Posted to users@httpd.apache.org by an...@frameweb.it on 2003/06/04 17:44:23 UTC

[users@httpd] Re: users Digest 4 Jun 2003 15:01:52 -0000 Issue 1039

Date: Wed, 4 Jun 2003 09:29:20 +0200
To: <us...@httpd.apache.org>
From: "Boyle Owen" <Ow...@swx.com>
Subject: RE: [users@httpd] http and https together in a virtualhost
Message-ID:
<FA...@SOMEXEVS001.ex.ordersx.org>

>-----Original Message-----
>From: andrea.lanza@frameweb.it [mailto:andrea.lanza@frameweb.it]
>
>I have a configuration file httpd.conf with multiple virtualhosts
>
>Each of them works with a different name (Name-based VirtualHost)
>I added SSL and everything works well, but I have to specify the
>directive twice for each VirtualHost

The HTTPS protocol doesn't support name-based VHs so your
"NameVirtualHost *:443" directive won't work (it won't do what you think
it does). If you want to have SSL, you must define it in a separate
port-based VH (hence the use of port 443).

Do you want to have the same site available via HTTP or HTTPS?

First, have you really thought about this? This means that a user can
retrieve pages and send form data either "en clair" or encrypted. Why
would you want this? The point of SSL is to protect sensitive data
during transmission over the public internet. If you allow the user to
choose whether to use SSL or not, you have no control over it. Put it
another way, if a user accidentally sends you his credit card details
via the plain HTTP site and the card number is intercepted and misused,
who do you think the user will accuse? Your scheme is like having two
doors into your house - one with a big lock and one with no locks at
all.

Anyway, assuming that you have a compelling reason for doing this, one
way would be to define the site as HTTP and then proxy the HTTPS version
to it (or vice versa), e.g.

<VirtualHost *:80>
  DocumentRoot ...
  ServerName www.yoursite.com
  # etc.
</VirtualHost>

<VirtualHost *:443>
  SSLEngine on
  # SSL directives here...

  ProxyPass / http://www.yoursite.com/
  ProxyPassReverse / http://www.yoursite.com/
</VirtualHost>

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

First of all, I don't know how to reply to this thread initiated by me,
receiving the digested version.
So I cut the pieces I need and paste them here.

Some answers:
First, I would like all accesses to my server to be https. But practice
is different:
A lot of our customers lie behind a firewall, and have access to only a
very small number of internet sites.
So you, when you are in their buildings, can consider yourself a lucky person if
you can reach your site in http, but they almost never have the 443 port
opened for navigation....
We could talk all our lives about how silly it is, but it is.

So, if it is possible, all my colleagues MUST reach our site using https.
But if they need something urgently and the SSL is not available, they CAN
use http.

Second: I saw that virtualhost https nearly works. I have a linux-suse
Apache opened to internet, acting as a reverse proxy towards my internal
http servers (Lotus Domino and Tomcat) and I choose to have named virtual
hosts adding aliases on the DNS. On the basis of the URL entered, you are
proxied to the appropriate internal server. I added the ProxyPass and
ProxyReverse directives to both Virtual Hosts, on port 80 and 443. Everything
works on both http and https.

So, if there isn't a better way to handle this, I will stay in this
situation: I have to administer 8 Virtual Hosts,
each one with only one ProxyPass-ProxyReverse directive, instead of 4
VirtualHosts: it is not so terrible to do!

thanks,
Andrea





---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
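
The setup described in the thread keeps two vhosts per site (:80 and :443), each carrying its own copy of the proxy directives, so the copies can drift apart. The following is an added example, not code from the thread or from the Apache project: a small audit that pairs vhosts by ServerName and reports names with no HTTPS vhost or with differing proxy rules. All host names and backends in the sample are constructed.

```python
import re
# Constructed sample (hypothetical names and backends), not the poster's config.
SAMPLE_CONF = """\
<VirtualHost *:80>
  ServerName mail.example.test
  ProxyPass / http://domino.internal.test/
</VirtualHost>
<VirtualHost *:443>
  ServerName mail.example.test
  SSLEngine on
  ProxyPass / http://domino.internal.test/
</VirtualHost>
<VirtualHost *:80>
  ServerName apps.example.test
  ProxyPass / http://tomcat.internal.test:8080/
</VirtualHost>
<VirtualHost *:443>
  ServerName apps.example.test
  SSLEngine on
  ProxyPass / http://tomcat-old.internal.test:8080/
</VirtualHost>
<VirtualHost *:80>
  ServerName wiki.example.test
  ProxyPass / http://tomcat.internal.test:8080/wiki/
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+\S*:(\d+)\s*>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Map ServerName -> {port: set of (directive, path, target) proxy rules}."""
    hosts = {}
    for port, body in VHOST_RE.findall(conf):
        rows = [ln.split() for ln in body.splitlines() if ln.strip()]
        rules = {(r[0].lower(), *r[1:3]) for r in rows
                 if r[0].lower() in ("proxypass", "proxypassreverse")}
        for r in rows:
            if r[0].lower() == "servername" and len(r) > 1:
                hosts.setdefault(r[1].lower(), {})[int(port)] = rules
    return hosts

def audit(conf):
    """List names whose :80 and :443 vhosts are missing or out of step."""
    findings = []
    for name, ports in sorted(parse_vhosts(conf).items()):
        if 443 not in ports:
            findings.append((name, "no HTTPS vhost"))
        elif 80 in ports and ports[80] != ports[443]:
            findings.append((name, "proxy rules differ between :80 and :443"))
    return findings
```

Call `audit()` on the text of httpd.conf; it only handles single-address `<VirtualHost addr:port>` blocks and does not follow Include directives.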