httpd-users mailing list archives

From dfn <...@tictric.net>
Subject Re: [users@httpd] Certificates for aliases?
Date Tue, 25 Nov 2003 09:58:59 GMT
I'd offer you a different approach: use an SSL proxy.

Make a new request with CA.sh -newreq and get it certified for, say, ssl.yourdomain.tld.

Then you set up a virtual host ssl.yourdomain.tld with a directory 
ssldomain in it.

Then you need mod_rewrite and mod_proxy loaded, but you'd better not 
uncomment the <IfModule mod_proxy.c> directive.
You don't need it, and you run the risk of enabling an open proxy, which 
causes a lot of trouble if you don't know what you're doing.

Create a file sslproxy.conf like so:

#################
# local SSL-Proxy, that redirects https://domain to http://domain
#################
RewriteLock     /var/lock/rewrite.lock

<VirtualHost 1.2.3.4:443>
    DocumentRoot "/your/doc/root"
    ServerName ssl.domain.tld
    # note: this string does not exclude LOW, EXP (export-grade) or SSLv2 suites
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /path/to/your/ssl.crt/server.crt
    SSLCertificateKeyFile /path/to/your/ssl.key/server.key
    SSLEngine on
    # Rewrite-Engine power on
    RewriteEngine   on
    # Logging on or off
    #RewriteLog     /dev/null
    #RewriteLog     0
    RewriteLog      /var/log/httpd/sslproxy.log
    RewriteLogLevel 1
    RewriteMap      lowercase       int:tolower
    # RewriteMap for all Domains to go through your sslproxy
    # I'm using /etc/apache/ssldomains
    RewriteMap      domaindb        txt:/path/to/your/apacheconf/ssldomains
    RewriteRule     ^/icons/(.+)  -                               [L]
    # MS IE needs some extra handling
    RewriteRule     ^/w3c/(.+)      -                               [L]
    # all to lower case for database lookup
    RewriteRule     ^/([^/]+)/(.*)  /${lowercase:$1}/$2             [S=1]
    RewriteRule     ^/(.*)          /${lowercase:$1}
    # via proxy connection to http://domain/...
    # or http://www.domain/...
    # add final slash "/" if not available
    # force redirect,
    # meaning browser tries it again with "domain/"
    # if "path" cannot be found in domaindb go to ssl.domain/path
    RewriteRule     ^/www\.([^/]+)/(.*)     /${domaindb:$1|%{HTTP_HOST}/$1}/$2      [S=2]
    RewriteRule     ^/([^/]+)/(.*)          /${domaindb:$1|%{HTTP_HOST}/$1}/$2      [S=1]
    RewriteRule     ^/(.+)                  /$1/                    [R,L]
    RewriteRule     ^/(.*)                  http://$1               [P,L]

</VirtualHost>

Next you need the "/path/to/your/apacheconf/ssldomains" file.
I'm using /etc/apache/ssldomains like so:

#Path     ->     Domain

mydomain.tld    www.mydomain.tld
otherdomain.tld   www.otherdomain.tld
myssl           www.myssl.tld

This causes https://ssl.domain.tld/myssl to call www.myssl.tld and encrypts 
it.
You can redirect as many domains as you like with just one certificate.

Right at the end of httpd.conf you need to add an Include 
(/etc/apache/sslproxy.conf):

Include /path/to/your/sslproxy.conf


btw. I didn't invent this :-)

Hope it helps.
manfred



On Mon, 24 Nov 2003 21:53:15 -0500 (EST), Kyle Dent 
<kdent@seaglass.com> wrote:

> On Mon, 24 Nov 2003, Mark London wrote:
>
>> > From: Kyle Dent <kdent@seaglass.com>
>> >>  Hi - We are running apache on a node that we want people to access
>> >>  using the primary ip name and also an alias.  However, since the
>> >>  present certificate was created for the primary ip name, anyone who
>> >>  accesses the server using the alias is warned about this.  Is there
>> >>  any way to create a certificate that can also be used with an alias
>> >>  name, or is there a way for apache to use 2 different certificates?
>> >>  Thanks. -  Mark
>> >
>> > You'll need a certificate for each *hostname* you want to use
>> > with SSL. Apache can be configured for as many certificates as you
>> > need.
>>
>> Can you point me to documentation on how to do this?  I.e., how to
>> make the server use the alias's certificate when the server is accessed
>> using the alias's ip address?  Or do I just define both certificates,
>> and the server will use the one that works?  Thanks. -  Mark
>
> Normally you would have VirtualHost entries for each hostname
> alias. The SSL directives for a particular alias go in the
> appropriate VirtualHost entry:
>
> Listen 192.168.6.60:443
> <VirtualHost 192.168.6.60:443>
> ServerName site1.example.com
> DocumentRoot /path...
> #
> # other directives plus SSL configuration for site1 here.
> #
> </VirtualHost>
>
> Listen 192.168.6.61:443
> <VirtualHost 192.168.6.61:443>
> ServerName site2.example.com
> DocumentRoot /path...
> #
> # other directives plus SSL configuration for site2 here.
> #
> </VirtualHost>
>
> The exact SSL directives depend on the SSL module you're using.
> Basically the directives point to the location of your private
> key and public certificate files.
>
> Kyle
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>



-- 
Created with M2, Opera's revolutionary e-mail module: 
http://www.opera.com/m2/
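
To make the rule order in the sslproxy.conf above concrete, here is an added Python model of the rewrite chain (an illustration, not part of the original message and not Apache's own code). The function names and the sample Host value are assumptions; the map is a constructed copy of the ssldomains file from the message.

```python
import re

# Constructed copy of the ssldomains map quoted in the message
SSLDOMAINS = """\
#Path     ->     Domain

mydomain.tld    www.mydomain.tld
otherdomain.tld   www.otherdomain.tld
myssl           www.myssl.tld
"""

def load_map(text):
    """Parse a RewriteMap txt: file (key, whitespace, value; '#' starts a comment)."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            table[fields[0]] = fields[1]
    return table

def trace(path, http_host, domaindb):
    """Return (action, target) for one request path, following the rule order."""
    # Rules 1-2: /icons/ and /w3c/ are served locally ("-" with [L])
    if re.match(r"^/(icons|w3c)/.+", path):
        return ("local", path)
    # Rules 3-4: lowercase the first segment, or the whole path if it has no second "/"
    m = re.match(r"^/([^/]+)/(.*)", path)
    if m:
        path = "/" + m.group(1).lower() + "/" + m.group(2)
    else:
        path = "/" + path[1:].lower()
    # Rules 5-6: look up the first segment (minus a leading "www.") in domaindb;
    # on a miss the map default is %{HTTP_HOST}/$1
    m = re.match(r"^/(?:www\.)?([^/]+)/(.*)", path)
    if m:
        key, rest = m.group(1), m.group(2)
        path = "/" + domaindb.get(key, http_host + "/" + key) + "/" + rest
        # [S=2] / [S=1] skip the redirect rule, so control reaches the proxy rule
    elif len(path) > 1:
        # Rule 7: a single segment without trailing slash is redirected [R,L]
        return ("redirect", path + "/")
    # Rule 8: what is left is proxied to http://<rewritten path> [P,L]
    return ("proxy", "http://" + path[1:])

DOMAINDB = load_map(SSLDOMAINS)

if __name__ == "__main__":
    for p in ("/myssl/index.html", "/MySSL", "/www.mydomain.tld/a", "/unknown/x"):
        print(p, "->", trace(p, "ssl.domain.tld", DOMAINDB))
```

Running it lists, per request path, whether the request is served locally, redirected, or proxied, and to which backend URL, which is a quick way to review the set of hosts the proxy rule can reach for a given map.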
