You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Phil Forrest <fo...@physics.Auburn.EDU> on 2002/04/29 08:09:05 UTC

Is this possible?

I checked the docs, and they seem to indicate this is possible.

What I need to do is serve name-based vhosts with IP based vhosts.
I would go solely with name-based if I could, but I need to SSL one
of the hosts (it's going to run IMP), and I've heard that SSL requires
an IP address to work.

What I don't know is if this combination with plain http name-based
vhosts can live beside an IP based https vhost in the same httpd.conf??

Thanks for any tutelage,
-Phil


Phil Forrest
334-844-6910
Auburn University Dept. of Physics
Network & Scientific Computing
207 Leach Science Center


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: Is this possible?

Posted by Owen Boyle <ob...@bourse.ch>.

Phil Forrest wrote:
> 
> I checked the docs, and they seem to indicate this is possible.
> 
> What I need to do is serve name-based vhosts with IP based vhosts.
> I would go solely with name-based if I could, but I need to SSL one
> of the hosts (it's going to run IMP), and I've heard that SSL requires
> an IP address to work.
> 
> What I don't know is if this combination with plain http name-based
> vhosts can live beside an IP based https vhost in the same httpd.conf??

There are three ways to distinguish VirtualHosts:

IP-based: all VHs have a different IP address
port-based: same IP, different ports
name-based: same IP and port, different ServerNames.

Note that the first two (IP and port) use attributes of the TCP/IP layer
to define the VHs while name-based uses an attribute of the HTTP
protocol (viz. the "Host:" header) - i.e. one layer deeper.

Name-based is the most versatile since you can have an arbitrary number
of VHs all on one IP address on port 80. However.... for any SSL VH, you
can't use name-based. This is because the ServerName in the request only
arrives *after* the SSL session is established - but this is too late
since you need to know the ServerName in order to fetch the certificate
to start the session. In other words, with SSL, you cannot use any
attributes of the HTTP layer to define the VH. 

The upshot is that you can have any mix of the above possibilities, but
for an SSL VH, you can only use TCP/IP attributes to define the VH (i.e.
IP and port). You can think of the SSL VH as simply an IP-based VH.

One simple configuration is to have one IP address, umpteen name-based
HTTP-VHs on port 80 and exactly one SSL-VH on port 443. This would look
like:

NameVirtualHost ip-addr:80

<VirtualHost ip-addr:80>
  ServerName Server1
...
</VirtualHost>

<VirtualHost ip-addr:80>
  ServerName Server2
...
</VirtualHost>

etc.

<VirtualHost ip-addr:443>
  ServerName SSL_server
... ssl directives
</VirtualHost>

You could add additional IP-based VHs or port-based VHs as you like -
the only restriction is that SSL VHs must have unique ip-port
definitions and that no VHs should overlap.

Rgds

Owen Boyle.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: Is this possible?

Posted by Hans Juergen von Lengerke <le...@sixt.de>.

Phil Forrest <fo...@physics.Auburn.EDU> on Apr 29, 2002:

> I checked the docs, and they seem to indicate this is possible.
>
> What I need to do is serve name-based vhosts with IP based vhosts.
> I would go solely with name-based if I could, but I need to SSL one
> of the hosts (it's going to run IMP), and I've heard that SSL requires
> an IP address to work.
>
> What I don't know is if this combination with plain http name-based
> vhosts can live beside an IP based https vhost in the same httpd.conf??

Yes this is no problem, you need to look at VirtualHost, NameVirtualHost
and Listen directives.  However, if you only need _one_ SSL-enabled
virtual host on that machine, you do not need additional IP addresses.
It's just that one IP address can only serve one SSL-enabled vitual host
(unless you use non-standard SSL ports next to 443 - not recommended
because many firewalls won't allow this).  The IP address that serves
the SSL-enabled virtual host can however serve as many other non-SSL
virtual hosts as you like - no problem, so maybe you don't actually need
an additional IP.



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org