httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Markus Mayer <mymailli...@gmx.at>
Subject Re: [users@httpd] Are multiple <VirtualHost *:80 *:443> ok with wildcard cert ?
Date Thu, 16 Mar 2006 11:14:10 GMT
Hi,

Actually, having multiple HTTPS virtual hosts on the same IP address is not 
possible becasue of limitations in SSL itself.  

The correct and only way to handle this is to use a different IP address for 
each host for which you want an HTTPS.  That means setting up your servers 
net interface to have multipel IP addresses, which is a simple matter on all 
systems (AIX is a kind of exception though).

You will need separate certificates for each virtual host for which you want 
to have an HTTPS.  The config is also relatively simple.  An example is:


NameVirtualHost 123.123.123.20:80
<VirtualHost webmail.myserver.com:80>
    ServerName webmail.myserver.com
    DocumentRoot /usr/local/apache2/htdocs/mail

    SSLEngine on
    SSLCertificateFile /usr/local/apache2/conf/certs/webmail_2006.key
    SSLCertificateKeyFile /usr/local/apache2/conf/webmail_priv.pem
    SSLCACertificateFile /usr/local/apache2/conf/certs/ca-bundle2005.crt

# All other config goes here.......

</VirtualHost>

<VirtualHost 123.123.123.21:80>
    ServerName www.myserver.com
    DocumentRoot /usr/local/apache2/htdocs

    SSLEngine on
    SSLCertificateFile /usr/local/apache2/conf/certs/www_2005.key
    SSLCertificateKeyFile /usr/local/apache2/conf/lara3_priv.pem
    SSLCACertificateFile /usr/local/apache2/conf/certs/ca-bundle2005.crt

# All other config goes here.......

</VirtualHost>


NameVirtualHost 123.123.123.20:443
<VirtualHost webmail.myserver.com:443>
    ServerName webmail.myserver.com
    DocumentRoot /usr/local/apache2/htdocs/mail

    SSLEngine on
    SSLCertificateFile /usr/local/apache2/conf/certs/webmail_2006.key
    SSLCertificateKeyFile /usr/local/apache2/conf/webmail_priv.pem
    SSLCACertificateFile /usr/local/apache2/conf/certs/ca-bundle2005.crt

# All other config goes here.......

</VirtualHost>


<VirtualHost 123.123.123.21:443>
    ServerName www.myserver.com
    DocumentRoot /usr/local/apache2/htdocs

    SSLEngine on
    SSLCertificateFile /usr/local/apache2/conf/certs/www_2005.key
    SSLCertificateKeyFile /usr/local/apache2/conf/lara3_priv.pem
    SSLCACertificateFile /usr/local/apache2/conf/certs/ca-bundle2005.crt

# All other config goes here.......

</VirtualHost>


You do this for each virtual host, remembering to use the same IP adsress for 
each virtual host in the corresponding HTTP and HTTPS virtual host configs.  
The only thing left to worry about is the IP stack - if you have too many 
IP's on the same network port, maybe your network connection will have 
problems because the IP stack may not handle it very well.

Hope this helps.

greetings from Austria
Markus


On Thursday 16 March 2006 10:11, Frédéric Jolliton wrote:
> Hi,
>
> [I already sent this message to modssl ML, but since it's about
> Apache 2 I'm not sure if this place was more appropriate.]
>
> (Apache 2.0.55, Linux 2.6)
>
> I can't find authoritative answer about the following question.
>
> I would like to be sure that I can have multiple VirtualHost
> configured simultaneously for HTTP and HTTPS (port 80 and port 443
> respectively) as presented below.
>
> If I've a certificate with 'cn' to '*.example.com' and the following
> Apache configuration, is that ok ? Currently it works fine, but I'm
> not sure if I'm relying on some unspecified/undefined behaviors.
>
> Also, is this dummy VirtualHost (the first one) the correct way to
> "force" a given port to answer HTTP instead of HTTPS ? (I know that
> it's the other way, where the "first" virtual host with enabled SSL
> determine port with HTTPS.)
>
> Again, there is no problems with this config, but I was just wondering
> about its validity.
>
> -=-=-
> Listen 80
> Listen 443
>
> NameVirtualHost *:80
> NameVirtualHost *:443
>
> <VirtualHost *:80>
>   # Dummy empty VirtualHost to ensure than port 80 is HTTP
> </VirtualHost>
>
> <VirtualHost *:80 *:443>
>   Include common-ssl.conf
>   ServerName foo.example.com
>   [..]
> </VirtualHost>
>
> <VirtualHost *:80 *:443>
>   Include common-ssl.conf
>   ServerName bar.example.com
>   [..]
> </VirtualHost>
> -=-=-
>
> and common-ssl.conf contains:
>
> -=-=-
> <IfModule mod_ssl.c>
>   SSLEngine on
>   SSLCertificateFile conf/ssl/web.example.com-cert.pem
>   SSLCertificateKeyFile conf/ssl/web.example.com-key.pem
>   SSLCertificateChainFile conf/ssl/root-cert.pem
>   [.. other SSL options ..]
> </IfModule>
> -=-=-

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message