httpd-users mailing list archives

From "Jonathan Hilgeman" <jhilge...@red-tea-rooibos.com>
Subject Re: [users@httpd] IP Based Virtual Host
Date Tue, 29 Jul 2003 00:16:21 GMT
Not true - I have this working on my server. Each server has its own
certificate. The important thing is the domain names. If you have 1 IP, then
you need to rely on the domain names. Apache will "select" the virtualhost
that has a matching domain name.

So if you go to https://www.domain2.com , Apache should basically look up
the <VirtualHost> for domain1.com and see that the ServerName and
ServerAlias are not domain2.com, and ignore it. Then it goes to the next
<VirtualHost> and sees ServerName domain2.com and says, "Hey, this is the
right virtual host, so I'll use the certificate listed here."

Now, if you don't have the right configuration for domain2.com, then Apache
might ignore it, too. If it can't find any other <VirtualHost> entries, THEN
it will default to the first one. But if the <VirtualHost> entries are set
up right, it should work fine. So double-check everything and make sure you
have the ServerName and ServerAlias (optional) set up correctly.

Just a side note - you should turn on "UseCanonicalName" if it is off. Just
search for that in your httpd.conf and if you don't see it or if it's
commented out, make sure it looks like:

UseCanonicalName On

- Jonathan


----- Original Message ----- 
From: "Gustavo A. Baratto" <gbaratto@superb.net>
To: <users@httpd.apache.org>
Sent: Monday, July 28, 2003 9:11 AM
Subject: Re: [users@httpd] IP Based Virtual Host


> Hi Jonathan,
>
> This solution doesn't work... if two domains are sharing the same IP,
> the first one is going to be used for both sites... if you read the cert
> when you go to https://www.domain2.com, you'll see that it is exactly
> the same if you go to https://www.domain1.com, ie domain1.com.crt
>
> If you put the virtualhost container of domain2.com before domain1.com,
> the certs are going to be domain2.com.crt
>
> The data is being encrypted, but you users
>
> Except if there is a new workaround that I'm not aware of, https can
> just encrypt the headers if it finds the IP first...the old chicken and
> problem.
>
>
>
> Jonathan Hilgeman wrote:
> > Hi,
> >
> > Yes, you can do this. I have a similar setup - I have one IP and several
> > (about 50-80) domains all on name-based vhosting. Two of my domains are
> > e-commerce stores and each have their own SSL certificate.
> >
> > Maybe my configuration file (using ModSSL) can help you. It's not perfect,
> > but it works. My configuration looks something like:
> >
> > httpd.conf:
> > --------------------------------
> >
> > .... all the regular stuff that's in httpd.conf ....
> >
> > <IfModule mod_ssl.c>
> >    SSLPassPhraseDialog  builtin
> >    SSLSessionCache         dbm:/usr/local/apache/logs/ssl_scache
> >    SSLSessionCacheTimeout  300
> >    SSLMutex  file:/usr/local/apache/logs/ssl_mutex
> >    SSLRandomSeed startup builtin
> >    SSLRandomSeed connect builtin
> >    SSLLogLevel info
> >    SSLLog  /usr/local/apache/logs/ssl_engine_log
> > </IfModule>
> >
> > NameVirtualHost MY_IP_ADDRESS:443
> >
> > <VirtualHost MY_IP_ADDRESS:443>
> >    ServerAdmin webmaster@domain1.com
> >    DocumentRoot /www/sites/www.domain1.com
> >    ServerName domain1.com
> >    ServerAlias www.domain1.com
> >    SSLEngine on
> >    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >    SSLCertificateFile /usr/local/apache/conf/ssl.key/www.domain1.com.crt
> >    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/www.domain1.com.key
> >    <Files ~ "\.(cgi|shtml|phtml|php3|php?)$">
> >       SSLOptions +StdEnvVars
> >    </Files>
> >    <Directory "/usr/local/apache/cgi-bin">
> >       SSLOptions +StdEnvVars
> >    </Directory>
> >    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
> > </VirtualHost>
> >
> > <VirtualHost MY_IP_ADDRESS:443>
> >    ServerAdmin webmaster@domain2.com
> >    DocumentRoot /www/sites/www.domain2.com
> >    ServerName domain2.com
> >    ServerAlias www.domain2.com
> >    SSLEngine on
> >    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >    SSLCertificateFile /usr/local/apache/conf/ssl.key/www.domain2.com.crt
> >    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/www.domain2.com.key
> >    <Files ~ "\.(cgi|shtml|phtml|php3|php?)$">
> >       SSLOptions +StdEnvVars
> >    </Files>
> >    <Directory "/usr/local/apache/cgi-bin">
> >       SSLOptions +StdEnvVars
> >    </Directory>
> >    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
> > </VirtualHost>
> >
> > I hope this helps!
> >
> > - Jonathan
> >
> > ----- Original Message ----- 
> > From: <zebabr@ig.com.br>
> > To: <users@httpd.apache.org>
> > Sent: Monday, July 28, 2003 1:41 PM
> > Subject: [users@httpd] IP Based Virtual Host
> >
> >
> >
> >>I have 4 domains on the same server and just one external IP. Can I use ssl
> >>with different certificates for each of the domains using name based vhosts?
> >>I've tried to set my server with ip based virtual host but cannot make my
> >>router forward the packets to the right ip. I've created one virtual ip for
> >>each domain.
> >>
> >>Thanks,
> >>
> >>---------------------------------------------------------------------
> >>The official User-To-User support forum of the Apache HTTP Server Project.
> >>See <URL:http://httpd.apache.org/userslist.html> for more info.
> >>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> >>For additional commands, e-mail: users-help@httpd.apache.org
>
> -- 
>   --------------------------------------------------------------------------
>   Gustavo Baratto - Programming and Technical Support
>   GBaratto@SUPERB.NET * (604) 638-2525 ext. 408
>
>   Technical support web-site: http://support.superb.net
>   Superb Internet Corp. "Ahead of the Rest"
>   -------------------------------------------------------------------------
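The check described in the thread (reading the certificate returned for each name on the shared IP), as an added example that is not part of the original messages. The function names, the sample certificate and the address 192.0.2.10 are constructed for illustration; `fetch_cert` assumes the served chain validates against the system trust store, and its `send_sni` flag controls whether the client names the host in the TLS handshake.

```python
import socket
import ssl

def cert_names(cert):
    """DNS names from an ssl.getpeercert() dict: subjectAltName, else subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return [n.lower() for n in names]

def covers(cert, hostname):
    """True if the certificate is valid for hostname (a left-most '*' label is allowed)."""
    host = hostname.lower().rstrip(".")
    for name in cert_names(cert):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def fetch_cert(ip, hostname, port=443, send_sni=True, timeout=5):
    """Connect to ip and return the certificate served when asking for hostname."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # names are compared in covers(), chain is still verified
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        sni = hostname if send_sni else None
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()

def audit(hostnames, fetch):
    """Map each hostname that was served a non-matching certificate to that cert's names."""
    wrong = {}
    for host in hostnames:
        cert = fetch(host)
        if not covers(cert, host):
            wrong[host] = cert_names(cert)
    return wrong

# Constructed sample: every name on the shared IP is answered with domain1's certificate.
DOMAIN1_CERT = {
    "subject": ((("commonName", "www.domain1.com"),),),
    "subjectAltName": (("DNS", "www.domain1.com"), ("DNS", "domain1.com")),
}

if __name__ == "__main__":
    print(audit(["www.domain1.com", "www.domain2.com"], lambda host: DOMAIN1_CERT))
    # Against a live server (placeholder address):
    #   audit(names, lambda h: fetch_cert("192.0.2.10", h))
```

An empty result from `audit` means every name received a certificate that covers it; running it once with `send_sni=True` and once with `send_sni=False` shows whether the server's choice depends on the name sent in the handshake.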

