httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tom Evans <tevans...@googlemail.com>
Subject Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts
Date Wed, 08 Dec 2010 12:45:01 GMT
On Wed, Dec 8, 2010 at 12:21 PM,  <breg@kanka.de> wrote:
> Hello,
>
> On 08.12.2010 12:48, Tom Evans wrote:
>>
>> Until the incoming request has been received and decrypted, apache has
>> no clue that the domain requested was 'not-ssl-configured-domain.xx'.
>> That's kind of the point of SSL.
>
> Ok, thanks for pointing that out.
>
>> Apache determines which vhost to use to send certificates from based
>> on the ip:port, since no other information is available.
>
> Makes perfect sense.
>
>> Because of this, if you have two hosts, www.hosta.com and
>> www.hostb.com, that resolve to the same IP address, and configure SSL
>> for www.hosta.com, then requesting www.hostb.com via SSL will connect
>> and handshake using certificates from www.hosta.com ...
>
> Fine so far ...
>
>> ... and serve data from the www.hosta.com vhost.
>
> .. but at this point apache knows that there is something wrong with the
> request or the configuration, and should throw an error instead of serving
> the wrong data.

Typically, you don't even get to that point. Most browsers will throw
a fit if they request www.hostb.com and are served certificates for
www.hosta.com.

The best way to avoid this problem is not dummy vhosts, it is to not
serve multiple websites from the same IP if you intend on handling SSL
for any one of those websites and not the others. SSL sites that share
a certificate (eg, if you have a wildcard certificate) are fine to
share an IP.

>
>> It's not quirky, it's a direct consequence of how things work, ..
>
> Look at my "solution" - having to define a dummy-vhost to catch the
> ssl-requests for all domains not explicitely ssl-defined, in order to
> restrain the service to the one domain it was meant for.

But you still able to connect and request https://www.hostb.com/, it
will still fail with a certificate error message to the user that
doesn't make sense. It is better if the site does not exist, that you
cannot connect to it, which you cannot do if you share an IP. To my
mind, this is a consequence of choosing a less than ideal hosting
structure, Apache shouldn't/can't do any more.

> At least at this point a kind of "ServerName ... exclusive" directive for
> the config (and logic behind) could make sense, or maybe it exists and my
> weary eyes overread it.
>
> / Bernd
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>  "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message