Re: Multi-domain with SSL - Virtualhost all need IPs?

OK, this is starting to make more sense as we go along...

I went through all of this myself when setting up originally.

I found that I cannot use vhosts easily with SSL / SNI / SANs etc.

and SAN is a nightmare to manage every time you make a cert change.

It was just more reliable to use individual config entries and SNI and proper certs for the domain.

Also note certs today handle domain.com & www.domain.com in one cert (or Apache - never really did figure that out).

Basically domain.com handles both with the ServerAlias.


Also (why I forgot about it) vhosts allow users to criss-cross directories data-wise (i.e. all rights are user www:www), which is why I went away from that type of config.

Unless this has changed, I ended up dumping the vhosts config and went with individual config entries per website.


Examples below using *:80 & *:443 respectively:

<VirtualHost *:80>
ServerName underconstruction.scom.ca
ServerAlias underconstruction.scom.ca
DocumentRoot /www/underconstruction.scom.ca
</VirtualHost>

<VirtualHost *:443>
ServerName underconstruction.scom.ca
ServerAlias underconstruction.scom.ca
DocumentRoot /www/underconstruction.scom.ca
SSLEngine on
# "all" enables every protocol the build supports, which on older builds
# still includes SSLv3 / TLS 1.0 / TLS 1.1; the usual hardened form is
# SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProtocol all
SSLCertificateKeyFile /www/scom.ca/ssl/scom.ca.key
SSLCertificateFile /www/scom.ca/ssl/scom.ca.crt
# SSLCertificateChainFile is deprecated since httpd 2.4.8; the chain can
# be appended to the file named by SSLCertificateFile instead
SSLCertificateChainFile /www/scom.ca/ssl/scom.ca.chain
</VirtualHost>

I know it's long and drawn out in the config file, which is why I wrote a Python script against a pgsql database to generate my config, but IT DOES WORK!


A better example (more secure) - this keeps all PHP scripts and users from bleeding into other user directories. This is how onetoone, myself and a bunch of other providers got hacked a few years back.

Mainly due to WordPress security issues.

vhosts are convenient but not super secure.

<VirtualHost *:80>
ServerName video.guelph.eks.scom.ca
ServerAlias video.guelph.eks.scom.ca
DocumentRoot /www/video.guelph.eks.scom.ca

# Run this site's CGI/PHP under its own account. Use a distinct user and
# group per site: if every site runs as www:www, suexec does not keep one
# site's scripts out of another site's files.
SuexecUserGroup www www

# Never execute PHP that lands in the uploads directory. This is the
# Apache 2.2 access-control syntax; on 2.4 it needs mod_access_compat,
# or replace the Order/Deny pair with: Require all denied
<Directory "/www/video.guelph.eks.scom.ca/wp-content/uploads/">
<Files "*.php">
Order Deny,Allow
Deny from All
</Files>
</Directory>

# Confine PHP to this site's own tree (plus /var/log) and keep every
# temp, session and cache path inside it. One <Directory> block is enough
# for the same path. php_admin_value cannot be overridden from .htaccess
# or by php_value, so AllowOverride All does not let site code relax these
# (a php_value session.save_path in the same scope would simply be ignored).
<Directory "/www/video.guelph.eks.scom.ca">
AllowOverride All
php_admin_value open_basedir /www/video.guelph.eks.scom.ca:/var/log/
php_admin_value sys_temp_dir /www/video.guelph.eks.scom.ca/tmp/
php_admin_value session.save_path /www/video.guelph.eks.scom.ca/tmp/
php_admin_value soap.wsdl_cache_dir /www/video.guelph.eks.scom.ca/tmp/
php_admin_value upload_tmp_dir /www/video.guelph.eks.scom.ca/tmp
</Directory>

</VirtualHost>


&

<VirtualHost *:443>
ServerName video.guelph.eks.scom.ca
ServerAlias video.guelph.eks.scom.ca
DocumentRoot /www/video.guelph.eks.scom.ca

# Same per-site isolation as the *:80 block; use a distinct user:group
# per site so suexec actually separates them.
SuexecUserGroup www www

# No PHP execution from the uploads directory (2.2 syntax; on 2.4 use
# mod_access_compat or "Require all denied")
<Directory "/www/video.guelph.eks.scom.ca/wp-content/uploads/">
<Files "*.php">
Order Deny,Allow
Deny from All
</Files>
</Directory>

# One <Directory> block for the site root; php_admin_value settings cannot
# be overridden by .htaccess or php_value despite AllowOverride All
<Directory "/www/video.guelph.eks.scom.ca">
AllowOverride All
php_admin_value open_basedir /www/video.guelph.eks.scom.ca:/var/log/
php_admin_value sys_temp_dir /www/video.guelph.eks.scom.ca/tmp/
php_admin_value session.save_path /www/video.guelph.eks.scom.ca/tmp/
php_admin_value soap.wsdl_cache_dir /www/video.guelph.eks.scom.ca/tmp/
php_admin_value upload_tmp_dir /www/video.guelph.eks.scom.ca/tmp
</Directory>

# Wildcard cert shared by every site, but each vhost names the files
# explicitly so SNI selection never depends on block order
SSLEngine on
SSLProtocol all
SSLCertificateKeyFile /www/scom.ca/ssl/scom.ca.key
SSLCertificateFile /www/scom.ca/ssl/scom.ca.crt
SSLCertificateChainFile /www/scom.ca/ssl/scom.ca.chain

</VirtualHost>

Note I have a wildcard SSL cert, but the file location setup is clearly defined.



Happy Thursday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services <http://www.scom.ca>
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266

On 5/19/2022 9:11 AM, Rainer Canavan wrote:

On Wed, May 18, 2022 at 11:53 PM Frank Gingras <thumbs@xxxxxxxxxx> wrote:

Not sure if you saw the other answer on the other email:

// If you can't use a SAN, then you need to configure all your vhosts as IP:443, whereas one vhost uses a separate IP, and the remainder uses the second IP.

That sounds wrong to me. Apache should pick a matching certificate for
the hostname specified via SNI by the client, if any, or the first one
configured as a fallback (assuming the vhost IP / * specification
matches). Note that only vhosts with IP:port are considered, if any
are specified and match the request. You should be able to use *:443
for all vhosts.

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
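Two things in this thread are easy to get wrong in a generated config: Rainer's point that once any IP:443 vhost matches the address a request arrived on, the *:443 vhosts are not considered for that address at all, and Paul's point that each site's PHP has to be pinned to its own DocumentRoot. Both can be checked mechanically before reload. The script below is an added example, not code from the thread or from Paul's generator: it parses `<VirtualHost>` blocks out of a constructed sample config (the hostnames `site-a.example`/`site-b.example`, the address 203.0.113.10 and the paths are made up) and reports mixed addressing, duplicate ServerNames, incomplete TLS blocks, `SSLProtocol all`, and missing or over-wide `open_basedir` settings.

```python
"""Lint an Apache httpd vhost config for the pitfalls discussed in the thread.
Added example (not from the thread). Sample config, hostnames and the
203.0.113.10 address below are constructed for the demonstration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class VHost:
    addr: str                                                  # "*:443" or "203.0.113.10:443"
    directives: Dict[str, str] = field(default_factory=dict)   # lower-cased name -> value
    php_admin: Dict[str, str] = field(default_factory=dict)    # php_admin_value name -> value


def parse_vhosts(text: str) -> List[VHost]:
    """Collect directives per <VirtualHost>. Nested <Directory>/<Files> tags are
    skipped, but php_admin_value lines inside them are attributed to the vhost."""
    vhosts: List[VHost] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            current = VHost(addr=m.group(1).strip())
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        if current is None or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "php_admin_value":
            name, _, v = val.partition(" ")
            current.php_admin[name.lower()] = v.strip().strip('"')
        else:
            current.directives.setdefault(key, val)   # keep the first occurrence
    return vhosts


def lint(vhosts: List[VHost]) -> List[Tuple[str, str]]:
    """Return (code, message) findings for the checks described in the thread."""
    findings: List[Tuple[str, str]] = []
    # 1. IP:port and *:port on the same port: the wildcard vhosts are ignored on
    #    any address that has an IP-specific vhost (Rainer's point).
    hosts_by_port: Dict[str, set] = {}
    for v in vhosts:
        host, _, port = v.addr.rpartition(":")
        hosts_by_port.setdefault(port, set()).add(host)
    for port, hosts in sorted(hosts_by_port.items()):
        if "*" in hosts and len(hosts) > 1:
            findings.append(("MIXED_ADDR", f"port {port}: both *:{port} and IP:{port} vhosts; "
                             f"*:{port} vhosts are ignored on addresses with an IP:{port} vhost"))
    # 2. Same ServerName twice on one address: only the first block is used, and the
    #    first block on an address is also the default / SNI-fallback vhost.
    seen = set()
    for v in vhosts:
        key = (v.addr, v.directives.get("servername", "").lower())
        if key in seen:
            findings.append(("DUP_NAME", f"{v.addr}: ServerName {key[1]} defined more than once"))
        seen.add(key)
    for v in vhosts:
        name = v.directives.get("servername", "?")
        # 3. HTTPS vhost completeness and protocol hygiene.
        if v.addr.endswith(":443"):
            if v.directives.get("sslengine", "").lower() != "on":
                findings.append(("NO_SSLENGINE", f"{name} {v.addr}: SSLEngine is not on"))
            for d in ("sslcertificatefile", "sslcertificatekeyfile"):
                if d not in v.directives:
                    findings.append(("NO_CERT", f"{name} {v.addr}: missing {d}"))
            if v.directives.get("sslprotocol", "").lower() == "all":
                findings.append(("WEAK_PROTO", f"{name} {v.addr}: SSLProtocol all keeps legacy "
                                 "protocols; prefer all -SSLv3 -TLSv1 -TLSv1.1"))
        # 4. PHP must be confined to the site's own tree (Paul's point); a parent
        #    such as /www would expose every other site's files.
        root = v.directives.get("documentroot", "").rstrip("/")
        basedir = v.php_admin.get("open_basedir")
        if basedir is None:
            findings.append(("NO_BASEDIR", f"{name} {v.addr}: no open_basedir; PHP can reach other sites"))
        elif root and root not in [p.rstrip("/") for p in basedir.split(":")]:
            findings.append(("BASEDIR_TOO_WIDE", f"{name} {v.addr}: open_basedir {basedir} "
                             f"is not pinned to DocumentRoot {root}"))
    return findings


SAMPLE_CONFIG = """\
# constructed sample: one wildcard-addressed site, one IP-addressed site
<VirtualHost *:443>
ServerName site-a.example
DocumentRoot /www/site-a.example
SSLEngine on
SSLProtocol all
SSLCertificateKeyFile /www/ssl/wildcard.key
SSLCertificateFile /www/ssl/wildcard.crt
<Directory /www/site-a.example>
php_admin_value open_basedir /www/site-a.example:/var/log/
</Directory>
</VirtualHost>

<VirtualHost 203.0.113.10:443>
ServerName site-b.example
DocumentRoot /www/site-b.example
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCertificateKeyFile /www/ssl/site-b.key
SSLCertificateFile /www/ssl/site-b.crt
<Directory /www/site-b.example>
php_admin_value open_basedir /www
</Directory>
</VirtualHost>

<VirtualHost *:80>
ServerName site-a.example
DocumentRoot /www/site-a.example
</VirtualHost>
"""

if __name__ == "__main__":
    for code, msg in lint(parse_vhosts(SAMPLE_CONFIG)):
        print(f"[{code}] {msg}")
```

Run against the sample it reports the mixed *:443/IP:443 addressing, the `SSLProtocol all` on site-a, the missing `open_basedir` on the plain-HTTP site-a block, and site-b's `open_basedir /www`, which lets PHP out of that site's tree. Feeding it the real generated config (for example the output of Paul's script) before `apachectl graceful` catches the cases where SNI selection or isolation silently depends on block order.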


