Author |
|
mightyspawn
Joined: 26 May 2006 Posts: 18
|
Posted: Wed 31 May '06 21:42 Post subject: how should a ssl virtualhost config look like? |
|
|
Well im using a ssl virtual host, working fine. But i can access it with all the domains which are forwarded to my address.
https://www.adres1.com goes to my secure site
https://www.adres2.com goes to my secure site
In my normal vhost the first vhost is for everything that is unknown to the server.
Is this also in the ssl conf? But if i add one extra i dont get the ssl page anymore instead i get a can not be viewed error page.
Hope someone could help
here my ssl conf
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
#SSLMutex file:logs/ssl_mutex
##
## SSL Virtual Host Context
##
#<VirtualHost *:443>
#</VirtualHost>
<VirtualHost *:443>
ServerAdmin webmaster@domain.com
ServerName blaat.com
<Directory "/beheer">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
DocumentRoot /beheer
#ScriptAlias /cgi-bin/ /usr/local/apache/share/htdocs/cgi-bin/
SSLEngine on
SSLCertificateFile conf/server.crt
SSLCertificateKeyFile conf/server.pem
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
I know its name based virtualhost, but i thought you could finally make more ssl virtualhosts with apache 2.2. |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Mon 31 Jul '06 16:47 Post subject: |
|
|
Try to put in the <VirtualHost *:443> container:
RewriteEngine on
RewriteRule /(.*) http://%{HTTP_HOST}/$1 [P,L]
Also you have comment out:
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_module modules/mod_proxy.so
Steffen |
|
Back to top |
|
Jorge
Joined: 12 Mar 2006 Posts: 376 Location: Belgium
|
Posted: Mon 31 Jul '06 18:49 Post subject: |
|
|
SSL hosts don't seem to work name based.
They only seem to when using IP's that a limitation of the SSL Protocal since the host name is encryted! |
|
Back to top |
|
ali_fareed
Joined: 04 Jul 2006 Posts: 61 Location: Bahrain
|
Posted: Mon 31 Jul '06 19:58 Post subject: |
|
|
no I dont think it's because of the ssl protocol the hostname is sent with the http request header on the application layer in the host: header you can read about it in rfc 2817 it must be something in the configuration or a bug in apache but the problem is not in the protocol.
http://www.ietf.org/rfc/rfc2817.txt |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Mon 31 Jul '06 20:19 Post subject: |
|
|
With my example above you can do it:
Define one 443 vhost with inside :
RewriteEngine on
RewriteRule /(.*) http://%{HTTP_HOST}/$1 [P,L]
This proxied to your other normal Vhosts.
Also to get rid of the browser warning that the domain name is not valid, use the tip at www.apachelounge.com/viewtopic.php?t=603
Steffen |
|
Back to top |
|
Jorge
Joined: 12 Mar 2006 Posts: 376 Location: Belgium
|
Posted: Tue 01 Aug '06 17:20 Post subject: |
|
|
ali_fareed wrote: | no I dont think it's because of the ssl protocol the hostname is sent with the http request header on the application layer in the host: header you can read about it in rfc 2817 it must be something in the configuration or a bug in apache but the problem is not in the protocol.
http://www.ietf.org/rfc/rfc2817.txt |
I hate to burst your buble:
Quote: | <sjorge> have i missed something? some guy is claiming namebase virtual hosting is posible with ssl?
<sjorge> I though that the host header was encrypted aswel
<chipig> it is.
<sjorge> as in? its encrypted or its posiible?
<chipig> it is encrypted
<chipig> possible = Server Name Indication (SNI) or SSL Upgrade.
<quasi> or a few other options
<chipig> SNI is supported by Mozilla Trunk, Opera 8+, and IE 7.0+
<chipig> its gonna win.
<rooneg> too bad it won't make it into firefox 2
<chipig> horray sni.
<sjorge> erm, httpd 2.2 suports that atm? or is that planned form 2.3/3?
<quasi> http://wiki.cacert.org/wiki/VhostTaskForce
<chipig> rooneg: it might.
<chipig> sjorge: httpd 2.2 out of the box does not.
<sjorge> ok thanks
<rooneg> chipig: didn't sound likely rom the conversations with gerv at OSCON
<chipig> sjorge: there has been a ~50 line patch adding it to mod_ssl posted.
<chipig> sjorge: mod_gnutls also supports it natively.
<chipig> rooneg: thats too bad.
<chipig> sjorge: it also requires a development version of OpenSSL
<sjorge> ok so the easy awser to feed this little lost soil = not possible atm without huge huge amounts of work
<chipig> correct | [/code] |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Tue 01 Aug '06 17:50 Post subject: |
|
|
I am using, as decribed above, One certificate for all my Name based Vhosts.
