Hi,
well, Apache httpd uses SNI to decide which vhost to use. Otherwise, it would not even be possible to have multiple TLS-secured domains on the same port. However, this is indeed possible, but you have to put them into multiple vhosts. These vhosts can be so similar that they share everything but the TLS certificate files and ServerNames. They can have the same DocumentRoot and so on.
Otherwise, you could also try HAProxy in front of Apache. HAProxy supports SNI and can perform TLS offloading, so that the Apache webserver is to be configured with HTTP only.
Kind regards,
rexkogitans.
On 05.07.24 at 16:28, Frank Gingras wrote:
Hi Michael,
you can add any number of domain names to a TLS certificate. These entries are known as SAN (Subject Alternative Name). So, you want a single TLS certificate with multiple domain names instead of multiple TLS certificates each with a single domain name.
Kind regards,
rexkogitans
On 04.07.24 at 15:57, Frank Gingras wrote:
On Thu, Jul 4, 2024 at 8:44 AM Michael Osipov <michaelo@xxxxxxxxxx> wrote:
Folks,
please consider the following example:
> <VirtualHost *:443>
> ServerAdmin me@xxxxxxxxxxx
> ServerName foo.example.com
> ServerAlias foo.sub.example.net
> DocumentRoot /usr/local/www/apache24/data
> ErrorLog "/var/log/apache/foo-ssl-errors.log"
> CustomLog "/var/log/apache/foo-ssl-access.log" common
>
> SSLEngine On
> SSLCertificateFile /etc/ssl/foo.example.com/cert.crt
> SSLCertificateKeyFile /etc/ssl/foo.example.com/key.crt
> SSLCertificateFile /etc/ssl/foo.sub.example.net/cert.crt
> SSLCertificateKeyFile /etc/ssl/foo.sub.example.net/key.crt
>
> Include "..."
> </VirtualHost>
I'd like to run a single vhost serving the same content under multiple FQDNs to the users.
As far as I understand mod_ssl, it does not seem to support having SNI on a single vhost with multiple hostnames. I get error messages in the log file.
I am running "Apache/2.4.59 (FreeBSD) OpenSSL/1.1.1w-freebsd".
FWIW: the same concept is supported with Tomcat: One connector, one default host, aliases and several SSLHostConfig elements.
Is the approach to run two vhosts here? I am sure that a SAN certificate will do the trick, but for €€€ reasons I won't be able to order one.
Michael
In that case, define separate :443 vhosts for each name, and redirect to the main one.
They already said that for price reasons, that consideration is not on the table.