Return-Path: 
 <users-return-61209-apmail-httpd-users-archive=httpd.apache.org@httpd.apache.org>
Delivered-To: apmail-httpd-users-archive@www.apache.org
Received: (qmail 70751 invoked from network); 16 Mar 2006 11:14:43 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199)
  by minotaur.apache.org with SMTP; 16 Mar 2006 11:14:43 -0000
Received: (qmail 12590 invoked by uid 500); 16 Mar 2006 11:14:34 -0000
Delivered-To: apmail-httpd-users-archive@httpd.apache.org
Received: (qmail 12571 invoked by uid 500); 16 Mar 2006 11:14:33 -0000
Mailing-List: contact users-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: users@httpd.apache.org
list-help: <mailto:users-help@httpd.apache.org>
list-unsubscribe: <mailto:users-unsubscribe@httpd.apache.org>
List-Post: <mailto:users@httpd.apache.org>
List-Id: <users.httpd.apache.org>
Delivered-To: mailing list users@httpd.apache.org
Received: (qmail 12559 invoked by uid 99); 16 Mar 2006 11:14:33 -0000
Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 16 Mar 2006 03:14:33 -0800
X-ASF-Spam-Status: No, hits=-0.0 required=10.0
	tests=SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (asf.osuosl.org: domain of mymaillists@gmx.at designates
 213.165.64.20 as permitted sender)
Received: from [213.165.64.20] (HELO mail.gmx.net) (213.165.64.20)
    by apache.org (qpsmtpd/0.29) with SMTP; Thu, 16 Mar 2006 03:14:32 -0800
Received: (qmail invoked by alias); 16 Mar 2006 11:14:10 -0000
Received: from bandicoot.cc.meduniwien.ac.at (EHLO bandicoot) [149.148.52.89]
  by mail.gmx.net (mp033) with SMTP; 16 Mar 2006 12:14:10 +0100
X-Authenticated: #24019945
From: Markus Mayer <mymaillists@gmx.at>
To: users@httpd.apache.org
Date: Thu, 16 Mar 2006 12:14:10 +0100
User-Agent: KMail/1.8.2
References: <868xra3fhe.fsf@mau.intra.tuxee.net>
In-Reply-To: <868xra3fhe.fsf@mau.intra.tuxee.net>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Message-Id: <200603161214.10191.mymaillists@gmx.at>
X-Y-GMX-Trusted: 0
X-Virus-Checked: Checked by ClamAV on apache.org
Subject: Re: [users@httpd] Are multiple <VirtualHost *:80 *:443> ok with
 wildcard cert ?
X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N

Hi,

Actually, having multiple HTTPS virtual hosts on the same IP address is not=
=20
possible becasue of limitations in SSL itself. =20

The correct and only way to handle this is to use a different IP address fo=
r=20
each host for which you want an HTTPS.  That means setting up your servers=
=20
net interface to have multipel IP addresses, which is a simple matter on al=
l=20
systems (AIX is a kind of exception though).

You will need separate certificates for each virtual host for which you wan=
t=20
to have an HTTPS.  The config is also relatively simple.  An example is:


NameVirtualHost 123.123.123.20:80
<VirtualHost webmail.myserver.com:80>
    ServerName webmail.myserver.com
    DocumentRoot /usr/local/apache2/htdocs/mail

    SSLEngine on
    SSLCertificateFile /usr/local/apache2/conf/certs/webmail_2006.key
    SSLCertificateKeyFile /usr/local/apache2/conf/webmail_priv.pem
    SSLCACertificateFile /usr/local/apache2/conf/certs/ca-bundle2005.crt

# All other config goes here.......

</VirtualHost>

<VirtualHost 123.123.123.21:80>
    ServerName www.myserver.com
    DocumentRoot /usr/local/apache2/htdocs

    SSLEngine on
    SSLCertificateFile /usr/local/apache2/conf/certs/www_2005.key
    SSLCertificateKeyFile /usr/local/apache2/conf/lara3_priv.pem
    SSLCACertificateFile /usr/local/apache2/conf/certs/ca-bundle2005.crt

# All other config goes here.......

</VirtualHost>


NameVirtualHost 123.123.123.20:443
<VirtualHost webmail.myserver.com:443>
    ServerName webmail.myserver.com
    DocumentRoot /usr/local/apache2/htdocs/mail

    SSLEngine on
    SSLCertificateFile /usr/local/apache2/conf/certs/webmail_2006.key
    SSLCertificateKeyFile /usr/local/apache2/conf/webmail_priv.pem
    SSLCACertificateFile /usr/local/apache2/conf/certs/ca-bundle2005.crt

# All other config goes here.......

</VirtualHost>


<VirtualHost 123.123.123.21:443>
    ServerName www.myserver.com
    DocumentRoot /usr/local/apache2/htdocs

    SSLEngine on
    SSLCertificateFile /usr/local/apache2/conf/certs/www_2005.key
    SSLCertificateKeyFile /usr/local/apache2/conf/lara3_priv.pem
    SSLCACertificateFile /usr/local/apache2/conf/certs/ca-bundle2005.crt

# All other config goes here.......

</VirtualHost>


You do this for each virtual host, remembering to use the same IP adsress f=
or=20
each virtual host in the corresponding HTTP and HTTPS virtual host configs.=
 =20
The only thing left to worry about is the IP stack - if you have too many=20
IP's on the same network port, maybe your network connection will have=20
problems because the IP stack may not handle it very well.

Hope this helps.

greetings from Austria
Markus


On Thursday 16 March 2006 10:11, Fr=E9d=E9ric Jolliton wrote:
> Hi,
>
> [I already sent this message to modssl ML, but since it's about
> Apache 2 I'm not sure if this place was more appropriate.]
>
> (Apache 2.0.55, Linux 2.6)
>
> I can't find authoritative answer about the following question.
>
> I would like to be sure that I can have multiple VirtualHost
> configured simultaneously for HTTP and HTTPS (port 80 and port 443
> respectively) as presented below.
>
> If I've a certificate with 'cn' to '*.example.com' and the following
> Apache configuration, is that ok ? Currently it works fine, but I'm
> not sure if I'm relying on some unspecified/undefined behaviors.
>
> Also, is this dummy VirtualHost (the first one) the correct way to
> "force" a given port to answer HTTP instead of HTTPS ? (I know that
> it's the other way, where the "first" virtual host with enabled SSL
> determine port with HTTPS.)
>
> Again, there is no problems with this config, but I was just wondering
> about its validity.
>
> -=3D-=3D-
> Listen 80
> Listen 443
>
> NameVirtualHost *:80
> NameVirtualHost *:443
>
> <VirtualHost *:80>
>   # Dummy empty VirtualHost to ensure than port 80 is HTTP
> </VirtualHost>
>
> <VirtualHost *:80 *:443>
>   Include common-ssl.conf
>   ServerName foo.example.com
>   [..]
> </VirtualHost>
>
> <VirtualHost *:80 *:443>
>   Include common-ssl.conf
>   ServerName bar.example.com
>   [..]
> </VirtualHost>
> -=3D-=3D-
>
> and common-ssl.conf contains:
>
> -=3D-=3D-
> <IfModule mod_ssl.c>
>   SSLEngine on
>   SSLCertificateFile conf/ssl/web.example.com-cert.pem
>   SSLCertificateKeyFile conf/ssl/web.example.com-key.pem
>   SSLCertificateChainFile conf/ssl/root-cert.pem
>   [.. other SSL options ..]
> </IfModule>
> -=3D-=3D-

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org