httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] Multiple SSL enabled Virtual Servers and mod_rewrite
Date Wed, 16 Mar 2005 14:44:57 GMT


> -----Original Message-----
> From: Diego M. Vadell [mailto:dvadell@lantech.com.ar]
> Sent: Wednesday, 16 March 2005 15:37
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Multiple SSL enabled Virtual Servers and mod_rewrite
> 

The effect you're seeing (where SSL *appears* to work with multiple
HTTPS VHs) is an accidental feature of apache. The default rule, if a
request cannot be matched to a particular VH, is to serve the *first*
VH. So when the initial request comes in, apache sets up the SSL
connection using the cert from the first VH. Once the connection is
established, apache can decrypt the requests, read the host header and
so serve the content from the correct VH. 

> 
> Hello Sylvain,
>     Thank you, it's clear enough. But given you have only one IP, isn't it
> useful to have the traffic encrypted? I know it's only half of what SSL brings
> to HTTP.

HTTPS provides encryption and *authentication*. With your setup you get
encryption only. Look at it from the client's point-of-view: Imagine a
guy turned up at your door with an armoured car but no ID and said "I'm
from your bank. They told me to come and take all your money. As you
see, it'll be safe in transit in my armoured car." 

It will certainly be safe, but would it get to your bank?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

>     But, also: is there any scenario where, using mod_rewrite to serve the
> correct page based on the HTTP_HOST env variable, something won't work?
> 
>    For example, when I applied the "VirtualHost without Virtualhosts"
> mod_rewrite example, pointing to directories without a final slash would
> redirect me to the "real" SSL host.
> 
> -------------------------------8<--------------------8<-----------------------
> <VirtualHost *:443>
> ServerName www.domain1.com
> [...]
> RewriteEngine on
> 
> RewriteCond   %{HTTP_HOST} ^www.domain2.com$
> RewriteRule   ^/(.*)$ /var/www/www.domain2.com/$1 [E=VHOST:%{HTTP_HOST},E=SCRIPT_URI:https://%{HTTP_HOST}/$1]
> 
> </VirtualHost>
> -------------------------------8<--------------------8<-----------------------
> 
> https://www.domain2.com/wiki will redirect to https://www.domain1.com/wiki/

So I added, also from mod_rewrite's documentation:

RewriteCond    %{REQUEST_FILENAME}  -d
RewriteRule    ^/var/www/www.domain2.com/(.+[^/])$        https://%{HTTP_HOST}/$1/  [R]

And it worked. I have Mediawiki working now in www.domain2.com/wiki.
I would like to know if anybody knows any other case where I will get the
wrong domain, or that it won't work... or just a thought :)

Thank you Sylvain,
 -- Diego.

On Wednesday 16 March 2005 11:12, Sylvain COUTANT wrote:
> > Clearly you cannot
> > use multiple <VirtualHost> with SSL, but I don't understand *why*.
>
> Because the SSL Layer is set up *before* any data (HTTP request content) is
> sent to the server. That means, it must be set up before the virtual host
> name is known by the server.
>
> This way the server has to choose a certificate to set up the SSL
> connection without having received any information from the client. So you
> can only virtual host SSL using different server IPs and/or ports.
>
> Hopefully, it is clear enough.
> Regards,
> Sylvain.
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org

-- 
-----
:( >> $$
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me
spread!
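
The authentication gap discussed in this thread, modelled as an added example (not part of the original messages and not Apache's code): the server must present a certificate before it knows the requested host, so the first vhost's certificate is used, and a verifying client accepts it only for names that certificate covers. The certificate dicts follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`; `VHOSTS` and the simplified name check are constructed for illustration.

```python
# Added example with constructed data; cert dicts use the ssl.getpeercert() shape.

def dns_names(cert):
    """Names a client checks: SAN dNSName entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    return sans or cns


def name_matches(pattern, host):
    """Case-insensitive label match; '*' only as the whole left-most label,
    and never directly under a top-level label (rejects "*.com")."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_valid_for(cert, host):
    return any(name_matches(n, host) for n in dns_names(cert))


def presented_cert(vhosts):
    """The handshake starts before any Host header arrives, so the first
    <VirtualHost> on the address:port supplies the certificate."""
    return vhosts[0]["cert"]


def audit(vhosts):
    """ServerName -> would a verifying client accept the presented cert?"""
    cert = presented_cert(vhosts)
    return {vh["server_name"]: cert_valid_for(cert, vh["server_name"])
            for vh in vhosts}


# Constructed model of the thread's setup: two HTTPS vhosts sharing *:443.
VHOSTS = [
    {"server_name": "www.domain1.com",
     "cert": {"subjectAltName": (("DNS", "www.domain1.com"),)}},
    {"server_name": "www.domain2.com",
     "cert": {"subjectAltName": (("DNS", "www.domain2.com"),)}},
]

if __name__ == "__main__":
    for name, ok in audit(VHOSTS).items():
        print(f"{name}: {'certificate matches' if ok else 'NAME MISMATCH'}")
```

Swapping the order of `VHOSTS` flips the result, which mirrors the "first VH wins" behaviour described above.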




