Page last updated:
2003 May 15 13:45

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] Setting up VirtualHosts



"Jay Strauss" <me@heyjay.com> writes:

> what I'm trying to do is impossible,
>
> http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts
>
> I'm using apache1 but I'm sure it applies

Hello Jay,

Comments below.

>> I'm googling all over, trying everything, and can't get this to
>> work.  My server works both ssl/clear text (from before I started
>> messing with this).
>>
>> I want my server to respond to:
>>     testwww.heyjay.com
>>     www.heyjay.com
>>     testssl.heyjay.com
>>     ssl.heyjay.com

Each of the ssl servers is going to need its own IP address.
apache+mod_ssl just doesn't work any other way (well ok, different
ports work too).  This is in the faq for apache+mod_ssl.

     "Why is it not possible to use Name-Based Virtual Hosting to
     identify different SSL virtual hosts?"

     http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts2

>>
>> NameVirtualHost *
^^^^^^^^^^^^^^^^^^^^ You need more of these. Let's start with ip
addresses.  I will use 10.0.0/8 addresses in this example.  You will
need something like this:

     DNS settings:
     testwww.heyjay.com   10.0.0.1
     www.heyjay.com       10.0.0.1
     testssl.heyjay.com   10.0.0.1
     ssl.heyjay.com       10.0.0.2

You can put the non-ssl servers all on the same ip, even one that
serves ssl traffic too.  One ssl server per ip address though, or at
least put each of them on a distinct weird non-standard port.  This
example puts each ssl server on a distinct ip address.

Get apache to listen on the right ip addresses and ports.

     listen 10.0.0.1:80
     listen 10.0.0.1:443
     listen 10.0.0.2:443

Set up the NameVirtualHost directives.  These should match your listen
statements.  Once you put ip/port combinations in NameVirtualHost
directives, you can't use wildcard NameVirtualHost directives (like
you have above), or wildcard VirtualHost directives.

     NameVirtualHost 10.0.0.1:80
     NameVirtualHost 10.0.0.1:443
     NameVirtualHost 10.0.0.2:443

Now the VirtualHost sections:

>> <VirtualHost testwww.heyjay.com:80>

Change the line above to:
<VirtualHost 10.0.0.1:80>

>>    ServerName  testwww.heyjay.com
>>    SSLEngine off
>>    DocumentRoot /var/www/heyjay/testwww
>> </VirtualHost>
>>
>> <VirtualHost www.heyjay.com:80>

Change the line above to:
<VirtualHost 10.0.0.1:80>

>>    ServerName  www.heyjay.com
>>    SSLEngine off
>>    DocumentRoot /var/www/heyjay/www
>> </VirtualHost>
>>
>> <VirtualHost testssl:443>

Change the line above to:
<VirtualHost 10.0.0.1:443>

>>    ServerName  testssl.heyjay.com
>>    DocumentRoot /var/www/heyjay/testssl
>>    SSLEngine on
>>    SSLCertificateFile server.crt
>>    SSLCertificateKeyFile server.key
>>    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
>> </VirtualHost>
>>
>> <VirtualHost ssl.heyjay.com:443>

Change the line above to:
<VirtualHost 10.0.0.2:443>

>>    ServerName  ssl.heyjay.com
>>    DocumentRoot /var/www/heyjay/ssl
>>    SSLEngine on
>>    SSLCertificateFile server.crt
>>    SSLCertificateKeyFile server.key
>>    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
>> </VirtualHost>

Both your ssl vhost sections above refer to the same cert.  Use one
certificate for each SSL server.  This way you can give users the
option of telling their browsers to remember your cert and not bug the
user next time they load the page.

I like to strip the passphrase from my certs because I don't like to
enter a passphrase each time I restart the server, reboot or
otherwise.  <disclaimer>I am aware of the risks of doing this.  You
should decide if you are ok with those risks before stripping the
passphrase from your certs. This setup works for me, make sure it
works for you.</disclaimer>

#apache on freenode is a good irc channel for this sort of thing on a
real time basis.

Hope that helps.  Good luck.

-- 
Ricardo Anguiano
http://www.codesourcery.com
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
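
Added example, not part of the original post or of Apache itself: a small Python check for the rules the reply gives (every SSL vhost on its own literal ip:port, one certificate per SSL server), run against a constructed copy of the poster's original layout. It assumes a server without SNI, as in the post, and one IPv4 address per <VirtualHost> line; lint_ssl_vhosts, directive and SAMPLE_CONF are names made up for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the poster's original layout, trimmed to the relevant directives.
SAMPLE_CONF = """
<VirtualHost testwww.heyjay.com:80>
   ServerName  testwww.heyjay.com
   SSLEngine off
</VirtualHost>
<VirtualHost testssl:443>
   ServerName  testssl.heyjay.com
   SSLEngine on
   SSLCertificateFile server.crt
</VirtualHost>
<VirtualHost ssl.heyjay.com:443>
   ServerName  ssl.heyjay.com
   SSLEngine on
   SSLCertificateFile server.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)
IP_PORT_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}:\d+$")  # literal IPv4:port only


def directive(body, name):
    """Return the first argument of directive `name` in a vhost body, or None."""
    m = re.search(rf"^\s*{name}\s+(\S+)", body, re.M | re.I)
    return m.group(1) if m else None


def lint_ssl_vhosts(conf):
    """Return a sorted list of findings for the SSL vhost rules in the post."""
    findings, by_addr, by_cert = [], defaultdict(list), defaultdict(list)
    for addr, body in VHOST_RE.findall(conf):
        if (directive(body, "SSLEngine") or "off").lower() != "on":
            continue  # non-SSL vhosts may share one ip:port and be told apart by name
        name = directive(body, "ServerName") or addr
        if not IP_PORT_RE.match(addr):
            findings.append(f"{name}: SSL vhost address '{addr}' is not ip:port")
        by_addr[addr.lower()].append(name)
        by_cert[directive(body, "SSLCertificateFile")].append(name)
    for addr, names in by_addr.items():
        if len(names) > 1:
            findings.append(f"{addr}: shared by SSL vhosts {', '.join(names)}")
    for cert, names in by_cert.items():
        if cert and len(names) > 1:
            findings.append(f"{cert}: one certificate used by {', '.join(names)}")
    return sorted(findings)
```

Calling lint_ssl_vhosts(SAMPLE_CONF) reports the two hostname-based SSL vhost addresses and the shared server.crt; a layout with each SSL vhost on its own ip:port and its own certificate file returns an empty list.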