servers for zendphp7

Ok this is well above my skill level!

I had to look SNI up to find it is Server Name Identification

I have a single PHP application running on IBMi at 7.2 and 7.3 that is

used by

multiple entities and each entity requires a https connection with
appropriate ssl certificate.

I have a deadline of 1st Feb to get this operational.

There is such a certificate as a SAN but getting specific information

on this is

seeming difficult. I tried calling the US and UK offices of GeoTrust

and after

10 minutes + on hold to each I left a message and no replies as yet.

And I can not find anything that specifically indicates this is

supported on

IBMi.

While not totally great I can do this with a simple wildcard

certificate and just

put the entities accessing the site; for example

fredsaccounts.msd.net.au

and acmeaccounts.msd.net.au ... Etcetera.

Kevin: Thanks for the apache config - I will at some stage go through

this in

detail and try and understand exactly what you are saying - like I

said this is

way above my current skill level. Sorry but I really do not

understand what

this is doing, it may be the perfect solution for my but I can't

visualise the

network diagram or traffic flow.


Pete: I have read a lot about reverse proxies in this blog but again

until you

actually work with one it is my old head that is struggling with the

concept. I

know nothing of letsEncrypt Ok scratch that they are a free

Certificate

provider WOW I will have to investigate this further in the future.

So I am

struggling with the overview of how a reverse proxy will allow me to

have

multiple certificates as indicated above in what I am trying to

achieve. As

much as I would love to be going to Sam Antonio this year just not in

the

budget (I did Orlando last year) but if you want a guinea pig to test

your

presentation on I can definitely assist :-)

So I am a little bit stuck.

Appreciate the assistance



Don Brown





From: "Kevin Bucknum" <Kevin@xxxxxxxxxxxxxxxxxxx>
To: "Web Enabling the IBM i\(AS/400 and iSeries\)"
<web400@xxxxxxxxxxxx>
Date: 25/01/2018 11:37 PM
Subject: Re: [WEB400] Multiple http servers for zendphp7
Sent by: "WEB400" <web400-bounces@xxxxxxxxxxxx>



SNI works fine with zendserver on the i. I've been configuring apache

servers

for so long, that I just do it now, and haven't had to look around for

any kind

of instructions lately. Any basic walkthrough for setting up named

virtual

hosts should work. To answer your other question about multiple
certificates. I'm 90% sure that I had it working, but that was several

years ago,

and the memory is fuzzy. I could try again real quick to see if it

works. There

are a couple of directives in the IBM apache implantation that are

different

from standard, and one of them controls the certificate used.

SSLAppName

points to a name in the DCM which controls which certificate is used.

As I

recall the only confusing thing was getting the application set up in

the DCM.

If you have issues setting it up, I can create a letsencrypt cert and

try and pop

a new named instance on my box. It would probably be tomorrow before I
can do that however. Here is my current apache config with several

named

hosts running different code bases.

#s Configuration originally created by Create HTTP Server wizard on

Tue Apr

11 01:53:18 CDT 2006 LoadModule proxy_module
/QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM
LoadModule proxy_http_module
/QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM
LoadModule proxy_connect_module
/QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM
LoadModule proxy_ftp_module
/QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM

LoadModule zend_enabler_module
/QSYS.LIB/QHTTPSVR.LIB/QZFAST.SRVPGM
LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM

Listen *:10081
NameVirtualHost *:10081
Listen *:10080
NameVirtualHost *:10080
DocumentRoot /www/zendsvr6/htdocs

DefaultFsCCSID 37
CGIJobCCSID 37

<VirtualHost *:10080>
Include

/usr/local/zendsvr6/etc/sites.d/zend-default-vhost-10080.conf

</VirtualHost>
Listen *:443
Options -ExecCGI -FollowSymLinks -SymLinksIfOwnerMatch -Includes -
IncludesNoExec -Indexes -MultiViews LogFormat "%h %l %u %t \"%r\" %>s
%b \"%{Referer}i\" \"%{User-Agent}i\""
combined
LogFormat "%{Cookie}n \"%r\" %t" cookie
LogFormat "%{User-agent}i" agent
LogFormat "%{Referer}i -> %U" referer
LogFormat "%h %l %u %t \"%r\" %>s %b" common CustomLog
logs/access_log combined SetEnvIf "User-Agent" "Mozilla/2" nokeepalive
SetEnvIf "User-Agent" "JDK/1\.0" force-response-1.0 SetEnvIf

