Re: SSL + name-based virtual host

It would be ideal to have SSL enabled for NAME1.com only.
NAME2.com and NAME3.com would stay as is.

I've tried the following but not sure if I've taken your input correctly:
=============================
LoadModule ssl_module modules/mod_ssl.so
<IfDefine SSL>
 Listen 443
 AddType application/x-x509-ca-cert .crt
 AddType application/x-pkcs7-crl    .crl
 SSLPassPhraseDialog  builtin
 SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
 SSLSessionCacheTimeout  300
 SSLMutex default
 SSLRandomSeed startup file:/dev/urandom  256
 SSLRandomSeed connect builtin
 SSLCryptoDevice builtin
</IfDefine>

/*......*/

NameVirtualHost OUR_IP_ADDRESS:80

<VirtualHost OUR_IP_ADDRESS:80>
 ServerName    NAME1.com
 DocumentRoot  /var/www/html1
</VirtualHost>

<VirtualHost OUR_IP_ADDRESS:443>
 DocumentRoot  /var/www/html1
 ServerName NAME1.com
 ErrorLog logs/ssl_error_log
 TransferLog logs/ssl_access_log
 LogLevel warn
 SSLEngine on
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
 SSLCertificateFile /etc/httpd/conf/ssl.crt/hostcert.pem
 SSLCertificateKeyFile /etc/httpd/conf/ssl.key/hostkey.pem

 <Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
 </Files>
 <Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
 </Directory>
 SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
 CustomLog logs/ssl_request_log \
           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>


<VirtualHost OUR_IP_ADDRESS:80>
 ServerName    NAME2.com
 DocumentRoot /var/www/html2
</VirtualHost>


<VirtualHost OUR_IP_ADDRESS:80>
 ServerName    NAME3.com
 DocumentRoot /var/www/html3
</VirtualHost>
=================================

Apache is failing to restart when I try this.

httpd -D SSL -S gives:

VirtualHost configuration:
192.5.166.40:80        is a NameVirtualHost
         default server NAME1.com (/etc/httpd/conf/httpd.conf:xxx)
         port 80 namevhost NAME1.com (/etc/httpd/conf/httpd.conf:xxx)
         port 80 namevhost NAME2.com (/etc/httpd/conf/httpd.conf:yyy)
         port 80 namevhost NAME3.com (/etc/httpd/conf/httpd.conf:zzz)

I've also tried adding:
"NameVirtualHost OUR_IP_ADDRESS:433" and "Listen 433" but did not help.
Any ideas?

Thank you so much.


On 5/9/07, Joshua Slive <joshua@xxxxxxxx> wrote:
On 5/9/07, Liz Kim <lizkim270@xxxxxxxxx> wrote:

> <IfModule mod_ssl.c>
>     Include conf.d/ssl.conf
> </IfModule>
>
> /*......*/
>
> NameVirtualHost OUR_IP_ADDRESS:80
>
>  <VirtualHost OUR_IP_ADDRESS:443>
>  ServerName    NAME1.com
>   DocumentRoot  /var/www/html1
>  </VirtualHost>
>
>
>  <VirtualHost OUR_IP_ADDRESS:80>
>   ServerName    NAME2.com
>   DocumentRoot /var/www/html2
>  </VirtualHost>
>
>
>  <VirtualHost OUR_IP_ADDRESS:80>
>   ServerName     NAME3.com
>   DocumentRoot /var/www/html3
>  </VirtualHost>
>  =================================
> where conf.d/ssl.conf file contains all the appropriate codes for enabling
> SSL - loading the module, certificate and key definitions, etc.
> However, when I do this, http://www.NAME1.com will point to
> http://www.NAME2.com and https://www.NAME1.com does not work.
> The certificate is issued to NAME1.com which is also the name of the
> server....
>
> Any help would be greatly appreciated!!!
> Are there any easy-to-follow guides on how to SSL-enable name-based virtual
> hosts?

In general, you can't have SSL with name-based virtual hosts, because
the ssl negotiation happens before the name is known.

It is hard to tell exactly what you are trying to achieve, but you CAN
have a bunch of non-ssl name-based virtual hosts plus ONE ssl virtual
host on the same server.

What you have doesn't work for two reasons:

1. You removed the non-ssl (port 80) virtual host for name1.com. You
need to put that back and have the port 443 virtual host as a separate
<VirtualHost> block.

2. Instead of using conf.d/ssl.conf, just put the ssl directives
directly inside the <VirtualHost IP:443>. If you look inside ssl.conf,
you'll probably find it is defining a separate <VirtualHost> block
which is being ignored due to your <VirtualHost IP:443>.

Joshua.
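A layout that follows Joshua's two points, as an added example rather than the config from either message: the port 80 vhost for NAME1.com is restored, the SSL directives sit directly inside the single port 443 vhost, and OUR_IP_ADDRESS, the hostnames and the file paths are the placeholders used in the thread. It assumes mod_ssl and its global settings (session cache, random seed) are already loaded outside any <VirtualHost> and uses httpd 2.2 syntax (NameVirtualHost); the one-SSL-host-per-address limit described above applies to httpd built without SNI support, which later 2.2.x releases added.

```apache
# Assumed: LoadModule ssl_module and the global SSL* settings appear
# earlier in httpd.conf, outside every <VirtualHost> block.
Listen 80
Listen 443

# Name-based dispatch is declared for port 80 only. Port 443 carries
# exactly one vhost, so it needs no NameVirtualHost line.
NameVirtualHost OUR_IP_ADDRESS:80

# Plain-HTTP vhost for NAME1.com: this is the block the quoted config
# had dropped, which is why http://NAME1.com fell through to NAME2.com
# (the first name-based vhost becomes the default for the address).
<VirtualHost OUR_IP_ADDRESS:80>
    ServerName   NAME1.com
    DocumentRoot /var/www/html1
</VirtualHost>

<VirtualHost OUR_IP_ADDRESS:80>
    ServerName   NAME2.com
    DocumentRoot /var/www/html2
</VirtualHost>

<VirtualHost OUR_IP_ADDRESS:80>
    ServerName   NAME3.com
    DocumentRoot /var/www/html3
</VirtualHost>

# The single SSL vhost. Every TLS client that connects to
# OUR_IP_ADDRESS:443 is handed this certificate, whatever name it
# asked for, because the handshake completes before the Host header
# is seen; that is why only one SSL vhost per address:port is possible
# here. Placeholder cert/key paths are the ones from the thread.
<VirtualHost OUR_IP_ADDRESS:443>
    ServerName   NAME1.com
    DocumentRoot /var/www/html1
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/hostcert.pem
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/hostkey.pem
    ErrorLog    logs/ssl_error_log
    TransferLog logs/ssl_access_log
</VirtualHost>
```

With this layout, `httpd -S` (with `-D SSL` if the SSL directives are still wrapped in <IfDefine SSL>) should list OUR_IP_ADDRESS:443 with NAME1.com as a separate entry alongside the three port 80 namevhosts; if the 443 entry is missing, the SSL block is not being read at all.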

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.