[TriLUG] Apache + SSL +Virtual Hosts + Reverse Proxy
Michael Hrivnak
mhrivnak at triad.rr.com
Mon Oct 25 22:31:53 EDT 2004
Good advice Tanner. Here's how I ended up changing things.
I changed:
NameVirtualHost *
to
NameVirtualHost *:443
and
<VirtualHost *>
to either
<VirtualHost *:443>
or
<VirtualHost *:80>
It took me a good bit of digging and experimentation with other factors, but
ultimately that's what I settled on. I hadn't realized that Apache is
configured to provide https by using a virtual host, in part because it's
configured in a different file in a different location. Once I had a look at
what was going on there, it wasn't so bad.
Lastly, I'll mention that it was a pain in the ass trying to dig through all
the different config files that get used. It's nice that files seem to be
well-commented, but they don't flow logically or seem to be very well
organized to my taste. Is that just a Mandrake thing? There are:
/etc/httpd/conf/commonhttpd.conf
/etc/httpd/conf/httpd2.conf
/etc/httpd/conf.d/[6 different files]
/etc/httpd/conf/vhosts/[3 different files]
Plus, there are several others that as far as I can tell don't get looked at.
There is ssl configuration in:
/etc/httpd/conf/ssl/mod_ssl.conf
/etc/httpd/conf/ssl/ssl.default-vhost.conf
/etc/httpd/conf.d/40_mod_ssl.conf
/etc/httpd/conf.d/41_ssl.default-vhost.conf
The latter two are looked at, the prior two are not, and no they are not
symlinked, but yes by default they are identical. Yikes!
Anyway, thanks a lot for the help. I always enjoy pushing the limits!
Michael
On Monday 25 October 2004 09:05 am, Tanner Lovelace wrote:
> On Mon, 25 Oct 2004 07:43:33 -0400, Aaron S. Joyner <aaron at joyner.ws> wrote:
> > From a purely academic / technical perspective, this is true, and not
> > true, depending on if you want to bend the rules, and accept some
> > browser-side errors. The reason for the assertion that Phil mentions,
> > is that the certificate exchange is the first thing that happens when
> > you connect to an SSL port (443). The certificate exchange contains the
> > name of the site you will be talking to, as part of the certificate.
> > So, once the browser has established the connection with a cert
> > different than the site it wants to talk to, it will obviously throw
> > an error stating that the site name and the certificate don't match.
> > There's no way that Apache can know ahead of time which certificate to
> > give back, which is why SSL hosting requires a dedicated IP for each
> > site.
>
> Normally, yes, this is true, but see below for how to do it with
> name based hosting...
>
> > So.... once you've handed out a certificate, technically speaking,
> > Apache *could* then pick up on the host name sent by the browser, and
> > hand back valid content to the browser based on which name based virtual
> > host was being queried. But as to if you can actually get apache to do
> > that? I don't think so. I think the servername directive, inside of a
> > VirtualHost with an "SSLEngine on" entry, simply doesn't qualify as a
> > destination point for name-based virtual hosting. I wasn't able to find
> > an authoritative answer on Apache's website one way or the other, with
> > just some quick looking. Perhaps someone else can provide more insight
> > into ways to configure Apache in this "broken" manner, but I don't know
> > of any.
>
> You can do name based virtual hosting with apache and ssl, but as
> Aaron correctly describes, the ssl exchange does happen before the http
> exchange so the question is how to get a single certificate name to match
> multiple hostnames. The answer is: use a wildcard ssl certificate. This
> is fairly simple to do using a self-signed certificate authority (google
> it, there are multiple good references, including a few in the trilug
> archives) but if you want to buy a certificate, a wildcard one will cost
> you big bucks.
>
> If you want to do it with one certificate, I'd suggest moving the proxy
> stuff to something like https://domain.com/ntop/ and
> https://domain.com/tivo/. You could do that with just one non-wildcard
> certificate.
>
> As far as the original problem goes, Michael, make sure that in your
> <VirtualHost> sections, you only have "SSLEngine On" (or something like
> that) in the one that specifies the port as 443. I.e. try making two
> <VirtualHost> sections one like this:
>
> <VirtualHost _default_:80>
> # Don't put any SSL stuff here...
> </VirtualHost>
>
> <VirtualHost _default_:443>
> # Put all SSL stuff here...
> </VirtualHost>
>
> Other than the SSL stuff, make them identical. Also, you may
> need these statements outside the virtual host stuff:
>
> Listen 80
> Listen 443
>
> Good luck, and let us know how it goes.
>
> Cheers,
> Tanner
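As an added check that is not part of the thread and not Apache's own tooling: the Python below reads a vhost layout like the one Michael settled on (SSL only in the *:443 blocks) and reports which SSL vhost names a given certificate would not cover, applying the one-label wildcard rule that Tanner's wildcard-certificate answer relies on. The config text, host names and proxy target are constructed placeholders.

```python
import re

# Constructed sample in the layout the thread settles on (placeholder names,
# not the poster's real hosts): SSL only in the *:443 vhosts, a plain *:80 vhost beside them.
SAMPLE_CONFIG = """
Listen 80
Listen 443
NameVirtualHost *:443
<VirtualHost *:80>
    ServerName domain.com
</VirtualHost>
<VirtualHost *:443>
    ServerName ntop.domain.com
    SSLEngine on
    ProxyPass / http://127.0.0.1:3000/
</VirtualHost>
<VirtualHost *:443>
    ServerName tivo.domain.com
    ServerAlias www.tivo.domain.com
    SSLEngine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+?)\s*$", re.M | re.I)


def ssl_vhost_names(config_text):
    """Every ServerName/ServerAlias declared inside a vhost bound to port 443."""
    names = []
    for addr, body in VHOST_RE.findall(config_text):
        if addr.strip().endswith(":443"):
            for line in NAME_RE.findall(body):
                names.extend(line.split())
    return names


def name_matches(cert_name, hostname):
    """True if a certificate name covers hostname. A wildcard counts only as the whole leftmost
    label and matches exactly one label: '*.domain.com' covers 'tivo.domain.com' but not
    'domain.com' or 'www.tivo.domain.com'."""
    cert_name, hostname = cert_name.lower().rstrip("."), hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    labels = hostname.split(".")
    return len(labels) >= 2 and ".".join(labels[1:]) == cert_name[2:]


def uncovered_names(cert_names, config_text):
    """SSL vhost names the certificate does not cover: reaching any of these by name
    produces the site-name/certificate mismatch error Aaron describes."""
    return [h for h in ssl_vhost_names(config_text)
            if not any(name_matches(c, h) for c in cert_names)]
```

With a single `*.domain.com` certificate the script flags `www.tivo.domain.com`, which is the kind of name a second-level wildcard or Tanner's path-based layout (`https://domain.com/tivo/`) avoids.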