httpd-users mailing list archives

From: "Robert Andersson" <rob...@profundis.nu>
Subject: Re: [users@httpd] Apache2/SSL/VirtualHost/single external IP
Date: Sun, 17 Aug 2003 01:15:40 GMT

Leif W wrote:
> I think I remember seeing somewhere that you can only run one secure
> per IP,

You read right.

> but I've tried a setup something like this config (see EXAMPLE 1
> below), just to see what happens.  What I get is I can see
> www.site1.org:80 ok, I can't see www.site2.net:80

What do you mean by "can't see"? Wrong contents, forbidden, document not
found, host not found? What does the error log have to say?

> I can see www.site1.org:443 and www.site2.net:443 correctly.

You may *see* www.site2.net:443, but not *correctly*. What happens is that
when you request it, Apache will use the certificate you defined for your
first SSL host.

Apache can't determine which (named) host is being requested, because that
piece of information is encrypted. This discussion comes up at least once
per week, so go back in the archives for more detailed information about
this.

> So would I have to have my NAT/ipmasq box somehow determine which site
> is being called, and let it do masquerading/address translations to the
> appropriate internal IP for that website?

Your NAT has absolutely no way of telling which hostname the request is for,
and thus cannot forward requests on 443 to different internal IPs. It will
just see requests for port 443 with a lot of nonsense garbage.

> Or is there something I can do in the Apache's httpd.conf file?

No. If you can live with it, you can use the same certificate for all your
SSL sites, although all browsers will complain that the certificate doesn't
match the hostname.

> EXAMPLE 1
> --------------
> NameVirtualHost *
> <VirtualHost *>
>     #
>     ServerName default
>     (stuff)
> </VirtualHost>
>
> NameVirtualHost 192.168.7.7:80

This is redundant. 'NameVirtualHost *' will accept requests on all
interfaces (on port 80).


Regards,
Robert Andersson


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
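
A configuration check for the situation described in the reply above, as an added example that is not part of the original message or of Apache itself: it groups SSL-enabled <VirtualHost> blocks by address and reports every host whose own certificate is never presented because the first SSL host on that address supplies it. The certificate paths, the third host and the function names are constructed for illustration.

```python
import re

# Constructed sample config (not from the thread): two SSL hosts share one address.
SAMPLE_CONF = """
<VirtualHost 192.168.7.7:443>
    ServerName www.site1.org
    SSLEngine on
    SSLCertificateFile /etc/ssl/site1.crt
</VirtualHost>
<VirtualHost 192.168.7.7:443>
    ServerName www.site2.net
    SSLEngine on
    SSLCertificateFile /etc/ssl/site2.crt
</VirtualHost>
<VirtualHost 192.168.7.8:443>
    ServerName www.site3.example
    SSLEngine on
    SSLCertificateFile /etc/ssl/site3.crt
</VirtualHost>
"""

BLOCK = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Return the first argument of a directive inside a vhost body, or None."""
    m = re.search(r"^\s*%s\s+(\S+)" % name, body, re.M | re.I)
    return m.group(1) if m else None

def ssl_vhosts(conf):
    """Group SSL-enabled vhosts by their address string, in config order."""
    groups = {}
    for addr, body in BLOCK.findall(conf):
        if (directive(body, "SSLEngine") or "").lower() != "on":
            continue  # plain HTTP vhost: the Host header is readable, no conflict
        entry = (directive(body, "ServerName"), directive(body, "SSLCertificateFile"))
        groups.setdefault(addr.strip(), []).append(entry)
    return groups

def shadowed_hosts(conf):
    """List (address, server_name, own_cert, served_cert) for SSL vhosts whose
    certificate differs from the first SSL vhost's on the same address."""
    findings = []
    for addr, hosts in ssl_vhosts(conf).items():
        first_cert = hosts[0][1]  # the certificate of the first SSL host is used
        findings += [(addr, n, c, first_cert) for n, c in hosts[1:] if c != first_cert]
    return findings

if __name__ == "__main__":
    for addr, name, own, served in shadowed_hosts(SAMPLE_CONF):
        print("%s: %s is served with %s, not %s" % (addr, name, served, own))
```

Hosts that deliberately share one certificate are not reported, although browsers will still warn about the hostname mismatch the reply mentions.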

