[TriLUG] Apache + SSL +Virtual Hosts + Reverse Proxy

Tanner Lovelace clubjuggler at gmail.com
Mon Oct 25 09:05:21 EDT 2004


On Mon, 25 Oct 2004 07:43:33 -0400, Aaron S. Joyner <aaron at joyner.ws> wrote:
>  From a purely academic / technical perspective, this is true, and not
> true, depending on if you want to bend the rules, and accept some
> browser-side errors.  The reason for the assertion that Phil mentions,
> is that the certificate exchange is the first thing that happens when
> you connect to an SSL port (443).  The certificate exchange contains the
> name of the site you will be talking to, as part of the certificate.
> So, once the browser has established the connection with a cert
> different than the site it wants to talk to, it will obviously throw
> an error stating that the site name and the certificate don't match.
> There's no way that Apache can know ahead of time which certificate to
> give back, which is why SSL hosting requires a dedicated IP for each site.

Normally, yes, this is true, but see below for how to do it with
name based hosting...
 
> So.... once you've handed out a certificate, technically speaking,
> Apache *could* then pick up on the host name sent by the browser, and
> hand back valid content to the browser based on which name based virtual
> host was being queried.  But as to if you can actually get apache to do
> that?  I don't think so.  I think the servername directive, inside of a
> VirtualHost with an "SSLEngine on" entry, simply doesn't qualify as a
> destination point for name-based virtual hosting.  I wasn't able to find
> an authoritative answer on Apache's website one way or the other, with
> just some quick looking.  Perhaps someone else can provide more insight
> into ways to configure Apache in this "broken" manner, but I don't know
> of any.

You can do name based virtual hosting with apache and ssl, but as
Aaron correctly describes, the ssl exchange does happen before the http
exchange so the question is how to get a single certificate name to match
multiple hostnames.  The answer is: use a wildcard ssl certificate.  This
is fairly simple to do using a self-signed certificate authority (google it,
there are multiple good references, including a few in the trilug archives)
but if you want to buy a certificate, a wildcard one will cost you big bucks.

If you want to do it with one certificate, I'd suggest moving the proxy 
stuff to something like https://domain.com/ntop/ and 
https://domain.com/tivo/.  You could do that with just one non-wildcard
certificate.

As far as the original problem goes, Michael, make sure that in your
<VirtualHost> sections, you only have "SSLEngine On" (or something like
that) in the one that specifies the port as 443.  I.e. try making two
<VirtualHost> sections, one like this:

<VirtualHost _default_:80>
# Don't put any SSL stuff here...
</VirtualHost>

<VirtualHost _default_:443>
# Put all SSL stuff here...
</VirtualHost>

Other than the SSL stuff, make them identical.  You may also
need these statements outside the virtual host stuff:

Listen 80
Listen 443

Good luck, and let us know how it goes.

Cheers,
Tanner
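An added example, not from Tanner's message or anyone else in the thread, that puts the above together: a plain-HTTP host on 80, two name-based SSL hosts on 443 sharing one wildcard certificate, and (behind an IfDefine) the single-certificate, path-based alternative. It assumes Apache 2.x with mod_ssl and mod_proxy/mod_proxy_http loaded, placeholder hostnames under example.com, ntop listening on local port 3000 and a TiVo at 192.0.2.10.

```apache
# Assumed environment (placeholders): Apache 2.x with mod_ssl and
# mod_proxy/mod_proxy_http loaded, a wildcard certificate for
# *.example.com, ntop on 127.0.0.1:3000 and a TiVo at 192.0.2.10.
Listen 80
Listen 443
# Needed on Apache 2.0/2.2 for name-based hosts on 443; 2.4 ignores it.
NameVirtualHost *:443
# Plain-HTTP host: keep every SSL directive out of here.
<VirtualHost _default_:80>
    ServerName www.example.com
    DocumentRoot /var/www/html
</VirtualHost>
# Default: one name-based SSL host per service, all presenting the same
# wildcard certificate so the name the browser checks always matches.
# (Modern Apache with SNI can give each host its own certificate instead.)
<IfDefine !SINGLECERT>
<VirtualHost *:443>
    ServerName ntop.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wildcard.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/wildcard.example.com.key
    # Reverse proxy only: ProxyRequests Off avoids running an open forward proxy.
    ProxyRequests Off
    ProxyPass        / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/
</VirtualHost>
<VirtualHost *:443>
    ServerName tivo.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wildcard.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/wildcard.example.com.key
    ProxyRequests Off
    ProxyPass        / http://192.0.2.10/
    ProxyPassReverse / http://192.0.2.10/
</VirtualHost>
</IfDefine>
# Alternative (start httpd with -DSINGLECERT): one ordinary certificate for
# www.example.com, with each service under its own path, not its own name.
<IfDefine SINGLECERT>
<VirtualHost _default_:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    ProxyRequests Off
    ProxyPass        /ntop/ http://127.0.0.1:3000/
    ProxyPassReverse /ntop/ http://127.0.0.1:3000/
    ProxyPass        /tivo/ http://192.0.2.10/
    ProxyPassReverse /tivo/ http://192.0.2.10/
</VirtualHost>
</IfDefine>
```

Run `httpd -t` (or `apachectl configtest`) after editing; a browser warning about the certificate name then means the wildcard certificate's subject does not actually cover the hostname being requested.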
