httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robert Fox <>
Subject Re: [users@httpd] Virtual Hosts and SSL
Date Tue, 28 Nov 2006 13:35:13 GMT
You only need a separate IP for every virtual host if you are not using a wildcard certificate.
Wildcard certs cost a 
little more, but they are good for all hosts within a particular domain. Then, you can run
all of your vhosts on port 
443 with the same IP, and the cert will work for all of the vhosts.

Also, if you choose to go with a non-wildcard cert, you can actually run several virtual hosts
on the same IP, using 
different certs for each vhost, but then you are forced to run SSL over a non-standard port.
At that point, you need to 
tell Apache to listen on that port, and configure each of your virtual hosts to listen on
both port 80 and whatever port 
you assign it for SSL transactions. SSL binds to a particular socket, so it's a combination
of IP + port number that is 

And, it's always necessary to have a separate and complete set of configuration directives
for each port that a vhost 
runs under.


Frode E. Moe wrote:
> On Tue, Nov 28, 2006 at 09:09:20 +0000, Steve Swift wrote:
>>Where should I go to learn about configuring Virtual Hosts and SSL in the
>>same apache?
>>I have virtual hosts woking using "NameVirtualHost *:80"
>>SSL works for the Virtual Hosts *I* have defined
>>But in the (default) ssl.conf file installed with apache I find:
>><VirtualHost _default_:443>
>>SSLEngine on
>>SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
>>SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
>>... (other, less interesting lines)
>>What puzzles me is this:
>>The VirtualHost definition above seems to be working as SSL is finding the
>>Certificate File (otherwise how would SSL work at all?)
>>How is this VirtualHost definition working in conjunction with
>>"NameVirtualHost *:80" ?
> You need a separate IP for each SSL virtualhost, since SSL certificates
> are exchanged before any HTTP headers (especially the Host: header) are
> transferred. So my guess is that apache just picks the first SSL
> certificate applicable for a given IP. In other words, it makes no sense
> to use NameVirtualHost for SSL / port 443. I don't think your *:80 stuff
> makes any difference either way as that sould be independent of anything
> on :443.

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message