logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: how should a ssl virtualhost config look like?
Author
mightyspawn



Joined: 26 May 2006
Posts: 18

PostPosted: Wed 31 May '06 21:42    Post subject: how should a ssl virtualhost config look like? Reply with quote

Well im using a ssl virtual host, working fine. But i can access it with all the domains which are forwarded to my address.

https://www.adres1.com goes to my secure site
https://www.adres2.com goes to my secure site

In my normal vhost the first vhost is for everything that is unknown to the server.

Is this also in the ssl conf? But if i add one extra i dont get the ssl page anymore instead i get a can not be viewed error page.

Hope someone could help

here my ssl conf

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
#SSLMutex file:logs/ssl_mutex

##
## SSL Virtual Host Context
##
#<VirtualHost *:443>
#</VirtualHost>

<VirtualHost *:443>
ServerAdmin webmaster@domain.com
ServerName blaat.com
<Directory "/beheer">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
DocumentRoot /beheer

#ScriptAlias /cgi-bin/ /usr/local/apache/share/htdocs/cgi-bin/
SSLEngine on
SSLCertificateFile conf/server.crt
SSLCertificateKeyFile conf/server.pem
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

I know its name based virtualhost, but i thought you could finally make more ssl virtualhosts with apache 2.2.
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Mon 31 Jul '06 16:47    Post subject: Reply with quote

Try to put in the <VirtualHost *:443> container:


RewriteEngine on
RewriteRule /(.*) http://%{HTTP_HOST}/$1 [P,L]


Also you have comment out:

LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_module modules/mod_proxy.so


Steffen
Back to top
Jorge



Joined: 12 Mar 2006
Posts: 376
Location: Belgium

PostPosted: Mon 31 Jul '06 18:49    Post subject: Reply with quote

SSL hosts don't seem to work name based.
They only seem to when using IP's that a limitation of the SSL Protocal since the host name is encryted!
Back to top
ali_fareed



Joined: 04 Jul 2006
Posts: 61
Location: Bahrain

PostPosted: Mon 31 Jul '06 19:58    Post subject: Reply with quote

no I dont think it's because of the ssl protocol the hostname is sent with the http request header on the application layer in the host: header you can read about it in rfc 2817 it must be something in the configuration or a bug in apache but the problem is not in the protocol.

http://www.ietf.org/rfc/rfc2817.txt
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Mon 31 Jul '06 20:19    Post subject: Reply with quote

With my example above you can do it:

Define one 443 vhost with inside :

RewriteEngine on
RewriteRule /(.*) http://%{HTTP_HOST}/$1 [P,L]

This proxied to your other normal Vhosts.

Also to get rid of the browser warning that the domain name is not valid, use the tip at www.apachelounge.com/viewtopic.php?t=603

Steffen
Back to top
Jorge



Joined: 12 Mar 2006
Posts: 376
Location: Belgium

PostPosted: Tue 01 Aug '06 17:20    Post subject: Reply with quote

ali_fareed wrote:
no I dont think it's because of the ssl protocol the hostname is sent with the http request header on the application layer in the host: header you can read about it in rfc 2817 it must be something in the configuration or a bug in apache but the problem is not in the protocol.

http://www.ietf.org/rfc/rfc2817.txt


I hate to burst your buble:
Quote:
<sjorge> have i missed something? some guy is claiming namebase virtual hosting is posible with ssl?
<sjorge> I though that the host header was encrypted aswel
<chipig> it is.
<sjorge> as in? its encrypted or its posiible?
<chipig> it is encrypted
<chipig> possible = Server Name Indication (SNI) or SSL Upgrade.
<quasi> or a few other options
<chipig> SNI is supported by Mozilla Trunk, Opera 8+, and IE 7.0+
<chipig> its gonna win.
<rooneg> too bad it won't make it into firefox 2
<chipig> horray sni.
<sjorge> erm, httpd 2.2 suports that atm? or is that planned form 2.3/3?
<quasi> http://wiki.cacert.org/wiki/VhostTaskForce
<chipig> rooneg: it might.
<chipig> sjorge: httpd 2.2 out of the box does not.
<sjorge> ok thanks
<rooneg> chipig: didn't sound likely rom the conversations with gerv at OSCON
<chipig> sjorge: there has been a ~50 line patch adding it to mod_ssl posted.
<chipig> sjorge: mod_gnutls also supports it natively.
<chipig> rooneg: thats too bad.
<chipig> sjorge: it also requires a development version of OpenSSL
<sjorge> ok so the easy awser to feed this little lost soil = not possible atm without huge huge amounts of work
<chipig> correct
[/code]
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Tue 01 Aug '06 17:50    Post subject: Reply with quote

I am using, as decribed above, One certificate for all my Name based Vhosts.


