Posted to users@httpd.apache.org by Roland Wegmann <go...@gmx.net> on 2013/05/17 08:26:00 UTC

[users@httpd] Security using alias directive in a https vhost

Dear apache2 experts

I run three name-based apache2 vhosts on an Ubuntu 12.04 LTS server.
I can reach all three vhosts from the internet using https and FQDN.
My CA is CACert and I adapted the original default-ssl (in 
sites-available) config file for my three vhosts.

So let's call the three name-based vhosts

example.com
foo1.example.com
foo2.example.com

for example. I can reach them from the internet using

https://example.com
https://foo1.example.com
https://foo2.example.com

Now I have added two alias directives in the vhost config file of example.com

Alias /foo1 "/var/www/foo1.example.com/public"
<Directory "/var/www/foo1.example.com/public/">
Options Indexes MultiViews FollowSymLinks
AllowOverride all
Order allow,deny
Allow from all
</Directory>

Alias /foo2 "/var/www/foo2.example.com/public"
<Directory "/var/www/foo2.example.com/public/">
Options Indexes MultiViews FollowSymLinks
AllowOverride all
Order allow,deny
Allow from all
</Directory>

so I can reach the three vhosts using

https://example.com
https://example.com/foo1
https://example.com/foo2

Now my question is: when I use the alias directives for foo1 and foo2, 
what happens with the SSL encryption in relation to foo1 and foo2? Do 
foo1 and foo2 use the SSL encryption from example.com? Or are logins and 
the data exchange from and to foo1 and foo2 unencrypted?

Kind regards, Roland

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Security using alias directive in a https vhost

Posted by Tom Evans <te...@googlemail.com>.
On Fri, May 17, 2013 at 7:26 AM, Roland Wegmann <go...@gmx.net> wrote:
> Dear apache2 experts
>
> I run three name-based apache2 vhosts on an Ubuntu 12.04 LTS server.
> I can reach all three vhosts from the internet using https and FQDN.
> My CA is CACert and I adapted the original default-ssl (in sites-available)
> config file for my three vhosts.
>
> So let's call the three name-based vhosts
>
> example.com
> foo1.example.com
> foo2.example.com
>
> for example. I can reach them from the internet using
>
> https://example.com
> https://foo1.example.com
> https://foo2.example.com
>
> Now I have added two alias directives in the vhost config file of example.com
>
> Alias /foo1 "/var/www/foo1.example.com/public"
> <Directory "/var/www/foo1.example.com/public/">
> Options Indexes MultiViews FollowSymLinks
> AllowOverride all
> Order allow,deny
> Allow from all
> </Directory>
>
> Alias /foo2 "/var/www/foo2.example.com/public"
> <Directory "/var/www/foo2.example.com/public/">
> Options Indexes MultiViews FollowSymLinks
> AllowOverride all
> Order allow,deny
> Allow from all
> </Directory>
>
> so I can reach the three vhosts using
>
> https://example.com
> https://example.com/foo1
> https://example.com/foo2


No you cannot. You can reach exactly one vhost, 'example.com'. You can
access the files that are served from the other vhosts in this
'example.com' vhost, but they are not served from the other vhost,
they are served from the 'example.com' vhost - nothing in the vhost
configuration is looked at or considered.

>
> Now my question is: when I use the alias directives for foo1 and foo2, what
> happens with the SSL encryption in relation to foo1 and foo2? Do foo1 and
> foo2 use the SSL encryption from example.com? Or are logins and the data
> exchange from and to foo1 and foo2 unencrypted?
>

There is no exchange from example.com to/from foo1/foo2. The files are
served from example.com vhost, and so only directives that apply to
the example.com vhost are relevant.

Cheers

Tom
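
Added example (not part of either message, and not Apache's own code): a simplified Python model of the mapping described in the reply above, where the vhost is chosen from the port and Host header and Alias only changes which directory that vhost reads from. The config is a constructed sample in which foo1.example.com is deliberately a plain-HTTP vhost on port 80, unlike in the thread, so the result shows that TLS comes from the vhost that accepted the request; parse_vhosts and resolve are hypothetical names.

```python
import re

# Constructed sample config modelled on the thread (certificate lines omitted).
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    DocumentRoot /var/www/example.com/public
    Alias /foo1 "/var/www/foo1.example.com/public"
    Alias /foo2 "/var/www/foo2.example.com/public"
</VirtualHost>
<VirtualHost *:80>
    ServerName foo1.example.com
    DocumentRoot /var/www/foo1.example.com/public
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return one dict per <VirtualHost> block, in file order."""
    vhosts = []
    for port, body in re.findall(r"<VirtualHost\s+\S*?:(\d+)>(.*?)</VirtualHost>", conf, re.S | re.I):
        vh = {"port": int(port), "name": None, "ssl": False, "docroot": None, "aliases": []}
        for line in body.splitlines():
            parts = line.replace('"', "").split()
            if not parts:
                continue
            key, args = parts[0].lower(), parts[1:]
            if key == "servername":
                vh["name"] = args[0].lower()
            elif key == "sslengine":
                vh["ssl"] = args[0].lower() == "on"
            elif key == "documentroot":
                vh["docroot"] = args[0]
            elif key == "alias":
                vh["aliases"].append((args[0], args[1]))
        vhosts.append(vh)
    return vhosts

def resolve(vhosts, host, port, path):
    """Pick the vhost by port and Host header, then map the URL path inside it."""
    candidates = [v for v in vhosts if v["port"] == port]
    # No ServerName match: the first vhost listed for that port is the default.
    vh = next((v for v in candidates if v["name"] == host.lower()), candidates[0])
    for prefix, target in vh["aliases"]:
        # Alias matches whole path segments: /foo1 and /foo1/x, not /foo1x.
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            return vh["name"], vh["ssl"], target + path[len(prefix):]
    return vh["name"], vh["ssl"], vh["docroot"] + path
```

resolve() returns (serving vhost, TLS on/off, file path): a request for /foo1/login.php on example.com:443 reads from the foo1 directory but is served and encrypted by the example.com vhost, while the same file requested through foo1.example.com:80 is not encrypted.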
