Posted to users@httpd.apache.org by Alan Chandler <al...@chandlerfamily.org.uk> on 2004/08/30 23:13:32 UTC
[users@httpd] SSL and virtual hosts
I am having a problem with SSL and virtual hosts. It's a bit complicated, so
before I can explain the problem I need to give the background.
I have two virtual hosts set up as follows
VirtualHost 192.168.0.31 192.168.0.30:443>
ServerName home.chandlerfamily.org.uk
DocumentRoot /var/www/external/
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/home_crt.pem
SSLCertificateKeyFile /etc/apache2/ssl/home_key.pem
DirectoryIndex index.html
<Directory /var/www/external/ >
Order Allow,Deny
Allow from All
</Directory>
CustomLog /var/log/apache2/webmail.log simple
</VirtualHost>
<VirtualHost 192.168.0.30:80>
ServerName home.chandlerfamily.org.uk:80
DocumentRoot /usr/share/drupal/
DirectoryIndex index.php
<Directory /usr/share/drupal/>
# Network Access Control
Order allow,deny
Allow from all
# Need to set allowoverride because drupal has an .htaccess file
AllowOverride All
</Directory>
# Provide drupal with some file space to write into
<Directory /var/www/drupal/>
# Network Access Control
Order allow,deny
Allow from all
</Directory>
CustomLog /var/log/apache2/www.log simple
</VirtualHost>
The reason for the strange combination of ip addresses and hosts in the first
virtual host directive is to do with my firewall. home.chandlerfamily.org.uk
- outside of my firewall is the ip address of the external interface - port
80 is port forwarded to 192.168.0.30 and port 443 is forwarded to
192.168.0.31.
Inside my firewall, I have to have a local dns server which tells machines
inside my network that home.chandlerfamily.org.uk is 192.168.0.30. This is
because the wan address of my firewall seems to be the one address on the outside
world that is inaccessible from my home lan. To complete the picture, this
internal dns provides all the internal machines with *.home domain names (and
maps these to internal ip addresses and vice versa). So 192.168.0.30 is also
called www.home and 192.168.0.31 is called webmail.home.
192.168.0.30 on port 80 is a drupal web site that I am setting up for internal
and external access.
192.168.0.31 (on both port 80 and 443) and 192.168.0.30 on port 443 will be a
sqwebmail site for accessing e-mail.
The reason therefore for the strange combinations in the virtual hosts
directories is that I want the link https://home.chandlerfamily.org.uk from
inside or from outside the firewall (ie so that they can be links on the
drupal web site) to reach sqwebmail (and I also would like
http://webmail.home to do so too).
However, it doesn't quite work (all from within my network)
http://home.chandlerfamily.org.uk gets my drupal web site
https://home.chandlerfamily.org.uk gets my default page (prior to setting up
sqwebmail)
https://webmail.home gets the default page (prior to setting up sqwebmail)
http://webmail.home gives an error - thus
Bad request!
Your browser (or proxy) sent a request that this server could not understand.
If you think this is a server error, please contact the webmaster.
Which implies the virtual host is not seeing and interpreting correctly the
http protocol as opposed to https. All the example snippets in the manual
imply it should work, so
WHAT AM I DOING WRONG?
--
Alan Chandler
alan@chandlerfamily.org.uk
First they ignore you, then they laugh at you,
then they fight you, then you win. --Gandhi
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] SSL and virtual hosts
Posted by Alan Chandler <al...@chandlerfamily.org.uk>.
On Monday 30 August 2004 23:05, James Hughbanks wrote:
> ok, easy,
Perfect thanks
--
Alan Chandler
alan@chandlerfamily.org.uk
First they ignore you, then they laugh at you,
then they fight you, then you win. --Gandhi
Re: [users@httpd] SSL and virtual hosts
Posted by James Hughbanks <ja...@mikro-data.net>.
ok, easy,
<VirtualHost 192.168.0.30:443>
ServerName home.chandlerfamily.org.uk
DocumentRoot /var/www/external/
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/home_crt.pem
SSLCertificateKeyFile /etc/apache2/ssl/home_key.pem
DirectoryIndex index.html
<Directory /var/www/external/ >
Order Allow,Deny
Allow from All
</Directory>
CustomLog /var/log/apache2/webmail.log simple
</VirtualHost>
<VirtualHost 192.168.0.31>
ServerName home.chandlerfamily.org.uk
DocumentRoot /var/www/external/
DirectoryIndex index.html
<Directory /var/www/external/ >
Order Allow,Deny
Allow from All
</Directory>
CustomLog /var/log/apache2/webmail.log simple
</VirtualHost>
try that, that should fix it, you were specifying SSLEngine on for port
80 as well as the other, so to fix this you break them out into two
different virt hosts.
--James Hughbanks
Mikro-Data Engineering Dept.
support@mikro-data.net
1-866-457-6287
http://www.mikro-data.net
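The reply above attributes the "Bad request!" page to SSLEngine on also applying to port 80. The following is an added example, not code from the thread or from the Apache project: a small checker that flags any SSLEngine-on block whose address list also covers a non-TLS port. The function names, the trimmed sample configs and the assumption that only port 443 carries TLS are illustrative.

```python
import re

LISTEN = re.compile(r"^\s*Listen\s+(?:\S+:)?(\d+)", re.I | re.M)
VHOST = re.compile(r"^\s*<VirtualHost\s+([^>]+)>(.*?)^\s*</VirtualHost>",
                   re.I | re.M | re.S)
SSL_ON = re.compile(r"^\s*SSLEngine\s+on\b", re.I | re.M)

# Constructed samples, trimmed from the configs posted in this thread.
ORIGINAL = """\
Listen 80
Listen 443
<VirtualHost 192.168.0.31 192.168.0.30:443>
ServerName home.chandlerfamily.org.uk
SSLEngine on
</VirtualHost>
"""
SPLIT = """\
Listen 80
Listen 443
<VirtualHost 192.168.0.30:443>
ServerName home.chandlerfamily.org.uk
SSLEngine on
</VirtualHost>
<VirtualHost 192.168.0.31>
ServerName home.chandlerfamily.org.uk
</VirtualHost>
"""

def ports_for(addr, listen_ports):
    """Ports one <VirtualHost> address covers; no port (or :*) means every Listen port."""
    m = re.search(r":(\d+)$", addr)
    return {int(m.group(1))} if m else set(listen_ports)

def ssl_on_plain_ports(conf, tls_ports=frozenset({443})):
    """List (vhost addresses, [(address, port), ...]) for each SSLEngine-on block
    that also answers on a port outside tls_ports (assumption: only 443 is TLS)."""
    listen_ports = {int(p) for p in LISTEN.findall(conf)}
    findings = []
    for block in VHOST.finditer(conf):
        if not SSL_ON.search(block.group(2)):
            continue
        plain = sorted((a, p) for a in block.group(1).split()
                       for p in ports_for(a, listen_ports) if p not in tls_ports)
        if plain:
            findings.append((block.group(1).strip(), plain))
    return findings

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("split", SPLIT)):
        print(name, ssl_on_plain_ports(conf))
```

The portless address 192.168.0.31 inherits both Listen ports, so the original block is reported for port 80, while the split configuration produces no findings.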
Re: [users@httpd] SSL and virtual hosts
Posted by Alan Chandler <al...@chandlerfamily.org.uk>.
On Monday 30 August 2004 22:48, James Hughbanks wrote:
> Have you tried
> <VirtualHost 192.168.0.31:80 192.168.0.30:443>
> I think by specifying the port for one, you should for both, or just
> make two separate virtual host directives. The other side of this is
> that you are using SSL, which I would break out the :443 and :80
> anyways. Are you trying to get ssl over port 80, if not, you would
> definitely want to separate these two IPs.
I actually tried this
<VirtualHost 192.168.0.31:80 192.168.0.31:443 192.168.0.30:443>
But it didn't make any difference (and the manual doesn't say I need to).
I don't want to get ssl over port 80, but I do want to share the virtual host
accessing via both https (ie ssl over 443) or http (ordinary over port 80)
I really think this is to do with the directives in the virtual host section
rather than the header.
--
Alan Chandler
alan@chandlerfamily.org.uk
First they ignore you, then they laugh at you,
then they fight you, then you win. --Gandhi
Re: [users@httpd] SSL and virtual hosts
Posted by James Hughbanks <ja...@mikro-data.net>.
Have you tried
<VirtualHost 192.168.0.31:80 192.168.0.30:443>
I think by specifying the port for one, you should for both, or just
make two separate virtual host directives. The other side of this is
that you are using SSL, which I would break out the :443 and :80
anyways. Are you trying to get ssl over port 80, if not, you would
definitely want to separate these two IPs.
--James Hughbanks
Mikro-Data Engineering Dept.
support@mikro-data.net
1-866-457-6287
http://www.mikro-data.net
Re: [users@httpd] SSL and virtual hosts
Posted by Alan Chandler <al...@chandlerfamily.org.uk>.
On Monday 30 August 2004 22:23, James Hughbanks wrote:
> I don't see a 192.168.0.31:80 Directive. Since your webmail.home you
> said was going to 192.168.0.31, and you don't have a virtual host setup
> on it, this might be the problem.
The first virtual host has two ip addresses. The first one means all ports
that the server is listening on (there are two listen directives in the main
server config - Listen 80 and Listen 443). So should not webmail.home be able
to use either port 80 or port 443?
> Also what does www.home bring up?
The drupal web site as expected.
>
> On Aug 30, 2004, at 5:13 PM, Alan Chandler wrote:
> > I am having a problem with SSL and virtual hosts. It's a bit
> > complicated, so
> > before I can explain the problem I need to give the background.
> >
> > I have two virtual hosts set up as follows
> >
> > VirtualHost 192.168.0.31 192.168.0.30:443>
By the way, it was my post missing the opening bracket on the virtual host,
it's there in the config file.
--
Alan Chandler
alan@chandlerfamily.org.uk
First they ignore you, then they laugh at you,
then they fight you, then you win. --Gandhi
Re: [users@httpd] SSL and virtual hosts
Posted by James Hughbanks <ja...@mikro-data.net>.
I don't see a 192.168.0.31:80 Directive. Since your webmail.home you
said was going to 192.168.0.31, and you don't have a virtual host setup
on it, this might be the problem. Also what does www.home bring up?
--James Hughbanks
Mikro-Data Engineering Dept.
support@mikro-data.net
1-866-457-6287
http://www.mikro-data.net