Posted to users@httpd.apache.org by Marc Perkel <ma...@perkel.com> on 2007/02/27 18:25:09 UTC

[users@httpd] Virtual SSL on one IP?

Is there a way to run multiple virtual sites on one IP using different 
certificates? Apache 2.2

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


RE: [users@httpd] Virtual SSL on one IP?

Posted by Chirouze Olivier <ol...@volvo.com>.
Hi,

I would like to say this differently:
Indeed, there is no way to use NAME BASED virtual hosts on the same IP /
Port with different SSL certificates.
However, it is possible to use IP BASED virtual hosts with different SSL
certificates => they will have to be on different IPs or different
ports.

Also, something that is never said, probably because it's not officially
supported: it is possible to use "dirty" name based virtual hosts with
the _SAME_ SSL certificate (at least with Apache 2.0).

As said previously, the server name is also encrypted. But it seems like
Apache uses the first SSL certificate it finds (the first
SSLCertificateFile directive), whatever the servername. Once the SSL
handshake has been done, name based virtual hosts work just like with
non-SSL vhosts. Obviously, this will only work with "wildcard"
certificates. You'll have to share the same "*.mydomain.com" certificate
for all your "servername1.mydomain.com", "servername2.mydomain.com"
dirty name based virtual hosts.
If you want to use this alternative, I suggest including a .conf file in
each of your <VirtualHost> directives. This .conf file will contain only
SSLCertificateFile directive to show that all your virtual hosts use the
same file and that you can't change one without affecting the others...

So, in a word, you can use name based virtual hosts with a wildcard SSL
certificate, all the "non-SSL" directives will work as expected on your
virtual hosts.

This is not a very clean alternative, but that can prove very useful
when you don't have plenty of IPs...

Olivier

Olivier CHIROUZE
I&0 Infrastructure
Volvo Information Technology
 

> -----Original Message-----
> From: Gonzalez, Miguel [mailto:miguel.gonzalez@threespot.com] 
> Sent: 27 February 2007 18:27
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] Virtual SSL on one IP?
> 
> There is no way to use virtual host on the same secure port, you will
> need to use different ports. It is a question that the servername is
> also encrypted so there is no way to use virtualhosting
> 
> Miguel
> 
> > -----Original Message-----
> > From: Marc Perkel [mailto:marc@perkel.com]
> > Sent: Tuesday, February 27, 2007 12:25 PM
> > To: users@httpd.apache.org
> > Subject: [users@httpd] Virtual SSL on one IP?
> > 
> > Is there a way to run multiple virtual sites on one IP 
> using different
> > certificates? Apache 2.2
> > 
> 
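
The shared-certificate layout Olivier describes, next to the different-port alternative, as an added configuration example that is not part of the original posts. The fence shows two files; host names, port 8443 and every file path (including ssl-wildcard.conf) are assumptions, and SSLCertificateKeyFile is added alongside the SSLCertificateFile directive he mentions.

```apache
# httpd.conf (Apache 2.0/2.2). Constructed example: names and paths are placeholders.
Listen 443
Listen 8443

# Name-based virtual hosts on one IP:port. The certificate is sent during
# the SSL handshake, before Apache can read the Host header, so every
# vhost in this group answers with the same certificate.
NameVirtualHost *:443

<VirtualHost *:443>
    ServerName servername1.mydomain.com
    DocumentRoot /var/www/servername1
    SSLEngine on
    # Certificate settings are shared, so they live in one included file.
    Include conf/ssl-wildcard.conf
</VirtualHost>

<VirtualHost *:443>
    ServerName servername2.mydomain.com
    DocumentRoot /var/www/servername2
    SSLEngine on
    # Same include: changing the certificate here changes it for all vhosts.
    Include conf/ssl-wildcard.conf
</VirtualHost>

# A site that needs its own certificate gets its own local endpoint:
# here a different port on the same IP (a second IP works the same way).
<VirtualHost *:8443>
    ServerName www.otherdomain.example
    DocumentRoot /var/www/otherdomain
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/www.otherdomain.example.crt
    SSLCertificateKeyFile /etc/httpd/ssl/www.otherdomain.example.key
</VirtualHost>

# ---- contents of conf/ssl-wildcard.conf (second file) ----
# The certificate subject must be the wildcard *.mydomain.com so that it
# matches servername1.mydomain.com and servername2.mydomain.com.
SSLCertificateFile    /etc/httpd/ssl/wildcard.mydomain.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/wildcard.mydomain.com.key
```

Run `apachectl configtest` after editing. A vhost on *:443 whose name the wildcard does not cover will still be served, but browsers will report a certificate name mismatch.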



RE: [users@httpd] Virtual SSL on one IP?

Posted by "Gonzalez, Miguel" <mi...@threespot.com>.
There is no way to use virtual host on the same secure port, you will
need to use different ports. It is a question that the servername is
also encrypted so there is no way to use virtualhosting

Miguel

> -----Original Message-----
> From: Marc Perkel [mailto:marc@perkel.com]
> Sent: Tuesday, February 27, 2007 12:25 PM
> To: users@httpd.apache.org
> Subject: [users@httpd] Virtual SSL on one IP?
> 
> Is there a way to run multiple virtual sites on one IP using different
> certificates? Apache 2.2
> 




Re: [users@httpd] Virtual SSL on one IP?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 27.02.07 09:25, Marc Perkel wrote:
> Is there a way to run multiple virtual sites on one IP using different 
> certificates? Apache 2.2

Yes, but you have to use different port numbers - you just need to have
different local endpoints. (ssl/tls key renegotiation protocol is to come,
but browsers must support it first)
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller



[users@httpd] Re: Virtual SSL on one IP?

Posted by DevilsPGD <sp...@crazyhat.net>.
In message <20...@trutwins.homeip.net> Josh
Trutwin <jo...@trutwins.homeip.net> wrote:

>On Tue, 27 Feb 2007 09:25:09 -0800
>Marc Perkel <ma...@perkel.com> wrote:
>
>> Is there a way to run multiple virtual sites on one IP using
>> different certificates? Apache 2.2
>
>A while back I asked a similar question and was pointed at this:
>
>http://www.apsis.ch/pound/
>
>Though I never got around to playing with it so maybe it doesn't do
>what you're asking.  I also heard Squid might be able to do this.

Still can't be done -- This would let Apache see a single IP, but you'd
still need multiple IPs facing the rest of the world.
-- 
Insert something clever here.




Re: [users@httpd] Virtual SSL on one IP?

Posted by Josh Trutwin <jo...@trutwins.homeip.net>.
On Tue, 27 Feb 2007 09:25:09 -0800
Marc Perkel <ma...@perkel.com> wrote:

> Is there a way to run multiple virtual sites on one IP using
> different certificates? Apache 2.2

A while back I asked a similar question and was pointed at this:

http://www.apsis.ch/pound/

Though I never got around to playing with it so maybe it doesn't do
what you're asking.  I also heard Squid might be able to do this.

Either way you're looking at something pretty complicated to do
this.  

Josh
