OK, this is starting to make more sense as we go along ... I went through all of this myself when setting up originally. I found that I could not use vhosts easily with SSL / SNI / SANs etc., and a SAN is a nightmare to manage every time you make a cert change. It was just more reliable to use individual config entries and SNI and proper certs for the domain.

Also note certs today handle domain.com & www.domain.com in one cert (or Apache does - I never really did figure that out).

Basically domain.com handles both with the ServerAlias also (why I forgot about it). vhosts allow users to criss-cross directories data-wise (i.e. all rights are user www:www), which is why I went away from that type of config.

Unless this has changed, I ended up dumping the vhosts config and went with individual config entries per website.
Examples below using *:80 & *:443 respectively:

<VirtualHost *:80>
    ServerName underconstruction.scom.ca
    ServerAlias underconstruction.scom.ca
    DocumentRoot /www/underconstruction.scom.ca
</VirtualHost>

<VirtualHost *:443>
    ServerName underconstruction.scom.ca
    ServerAlias underconstruction.scom.ca
    DocumentRoot /www/underconstruction.scom.ca
    SSLEngine on
    # "all" enables every protocol version the build supports (older builds include SSLv3)
    SSLProtocol all
    SSLCertificateKeyFile /www/scom.ca/ssl/scom.ca.key
    SSLCertificateFile /www/scom.ca/ssl/scom.ca.crt
    SSLCertificateChainFile /www/scom.ca/ssl/scom.ca.chain
</VirtualHost>

I know it's long and drawn out in the config file, which is why I wrote a Python script against a PgSQL database to generate my config, but IT DOES WORK!
A better example (more secure) - this keeps all PHP scripts and users from bleeding into other users' directories. This is how onetoone, myself and a bunch of other providers got hacked a few years back.

Mainly due to WordPress security issues. vhosts is convenient but not super secure.

<VirtualHost *:80>
    ServerName video.guelph.eks.scom.ca
    ServerAlias video.guelph.eks.scom.ca
    DocumentRoot /www/video.guelph.eks.scom.ca
    SuexecUserGroup www www

    # Stop anything uploaded as .php from ever being executed
    # (2.2-style access control; on 2.4 this needs mod_access_compat,
    # or use "Require all denied" instead)
    <Directory "/www/video.guelph.eks.scom.ca/wp-content/uploads/">
        <Files "*.php">
            Order Deny,Allow
            Deny from All
        </Files>
    </Directory>

    # Confine PHP to this site's tree (plus /var/log) and keep its temp,
    # session, cache and upload scratch files inside the site's own tmp
    <Directory /www/video.guelph.eks.scom.ca>
        php_admin_value open_basedir /www/video.guelph.eks.scom.ca:/var/log/
        php_admin_value sys_temp_dir /www/video.guelph.eks.scom.ca/tmp/
        php_admin_value session.save_path /www/video.guelph.eks.scom.ca/tmp/
        php_admin_value soap.wsdl_cache_dir /www/video.guelph.eks.scom.ca/tmp/
        php_admin_value upload_tmp_dir /www/video.guelph.eks.scom.ca/tmp
        AllowOverride All
        # php_admin_value settings cannot be overridden by php_value or
        # ini_set(), so the session.save_path above is the one in effect
        php_value session.save_path "/www/video.guelph.eks.scom.ca/"
    </Directory>
</VirtualHost>

&

<VirtualHost *:443>
    ServerName video.guelph.eks.scom.ca
    ServerAlias video.guelph.eks.scom.ca
    DocumentRoot /www/video.guelph.eks.scom.ca
    SuexecUserGroup www www

    # Stop anything uploaded as .php from ever being executed
    # (2.2-style access control; on 2.4 this needs mod_access_compat,
    # or use "Require all denied" instead)
    <Directory "/www/video.guelph.eks.scom.ca/wp-content/uploads/">
        <Files "*.php">
            Order Deny,Allow
            Deny from All
        </Files>
    </Directory>

    # Confine PHP to this site's tree (plus /var/log) and keep its temp,
    # session, cache and upload scratch files inside the site's own tmp
    <Directory /www/video.guelph.eks.scom.ca>
        php_admin_value open_basedir /www/video.guelph.eks.scom.ca:/var/log/
        php_admin_value sys_temp_dir /www/video.guelph.eks.scom.ca/tmp/
        php_admin_value session.save_path /www/video.guelph.eks.scom.ca/tmp/
        php_admin_value soap.wsdl_cache_dir /www/video.guelph.eks.scom.ca/tmp/
        php_admin_value upload_tmp_dir /www/video.guelph.eks.scom.ca/tmp
        AllowOverride All
        # php_admin_value settings cannot be overridden by php_value or
        # ini_set(), so the session.save_path above is the one in effect
        php_value session.save_path "/www/video.guelph.eks.scom.ca/"
    </Directory>

    SSLEngine on
    # "all" enables every protocol version the build supports (older builds include SSLv3)
    SSLProtocol all
    SSLCertificateKeyFile /www/scom.ca/ssl/scom.ca.key
    SSLCertificateFile /www/scom.ca/ssl/scom.ca.crt
    SSLCertificateChainFile /www/scom.ca/ssl/scom.ca.chain
</VirtualHost>

Note: I have a wildcard SSL cert, but the file location setup is clearly defined.
Happy Thursday !!!

Thanks - paul

Paul Kudla
Scom.ca Internet Services <http://www.scom.ca>
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3
Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266

On 5/19/2022 9:11 AM, Rainer Canavan wrote:
On Wed, May 18, 2022 at 11:53 PM Frank Gingras <thumbs@xxxxxxxxxx> wrote:

    Not sure if you saw the other answer on the other email:
    // If you can't use a SAN, then you need to configure all your vhosts as IP:443, whereas one vhost uses a separate IP, and the remainder uses the second IP.

That sounds wrong to me. Apache should pick a matching certificate for the hostname specified via SNI by the client, if any, or the first one configured as a fallback (assuming the vhost IP / * specification matches). Note that only vhosts with IP:port are considered, if any are specified and match the request. You should be able to use *:443 for all vhosts.

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
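The two points of this thread, Paul's per-site PHP confinement and the SNI/certificate selection Rainer describes, as an added example that is not part of the thread and is neither Paul's generator script nor Apache code: a small Python linter that parses vhost config in the simplified form shown above and flags a site with no open_basedir, an open_basedir entry that reaches above the DocumentRoot, no PHP deny under wp-content/uploads, or a php_value shadowed by an earlier php_admin_value (as in the posted session.save_path lines), plus a select_vhost() that models which vhost, and so which certificate, answers a given SNI name under the rule Rainer states. The embedded sample config, the host name loose.example and the address 203.0.113.5 are constructed for the example.

```python
"""Lint per-site Apache vhosts for the PHP isolation settings discussed in the thread, and model which
vhost (hence which certificate) Apache picks for an SNI name. Added example, not Paul's generator script
and not Apache code; it reads only <Section args>...</Section> blocks and 'Directive value' lines."""
import re
from types import SimpleNamespace

def Section(name, args):
    """A config section: its args, its (name, value) directives in file order, and nested child sections."""
    return SimpleNamespace(name=name, args=args, directives=[], children=[])

def parse(text):
    """Build a Section tree from config text (asserts that sections are balanced)."""
    stack = [Section("root", "")]
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if m := re.fullmatch(r"<(\w+)\s*(.*?)>", line):
            stack[-1].children.append(sec := Section(m[1], m[2].strip('"')))
            stack.append(sec)
        elif m := re.fullmatch(r"</(\w+)>", line):
            assert stack[-1].name == m[1], f"unbalanced {line}"
            stack.pop()
        else:
            name, _, value = line.partition(" ")
            stack[-1].directives.append((name, value.strip()))
    assert len(stack) == 1, f"unclosed <{stack[-1].name}>"
    return stack[0]

def walk(sec):
    yield sec
    yield from (s for child in sec.children for s in walk(child))

def values(sec, name):
    return [v for n, v in sec.directives if n.lower() == name.lower()]

def denies_all(sec):  # 2.2-style "Deny from all" or 2.4-style "Require all denied"
    return any((n.lower(), v.lower()) in {("deny", "from all"), ("require", "all denied")}
               for n, v in sec.directives)

def lint_vhost(vh):
    """Findings for one <VirtualHost>: open_basedir scope, PHP in uploads, shadowed php_value."""
    issues, docroot = [], (values(vh, "DocumentRoot") or [""])[0].rstrip("/")
    basedirs = [v.split(None, 1)[1] for s in walk(vh) for n, v in s.directives
                if n == "php_admin_value" and v.startswith("open_basedir ")]
    if not basedirs:
        issues.append("no php_admin_value open_basedir: PHP can read other sites' trees")
    for p in (basedirs[0].split(":") if basedirs else []):
        p = p.rstrip("/") or "/"
        if p == "/" or docroot.startswith(p + "/"):  # entry is an ancestor of DocumentRoot
            issues.append(f"open_basedir entry {p!r} reaches above DocumentRoot")
    if not any(s.name == "Directory" and s.args.rstrip("/") == docroot + "/wp-content/uploads"
               and any(f.name in ("Files", "FilesMatch") and "php" in f.args and denies_all(f)
                       for f in s.children)
               for s in walk(vh)):
        issues.append("PHP execution not denied under wp-content/uploads")
    admin = {v.split()[0] for s in walk(vh) for n, v in s.directives if n == "php_admin_value"}
    issues += [f"php_value {v.split()[0]} is ignored: php_admin_value already sets it"
               for s in walk(vh) for n, v in s.directives if n == "php_value" and v.split()[0] in admin]
    return issues

def lint(text):
    return {values(v, "ServerName")[0]: lint_vhost(v) for v in parse(text).children if v.name == "VirtualHost"}

def select_vhost(root, addr, sni_name):
    """Model of the rule Rainer describes: vhosts bound to the exact ip:port win over *:port ones; the first
    whose ServerName/ServerAlias matches the SNI name serves the connection, else the first vhost on that address."""
    vhosts = [s for s in root.children if s.name == "VirtualHost"]
    port = addr.rsplit(":", 1)[1]
    cands = [v for v in vhosts if v.args == addr] or [v for v in vhosts if v.args == "*:" + port]
    for v in cands:
        names = values(v, "ServerName") + [a for al in values(v, "ServerAlias") for a in al.split()]
        if sni_name and sni_name.lower() in [n.lower() for n in names]:
            return v
    return cands[0] if cands else None  # fallback vhost: its certificate is the one presented

# Constructed sample: the thread's hardened vhost (trimmed) next to a loosely configured one.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName video.guelph.eks.scom.ca
    DocumentRoot /www/video.guelph.eks.scom.ca
    <Directory "/www/video.guelph.eks.scom.ca/wp-content/uploads/">
        <Files "*.php">
            Deny from All
        </Files>
    </Directory>
    <Directory /www/video.guelph.eks.scom.ca>
        php_admin_value open_basedir /www/video.guelph.eks.scom.ca:/var/log/
        php_admin_value session.save_path /www/video.guelph.eks.scom.ca/tmp/
        php_value session.save_path /www/video.guelph.eks.scom.ca/
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    ServerName loose.example
    DocumentRoot /www/loose.example
    <Directory /www/loose.example>
        php_admin_value open_basedir /www:/tmp
    </Directory>
</VirtualHost>
"""
```

Run it over your own vhost file with lint(open("/etc/httpd/conf.d/sites.conf").read()) (path assumed). On the hardened vhost from this thread it reports one thing, that the trailing php_value session.save_path is ignored because php_admin_value already pins it to the site's tmp; on the loose vhost it reports the open_basedir entry /www (which spans every site's tree) and the missing PHP deny under uploads. select_vhost only models the rule as stated in the thread; confirm what a real server presents with openssl s_client -connect host:443 -servername name.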