Posted to users@httpd.apache.org by Jonathan Mast <jh...@gmail.com> on 2009/12/18 16:27:37 UTC

[users@httpd] Enabling SSL on VirtualHosts Revisited

There's a problem with the 2 VirtualHost entries I had to add for SSL.  Now
every request to httpd is being handled by these VirtualHosts, even requests
with hostnames that don't match them.

Here's my current config:

<VirtualHost *>
    ServerName blah.mysite.com
    ...

<VirtualHost foo.mysite.com:80>
    ServerName foo.mysite.com
    ...

<VirtualHost foo.mysite.com:443>
    ServerName foo.mysite.com
    ...
    SSL stuff

<VirtualHost *>
    ServerName bar.othersite.com
    ...

Since I added the 2 for foo.mysite.com, EVERY request is handled by
foo.mysite.com, even those for blah.mysite.com and bar.mysite.com.  Even
after changing the first one to <VirtualHost blah.mysite.com:80>, httpd
would still try to use foo.mysite.com for http://blah.mysite.com/test.html!!!

Any ideas?

httpd 2.2

Re: [users@httpd] Enabling SSL on VirtualHosts Revisited

Posted by Frank Gingras <fr...@gmail.com>.
Jonathan Mast wrote:
> There's a problem with the 2 VirtualHost entries I had to add for SSL.  Now
> every request to httpd is being handled by these VirtualHosts, even requests
> with hostnames that don't match them.
>
> Here's my current config:
>
> <VirtualHost *>
>     ServerName blah.mysite.com
>     ...
>
> <VirtualHost foo.mysite.com:80>
>     ServerName foo.mysite.com
>     ...
>
> <VirtualHost foo.mysite.com:443>
>     ServerName foo.mysite.com
>     ...
>     SSL stuff
>
> <VirtualHost *>
>     ServerName bar.othersite.com
>     ...
>
> Since I added the 2 for foo.mysite.com, EVERY request is handled by
> foo.mysite.com, even those for blah.mysite.com and bar.mysite.com.  Even
> after changing the first one to <VirtualHost blah.mysite.com:80>, httpd
> would still try to use foo.mysite.com for http://blah.mysite.com/test.html!!!
>
> Any ideas?
>
> httpd 2.2
>
>   
Hello Jonathan,

You should only use <VirtualHost *:PORT> or <VirtualHost IP:PORT> when 
setting up vhosts.

Also, you'll need a NameVirtualHost that matches that IP:PORT if you use 
more than one virtual host on that port.

Finally, when doing name-based vhosts with SSL, note that the 
certificate for the first listed virtual host will always be used, 
unless you implement SNI.

Frank.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: Enabling SSL on VirtualHosts Revisited

Posted by Frank Gingras <fr...@gmail.com>.
Jonathan Mast wrote:
> Frank, I've always used the ServerName directive, here's what my configs
> look like:
> NameVirtualHost foo.mysite.com:80
> <VirtualHost foo.mysite.com:80>
>     ServerName   foo.mysite.com
>
> </VirtualHost>
>
> NameVirtualHost foo.mysite.com:443
> <VirtualHost foo.mysite.com:443>
>     ServerName   foo.mysite.com
>
>     SSL Stuff...
> </VirtualHost>
>
> My question was specifically why putting the hostname as opposed to the addr
> in the NameVirtualHost was discouraged in the docs (they don't explain it
> any further)?
>
>
> On Fri, Dec 18, 2009 at 11:41 AM, Frank Gingras
> <fr...@gmail.com> wrote:
>
>   
>> Jonathan Mast wrote:
>>
>>     
>>> OK, so I added NameVirtualHost foo.mysite.com:80 and NameVirtualHost
>>> foo.mysite.com:443 above their respective sections and it seems to work
>>> despite not being recommended as per the docs, but this was the only way
>>> to
>>> do it because all my domains: mysite.com, othersite.com, etc point to a
>>> single IP.
>>>
>>> Any idea on why using hostnames in NameVirtualHost directives is not
>>> recommended?  Is this something that could come back and bite me?
>>>
>>> Thanks for the help!
>>>
>>> On Fri, Dec 18, 2009 at 10:34 AM, Philip Wigg <ph...@philipwigg.co.uk>
>>> wrote:
>>>
>>>
>>>
>>>       
>>>> Possibly the information you need is here:-
>>>>
>>>> http://httpd.apache.org/docs/2.2/vhosts/name-based.html
>>>>
>>>> When adding a name-based Virtual Host the...
>>>>
>>>> "Main host goes away
>>>>
>>>> If you are adding virtual hosts to an existing web server, you must
>>>> also create a <VirtualHost> block for the existing host. The
>>>> ServerName and DocumentRoot included in this virtual host should be
>>>> the same as the global ServerName and DocumentRoot. List this virtual
>>>> host first in the configuration file so that it will act as the
>>>> default host."
>>>>
>>>> Cheers,
>>>> Phil.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>         
>>>
>>>       
>> Jonathan,
>>
>> Using a hostname in the <VirtualHost> line will activate DNS resolution for
>> EVERY HTTP request. Surely, you don't want that to happen.
>>
>> Instead, use a ServerName in your virtual host.
>>
>> Frank.
>>
>>
>>
>>
>>     
>
>   
I believe the fact I just gave you was compelling enough; a DNS lookup 
for every HTTP request is *extremely* expensive. You don't want that to 
happen.



