httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gregory S. Michaels" <>
Subject RE: [users@httpd] SSL, Cookies, Post Variables
Date Wed, 06 Nov 2002 16:16:29 GMT

Again thanks for the reply. I believe I have solved my problem. In my
httpd.conf file the ServerName was set to an internal IP address (inside the
firewall) and not the domain name or public IP address I used to register my
test certificate. After correcting this I could at least get the web site to
function properly by redirecting the virtual domain to the CA registered
domain/server name. The reason I felt my virtual domains would work as well
had to do with the test results I got after installing the test certificate.
I read that if my install of the test certificate was successful I would get
an Apache confirmation page when going secure. When I tried this test under
all my various virtual domain names, the confirmation page was displayed. So
all these variations resulted in the Apache confirmation page being
displayed:	Server name
 and so on.

I assumed this meant I could go secure on all these domains. Apparently
there is more to the story. Anyway I have gotten past the problem and at
least have a working solution.

> Thank your for the reply. I understand the issue of having
> different domain
> names and trying to pass the cookies. This makes sense to me.
> However, I
> think this goes a little bit deeper. I assumed my test
> certificate is tied
> to a specific domain/ip. So when I went secure I used the domain I
> registered the certificate under ( In
> testing I tried
> going secure using the other virtual domain names I am
> hosting and this
> seemed to work as far as being secure went. So I was able to
> maintain the
> same domain name when going secure. However, the secure URL
> needed to be
> coded a bit differently:
> needed to be
> https:/ when going
> secure. So there is
> more going on there under the hood. This still did not work
> for me even
> though I could maintain the same domain name. I see in some
> of the SSL docs
> that virtual domain names are and issue:

This is right.  It's rather common to be able to access the same docs under
different domains by using different paths.  As far as the SSL goes, it
requires the use of an IP.  The client will attempt to make a connection to
domain by resolving its IP address and connecting to that.  The
problem is, since the SSL connection is made before the actual HTTP request,
Apache will serve up the default site.  It's kind of the same thing it does
if the Host HTTP header isn't sent (like in HTTP/1.0 connections).

> This seems to imply I cannot even attempt to go secure using virtual
> domains, yet it appears to allow it when I try it on my server. I am
> thoroughly confused and perhaps in over my head.

I'm a little confused myself as to your question.  As is well documented,
you can't use name-based virtual hosts with SSL certs.  The SSL connection
may work, but Apache can't work with the request properly.  If you want and to both use SSL, you need two IPs and ip-based
virtual hosts.  Your other option is to have one "main" domain that has SSL
(eg and call the objects from the virtual host via the path (eg would be

As far as the cookie thing goes, you should set the cookie with a value in the "domain" field.  You may also want to set it with
"/" in the "path" field so it is accessable by any URL with the
domain.  If you do this, you should be able to access the cookie by any
programs that are called from...
 etc, etc, etc

Maybe if you explain your question a little better we can be more specific.

 ~ Robert

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message