httpd-users mailing list archives
From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] Virtual host question
Date Thu, 03 Oct 2002 08:33:43 GMT
What are you talking about? You simply cannot do name-based virtual hosting under SSL. No way.
Not possible. 

The problem is not with apache but with TCP/IP and HTTP. Apache has to decide which virtual
host to use based on only the TCP/IP attributes (IP and port); it does not have access to
the "Host" header because the HTTP traffic is encrypted. (Remember, the certificate is defined
*inside* the virtualhost, so apache doesn't know which cert to use until it decrypts the packet.
But it can't decrypt the packet until it gets a session going, which it can't do unless it
sends a cert! It's the old Catch-22, chicken-and-egg thing.)

Apache can listen all it likes to port 4430 (just put "Listen 4430" in the config). But then
you have to tell the whole world that your server is listening to this port. Otherwise
"https://yourserver/" will go to port 443.

You have two workarounds:

- IP based VHs
- port-based VHs (although the non-443 VH will need to have its port number hardcoded in URLs)

Another "pretend-SSL" solution is to use the same cert in all VHs. This will "work" but only
because apache always uses the first VH if it can't figure out which to choose. So the cert
in the first VH is used to establish a session. After that, apache can see the HTTP headers
and so routes the request to the appropriate VH so you get the correct site. The problem is
that the FQDN in the cert only matches the first VH and so all other VHs pop-up a "site name
doesn't match cert" warning in the browser. Also, you have just lost authentication - which
is as much a part of SSL as encryption.

>-----Original Message-----
>From: William C (Bill) Jones [mailto:wcjones@fccj.edu]
>Sent: Wednesday, 2 October 2002 22:10
>To: users@httpd.apache.org
>Subject: Re: [users@httpd] Virtual host question
>
>
>On 10/2/02 3:38 PM, "Chad Arimura" <news-apache@alldorm.com> wrote:
>
>> 
>> I agree with you, so how much work is involved in 
>configuring modssl and
>> apache to listen for https requests on port 4430 by default?
>
>
>Never done it - but I will know something this weekend.
>
>-Bill-  :]
>_Sx____________________
>  ('>    iudicium ferat
>  //\   Have Computer -
>  v_/_    Will Hack...

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
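The two workarounds the reply lists, IP-based and port-based SSL virtual hosts, as an added configuration example that is not part of the original message or of the Apache project's documentation. All addresses, hostnames and file paths are assumptions; the point is that every SSL virtual host sits on a distinct IP:port pair, so Apache can pick the right certificate from the TCP connection alone, before anything is decrypted.

```apacheconf
# Added example (not from the original post). Three SSL sites on one
# server, each distinguishable by IP address and/or port only.
# Addresses 192.0.2.10/11, the example.com names and the cert paths
# are assumed values; mod_ssl must be loaded.

Listen 192.0.2.10:443
Listen 192.0.2.11:443
Listen 192.0.2.10:4430

# Workaround 1: IP-based virtual hosts. Two addresses, both on the
# standard port, so https://www.example.com/ and https://shop.example.com/
# work without a port number in the URL. DNS must point each name at
# its own address.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    DocumentRoot /var/www/www
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName shop.example.com
    DocumentRoot /var/www/shop
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/shop.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/shop.example.com.key
</VirtualHost>

# Workaround 2: port-based virtual host on an address that is already
# in use. Reachable only as https://intranet.example.com:4430/ - the
# port has to be hardcoded in every published URL, because a browser
# given https://intranet.example.com/ will connect to 443 and land in
# the www.example.com host above (wrong cert, name-mismatch warning).
<VirtualHost 192.0.2.10:4430>
    ServerName intranet.example.com
    DocumentRoot /var/www/intranet
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/intranet.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/intranet.example.com.key
</VirtualHost>

# What NOT to do: a second <VirtualHost 192.0.2.10:443> block with a
# different ServerName. Apache cannot see the Host header before the
# SSL session is up, so it would always use the first block's cert and
# the second site's visitors would get a certificate-name mismatch.
```

To check which certificate is actually handed out on each endpoint, connect with `openssl s_client -connect 192.0.2.11:443` (and `:4430` on the first address) and compare the subject CN against the name you typed into the browser; if the CN belongs to another site, the request has fallen into the wrong virtual host.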

