RE: [users@httpd] IP based Virtual hosts with SSL in a private network machine

> -----Original Message-----
> From: Arun Ponniah S [mailto:saponniah@xxxxxxxxx] 
> Sent: Thursday, August 03, 2006 11:33 PM
> To: users@xxxxxxxxxxxxxxxx
> Subject: [users@httpd] IP based Virtual hosts with SSL in a 
> private network machine
> 
> Hello,
>   I'm facing some problems when configuring IP based virtual hosts in
> a machine.
> 
> Info regarding my machine and network settings is here,
> 
> My machine lies in a private network behind a firewall.

And obviously you have opened the FW to traffic on port 443... (just
checking)

> The machine
> has multiple local IPs (10.0.0.x) assigned to it on a single interface
> using vlan configurations. I have two domain names,
> 
> www.a.com
> www.b.com
> 
> these two domain names map to two different public IP addresses. And
> in the firewall, these two public IPs are being NATed to my private
> network IPs. So, the final mappings would be like,
> 
> www.a.com --> 74.52.63.x --> 10.0.0.2
> www.b.com --> 74.52.63.y --> 10.0.0.3
> 
> I have to setup two different web apps in this machine, for these two
> domain names with SSL support. This is what is in my apache httpd conf
> file,
> 
> Note: Both my domains will use the same docroot, because my app will
> take care of showing different content depending on the domain name.
> 
> Listen 80
> Listen 443
> 
> <VirtualHost *:80>
>     ServerName www.a.com
>     ServerAlias www.b.com
>     DocumentRoot "/home/user/docroot"
> 
>     ErrorLog logs/http_error_log
>     CustomLog logs/http_access_log common
> </VirtualHost>
> 
> <VirtualHost 10.0.0.2:443>
>     ServerName www.a.com
>     DocumentRoot "/home/user/docroot"
> 
>     ErrorLog logs/https_error_log
>     CustomLog logs/https_access_log combined
>     CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> 
>     SSLEngine on
>     SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>     SSLCertificateFile /home/user/ssl.crt/www.a.com.crt
>     SSLCertificateKeyFile /home/user/ssl.key/www.a.com
> </VirtualHost>
> 
> <VirtualHost 10.0.0.3:443>
>     ServerName www.b.com
>     DocumentRoot "/home/user/docroot"
> 
>     ErrorLog logs/https_error_log
>     CustomLog logs/https_access_log combined
>     CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> 
>     SSLEngine on
>     SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>     SSLCertificateFile /home/user/ssl.crt/www.b.com.crt
>     SSLCertificateKeyFile /home/user/ssl.key/www.b.com
> </VirtualHost>
> 
> When I hit both the domain names with http, it works perfectly.
> But when I hit either
> https://www.a.com/xxx or http://www.b.com/xxx, an alert appears
> saying, "The connection to www.a/b.com has terminated unexpectedly.
> Some data might have been transferred".
> 
> In the error logs I can see something like this,
> 
> [Thu Aug 03 16:25:35 2006] [error] [client 203.101.103.131] Invalid
> method in request \x80g\x01\x03
> 
> I think I'm doing something wrong in the Virtual Hosts
> configuration. I'm not very clear on what should go into the
> <VirtualHost xxx> tag for the current situation (public IPs to
> private IPs and all that stuff).

The apache server doesn't know about the public IPs; all it knows is
the private IPs, so your config is fine.

The error you see arises when the VH is speaking plain HTTP but then an
SSL handshake comes in.. So the server is not actually listening in
SSL-mode on port 443. Usually this is because you don't have "SSLEngine
on", but you have that... So the only other possibility is that you must
have another VH (plain HTTP) that is trapping the SSL traffic before it
gets to your VHs. Something like:

<VirtualHost *:443>
  .. non-ssl stuff
</VirtualHost>

Are you sure about the IPs? If your machine is listening to, for example
10.0.0.1, .2, .3, .4 and the FW is really forwarding to .1 & .2 then it
will never hit your VHs... Use ifconfig to check.

BTW, do the sites work from inside the private network, i.e.,
https://10.0.0.3/ from a browser on the server or connected to the
server?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> 
> Any help would be a great help for me. Thanks.
> 
> -- sap --
> 
> The harder and smarter you work,
> the more luck you seem to have.
> 
> Blog : http://saponniah.blogspot.com/
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
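As an added example (not part of the thread), here is a small Python decoder for the error_log line Arun quoted: it turns the escaped bytes back into the client's first packet and classifies them, showing that `\x80g\x01\x03` is an SSLv2-compatible ClientHello that reached a vhost not running in SSL mode, the situation Owen describes. The function names and the sample log line are my own construction.

```python
import re

# Constructed sample, copied from the error_log line quoted in the thread.
SAMPLE_LOG = (
    r"[Thu Aug 03 16:25:35 2006] [error] [client 203.101.103.131] "
    r"Invalid method in request \x80g\x01\x03"
)

LOG_RE = re.compile(r"Invalid method in request (\S+)")


def decode_escaped(token: str) -> bytes:
    """Turn the \\xNN escapes Apache writes into error_log back into raw bytes."""
    return token.encode("ascii").decode("unicode_escape").encode("latin-1")


def classify(data: bytes) -> dict:
    """Say what kind of client opening these first bytes on a socket represent."""
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2-compatible ClientHello (what many browsers of that era sent
        # first): 2-byte record length with the high bit set, msg type 1, then
        # the highest protocol version the client offers (major, minor).
        # Apache logged only the leading bytes, so the minor byte may be absent.
        length = ((data[0] & 0x7F) << 8) | data[1]
        major = data[3] if len(data) > 3 else None
        minor = data[4] if len(data) > 4 else None
        return {"kind": "sslv2-hello", "length": length, "version": (major, minor)}
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        # SSLv3/TLS handshake record: content type 22, version 3.x
        return {"kind": "tls-record", "version": (3, data[2])}
    if re.match(rb"[A-Z]{3,7} \S+ HTTP/\d\.\d", data):
        return {"kind": "http"}
    return {"kind": "unknown"}


def diagnose_log_line(line: str) -> dict:
    """Map an 'Invalid method in request' error_log line to a likely cause."""
    m = LOG_RE.search(line)
    if not m:
        return {"kind": "not-applicable"}
    result = classify(decode_escaped(m.group(1)))
    if result["kind"] in ("sslv2-hello", "tls-record"):
        # A handshake parsed as an HTTP method means the <VirtualHost> that
        # accepted the connection has no "SSLEngine on", i.e. the NATed
        # destination IP:port did not land on an SSL-enabled vhost.
        result["cause"] = "TLS handshake reached a plain-HTTP vhost"
    return result


if __name__ == "__main__":
    print(diagnose_log_line(SAMPLE_LOG))
```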
