httpd-users mailing list archives

From: Mark Mentovai
Subject: Re: SSL Virtual Host
Date: Mon, 15 Jul 2002 03:48:41 GMT
Chris Knipe wrote:
> Listen x.x.x.x:80
> Listen x.x.x.x:443
> Listen y.y.y.y:443
> Listen z.z.z.z:443
> NameVirtualHost x.x.x.x
> <VirtualHost x.x.x.x:80>
>   ServerName a.b.c
>   ...
> </VirtualHost>
> <VirtualHost x.x.x.x:80 x.x.x.x:443>
>   ServerName ssl.a.b.c
>   <Location />
>     RequireSSL
>   </Location>
>   ...
> </VirtualHost>

Assuming Apache with mod_ssl, and "SSLEngine on" in the second <VirtualHost> 
block above.

SSL and name-based virtual hosting don't mix.  Name-based virtual hosting 
depends on the Host field in the HTTP request; the HTTP request is not 
transmitted until SSL/TLS negotiation is complete.  At the time of SSL/TLS 
negotiation, a web server has no idea what hostname the client used to connect.  
If you attempt to use NameVirtualHost in conjunction with SSL hosts, only the 
first configured virtual host will be used.  In order to serve SSL sites, you 
must use IP address-based hosting.  You can still mix name-based and IP 
address-based hosting in the same server, but don't expect to be able to serve 
any SSL sites by name.

SSL and non-SSL don't belong in the same virtual host definition.  A server can 
either function with SSL (SSLEngine on) or without on a given socket.  There is 
no way to configure a single <VirtualHost> block for two ports (as you have 
attempted to do in your second definition above) that will use SSL on one port 
and plaintext on another.

The above configuration works the way it does due more to ordering and chance 
than anything else.  It causes SSL to not be used on port 80, as set the first 
time x.x.x.x:80 is introduced in the first <VirtualHost> block, and SSL to be 
used on port 443, as set in the second <VirtualHost> block.  Any SSL requests 
to x.x.x.x:443 will be processed according to the second virtual host, as it is 
the first time x.x.x.x:443 appears in the configuration.  Any non-SSL requests 
will be handled according to the Host field included by the client in the HTTP 
request (name-based).  You are able to connect to the second virtual host 
unencrypted because SSL is disabled on port 80, and the second virtual host is 
a member of the appropriate NameVirtualHost group.  In other words: a 
confusing anomaly that works closely enough to what you might imagine should 
happen that you may be misled into believing that the impossible is possible.

As for RequireSSL, that directive takes a boolean argument.  Try "RequireSSL 
on".  Better yet, use SSLRequireSSL; RequireSSL is provided for compatibility 
only, SSLRequireSSL (which takes no arguments) is the native directive for 
mod_ssl.  You're going to need to find another place to put it, though: 
remember, you can't mix SSL and non-SSL in the same <VirtualHost>.
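The layout the reply asks for, written out as an added example (not part of the original thread): port 80 stays name-based, each SSL site gets its own IP-based <VirtualHost> on port 443, and SSLRequireSSL lives only in the SSL block. The x.x.x.x/y.y.y.y addresses, hostnames and file paths are placeholders.

```apache
# Constructed example configuration, not from the original message.
# Only the :80 sockets are name-based; NameVirtualHost names the port
# explicitly so it does not also claim x.x.x.x:443.
Listen x.x.x.x:80
Listen x.x.x.x:443
Listen y.y.y.y:443

NameVirtualHost x.x.x.x:80

<VirtualHost x.x.x.x:80>
    ServerName a.b.c
    # assumed path
    DocumentRoot /var/www/a.b.c
</VirtualHost>

# Plaintext side of ssl.a.b.c: exists only to send clients to the SSL host,
# so no content is ever served unencrypted under that name.
<VirtualHost x.x.x.x:80>
    ServerName ssl.a.b.c
    Redirect permanent / https://ssl.a.b.c/
</VirtualHost>

# One SSL host per IP:443 socket. SSLEngine on and SSLRequireSSL appear here
# and nowhere in a plaintext block.
<VirtualHost x.x.x.x:443>
    ServerName ssl.a.b.c
    # assumed paths
    DocumentRoot /var/www/ssl.a.b.c
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl.a.b.c.crt
    SSLCertificateKeyFile /etc/ssl/private/ssl.a.b.c.key
    <Location />
        SSLRequireSSL
    </Location>
</VirtualHost>

# A second SSL site needs a second address; it cannot share x.x.x.x:443.
<VirtualHost y.y.y.y:443>
    ServerName ssl2.a.b.c
    DocumentRoot /var/www/ssl2.a.b.c
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl2.a.b.c.crt
    SSLCertificateKeyFile /etc/ssl/private/ssl2.a.b.c.key
</VirtualHost>
```

Later httpd releases built against an OpenSSL with SNI support can pick an SSL virtual host by name, but the rule that a single <VirtualHost> is either SSL or plaintext, never both, still holds.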

