RE: [users@httpd] SSL And Virtual Hosts

> -----Original Message-----
> From: David P. Donahue [mailto:ddonahue@xxxxxxxxxxx] 
> Sent: Monday, 13 March 2006 15:34
> To: users@xxxxxxxxxxxxxxxx
> Subject: [users@httpd] SSL And Virtual Hosts
> 
> I've been using Apache 1.3 for a while now with several name-based
> virtual hosts (my server has only one IP).  Recently, I have begun
> testing the use of SSL, which is entirely new territory for me.  But I
> seem to be running into a couple problems.

I'll say... 

The web (and this mailing list) is replete on the subject of SSL and NBVHs. Most recent: http://marc.theaimsgroup.com/?l=apache-httpd-users&m=114137608115220&w=2

Or search the archives and/or google for "SSL NBVH". Not to mention the docs: http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> 
> First thing I notice is that my ssl_engine log yells at me and says I
> should not use name-based virtual hosts with SSL.  If this is the case,
> what would one recommend?  What is the "right way" to do it?
>
> During testing of my name-based virtual hosts with SSL, I am using two
> of my hosted domains.  One of them, the main default domain for my site,
> seems to work, except that in my browser (Firefox) the lock icon is
> broken, so it seems to not be working from the client side.  But no more
> info is given as to why that is the case.
>
> The second domain I'm testing seems to be encrypting fine between the
> client and server, but when it issues the self-signed cert it sends the
> wrong one (the one for the default domain).
>
> Can anyone explain to me what is probably wrong and what the right way
> to do things would be?
>
>
> For reference, here is the VirtualHosts section of my mod_ssl.conf file:
> 
> NameVirtualHost *:443
> 
> <VirtualHost *:443>
>    DocumentRoot "/home/www/.www"
>    ServerName www.cyber0ne.com
>    ServerAlias cyber0ne.com
>    DirectoryIndex index.aspx index.asp index.html index.htm index.php
>    HostnameLookups On
>    ServerAdmin ddonahue@xxxxxxxxxxx
>    ErrorLog /var/log/apache/ssl_error_log
>    LogLevel warn
>    TransferLog /var/log/apache/ssl_access_log
>    SSLEngine on
>    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>    SSLCertificateFile /etc/apache/ssl.crt/cyber0ne.cert
>    SSLCertificateKeyFile /etc/apache/ssl.key/cyber0ne.key
>    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>        SSLOptions +StdEnvVars
>    </Files>
>    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>    LogFormat "%h %l %u %t \"%!414r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
>    CustomLog /var/log/apache/ssl_access_log combined
> </VirtualHost>
> 
> <VirtualHost *:443>
>    DocumentRoot "/home/www/.www/webusers/newharvest"
>    ServerName www.newharvestchristians.org
>    ServerAlias newharvestchristians.org
>    DirectoryIndex index.aspx index.asp index.html index.htm index.php
>    HostnameLookups On
>    ServerAdmin ddonahue@xxxxxxxxxxx
>    ErrorLog /var/log/apache/www.newharvestchristians.org-ssl_error_log
>    LogLevel warn
>    TransferLog /var/log/apache/www.newharvestchristians.org-ssl_access_log
>    SSLEngine on
>    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>    SSLCertificateFile /etc/apache/ssl.crt/newharvestchristians.cert
>    SSLCertificateKeyFile /etc/apache/ssl.key/newharvestchristians.key
>    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>        SSLOptions +StdEnvVars
>    </Files>
>    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>    LogFormat "%h %l %u %t \"%!414r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
>    CustomLog /var/log/apache/www.newharvestchristians.org-ssl_access_log combined
> </VirtualHost>
> 
> <VirtualHost *:443>
>    DocumentRoot "/home/www/.www/webusers/newharvest/ftp"
>    ServerName ftp.newharvestchristians.org
>    DirectoryIndex index.aspx index.asp index.html index.htm index.php
>    HostnameLookups On
>    ServerAdmin ddonahue@xxxxxxxxxxx
>    ErrorLog /var/log/apache/www.newharvestchristians.org-ssl_error_log
>    LogLevel warn
>    TransferLog /var/log/apache/www.newharvestchristians.org-ssl_access_log
>    SSLEngine on
>    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>    SSLCertificateFile /etc/apache/ssl.crt/newharvestchristians.cert
>    SSLCertificateKeyFile /etc/apache/ssl.key/newharvestchristians.key
>    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>        SSLOptions +StdEnvVars
>    </Files>
>    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>    LogFormat "%h %l %u %t \"%!414r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
>    CustomLog /var/log/apache/www.newharvestchristians.org-ssl_access_log combined
> </VirtualHost>
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> 
>
 
 
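The second symptom in the quoted question (the default domain's certificate sent for another host) follows from the certificate being chosen during the TLS handshake, before the Host header can be read. As an added example, not part of either poster's message, this Python script reads a config in the quoted layout and lists the vhosts whose own certificate will never be presented. It assumes a server without SNI support; `parse_ssl_vhosts` and `shadowed_certs` are hypothetical names.

```python
import re

# Constructed sample: the quoted mod_ssl.conf reduced to the directives
# that decide which certificate is sent.
SAMPLE_CONF = """
NameVirtualHost *:443
<VirtualHost *:443>
   ServerName www.cyber0ne.com
   SSLEngine on
   SSLCertificateFile /etc/apache/ssl.crt/cyber0ne.cert
</VirtualHost>
<VirtualHost *:443>
   ServerName www.newharvestchristians.org
   SSLEngine on
   SSLCertificateFile /etc/apache/ssl.crt/newharvestchristians.cert
</VirtualHost>
"""

def parse_ssl_vhosts(conf):
    """Return {address: [(ServerName, SSLCertificateFile), ...]} in file order."""
    groups, cur = {}, None
    for line in (l.strip() for l in conf.splitlines()):
        opened = re.match(r"<VirtualHost\s+([^>\s]+)", line, re.I)
        if opened:
            cur = {"addr": opened.group(1)}
        elif line.lower().startswith("</virtualhost") and cur is not None:
            if cur.get("sslengine", "").lower() == "on":
                groups.setdefault(cur["addr"], []).append(
                    (cur.get("servername"), cur.get("sslcertificatefile")))
            cur = None
        elif cur is not None and line and not line.startswith("#"):
            parts = line.split(None, 1)  # directive names are case-insensitive
            cur[parts[0].lower()] = parts[-1].strip('"')
    return groups

def shadowed_certs(conf):
    """List (addr, vhost, its_cert, cert_actually_sent) for each SSL vhost
    that shares an address:port with an earlier vhost using another cert.
    Assumption: no SNI, so the first SSL vhost's certificate is always sent."""
    findings = []
    for addr, hosts in parse_ssl_vhosts(conf).items():
        _, default_cert = hosts[0]
        for name, cert in hosts[1:]:
            if cert != default_cert:
                findings.append((addr, name, cert, default_cert))
    return findings

if __name__ == "__main__":
    for addr, name, cert, sent in shadowed_certs(SAMPLE_CONF):
        print(f"{addr} {name}: configured {cert}, client receives {sent}")
```
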