httpd-users mailing list archives

From "Leif W" <warp-...@usa.net>
Subject Re: [users@httpd] virtual host does not show up correctly when Apache/SSL is enabled
Date Thu, 21 Aug 2003 02:04:32 GMT
----- Original Message ----- 
From: "Carlo Florendo" <carlo@hq.astra.ph>
To: <users@httpd.apache.org>
Sent: Wednesday, August 20, 2003 8:49 PM
Subject: Re: [users@httpd] virtual host does not show up correctly when
Apache/SSL is enabled


> ----- Original Message -----
> From: "Leif W"
> Sent: Wednesday, August 20, 2003 9:17 PM
> Subject: Re: [users@httpd] virtual host does not show up correctly when
> Apache/SSL is enabled
>
> Thanks a lot Leif.
>
> > One thing I don't see in your code is the NameVirtualHost directive.  Also
> > noticed that one site was not a VirtualHost at all, and am not sure if that
> > is what was intended,
>
> Yes, I intended the other site not to be virtual hosted.  I simply changed
> the default parameters of the httpd.conf sample file to serve my main site.
> Then I wanted to add another site so I did the obvious--added a virtual host.
>
> What difference does it make if:
>
> a) I have two sites; One is virtual hosted and the other is not
>
> and
>
> b) I have two sites; Both are virtual hosted.

For one, it's generally a lot easier to keep track of all sites in one
section of the conf file.  Maybe this is personal choice?  Just because one
site is the "main" site and another is a "second" site, does not require you
to put the "main" as a non virtualhost.  I've seen web servers with several
dozen sites, and not use any of the "main" server configs at all, except
perhaps the /icons/ and /error/ directories.  It's a very common practice.

> > so I assumed it was not and stuck it in a VirtualHost
> > for the example.  Maybe something like the following would work?

For each virtual host, you have to be listening on the right port:IP pair,
you have to tell Apache that the IP:port pair is a virtual host with the
NameVirtualHost directive, and each VirtualHost must match a
NameVirtualHost, otherwise it is probably going to fall back on the "main"
page.

> Yes it did!  but only if I appended the port number in the IP address part
> of the virtual host directive (e.g. <VirtualHost 192.168.30.10:80>)

Maybe my example was not 100% correct.  You'll always have to assume that to
learn this stuff you must "try it and see", as omissions or inaccuracies in
the best-intended responses do occur.  :)

> I'm still not so clear why I need to append the port number.  What does
> this have to do with SSL?  (Please remember that my virtual
> hosts don't work when I run apache/SSL)

I'm not sure if I'm explaining it the best way.  I just understand it on an
intuitive level after trying many combinations on my own and seeing what
happens.  About the unencrypted sites, as I understand it, Apache listens on
the IP:port you tell it to.  When a request comes in, the browser sends a
Host: header with the name of the website requested, and Apache will go to
the IP and port that the request came in on, and then look for a matching
ServerName (or ServerAlias) under VirtualHost blocks with matching IP:port
pairs.  This allows you to have several unencrypted sites using the same IP
and port (i.e. all your unencrypted sites might be *:80 to match all IPs, or
IP:80 to specify each IP).  That is what VirtualHost was invented for, to
reuse IP addresses.

About encrypted sessions, as it was explained to me recently, SSL needs a
unique IP:port pair to function, as the server can't peek at the Host
headers as they are encrypted, and the server can not unencrypt the session
unless it knows which certificate/key to use, which you need the Host to
determine.  The usage of VirtualHost for secure sessions can therefore be
seen as counter to the original intent of the VirtualHost, as if you want to
listen to https on the default port of 443 for all your sites, then each
site must have a unique IP.  The other option, to maintain a unique IP:port
pair, is to use the same IP but use non-standard ports for https, i.e.
something unused by your other servers (for me 4300+ was open).

With that understanding going on in your mind, try to then picture what is
happening with your configuration.  Apache is receiving a request that is
encrypted.  It may not know which IP:port pair to use (maybe it doesn't
match in the VirtualHost or there's a missing or incorrect NameVirtualHost,
or Listen directive), so it falls back to the "main" site.

So maybe it's better to err on the side of caution, and be specific about
your IP:port in all your Listen, NameVirtualHost, and VirtualHost
directives.

Hope this helps, and if anyone else can comment, please do.

Leif

> > ----------------start snippet of httpd.conf----------------
> > Listen 192.168.30.10:80
> > NameVirtualHost 192.168.30.10
> > <VirtualHost 192.168.30.10>
> >     DocumentRoot "/var/www/html"
> >     ServerName manila.astra.ph
> > </VirtualHost>
> >
> > Listen 192.168.30.12:80
> > NameVirtualHost 192.168.30.12
> > <VirtualHost 192.168.30.12>
> >     DocumentRoot "/var/www/tokyo/"
> >     ServerName tokyo.astra.ph
> > </VirtualHost>
> > ----------------end snippet of httpd.conf----------------
> >
> > ----------------start snippet of ssl.conf----------------
> > Listen 192.168.30.10:443
> > <VirtualHost 192.168.10.10>
> >     DocumentRoot "/var/www/tokyo/"
> >     ServerName manila.astra.ph
> > </VirtualHost>
> >
> > Listen 192.168.30.12:443
> > <VirtualHost 192.168.10.12>
> >     DocumentRoot "/var/www/tokyo/"
> >     ServerName tokyo.astra.ph
> > </VirtualHost>
> > ----------------end snippet of ssl.conf----------------
> >
> > ----- Original Message -----
> > From: "Carlo Florendo" <carlo@hq.astra.ph>
> > To: <users@httpd.apache.org>
> > Sent: Wednesday, August 20, 2003 4:27 AM
> > Subject: [users@httpd] virtual host does not show up correctly when
> > Apache/SSL is enabled
> >
> >
> > > Hello,
> > >
> > > I've configured apache to listen to both http and https requests on one
> > > virtual host.  So I effectively have one non-virtual hosted
> > > site and another that is virtual hosted.
> > >
> > > The virtual hosted site is configured to accept both http and https
> > > requests.
> > >
> > > Whenever I run apache with https enabled, I'm *incorrectly* redirected to
> > > the main page of the non-virtual host site
> > > whenever I access the virtual hosted site.  However, when I restart apache
> > > without https enabled, I am correctly directed to the
> > > virtual hosted site.
> > >
> > > Here are the relevant portions of my configuration files.
> > >
> > > ----------------start snippet of httpd.conf----------------
> > >
> > > Listen 192.168.30.10:80
> > > Listen 192.168.30.12:80
> > >
> > > DocumentRoot "/var/www/html"
> > > ServerName manila.astra.ph
> > >
> > > <VirtualHost 192.168.30.12>
> > >     DocumentRoot "/var/www/tokyo/"
> > >     ServerName tokyo.astra.ph
> > > </VirtualHost>
> > >
> > > ----------------end snippet of httpd.conf----------------
> > >
> > > Both manila.astra.ph and tokyo.astra.ph are valid DNS names and are
> > > respectively mapped to 192.168.30.10 and 192.168.30.12
> > >
> > > ----------------start snippet of ssl.conf----------------
> > > Listen 192.168.30.10:443
> > > Listen 192.168.30.12:443
> > >
> > > <VirtualHost 192.168.10.12:443>
> > >
> > > DocumentRoot "/var/www/tokyo/"
> > > ServerName tokyo.astra.ph
> > > ServerAdmin root@localhost
> > > ErrorLog logs/error_log
> > > TransferLog logs/access_log
> > >
> > >
> > > ----------------end snippet of ssl.conf----------------
> > >
> > > Any workaround on the matter?
> > >
> > > Thanks!
> > >
> > > Best Regards,
> > > Carlo
> > > ------
> > > Carlo Florendo
> > > Astra Philippines Inc.
> > > URL: http://www.hq.astra.ph
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>
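
Added example, not part of the original message or of Apache httpd: a small Python check that applies the rule of thumb from the reply above (be specific about IP:port in every Listen, NameVirtualHost and VirtualHost directive). The function names are hypothetical, the check compares literal IP:port strings only and does not reproduce Apache's own matching logic, and the sample snippets reuse directive lines quoted in the thread plus one constructed variant.

```python
import re

# Matches "Listen addr", "NameVirtualHost addr" and "<VirtualHost addr>" lines.
DIRECTIVE = re.compile(
    r"^\s*<?(Listen|NameVirtualHost|VirtualHost)\s+([^\s>]+)>?\s*$", re.I)

def parse(conf_text):
    """Collect the address argument of each directive, keyed by directive."""
    found = {"listen": [], "namevirtualhost": [], "virtualhost": []}
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            found[m.group(1).lower()].append(m.group(2))
    return found

def check(conf_text):
    """Flag vhost addresses lacking a port or lacking an identical Listen."""
    found = parse(conf_text)
    findings = []
    for kind in ("NameVirtualHost", "VirtualHost"):
        for addr in found[kind.lower()]:
            if ":" not in addr:
                findings.append(f"{kind} {addr}: no explicit port")
            elif addr not in found["listen"]:
                findings.append(f"{kind} {addr}: no matching Listen")
    return findings

# Directive lines as quoted in the thread (original poster's ssl.conf).
SSL_CONF = """Listen 192.168.30.10:443
Listen 192.168.30.12:443
<VirtualHost 192.168.10.12:443>
ServerName tokyo.astra.ph
"""
# Directive lines as quoted in the thread (original poster's httpd.conf).
HTTPD_CONF = """Listen 192.168.30.10:80
Listen 192.168.30.12:80
<VirtualHost 192.168.30.12>
ServerName tokyo.astra.ph
</VirtualHost>
"""
# Constructed variant with IP:port spelled out everywhere.
EXPLICIT = """Listen 192.168.30.12:80
NameVirtualHost 192.168.30.12:80
<VirtualHost 192.168.30.12:80>
</VirtualHost>
Listen 192.168.30.12:443
<VirtualHost 192.168.30.12:443>
</VirtualHost>
"""

if __name__ == "__main__":
    for name, conf in (("ssl.conf", SSL_CONF), ("httpd.conf", HTTPD_CONF),
                       ("explicit", EXPLICIT)):
        print(name, check(conf))
```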