Steffen
Back to top
ali_fareed



Joined: 04 Jul 2006
Posts: 61
Location: Bahrain

PostPosted: Tue 01 Aug '06 21:16    Post subject: Reply with quote

yeah the request header is encrypted but http namebased virtualhosts are application based it works by reading your host: header for example an apache server with ip address 72.36.213.18 may have several dns names when I enter foobar.com in my browser the request is sent like this by IE

Code:
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shock
wave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application
/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0
.50727; FDM)
Host: foobar.com
Connection: Keep-Alive


thats what apache uses if you read the manual pages of course if it is using ssl the request will be encrypted the server will decrypt the header and read the request host: header and will respond with foobar.com virtualhost page but if for example ali.com also exists and I request it my browser will send the request with host:ali.com and such rfc 2817 says "Rather than allocating multiple IP addresses to a single host,an
HTTP/1.1 server will use the Host: header to disambiguate the
intended web service. As HTTP/1.1 usage has grown more prevalent,
more ISPs are offering name-based virtual hosting, thus delaying IP
address space exhaustion. " this is coming fom the site of the people who make the standards the internet engineering taskforce the site you mentioned http://wiki.cacert.org/wiki/VhostTaskForce discusses the use of one certificate for several virtualhosts "Currently the different browsers, servers and CA´s all implement different and incompatible ways to use SSL certificates for several VHosts on the same server. ".
Back to top
ali_fareed



Joined: 04 Jul 2006
Posts: 61
Location: Bahrain

PostPosted: Tue 01 Aug '06 22:54    Post subject: Reply with quote

ok I just thought about it and I think I get what you mean I was speaking about using one certificate for all virtualhosts like what steffen is doing but you were speaking about using a certificate for every virtualhost so the request must be encrypted by one of the public keys although you can upgrade from within http 1.1 like what the rfc specifies so if thats what you mean i'm really sorry your right in that case you cant connect directly using ssl to name based virtualhost you wil have to first connect using normal http than upgrade to ssl from within the connection.
Back to top
Jorge



Joined: 12 Mar 2006
Posts: 376
Location: Belgium

PostPosted: Wed 02 Aug '06 10:11    Post subject: Reply with quote

Steffen wrote:
I am using, as decribed above, One certificate for all my Name based Vhosts.

Steffen


Correct but they won't be valid certificated since atleast on 2 doimains the hostname doesn't match the certificate.... allthough a * certificate could fix that but there very expensive
Back to top
admin
Site Admin


Joined: 15 Oct 2005
Posts: 692

PostPosted: Wed 02 Aug '06 10:29    Post subject: Reply with quote

All my domains are matching with a self created test certificate.


Steffen
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Wed 02 Aug '06 11:01    Post subject: Reply with quote

http://www.apachelounge.com/viewtopic.php?t=603 Wink
You need only one!!! Wink
Back to top
hph



Joined: 30 Aug 2006
Posts: 2

PostPosted: Wed 30 Aug '06 22:33    Post subject: Reply with quote

Cool stuff. I was able to create certificates but the virtual host configuration is not really working. Not really working means the rewriterule doesn't really work.
Code:
<IfModule mod_ssl.c>
        Listen 443
        <VirtualHost a.b.c.d:443>
            SSLEngine on
            SSLCertificateFile    /etc/ssl/certs/multicert.crt
            SSLCertificateKeyFile /etc/ssl/private/multikey.pem

            <Directory "/var/www">
                Order allow,deny
                Allow from all
                RewriteEngine on
                RewriteRule /(.*) http://%{HTTP_HOST}/$1 [P,L]
            </Directory>
            ErrorLog /var/log/apache2/error.log-443
            LogLevel warn
            CustomLog /var/log/apache2/access.log-443 combined

        </VirtualHost>
</IfModule>

So far so good ... when I tried this the error log said:
[Wed Aug 30 22:26:17 2006] [error] [client 8a.b.c.d] File does not exist: /htdocs

???

I have no clue where that /htdocs comes from. I linked a webfolder to /htdocs (yes, under root!) and I saw it's content when using https (with any hostname pointing to that server).

Any ideas? Steffen, maybe you could post your Virtual Host config?

Cheers,
Heinz Peter ('HP')
Back to top
hph



Joined: 30 Aug 2006
Posts: 2

PostPosted: Thu 31 Aug '06 11:03    Post subject: Reply with quote

Slept a night over it. Worked. Problem solved. See below.

Code:
<IfModule mod_ssl.c>
        Listen 443
        <VirtualHost a.b.c.d:443>
            SSLEngine on
            SSLCertificateFile    /etc/ssl/certs/multicert.crt
            SSLCertificateKeyFile /etc/ssl/private/multikey.pem

            RewriteEngine on
            RewriteRule /(.*) http://%{HTTP_HOST}/$1 [P,L]
            ErrorLog /var/log/apache2/error.log-443
            LogLevel warn
            CustomLog /var/log/apache2/access.log-443 combined

        </VirtualHost>
</IfModule>


Cheers,
Heinz Peter ('HP')
Back to top


Reply to topic   Topic: how should a ssl virtualhost config look like? View previous topic :: View next topic
Post new topic   Forum Index -> Apache