"User-Agent"

"Java/1\.0" force-response-1.0 SetEnvIf "User-Agent" "RealPlayer 4\.0"
force-response-1.0 SetEnvIf "User-Agent" "MSIE 4\.0b2;" nokeepalive
SetEnvIf "User-Agent" "MSIE 4\.0b2;" force-response-1.0 DefaultFsCCSID

37

CGIJobCCSID 37

DirectoryIndex index.php index.html
CgiConvMode %%MIXED/MIXED%%
TimeOut 30000
KeepAlive Off
HotBackup Off
NameVirtualHost *:443

#AddCharset UTF-8 .utf8
#AddCharset utf-8 .utf8
#AddCharset utf-7 .utf7
AddCharset UTF-8 .htm .html .xml

# zend fastcgi
AddType application/x-httpd-php .php
AddHandler fastcgi-script .php


RewriteEngine on

<Directory />
Order Deny,Allow
Deny From all
</Directory>

# Allow requests for files in document root

<Directory /www/zendsvr6/htdocs>
Options FollowSymLinks
order allow,deny
allow from all
AllowOverride all
</Directory>

<Directory /usr/local/zendsvr6/var/apps>
Options FollowSymLinks
order allow,deny
allow from all
AllowOverride all
</Directory>
<Directory /www/medpmdemo>
Options FollowSymLinks
order allow,deny
allow from all
AllowOverride all
</Directory>

<Directory /www/programming>
Options FollowSymLinks
order allow,deny
allow from all
AllowOverride all
</Directory>

<Directory /www/kevin_dev>
Options FollowSymLinks
order allow,deny
allow from all
AllowOverride all
</Directory>

<Directory /www/waynehdev>
Options FollowSymLinks
order allow,deny
allow from all
AllowOverride all
</Directory>

<Directory /www/jeremyldev>
Options FollowSymLinks
order allow,deny
allow from all
AllowOverride all
</Directory>




<Directory /www/mounika_dev>
Options FollowSymLinks
order allow,deny
allow from all
AllowOverride all
</Directory>

<Directory /www/medpmweb>
Options FollowSymLinks
order allow,deny
allow from all
AllowOverride all
</Directory>
<VirtualHost *:10081>
RedirectMatch ^/$ /ZendServer/
DocumentRoot /usr/local/zendsvr6/gui/public/ <Directory
/usr/local/zendsvr6/gui>
Options FollowSymLinks
AllowOverride None
order allow,deny
Allow from all
</Directory>

<Location /ZendServer>
order allow,deny
Allow from all
</Location>

Alias /ZendServer "/usr/local/zendsvr6/gui/public"

<Directory "/usr/local/zendsvr6/gui/public">
AllowOverride All
order allow,deny
Allow from all
</Directory>
</VirtualHost>


<Location /Zend5250Demos>
Order deny,allow
Allow from all
</Location>

<Location /Zend5250Login>
Order deny,allow
Allow from all
</Location>

Alias /Zend5250Demos /usr/local/zendsvr6/5250/demos Alias
/Zend5250Login /usr/local/zendsvr6/5250/Generator/Form
Alias /Zend5250Appl /usr/local/zendsvr6/5250/Welcome


<Directory "/www/zendsvr6/htdocs/Zend5250Emulator">
Options FollowSymLinks
AllowOverride All
</Directory>

IncludeOptional /usr/local/zendsvr6/etc/sites.d/globals-*.conf
IncludeOptional /usr/local/zendsvr6/etc/sites.d/vhost_*.conf

Listen 127.0.0.1:10083
NameVirtualHost 127.0.0.1:10083
<VirtualHost 127.0.0.1:10083>
Alias /UserServer /usr/local/zendsvr6/share/UserServer
DocumentRoot /usr/local/zendsvr6/share/UserServer
<Directory /usr/local/zendsvr6/share/UserServer>
AllowOverride All
Allow from all
</Directory>
</VirtualHost>


