[TriLUG] Apache + SSL +Virtual Hosts + Reverse Proxy

Michael Hrivnak mhrivnak at triad.rr.com
Mon Oct 25 22:31:53 EDT 2004


Good advice Tanner.  Here's how I ended up changing things.

I changed:
	NameVirtualHost *
to
	NameVirtualHost *:443

and
	<VirtualHost *>
to either
	<VirtualHost *:443>
or
	<VirtualHost *:80>

It took me a good bit of digging and experimentation with other factors, but 
ultimately that's what I settled on.  I hadn't realized that Apache is 
configured to provide https by using a virtual host, in part because it's 
configured in a different file in a different location.  Once I had a look at 
what was going on there, it wasn't so bad.

Lastly, I'll mention that it was a pain in the ass trying to dig through all 
the different config files that get used.  It's nice that files seem to be 
well-commented, but they don't flow logically or seem to be very well 
organized to my taste.  Is that just a Mandrake thing?  There are:

/etc/httpd/conf/commonhttpd.conf
/etc/httpd/conf/httpd2.conf
/etc/httpd/conf.d/[6 different files]
/etc/httpd/conf/vhosts/[3 different files]

Plus, there are several others that as far as I can tell don't get looked at.  
There is ssl configuration in:

/etc/httpd/conf/ssl/mod_ssl.conf
/etc/httpd/conf/ssl/ssl.default-vhost.conf
/etc/httpd/conf.d/40_mod_ssl.conf
/etc/httpd/conf.d/41_ssl.default-vhost.conf

The latter two are looked at, the prior two are not, and no they are not 
symlinked, but yes by default they are identical.  Yikes!

Anyway, thanks a lot for the help.  I always enjoy pushing the limits!

Michael

On Monday 25 October 2004 09:05 am, Tanner Lovelace wrote:
> On Mon, 25 Oct 2004 07:43:33 -0400, Aaron S. Joyner <aaron at joyner.ws> wrote:
> >  From a purely academic / technical perspective, this is true, and not
> > true, depending on if you want to bend the rules, and accept some
> > browser-side errors.  The reason for the assertion that Phil mentions,
> > is that the certificate exchange is the first thing that happens when
> > you connect to an SSL port (443).  The certificate exchange contains the
> > name of the site you will be talking to, as part of the certificate.
> > So, once the browser has established the connection with a cert
> > different than the site it wants to talk to, it will obviously throw
> > an error stating that the site name and the certificate don't match.
> > There's no way that Apache can know ahead of time which certificate to
> > give back, which is why SSL hosting requires a dedicated IP for each
> > site.
>
> Normally, yes, this is true, but see below for how to do it with
> name based hosting...
>
> > So.... once you've handed out a certificate, technically speaking,
> > Apache *could* then pick up on the host name sent by the browser, and
> > hand back valid content to the browser based on which name based virtual
> > host was being queried.  But as to if you can actually get apache to do
> > that?  I don't think so.  I think the servername directive, inside of a
> > VirtualHost with an "SSLEngine on" entry, simply doesn't qualify as a
> > destination point for name-based virtual hosting.  I wasn't able to find
> > an authoritative answer on Apache's website one way or the other, with
> > just some quick looking.  Perhaps someone else can provide more insight
> > into ways to configure Apache in this "broken" manner, but I don't know
> > of any.
>
> You can do name based virtual hosting with apache and ssl, but as
> Aaron correctly describes, the ssl exchange does happen before the http
> exchange so the question is how to get a single certificate name to match
> multiple hostnames.  The answer is: use a wildcard ssl certificate.  This
> is fairly simple to do using a self-signed certificate authority (google
> it, there are multiple good references, including a few in the trilug
> archives) but if you want to buy a certificate, a wildcard one will cost
> you big bucks.
>
> If you want to do it with one certificate, I'd suggest moving the proxy
> stuff to something like https://domain.com/ntop/ and
> https://domain.com/tivo/.  You could do that with just one non-wildcard
> certificate.
>
> As far as the original problem goes, Michael,  make sure that in your
> <VirtualHost> sections, you only have "SSLEngine On" (or something like
> that) in the one that specifies the port as 443.  I.e. try making two
> <VirtualHost> sections one like this:
>
> <VirtualHost _default_:80>
> # Don't put any SSL stuff here...
> </VirtualHost>
>
> <VirtualHost _default_:443>
> # Put all SSL stuff here...
> </VirtualHost>
>
> Other than the SSL stuff, make them identical.  Also, you may also
> need these statements outside the virtual host stuff:
>
> Listen 80
> Listen 443
>
> Good luck, and let us know how it goes.
>
> Cheers,
> Tanner
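As an added illustration (not configuration from the thread, from Michael's Mandrake box, or from the Apache project), here is a minimal httpd 2.0-style layout that puts the thread's pieces together: ports bound with Listen, name-based matching only on 443, SSL directives confined to the 443 vhost, and the single-certificate path-based proxy option. Module loading, hostnames, certificate paths and backend ports are assumed placeholders.

```apache
# Added example; hostnames, paths and ports below are placeholders.
# Assumes mod_ssl and mod_proxy are already loaded.

Listen 80
Listen 443

# Name-based matching is declared per port, so bind it to 443 explicitly.
NameVirtualHost *:443

# Plain HTTP: no SSL directives at all in this block.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html
</VirtualHost>

# HTTPS: all SSL configuration lives here.  The certificate is sent before
# the browser's Host header arrives, so every name served from this socket
# must be covered by this one certificate (e.g. a *.example.com wildcard),
# otherwise the browser reports a name mismatch.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html
    SSLEngine on
    # placeholder certificate and key paths
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/wildcard.example.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/wildcard.example.com.key

    # Single-certificate alternative from the thread: keep one hostname and
    # give each proxied application its own path.  ProxyRequests stays off
    # so the server is a reverse proxy only, never an open forward proxy.
    ProxyRequests Off
    ProxyPass        /ntop/ http://127.0.0.1:3000/
    ProxyPassReverse /ntop/ http://127.0.0.1:3000/
    ProxyPass        /tivo/ http://127.0.0.1:8080/
    ProxyPassReverse /tivo/ http://127.0.0.1:8080/
</VirtualHost>
```

Apart from the SSL and proxy lines, keep the two blocks identical so a request behaves the same whichever port it arrives on.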