Steffen |
|
Back to top |
|
ali_fareed
Joined: 04 Jul 2006 Posts: 61 Location: Bahrain
|
Posted: Tue 01 Aug '06 21:16 Post subject: |
|
|
yeah the request header is encrypted but http namebased virtualhosts are application based it works by reading your host: header for example an apache server with ip address 72.36.213.18 may have several dns names when I enter foobar.com in my browser the request is sent like this by IE
Code: | GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shock
wave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application
/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0
.50727; FDM)
Host: foobar.com
Connection: Keep-Alive |
thats what apache uses if you read the manual pages of course if it is using ssl the request will be encrypted the server will decrypt the header and read the request host: header and will respond with foobar.com virtualhost page but if for example ali.com also exists and I request it my browser will send the request with host:ali.com and such rfc 2817 says "Rather than allocating multiple IP addresses to a single host,an
HTTP/1.1 server will use the Host: header to disambiguate the
intended web service. As HTTP/1.1 usage has grown more prevalent,
more ISPs are offering name-based virtual hosting, thus delaying IP
address space exhaustion. " this is coming fom the site of the people who make the standards the internet engineering taskforce the site you mentioned http://wiki.cacert.org/wiki/VhostTaskForce discusses the use of one certificate for several virtualhosts "Currently the different browsers, servers and CA´s all implement different and incompatible ways to use SSL certificates for several VHosts on the same server. ". |
|
Back to top |
|
ali_fareed
Joined: 04 Jul 2006 Posts: 61 Location: Bahrain
|
Posted: Tue 01 Aug '06 22:54 Post subject: |
|
|
ok I just thought about it and I think I get what you mean I was speaking about using one certificate for all virtualhosts like what steffen is doing but you were speaking about using a certificate for every virtualhost so the request must be encrypted by one of the public keys although you can upgrade from within http 1.1 like what the rfc specifies so if thats what you mean i'm really sorry your right in that case you cant connect directly using ssl to name based virtualhost you wil have to first connect using normal http than upgrade to ssl from within the connection. |
|
Back to top |
|
Jorge
Joined: 12 Mar 2006 Posts: 376 Location: Belgium
|
Posted: Wed 02 Aug '06 10:11 Post subject: |
|
|
Steffen wrote: | I am using, as decribed above, One certificate for all my Name based Vhosts.
Steffen |
Correct but they won't be valid certificated since atleast on 2 doimains the hostname doesn't match the certificate.... allthough a * certificate could fix that but there very expensive |
|
Back to top |
|
admin Site Admin
Joined: 15 Oct 2005 Posts: 692
|
Posted: Wed 02 Aug '06 10:29 Post subject: |
|
|
All my domains are matching with a self created test certificate.
Steffen |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
|
Back to top |
|
hph
Joined: 30 Aug 2006 Posts: 2
|
Posted: Wed 30 Aug '06 22:33 Post subject: |
|
|
Cool stuff. I was able to create certificates but the virtual host configuration is not really working. Not really working means the rewriterule doesn't really work.
Code: | <IfModule mod_ssl.c>
Listen 443
<VirtualHost a.b.c.d:443>
SSLEngine on
SSLCertificateFile /etc/ssl/certs/multicert.crt
SSLCertificateKeyFile /etc/ssl/private/multikey.pem
<Directory "/var/www">
Order allow,deny
Allow from all
RewriteEngine on
RewriteRule /(.*) http://%{HTTP_HOST}/$1 [P,L]
</Directory>
ErrorLog /var/log/apache2/error.log-443
LogLevel warn
CustomLog /var/log/apache2/access.log-443 combined
</VirtualHost>
</IfModule> |
So far so good ... when I tried this the error log said:
[Wed Aug 30 22:26:17 2006] [error] [client 8a.b.c.d] File does not exist: /htdocs
???
I have no clue where that /htdocs comes from. I linked a webfolder to /htdocs (yes, under root!) and I saw it's content when using https (with any hostname pointing to that server).
Any ideas? Steffen, maybe you could post your Virtual Host config?
Cheers,
Heinz Peter ('HP') |
|
Back to top |
|
hph
Joined: 30 Aug 2006 Posts: 2
|
Posted: Thu 31 Aug '06 11:03 Post subject: |
|
|
Slept a night over it. Worked. Problem solved. See below.
Code: | <IfModule mod_ssl.c>
Listen 443
<VirtualHost a.b.c.d:443>
SSLEngine on
SSLCertificateFile /etc/ssl/certs/multicert.crt
SSLCertificateKeyFile /etc/ssl/private/multikey.pem
RewriteEngine on
RewriteRule /(.*) http://%{HTTP_HOST}/$1 [P,L]
ErrorLog /var/log/apache2/error.log-443
LogLevel warn
CustomLog /var/log/apache2/access.log-443 combined
</VirtualHost>
</IfModule> |
Cheers,
Heinz Peter ('HP') |
|
Back to top |
|