httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael" <michael-mailingl...@sallaway.com>
Subject [users@httpd] SSL name based virtualhosts -- no, not the normal question!
Date Mon, 09 Apr 2007 16:04:09 GMT
Hi everyone,

I'm having issues with getting SSL and virtualhosts working with Apache.
Now, before you point me at the FAQ, it's not the obvious question. What I'm
trying to do is get multiple HTTPS hosts working on the same IP -- but using
a wildcard SSL certificate.

My config is doing using mod_perl configuration, and I've copied it below.
Essentially, the idea is that I have a directory tree that looks like
/srv/www/<ip>/<domain-name>/[content|secure_content]/<subdomain>/ . That
way, I can just make a new directory/subdomain/etc., reload the apache
config, and it's all done and listening for me. And, since you can only have
one SSL cert per IP, I just have /srv/www/<ip>/server.crt and server.key --
and that's the certificate used for that IP (so any HTTPS vhost created for
that IP will use that certificate). You may think that's a bit weird, but
there's a few circumstances that I want to use that - for example, wildcard
certificates I can have many vhosts per IP (within the same domain), and
also other times when I don't care if it cert mismatches, I just want an SSL
connection.

Anyway, the HTTP stuff is working great, and the config *appears* to check
out OK: 

[ root@bob:~ ] # apache2 -S
VirtualHost configuration:
1.2.3.4:80     is a NameVirtualHost
 default server www.non.existant.host.com
(/etc/apache2/sites-enabled/allsites-1-custom:5)
 port 80 namevhost www.non.existant.host.com
(/etc/apache2/sites-enabled/allsites-1-custom:5)
 port 80 namevhost sallaway.org (mod_perl:121)
 port 80 namevhost www.sallaway.org (mod_perl:177)
1.2.3.4:443    is a NameVirtualHost
 default server www.non.existant.host.com
(/etc/apache2/sites-enabled/allsites-1-custom:8)
 port 443 namevhost www.non.existant.host.com
(/etc/apache2/sites-enabled/allsites-1-custom:8)
 port 443 namevhost sallaway.org (mod_perl:1)
 port 443 namevhost www.sallaway.org (mod_perl:78)
Syntax OK


and when I try to reload the config file, it warns about SSL conflicts,
which I can live with (error.log):

[warn] Init: SSL server IP/port conflict: bob.sallaway.org:443 (mod_perl:12)
vs. www.sallaway.org:443 (mod_perl:78)
[warn] Init: SSL server IP/port conflict: sallaway.org:443 (mod_perl:1) vs.
www.sallaway.org:443 (mod_perl:78)
[warn] Init: You should not use name-based virtual hosts in conjunction with
SSL!!


I was sort of hoping "hmmm, they're just warnings, maybe it will be OK", but
it appears not -- when I load the page, it gives me a "Connection
Interrupted" or "Action Cancelled" (pick your browser) and I get this in the
error.log:

[error] [client 192.168.0.4] Invalid method in request \x80L\x01\x03


Does anyone have any ideas what I can do to fix it at all, or why it's
happening? Or, if nothing else, how I can diagnose it further? :-)

Thanks for your help.

Cheers,
Michael


--------------------------------------------------------


Server version: Apache/2.2.3
Server built:   Mar 27 2007 15:06:55


relevant apache config:


NameVirtualHost 1.2.3.4:80
NameVirtualHost 1.2.3.4:443

<VirtualHost 1.2.3.4:80>
  ServerName www.non.existant.host.com
</VirtualHost>
<VirtualHost 1.2.3.4:443>
  ServerName www.non.existant.host.com
</VirtualHost>

<Perl>
  my $www_path = "/srv/www";
  my @ip_array;
  my $ip_number;
  my @subdomain_array;
  my $subdomain_name;
  my $subdomain_address;
  my $domain_name;

  for $ip (<$www_path/*>) {

    @ip_array = split /\//, "$ip";
    $ip_number = $ip_array[-1];

    for $domain (<$ip/*>) {

      for $http_subdomain (<$domain/content/*>) {

        @subdomain_array = split /\//, "$http_subdomain";
        $subdomain_name = $subdomain_array[-1];
        $subdomain_address = $subdomain_name . ".";
        $domain_name = $subdomain_array[-3];

        $subdomain_address = "" if $subdomain_name eq "_";

        push @{ $VirtualHost{"$ip_number:80"} },
        {
          ServerName => "${subdomain_address}${domain_name}",
          DocumentRoot => "${domain}/content/${subdomain_name}",
          ServerSignature => "On",
          ErrorLog => "$domain/logs/error.log",
          CustomLog => ["$domain/logs/access.log", "virtual"],
          LogLevel => "warn",
        };
      };

      next if ! -e "$ip/server.crt";
      next if ! -e "$ip/server.key";

      for $https_subdomain (<$domain/secure_content/*>) {

        @subdomain_array = split /\//, "$https_subdomain";
        $subdomain_name = $subdomain_array[-1];
        $subdomain_address = $subdomain_name . ".";
        $domain_name = $subdomain_array[-3];

        $subdomain_address = "" if $subdomain_name eq "_";

        push @{ $VirtualHost{"$ip_number:443"} },
        {
          ServerName => "${subdomain_address}${domain_name}",
          DocumentRoot => "${domain}/secure_content/${subdomain_name}",
          ServerSignature => "On",
          ErrorLog => "$domain/logs/error.log",
          CustomLog => ["$domain/logs/access.log", "virtual"],
          LogLevel => "warn",
          SSLEngine => "on",
          SSLCertificateFile => "$ip/server.crt",
          SSLCertificateKeyFile => "$ip/server.key",
        };
      };
    };
  };

</Perl>


ExtendedStatus On

<Location /server-status>
  SetHandler server-status
  Order allow,deny
  Allow from all
</Location>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message