Hi,
Actually, having multiple HTTPS virtual hosts on the same IP address is not
possible becasue of limitations in SSL itself.
The correct and only way to handle this is to use a different IP address for
each host for which you want an HTTPS. That means setting up your servers
net interface to have multipel IP addresses, which is a simple matter on all
systems (AIX is a kind of exception though).
You will need separate certificates for each virtual host for which you want
to have an HTTPS. The config is also relatively simple. An example is:
NameVirtualHost 123.123.123.20:80
<VirtualHost webmail.myserver.com:80>
ServerName webmail.myserver.com
DocumentRoot /usr/local/apache2/htdocs/mail
SSLEngine on
SSLCertificateFile /usr/local/apache2/conf/certs/webmail_2006.key
SSLCertificateKeyFile /usr/local/apache2/conf/webmail_priv.pem
SSLCACertificateFile /usr/local/apache2/conf/certs/ca-bundle2005.crt
# All other config goes here.......
</VirtualHost>
<VirtualHost 123.123.123.21:80>
ServerName www.myserver.com
DocumentRoot /usr/local/apache2/htdocs
SSLEngine on
SSLCertificateFile /usr/local/apache2/conf/certs/www_2005.key
SSLCertificateKeyFile /usr/local/apache2/conf/lara3_priv.pem
SSLCACertificateFile /usr/local/apache2/conf/certs/ca-bundle2005.crt
# All other config goes here.......
</VirtualHost>
NameVirtualHost 123.123.123.20:443
<VirtualHost webmail.myserver.com:443>
ServerName webmail.myserver.com
DocumentRoot /usr/local/apache2/htdocs/mail
SSLEngine on
SSLCertificateFile /usr/local/apache2/conf/certs/webmail_2006.key
SSLCertificateKeyFile /usr/local/apache2/conf/webmail_priv.pem
SSLCACertificateFile /usr/local/apache2/conf/certs/ca-bundle2005.crt
# All other config goes here.......
</VirtualHost>
<VirtualHost 123.123.123.21:443>
ServerName www.myserver.com
DocumentRoot /usr/local/apache2/htdocs
SSLEngine on
SSLCertificateFile /usr/local/apache2/conf/certs/www_2005.key
SSLCertificateKeyFile /usr/local/apache2/conf/lara3_priv.pem
SSLCACertificateFile /usr/local/apache2/conf/certs/ca-bundle2005.crt
# All other config goes here.......
</VirtualHost>
You do this for each virtual host, remembering to use the same IP adsress for
each virtual host in the corresponding HTTP and HTTPS virtual host configs.
The only thing left to worry about is the IP stack - if you have too many
IP's on the same network port, maybe your network connection will have
problems because the IP stack may not handle it very well.
Hope this helps.
greetings from Austria
Markus
On Thursday 16 March 2006 10:11, Frédéric Jolliton wrote:
> Hi,
>
> [I already sent this message to modssl ML, but since it's about
> Apache 2 I'm not sure if this place was more appropriate.]
>
> (Apache 2.0.55, Linux 2.6)
>
> I can't find authoritative answer about the following question.
>
> I would like to be sure that I can have multiple VirtualHost
> configured simultaneously for HTTP and HTTPS (port 80 and port 443
> respectively) as presented below.
>
> If I've a certificate with 'cn' to '*.example.com' and the following
> Apache configuration, is that ok ? Currently it works fine, but I'm
> not sure if I'm relying on some unspecified/undefined behaviors.
>
> Also, is this dummy VirtualHost (the first one) the correct way to
> "force" a given port to answer HTTP instead of HTTPS ? (I know that
> it's the other way, where the "first" virtual host with enabled SSL
> determine port with HTTPS.)
>
> Again, there is no problems with this config, but I was just wondering
> about its validity.
>
> -=-=-
> Listen 80
> Listen 443
>
> NameVirtualHost *:80
> NameVirtualHost *:443
>
> <VirtualHost *:80>
> # Dummy empty VirtualHost to ensure than port 80 is HTTP
> </VirtualHost>
>
> <VirtualHost *:80 *:443>
> Include common-ssl.conf
> ServerName foo.example.com
> [..]
> </VirtualHost>
>
> <VirtualHost *:80 *:443>
> Include common-ssl.conf
> ServerName bar.example.com
> [..]
> </VirtualHost>
> -=-=-
>
> and common-ssl.conf contains:
>
> -=-=-
> <IfModule mod_ssl.c>
> SSLEngine on
> SSLCertificateFile conf/ssl/web.example.com-cert.pem
> SSLCertificateKeyFile conf/ssl/web.example.com-key.pem
> SSLCertificateChainFile conf/ssl/root-cert.pem
> [.. other SSL options ..]
> </IfModule>
> -=-=-
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|