#XML Toolkit http settings
ScriptAlias /cgi-bin/ /QSYS.LIB/ZENDSVR6.LIB/ <Directory
/QSYS.LIB/ZENDSVR6.LIB/> AllowOverride None order allow,deny allow
from all SetHandler cgi-script Options +ExecCGI </Directory> #End

XML

Toolkit http settings


#/* keep access logs 30 days, error logs 30 days, FastCGI logs 30 days
#/LogMaint logs/access_log 30 0 #/LogMaint logs/error_log 30 0

#//LogMaint

logs/error_zfcgi 30 0

#/ Maintain Logs at 3 am (0 = midnight, 23 = 11 pm, etc) #/ Set for an

hour

when the server is active (i.e. not during an IPL or backup, for

example)

<Location /phpmyadmin>
Order deny,allow
Allow from all
</Location>
<VirtualHost *:443>
ServerName dev.medtronsoftware.com
DocumentRoot /www/medpmweb/public
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_ZENDSVR
SSLCacheEnable
SetEnv HTTPS_PORT 443
</VirtualHost>
<VirtualHost *:443>
ServerName kevin.dev.medtronsoftware.com
DocumentRoot /www/kevin_dev/public
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_ZENDSVR
SSLCacheEnable
SetEnv HTTPS_PORT 443
</VirtualHost>
<VirtualHost *:443>
ServerName mounika.dev.medtronsoftware.com
DocumentRoot /www/mounika_dev/public
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_ZENDSVR
SSLCacheEnable
SetEnv HTTPS_PORT 443
</VirtualHost>
<VirtualHost *:443>
ServerName wayneh.dev.medtronsoftware.com
DocumentRoot /www/waynehdev/medpmweb/public
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_ZENDSVR
SSLCacheEnable
SetEnv HTTPS_PORT 443
</VirtualHost>
<VirtualHost *:443>
ServerName jeremyldev.medtronsoftware.com
DocumentRoot /www/jeremyldev/medpmweb/public
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_ZENDSVR
SSLCacheEnable
SetEnv HTTPS_PORT 443
</VirtualHost>
<VirtualHost *:443>
ServerName programming.medtronsoftware.com
DocumentRoot /www/programming/public
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_ZENDSVR
SSLCacheEnable
SetEnv HTTPS_PORT 443
</VirtualHost>
<VirtualHost *:443>
ServerName medpmdemo.medtronsoftware.com
DocumentRoot /www/medpmdemo/public
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_ZENDSVR
SSLCacheEnable
SetEnv HTTPS_PORT 443
</VirtualHost>

Kevin Bucknum
Senior Programmer Analyst
MEDDATA/MEDTRON
Tel: 985-893-2550

-----Original Message-----

From: WEB400 [mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of Don
Brown
Sent: Thursday, January 25, 2018 3:20 AM
To: Web400@Midrange. Web400
Subject: [WEB400] Multiple http servers for zendphp7

I am trying to find a cheat sheet or step by step instructions to

have

multiple

http servers all running php.

Reason being I have 4 different domain names and to enable ssl on

each

I

need 4 http servers on 4 different ip addresses.

I am also exploring SAN ssl certificates but want to explore both

options first.

Does anyone have multiple http servers providing php and are there

any

concerns / problems that I should be aware of ?

Thanks for any assistance

IBMi V7R2 and V7R3

Don Brown


--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)

mailing list

To post a message email: WEB400@xxxxxxxxxxxx To subscribe,

unsubscribe,

or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/web400.

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)

mailing list

To post a message email: WEB400@xxxxxxxxxxxx To subscribe,

unsubscribe,

or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/web400.


__________________________________________________________
____________
This email has been scanned by the Symantec Email Security.cloud

service.

For more information please visit http://www.symanteccloud.com
__________________________________________________________
____________


--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)

mailing list

To post a message email: WEB400@xxxxxxxxxxxx To subscribe,

unsubscribe,

or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/web400.