Posted to users@httpd.apache.org by br...@kanka.de on 2010/12/07 19:08:51 UTC

[users@httpd] Alias-ed directory appears on multiple virtual hosts

Hello,

I've switched to a new debian server with apache 2.2.9 and installed the
'phppgadmin' tool via a debian package.
This copies the php sources outside of /var/www and sets an 'alias ..'
directive in /etc/apache2/conf.d/

Now what happens to my surprise is that /phppgadmin is accessible via
all my virtual hosts, not just the one (base host) where it is
defined.

I also decided to serve the tool only via https, so I moved the
directive to the SSL part of my config.
Simplified, my vhost.conf (included by httpd.conf) looks like this:

NameVirtualHost 1.2.3.4:80

<VirtualHost  1.2.3.4:80>
         ServerName www.onesite.com
         ServerAlias onesite.com *.onesite.com
         DocumentRoot /var/www/
</VirtualHost>
<VirtualHost  1.2.3.4:80>
         ServerName www.twosite.com
         ServerAlias twosite.com *.twosite.com
         DocumentRoot /var/www/two/
</VirtualHost>

## SSL ##
NameVirtualHost 1.2.3.4:443
<VirtualHost 1.2.3.4:443>
         ServerName www.onesite.com
         ServerAlias onesite.com *.onesite.com
         DocumentRoot /var/www/
# pgAdmin
Alias /phppgadmin /usr/share/phppgadmin/
<Directory /usr/share/phppgadmin/>
         DirectoryIndex index.php
         Options +FollowSymLinks
</Directory>
</VirtualHost>

# end vhost.conf

So, what works as designed:
http://onesite.com
http://twosite.com
https://onesite.com/phppgadmin

What does not work and should not work - i.e. throws a 404 error:
http://onesite.com/phppgadmin
http://twosite.com/phppgadmin

What works and should _not_ work:
https://twosite.com/phppgadmin

It seems that the Alias directive is applied to _all_ hosts, not just
the one inside the <VirtualHost .. /> block. From the apache docs:
http://httpd.apache.org/docs/current/mod/mod_alias.html#alias
I read the "context: Virtual host" means it is only effective in the
respective host, but maybe I misunderstood this?
Any hints how to restrict /phppgadmin on the first domain?

/ Bernd

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] Hacked / Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts

Posted by br...@kanka.de.
Ho,

On 07.12.2010 20:33, Eric Covener wrote:
> Apache uses the first virtual host in each set of NameVirtualHost's as
> a default/catch-all after IP-based vhosting ...

Now I understand, thanks for your patience in explaining it.

What I did now is add a dummy-domain on top of my SSL config:

## SSL ##
NameVirtualHost 1.2.3.4:443
<VirtualHost 1.2.3.4:443>
	DocumentRoot    /var/www/
	ServerName      www.catch-dummy.xx
	SSLEngine on
	SSLProtocol all -SSLv2
	SSLCertificateFile      ...
</VirtualHost>

<VirtualHost 1.2.3.4:443>
         ServerName www.onesite.com
         ServerAlias onesite.com *.onesite.com
         DocumentRoot /var/www/
# pgAdmin
Alias /phppgadmin /usr/share/phppgadmin/
<Directory /usr/share/phppgadmin/>
         DirectoryIndex index.php
         Options +FollowSymLinks
</Directory>
</VirtualHost>
## end

This works, albeit looks more like a hack than a solution...

/ Bernd



Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts

Posted by Eric Covener <co...@gmail.com>.
> So apache should throw an error, right?

Apache uses the first virtual host in each set of NameVirtualHost's as
a default/catch-all after IP-based vhosting has selected that
host:port.

-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts

Posted by br...@kanka.de.
Hi,

On 07.12.2010 20:27, Joost de Heer wrote:
>> Now what happens to my surprise is that /phppgadmin is accessible via
>> all my virtual hosts, not just the one (base host) where it is
>> defined.
>
> All your virtual hosts or all your SSL virtual hosts?

The latter.

>> https://onesite.com/phppgadmin
>> https://twosite.com/phppgadmin
>
> SSL namebased virtualhosting will not work.

So apache should throw an error, right?

/ Bernd



Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts

Posted by br...@kanka.de.
Hello,

On 08.12.2010 14:13, Tom Evans wrote:
...
>> And the experienced user has seen these warnings often, so he regularly
>> clicked on "I understand the risks" and accepted the ssl session anyway -
>> and it's even wiser in most cases to do because mostly you're better off (in
>> web 2.0 services for example) with an encrypted transfer and non-secure
>> identity than with both non-secure...
>
> What 'experienced' (stupid?) users do is neither here nor there. I
> rarely trust self signed certs and would never accept a certificate
> for a host that isn't what it claims to be. Since 'experienced' users
> do do this sort of thing, don't give them an option to do so.

I don't give them this opportunity, neither do you and all the other 
responsible people on this ML.
The reality on the world wide web is different, and leads to users 
spontaneously clicking "I understand the risk" even if it's not really true.

>>> The best way to avoid this problem is not dummy vhosts, it is to not
>>> serve multiple websites from the same IP ...
>>
>> In an ideal world, yes.
>> But in this world the number of available IPs is restricted, whereas the
>> quest for new domains seems endless.
>
> IPv4 addresses aren't exactly tricky to lay your hands on, despite the
> endless yearly warnings that IPv4 will run out in the next N years.

If you have a direct contract with the backbone provider, fine.
If your server has a rented place in a data center your IP range is normally 
restricted.

> If you have one SSL site, and many non SSL sites, you should host on 2
> distinct IPs, ...

I prefer to keep my few IPs for real SSL services instead of nicer-written 
configuration.

> ... The cost of
> obtaining a second IP is small compared to the brand cost of having
> badly served SSL sites.

My SSL and non-SSL sites are served perfectly now that I found the hack-around 
(with the help of this ML).
I'd just prefer that apache offered a more concise way to configure that.

/ Bernd



Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts

Posted by Tom Evans <te...@googlemail.com>.
On Wed, Dec 8, 2010 at 12:55 PM,  <br...@kanka.de> wrote:
> Hello,
>
> On 08.12.2010 13:45, Tom Evans wrote:
>>>
>>> .. but at this point apache knows that there is something wrong with the
>>> request or the configuration, and should throw an error instead of
>>> serving
>>> the wrong data.
>>
>> Typically, you don't even get to that point. Most browsers will throw
>> a fit if they request www.hostb.com and are served certificates for
>> www.hosta.com.
>
> And the experienced user has seen these warnings often, so he regularly
> clicked on "I understand the risks" and accepted the ssl session anyway -
> and it's even wiser in most cases to do because mostly you're better off (in
> web 2.0 services for example) with an encrypted transfer and non-secure
> identity than with both non-secure...

What 'experienced' (stupid?) users do is neither here nor there. I
rarely trust self signed certs and would never accept a certificate
for a host that isn't what it claims to be. Since 'experienced' users
do do this sort of thing, don't give them an option to do so.

>
>> The best way to avoid this problem is not dummy vhosts, it is to not
>> serve multiple websites from the same IP ...
>
> In an ideal world, yes.
> But in this world the number of available IPs is restricted, whereas the
> quest for new domains seems endless.
> ".. over 240 Million active and deleted domains in the .com .net .org .biz
> .info .mobi .asia .ie .eu .de .co.uk Top Level Domains.."
> ( http://www.hosterstats.com )

IPv4 addresses aren't exactly tricky to lay your hands on, despite the
endless yearly warnings that IPv4 will run out in the next N years.

>
>> ... if you intend on handling SSL
>> for any one of those websites and not the others. SSL sites that share
>> a certificate (eg, if you have a wildcard certificate) are fine to
>> share an IP.
>
> If there is exactly one SSL site a wildcard cert is not needed and makes
> little sense IMHO.
>

Indeed, I was just trying to make it clear I didn't mean you must have
1 IP per SSL vhost, to avoid someone jumping on that :)

If you have one SSL site, and many non SSL sites, you should host on 2
distinct IPs, one for the SSL enabled site, and one for all the
non SSL sites. It's just cleaner and works better. The cost of
obtaining a second IP is small compared to the brand cost of having
badly served SSL sites.

Cheers

Tom



Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts

Posted by br...@kanka.de.
Hello,

On 08.12.2010 13:45, Tom Evans wrote:
>> .. but at this point apache knows that there is something wrong with the
>> request or the configuration, and should throw an error instead of serving
>> the wrong data.
>
> Typically, you don't even get to that point. Most browsers will throw
> a fit if they request www.hostb.com and are served certificates for
> www.hosta.com.

And the experienced user has seen these warnings often, so he regularly 
clicked on "I understand the risks" and accepted the ssl session anyway - and 
it's even wiser in most cases to do because mostly you're better off (in web 
2.0 services for example) with an encrypted transfer and non-secure identity 
than with both non-secure...

> The best way to avoid this problem is not dummy vhosts, it is to not
> serve multiple websites from the same IP ...

In an ideal world, yes.
But in this world the number of available IPs is restricted, whereas the quest 
for new domains seems endless.
".. over 240 Million active and deleted domains in the .com .net .org .biz 
.info .mobi .asia .ie .eu .de .co.uk Top Level Domains.."
( http://www.hosterstats.com )

> ... if you intend on handling SSL
> for any one of those websites and not the others. SSL sites that share
> a certificate (eg, if you have a wildcard certificate) are fine to
> share an IP.

If there is exactly one SSL site a wildcard cert is not needed and makes 
little sense IMHO.

/ Bernd



Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 08.12.10 12:45, Tom Evans wrote:
> The best way to avoid this problem is not dummy vhosts, it is to not
> serve multiple websites from the same IP if you intend on handling SSL
> for any one of those websites and not the others. SSL sites that share
> a certificate (eg, if you have a wildcard certificate) are fine to
> share an IP.

but when anyone points any hostname to the same address, he can ONLY process
it as 
- the main and only host on the address
- throw an error "host not configured".
for the latter, he must configure one more virtual host on the same IP/port
pair because apache does NOT know the "host not configured" error so we must
"create" it.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese. 



Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts

Posted by Tom Evans <te...@googlemail.com>.
On Wed, Dec 8, 2010 at 12:21 PM,  <br...@kanka.de> wrote:
> Hello,
>
> On 08.12.2010 12:48, Tom Evans wrote:
>>
>> Until the incoming request has been received and decrypted, apache has
>> no clue that the domain requested was 'not-ssl-configured-domain.xx'.
>> That's kind of the point of SSL.
>
> Ok, thanks for pointing that out.
>
>> Apache determines which vhost to use to send certificates from based
>> on the ip:port, since no other information is available.
>
> Makes perfect sense.
>
>> Because of this, if you have two hosts, www.hosta.com and
>> www.hostb.com, that resolve to the same IP address, and configure SSL
>> for www.hosta.com, then requesting www.hostb.com via SSL will connect
>> and handshake using certificates from www.hosta.com ...
>
> Fine so far ...
>
>> ... and serve data from the www.hosta.com vhost.
>
> .. but at this point apache knows that there is something wrong with the
> request or the configuration, and should throw an error instead of serving
> the wrong data.

Typically, you don't even get to that point. Most browsers will throw
a fit if they request www.hostb.com and are served certificates for
www.hosta.com.

The best way to avoid this problem is not dummy vhosts, it is to not
serve multiple websites from the same IP if you intend on handling SSL
for any one of those websites and not the others. SSL sites that share
a certificate (eg, if you have a wildcard certificate) are fine to
share an IP.

>
>> It's not quirky, it's a direct consequence of how things work, ..
>
> Look at my "solution" - having to define a dummy-vhost to catch the
> ssl-requests for all domains not explicitly ssl-defined, in order to
> restrain the service to the one domain it was meant for.

But you are still able to connect and request https://www.hostb.com/, it
will still fail with a certificate error message to the user that
doesn't make sense. It is better if the site does not exist, that you
cannot connect to it, which you cannot do if you share an IP. To my
mind, this is a consequence of choosing a less than ideal hosting
structure, Apache shouldn't/can't do any more.

> At least at this point a kind of "ServerName ... exclusive" directive for
> the config (and logic behind) could make sense, or maybe it exists and my
> weary eyes overread it.
>
> / Bernd
>



Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On 08.12.2010 12:48, Tom Evans wrote:
>> ... and serve data from the www.hosta.com vhost.

On 08.12.10 13:21, breg@kanka.de wrote:
> .. but at this point apache knows that there is something wrong with the  
> request or the configuration, and should throw an error instead of 
> serving the wrong data.

I am also sorry but apache does not support any "host not configured" error,
it just uses default (first configured) vhost in such case.

I'd love if apache supported the "host not configured" error.
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I drive way too fast to worry about cholesterol. 



Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts

Posted by br...@kanka.de.
Hello,

On 08.12.2010 16:01, Eric Covener wrote:
>> .. I propose a less quirky configuration, for example
>> with "ServerName .. exclusive"
>
> So it would handshake with the "wrong" information and serve the wrong
> virtualhosts error documents?

The "exclusive" defined vhost would do what the second vhost in my solution 
does, okay?

So it would do what the admin intended it to do, and it would do right so.

/ Bernd



Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts

Posted by Eric Covener <co...@gmail.com>.
On Wed, Dec 8, 2010 at 9:54 AM,  <br...@kanka.de> wrote:
> Hello,
>
> On 08.12.2010 15:03, Eric Covener wrote:
>>
>> And at least 50% of the world would think whatever you intuitively
>> expect to happen in this case is quirky. That's why there's a
>> configuration file.
>
> I expect nothing to happen intuitively.
> What happens now, serving any-SSL violating the vhost definition, is simply
> wrong.
> Then, to overcome this, I propose a less quirky configuration, for example
> with "ServerName .. exclusive"
>

So it would handshake with the "wrong" information and serve the wrong
virtualhosts error documents?

Sounds wrong.


-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts

Posted by br...@kanka.de.
Hello,

On 08.12.2010 15:03, Eric Covener wrote:
> And at least 50% of the world would think whatever you intuitively
> expect to happen in this case is quirky. That's why there's a
> configuration file.

I expect nothing to happen intuitively.
What happens now, serving any-SSL violating the vhost definition, is simply wrong.
Then, to overcome this, I propose a less quirky configuration, for example 
with "ServerName .. exclusive"

/ Bernd



Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts

Posted by Eric Covener <co...@gmail.com>.
On Wed, Dec 8, 2010 at 7:43 AM,  <br...@kanka.de> wrote:
> Hello,
>
> On 08.12.2010 13:31, Eric Covener wrote:
>>>
>>> "ServerName ... exclusive" directive for
>>> the config (and logic behind) could make sense, ...
>>
>> This facility is effectively already there by creating a default
>> (first-listed) name-based virtual host and handling unspecified
>> domains that show up on that interface however you desire.
>
> Having to define a dummy ssl-vhost, including the SSLProtocol and
> Certificate directives, then repeating these directives for the domain that
> is actually used - that's exactly what I call 'quirky'.
>
> And the situation of having one IP and various vhosts, while offering
> ssl-encrypted services from one domain only, is not too rare.
>

And at least 50% of the world would think whatever you intuitively
expect to happen in this case is quirky. That's why there's a
configuration file.


-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts

Posted by br...@kanka.de.
Hello,

On 08.12.2010 13:31, Eric Covener wrote:
>> "ServerName ... exclusive" directive for
>> the config (and logic behind) could make sense, ...
>
> This facility is effectively already there by creating a default
> (first-listed) name-based virtual host and handling unspecified
> domains that show up on that interface however you desire.

Having to define a dummy ssl-vhost, including the SSLProtocol and Certificate 
directives, then repeating these directives for the domain that is actually 
used - that's exactly what I call 'quirky'.

And the situation of having one IP and various vhosts, while offering 
ssl-encrypted services from one domain only, is not too rare.

/ Bernd



Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts

Posted by Eric Covener <co...@gmail.com>.
> "ServerName ... exclusive" directive for
> the config (and logic behind) could make sense, or maybe it exists and my
> weary eyes overread it.

This facility is effectively already there by creating a default
(first-listed) name-based virtual host and handling unspecified
domains that show up on that interface however you desire.

--
Eric Covener
covener@gmail.com



Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts

Posted by br...@kanka.de.
Hello,

On 08.12.2010 12:48, Tom Evans wrote:
> Until the incoming request has been received and decrypted, apache has
> no clue that the domain requested was 'not-ssl-configured-domain.xx'.
> That's kind of the point of SSL.

Ok, thanks for pointing that out.

> Apache determines which vhost to use to send certificates from based
> on the ip:port, since no other information is available.

Makes perfect sense.

> Because of this, if you have two hosts, www.hosta.com and
> www.hostb.com, that resolve to the same IP address, and configure SSL
> for www.hosta.com, then requesting www.hostb.com via SSL will connect
> and handshake using certificates from www.hosta.com ...

Fine so far ...

> ... and serve data from the www.hosta.com vhost.

.. but at this point apache knows that there is something wrong with the 
request or the configuration, and should throw an error instead of serving the 
wrong data.

> It's not quirky, it's a direct consequence of how things work, ..

Look at my "solution" - having to define a dummy-vhost to catch the 
ssl-requests for all domains not explicitly ssl-defined, in order to restrain 
the service to the one domain it was meant for.
At least at this point a kind of "ServerName ... exclusive" directive for the 
config (and logic behind) could make sense, or maybe it exists and my weary 
eyes overread it.

/ Bernd



Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts

Posted by Tom Evans <te...@googlemail.com>.
On Wed, Dec 8, 2010 at 11:13 AM,  <br...@kanka.de> wrote:
>
> Just to make it clear:
> What I perceived as a .. quirky behaviour of apache was that it did _not_
> throw an error when https://not-ssl-configured-domain.xx is requested.
> How to run several https domains with one IP was not my challenge.
>
> / Bernd
>
>

Until the incoming request has been received and decrypted, apache has
no clue that the domain requested was 'not-ssl-configured-domain.xx'.
That's kind of the point of SSL.

In order to decrypt the request, apache must handshake with the
client, passing certificates to the client indicating what the host
is. This happens before the client sends any information about the
request.

Apache determines which vhost to use to send certificates from based
on the ip:port, since no other information is available.

Because of this, if you have two hosts, www.hosta.com and
www.hostb.com, that resolve to the same IP address, and configure SSL
for www.hosta.com, then requesting www.hostb.com via SSL will connect
and handshake using certificates from www.hosta.com and serve data
from the www.hosta.com vhost.

It's not quirky, it's a direct consequence of how things work, and
without changing how SSL works it will always work that way.

Cheers

Tom
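
Added example (not part of any post in this thread, and not Apache's own code): a small Python model of the selection rule that Eric Covener and Tom Evans describe, run over the two SSL configurations Bernd posted, plus an audit that flags an Alias sitting in the first-listed vhost of an addr:port. The config strings are constructed from the thread, the function names are made up for this example, and the name matching is a simplification of what httpd does.

```python
import fnmatch
import re

# Constructed from the configs quoted in the thread, cut down to the
# directives that decide which vhost answers and what it exposes.
HTTP = """
NameVirtualHost 1.2.3.4:80
<VirtualHost  1.2.3.4:80>
    ServerName www.onesite.com
    ServerAlias onesite.com *.onesite.com
</VirtualHost>
<VirtualHost  1.2.3.4:80>
    ServerName www.twosite.com
    ServerAlias twosite.com *.twosite.com
</VirtualHost>
"""
SSL_SITE = """
<VirtualHost 1.2.3.4:443>
    ServerName www.onesite.com
    ServerAlias onesite.com *.onesite.com
    Alias /phppgadmin /usr/share/phppgadmin/
</VirtualHost>
"""
SSL_DUMMY = """
<VirtualHost 1.2.3.4:443>
    ServerName www.catch-dummy.xx
</VirtualHost>
"""
BEFORE = HTTP + "NameVirtualHost 1.2.3.4:443" + SSL_SITE
AFTER = HTTP + "NameVirtualHost 1.2.3.4:443" + SSL_DUMMY + SSL_SITE


def parse_vhosts(conf):
    """Return the <VirtualHost> blocks of conf in file order."""
    vhosts, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+(\S+)>", line, re.I)
        if opened:
            current = {"addr": opened.group(1), "names": [], "aliases": []}
        elif re.match(r"</VirtualHost>", line, re.I):
            vhosts.append(current)
            current = None
        elif current is not None:
            directive, *args = line.split()
            if directive.lower() in ("servername", "serveralias"):
                current["names"] += [a.lower() for a in args]
            elif directive.lower() == "alias" and args:
                current["aliases"].append(args[0])
    return vhosts


def select_vhost(vhosts, addr, host):
    """Selection as described in the thread: narrow to the vhosts on the
    matching IP:port, then compare the Host name with ServerName and
    ServerAlias; if nothing matches, the first-listed vhost is the default."""
    candidates = [v for v in vhosts if v["addr"] == addr]
    if not candidates:
        return None
    host = host.lower().split(":")[0]
    for vhost in candidates:
        if any(fnmatch.fnmatchcase(host, pattern) for pattern in vhost["names"]):
            return vhost
    return candidates[0]


def reachable_aliases(conf, addr, host):
    """Alias URL paths served when `host` is requested on `addr`."""
    vhost = select_vhost(parse_vhosts(conf), addr, host)
    return vhost["aliases"] if vhost else []


def audit_default_vhosts(conf):
    """Flag every addr:port whose default (first-listed) vhost carries an
    Alias: any Host name without its own vhost there is served that path."""
    findings, seen = [], set()
    for vhost in parse_vhosts(conf):
        if vhost["addr"] in seen:
            continue
        seen.add(vhost["addr"])
        name = vhost["names"][0] if vhost["names"] else "(unnamed)"
        findings += [(vhost["addr"], name, alias) for alias in vhost["aliases"]]
    return findings


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        for host in ("onesite.com", "twosite.com"):
            print(label, host, reachable_aliases(conf, "1.2.3.4:443", host))
        print(label, "audit:", audit_default_vhosts(conf))
```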



Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts

Posted by br...@kanka.de.
Hello,

On 08.12.2010 11:38, Matus UHLAR - fantomas wrote:
>>> Now what happens to my surprise is that /phppgadmin is accessible via
>>> all my virtual hosts, not just the one (base host) where it is
>>> defined.
>...
> On 07.12.10 20:27, Joost de Heer wrote:
>> SSL namebased virtualhosting will not work.
>..
> He can have wildcard certificate or certificate with alternative names to
> avoid this error.

Just to make it clear:
What I perceived as a .. quirky behaviour of apache was that it did _not_ 
throw an error when https://not-ssl-configured-domain.xx is requested.
How to run several https domains with one IP was not my challenge.

/ Bernd




Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> > Now what happens to my surprise is that /phppgadmin is accessible via
> > all my virtual hosts, not just the one (base host) where it is
> > defined.
> 
> All your virtual hosts or all your SSL virtual hosts?
> 
> > https://onesite.com/phppgadmin
> > https://twosite.com/phppgadmin

On 07.12.10 20:27, Joost de Heer wrote:
> SSL namebased virtualhosting will not work.

Yes, it will, but browsers will apparently complain that the certificate does
not match the host provided.

He can have wildcard certificate or certificate with alternative names to
avoid this error.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
It's now safe to throw off your computer.



Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts

Posted by Joost de Heer <jo...@sanguis.xs4all.nl>.
> Now what happens to my surprise is that /phppgadmin is accessible via
> all my virtual hosts, not just the one (base host) where it is
> defined.

All your virtual hosts or all your SSL virtual hosts?

> https://onesite.com/phppgadmin
> https://twosite.com/phppgadmin

SSL namebased virtualhosting will not work.

Joost



Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts

Posted by br...@kanka.de.
Hello,

On 07.12.2010 19:35, Eric Covener wrote:
...
> No, based on my short description of how a virtualhost is found, you
> never jump to 2nd-best IP:PORT match to match up a
> servername/serveralias ...

Right, so I'd expect apache to throw an error - instead it uses a ServerName 
from another virtualhost declaration - strange, IMHO...

So the (merely elegant) solution would be to add SSL-virtualhost definitions 
for all other domains?

/ Bernd



Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts

Posted by Eric Covener <co...@gmail.com>.
On Tue, Dec 7, 2010 at 1:26 PM,  <br...@kanka.de> wrote:
> Hello,
>
> On 07.12.2010 19:13, Eric Covener wrote:
>>>
>>> What works and should _not_ work:
>>> https://twosite.com/phppgadmin
>>
>> You only listed one port 443 virtualhost, and it has the Alias in it.
>>
>> Apache finds the best match for the IP:Port, then looks at the
>> ServerName/ServerAlias in that set of NameVirtualHost's.
>
> But there it finds only onesite.com definitions - so I'd expect it not to
> serve anything with https://twosite.com/... - right?
>

No, based on my short description of how a virtualhost is found, you
never jump to 2nd-best IP:PORT match to match up a
servername/serveralias (especially in this case where you'd be jumping
from HTTPS to HTTP)



Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts

Posted by br...@kanka.de.
Hello,

On 07.12.2010 19:13, Eric Covener wrote:
>> What works and should _not_ work:
>> https://twosite.com/phppgadmin
>
> You only listed one port 443 virtualhost, and it has the Alias in it.
>
> Apache finds the best match for the IP:Port, then looks at the
> ServerName/ServerAlias in that set of NameVirtualHost's.

But there it finds only onesite.com definitions - so I'd expect it not to serve 
anything with https://twosite.com/... - right?

/ Bernd



Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts

Posted by Eric Covener <co...@gmail.com>.
> What works and should _not_ work:
> https://twosite.com/phppgadmin

You only listed one port 443 virtualhost, and it has the Alias in it.

Apache finds the best match for the IP:Port, then looks at the
ServerName/ServerAlias in that set of NameVirtualHost's.



Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 07.12.10 19:08, breg@kanka.de wrote:
> I've switched to a new debian server with apache 2.2.9 and installed the  
> 'phpgadmin'
> tool via a debian package.
> This copies the php sources outside of /var/www and sets an 'alias ..'
> directive in /etc/apache2/conf.d/

> Now what happens to my surprise is that /phppgadmin is accessible via
> all my virtual hosts, not just the one (base host) where it is
> defined.

The /etc/apache2/conf.d/ directory is included from main server config
(/etc/apache2/apache2.conf) and thus aliases defined there apply in all
virtual hosts.

This is one of the reasons why I dislike this "automatic" way of configuring
apache in distributions.

I recommend you comment out the "Include /etc/apache2/conf.d/" in
/etc/apache2/apache2.conf and include it only in the vhosts where you need it.

The /etc/apache2/conf.d/security should be apparently included right from
apache2.conf, the other 

For the same reason I removed some mods-enabled/*.conf and load them from
separate virtual hosts where needed, e.g.:

mods-available/alias.conf 
mods-available/info.conf
mods-available/status.conf
mods-available/userdir.conf

etc.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler
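
Added example (not part of any post in this thread, and not Apache's own code): a simplified Python model of the two behaviours explained above, name-based vhost selection inside the best IP:port match with the first-listed vhost as fallback, and server-level Alias directives (such as those pulled in from conf.d) applying to every vhost. It assumes exact IP:port strings (no `*` or `_default_` addresses); the function names `parse`, `select_vhost` and `alias_reachable` are hypothetical.

```python
import re
from fnmatch import fnmatch

# vhost.conf from the original post, trimmed to the directives that matter here.
CONF = """
NameVirtualHost 1.2.3.4:80
<VirtualHost 1.2.3.4:80>
    ServerName www.onesite.com
    ServerAlias onesite.com *.onesite.com
</VirtualHost>
<VirtualHost 1.2.3.4:80>
    ServerName www.twosite.com
    ServerAlias twosite.com *.twosite.com
</VirtualHost>
NameVirtualHost 1.2.3.4:443
<VirtualHost 1.2.3.4:443>
    ServerName www.onesite.com
    ServerAlias onesite.com *.onesite.com
    Alias /phppgadmin /usr/share/phppgadmin/
</VirtualHost>
"""
ALIAS = re.compile(r"^\s*Alias\s+(\S+)", re.M | re.I)
VHOST = re.compile(r"<VirtualHost\s+(\S+?)>(.*?)</VirtualHost>", re.S | re.I)

def parse(conf):
    """Return (server-level Alias prefixes, vhosts in file order)."""
    vhosts = []
    for addr, body in VHOST.findall(conf):
        names = re.findall(r"^\s*Server(?:Name|Alias)\s+(.+)$", body, re.M | re.I)
        vhosts.append({"addr": addr, "names": " ".join(names).lower().split(),
                       "aliases": ALIAS.findall(body)})
    return ALIAS.findall(VHOST.sub("", conf)), vhosts

def select_vhost(vhosts, addr, host):
    """Narrow by IP:port first, then by name; the first listed vhost is the default."""
    same_addr = [v for v in vhosts if v["addr"] == addr]
    for v in same_addr:
        if any(fnmatch(host.lower(), pat) for pat in v["names"]):
            return v
    return same_addr[0] if same_addr else None  # None: the main server answers

def alias_reachable(conf, addr, host, path):
    """True if path falls under an Alias in effect for the vhost serving addr/host."""
    server_aliases, vhosts = parse(conf)
    v = select_vhost(vhosts, addr, host)
    prefixes = [a.rstrip("/") for a in server_aliases + (v["aliases"] if v else [])]
    return any(path == p or path.startswith(p + "/") for p in prefixes)
```

Adding port 443 vhosts for the other domains takes the alias away from those names, but in this model a Host header that matches none of them is still served by the first-listed 443 vhost, so the vhost carrying the Alias is better not listed first for its address.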
