httpd-docs mailing list archives

From Tony Stevenson <t...@pc-tony.com>
Subject Re: [Httpd Wiki] Update of "ScratchPad/NameBasedSSLVHosts" by slive
Date Tue, 12 Jun 2007 13:47:28 GMT
Aghhh, yes.  Much better.  :-)



Apache Wiki wrote:
> Dear Wiki user,
>
> You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.
>
> The following page has been changed by slive:
> http://wiki.apache.org/httpd/ScratchPad/NameBasedSSLVHosts
>
> The comment on the change is:
> Major rewrite; sorry, I couldn't resist
>
> ------------------------------------------------------------------------------
> - == NameBased VirtualHosts and SSL ==
> + == Name-Based VirtualHosts and SSL ==
>   
> + As a rule, it is impossible to host more than one SSL virtual host on the same IP address
and port. This is because Apache needs to know the name of the host in order to choose the
correct certificate to setup the encryption layer. But the name of the host being requested
is contained only in the HTTP request headers, which are part of the encrypted content. It
is therefore not available until after the encryption is already negotiated. This means that
the correct certificate cannot be selected, and clients will receive certificate mismatch
warnings and be vulnerable to man-in-the-middle attacks.
> - In {{{#Apache}}} we often see people asking how they can host more than one SSL vhost,
on the same IP address.
> - As a rule this is not something that can be done because the SSL Handshake happens
before Apache knows the !ServerName you are trying to connect to, and so doesn't know which
SSL Certificate/Key to use for the SSL Handshake!
>   
> - However, in certain scenarios this can be overcome. But there are several criteria
and caveats that must be considered and met: 
> + In reality, Apache will allow you to configure name-based SSL virtual hosts, but it
will always use the configuration from the first-listed virtual host (on the selected IP address
and port) to setup the encryption layer. In certain specific circumstances, it is acceptable
to use a single SSL configuration for several virtual hosts. In particular, this will work
if the SSL certificate applies to all the virtual hosts. For example, this will work if:
>   
> -  1. You can only host !VirtualHost's within the same domain, eg: one.example.com and
two.example.com.
> +  1. All the !VirtualHosts are within the same domain, eg: one.example.com and two.example.com.
> -  2. You need a wildcard SSL certificate (one where the Common Name begins with an asterix:
i.e  {{{*.example.com}}})
> +  2. You have a wildcard SSL certificate for that domain (one where the Common Name
begins with an asterix: i.e  {{{*.example.com}}})
> - 
> - You should still be able to do the following:
> - 
> -  1. SSL !VirtualHost for a different domain (example2.com), as long as you use a different
IP Address (i.e. one that is not used by the wildcard sites):
>   
>   
> + Here is the config snippet for two SSL !NameVirtualHost's, using a single wildcard
SSL certificate. Remember that the SSL directives from the second virtual host will be ignored
when setting up the initial SSL connection.
> - {{{
> - <VirtualHost 192.168.1.2:443>
> - ServerName www.example2.com
> - ...
> - </VirtualHost>
> - }}}
> -  2.#2 {{{NameVirtualHost <IP>:443}}} for a different domain (*.example2.com),
where {{{<IP>}}} is different from the IP Address used for *.example.com
> - {{{
> - NameVirtualHost 192.168.1.2:443
> - <VirtualHost 192.168.1.2:443>
> - ServerName one.example2.com
> - ...
> - </VirtualHost>
> - 
> - <VirtualHost 192.168.1.2:443>
> - ServerName two.example2.com
> - ...
> - </VirtualHost>
> - }}}
> - 
> - 
> - However you cannot do the following:
> - 
> - SSL !VirtualHost for a different !ServerName (three.example2.com), where the IP address
is the same as that used for *.example.com.
> - {{{
> - <VirtualHost 192.168.1.1:443>
> - ServerName three.example2.com
> - ...
> - </VirtualHost>
> - }}}
> - 
> - 
> - Here is the config snippet for two SSL !NameVirtualHost's, using a single wildcard
SSL certificate:
>   
>   {{{
>   Listen 192.168.1.1:443
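Review bot: the new lead paragraph ("In reality, Apache will allow you to configure name-based SSL virtual hosts, but it will always use the configuration from the first-listed virtual host ...") establishes that only the first <VirtualHost> for a given IP:port decides which certificate is presented, but the two criteria that follow never say where the wildcard certificate must be configured; add to item 2 that the wildcard certificate and key (SSLCertificateFile / SSLCertificateKeyFile) must be placed in the first-listed <VirtualHost> for that address and port, since the later snippet only says the second host's SSL directives are ignored. The sentence "clients will receive certificate mismatch warnings and be vulnerable to man-in-the-middle attacks" also reads as if both follow together; the warning is the client's protection, and the exposure comes from users clicking through it, so consider "clients will receive certificate mismatch warnings, and users who accept them are exposed to man-in-the-middle attacks". Minor: the retained typo "asterix" should be "asterisk", "i.e" should be "e.g." since *.example.com is an example, and "to setup the encryption layer" should be "to set up".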
> @@ -107, +70 @@
>
>   </VirtualHost>
>   }}}
>   
> + 
> + In addition to this configuration, you should still be able to do the following:
> + 
> +  1. SSL !VirtualHost for a different domain (example2.com), as long as you use a different
IP Address or port (i.e. one that is not used by the wildcard sites):
> + 
> + 
> + {{{
> + <VirtualHost 192.168.1.2:443>
> + ServerName www.example2.com
> + ...
> + </VirtualHost>
> + }}}
> +  2.#2 {{{NameVirtualHost <IP>:443}}} for a different domain (*.example2.com),
where {{{<IP>}}} is different from the IP Address used for *.example.com
> + {{{
> + NameVirtualHost 192.168.1.2:443
> + <VirtualHost 192.168.1.2:443>
> + ServerName one.example2.com
> + ...
> + </VirtualHost>
> + 
> + <VirtualHost 192.168.1.2:443>
> + ServerName two.example2.com
> + ...
> + </VirtualHost>
> + }}}
> + 
> + 
> + However you cannot do the following:
> + 
> + SSL !VirtualHost for a different !ServerName (three.example2.com), where the IP address
is the same as that used for *.example.com.
> + {{{
> + <VirtualHost 192.168.1.1:443>
> + ServerName three.example2.com
> + ...
> + </VirtualHost>
> + }}}
> + 
>   
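Review bot: item 1 now allows "a different IP Address or port", but item 2 ("where {{{<IP>}}} is different from the IP Address used for *.example.com") and the "cannot do" case ("where the IP address is the same as that used for *.example.com") still speak only of the IP address; make the three consistent by saying "IP address and port" in the restriction and "IP address or port" in the allowances, and show the port variant in the item 1 snippet (e.g. <VirtualHost 192.168.1.1:8443> as a constructed example) since that is the new claim. The "cannot do" example would also be clearer with the consequence spelled out: a request for three.example2.com on 192.168.1.1:443 is answered with the *.example.com certificate from the first-listed host, which is exactly the mismatch warning described in the introduction. Minor: the two blank lines between "(i.e. one that is not used by the wildcard sites):" and the first {{{ should be one.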


