[TriLUG] Apache + SSL +Virtual Hosts + Reverse Proxy

Aaron S. Joyner aaron at joyner.ws
Mon Oct 25 07:43:33 EDT 2004


Phillip Rhodes wrote:

>> So, any thoughts?  I'm reading some things online that say it's not
>> possible to do SSL and virtual hosts, but I'm so close.
>
> It is definitely possible to use SSL with Apache virtual hosts, but
> what isn't (well, wasn't last time I checked) is using SSL
> with name based virtual hosts.  Last time I set up Apache
> to do SSL with virtual hosts (and it's been a while) the docs
> said you have to use IP based virtual hosting if you want
> to use SSL.

From a purely academic / technical perspective, this is true, and not
true, depending on if you want to bend the rules, and accept some
browser-side errors.  The reason for the assertion that Phil mentions,
is that the certificate exchange is the first thing that happens when
you connect to an SSL port (443).  The certificate exchange contains the
name of the site you will be talking to, as part of the certificate.
So, once the browser has established the connection with a cert
different than the site it wants to talk to, it will obviously throw
an error stating that the site name and the certificate don't match.
There's no way that Apache can know ahead of time which certificate to
give back, which is why SSL hosting requires a dedicated IP for each site.

So.... once you've handed out a certificate, technically speaking,
Apache *could* then pick up on the host name sent by the browser, and
hand back valid content to the browser based on which name based virtual
host was being queried.  But as to if you can actually get Apache to do
that?  I don't think so.  I think the ServerName directive, inside of a
VirtualHost with an "SSLEngine on" entry, simply doesn't qualify as a
destination point for name-based virtual hosting.  I wasn't able to find
an authoritative answer on Apache's website one way or the other, with
just some quick looking.  Perhaps someone else can provide more insight
into ways to configure Apache in this "broken" manner, but I don't know
of any.

Best of luck Mike,
Aaron S. Joyner
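As an added example (not part of the original post), this is the IP-based layout the reply describes: one dedicated IP address per SSL site, each with its own certificate, so Apache knows which certificate to present before any Host header has been seen. The addresses, host names and file paths are hypothetical placeholders.

```apache
# Added example, not from the original post. Each SSL site gets its own
# IP address, because the certificate is sent to the browser before the
# HTTP Host header arrives. Addresses, names and paths are placeholders.
Listen 192.0.2.10:443
Listen 192.0.2.11:443

# Plain HTTP can still share one address with name-based virtual hosts,
# since the Host header is available before any content is chosen.
Listen 192.0.2.10:80
NameVirtualHost 192.0.2.10:80

<VirtualHost 192.0.2.10:80>
    ServerName www.example.com
    DocumentRoot /var/www/example-com
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName www.example.net
    DocumentRoot /var/www/example-net
</VirtualHost>

# SSL sites are keyed by IP address, not by name.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    DocumentRoot /var/www/example-com
    SSLEngine on
    SSLCertificateFile    /etc/apache/ssl/example-com.crt
    SSLCertificateKeyFile /etc/apache/ssl/example-com.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName www.example.net
    DocumentRoot /var/www/example-net
    SSLEngine on
    SSLCertificateFile    /etc/apache/ssl/example-net.crt
    SSLCertificateKeyFile /etc/apache/ssl/example-net.key
</VirtualHost>
```

Running `openssl s_client -connect 192.0.2.11:443` against such a server shows the certificate it commits to before any HTTP request is sent, which is the ordering the reply describes.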