Re: [users@httpd] Re: Enabling SSL on VirtualHosts Revisited

Posted by Eric Covener <co...@gmail.com>.
On Fri, Dec 18, 2009 at 12:06 PM, Jonathan Mast
<jh...@gmail.com> wrote:
> Frank, I've always used the ServerName directive, here's what my configs
> look like:
> NameVirtualHost foo.mysite.com:80
> <VirtualHost foo.mysite.com:80>
>     ServerName   foo.mysite.com
>
> </VirtualHost>
>
> NameVirtualHost foo.mysite.com:443
> <VirtualHost foo.mysite.com:443>
>     ServerName   foo.mysite.com
>
>     SSL Stuff...
> </VirtualHost>
>
> My question was specifically why putting the hostname as opposed to the addr
> in the NameVirtualHost was discouraged in the docs (they don't explain it
> any further)?

It's just unnecessarily confusing, because anyone looking at your
config needs to know what set of addresses that resolved to when you
started your webserver.   It's also going to mysteriously send
requests to the base server config, or other vhosts, when you get a
request for that hostname that arrives on a different interface.

Most people who a) have vhost trouble and b) put hostnames as the
first parm in VirtualHost are misunderstanding name-based virtualhosts
configuration.  Most of them don't even need to discriminate between
IP addresses at all, and should just have *:port.

-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] Re: Enabling SSL on VirtualHosts Revisited

Posted by Jonathan Mast <jh...@gmail.com>.
Frank, I've always used the ServerName directive, here's what my configs
look like:
NameVirtualHost foo.mysite.com:80
<VirtualHost foo.mysite.com:80>
    ServerName   foo.mysite.com

</VirtualHost>

NameVirtualHost foo.mysite.com:443
<VirtualHost foo.mysite.com:443>
    ServerName   foo.mysite.com

    SSL Stuff...
</VirtualHost>

My question was specifically why putting the hostname as opposed to the addr
in the NameVirtualHost was discouraged in the docs (they don't explain it
any further)?


On Fri, Dec 18, 2009 at 11:41 AM, Frank Gingras
<fr...@gmail.com> wrote:

> Jonathan Mast wrote:
>
>> OK, so I added NameVirtualHost foo.mysite.com:80 and NameVirtualHost
>> foo.mysite.com:443 above their respective sections and it seems to work
>> despite not being recommended as per the docs, but this was the only way
>> to
>> do it because all my domains: mysite.com, othersite.com, etc point to a
>> single IP.
>>
>> Any idea on why using hostnames in NameVirtualHost directives is not
>> recommended?  Is this something that could come back and bite me?
>>
>> Thanks for the help!
>>
>> On Fri, Dec 18, 2009 at 10:34 AM, Philip Wigg <ph...@philipwigg.co.uk>
>> wrote:
>>
>>
>>
>>> Possibly the information you need is here:-
>>>
>>> http://httpd.apache.org/docs/2.2/vhosts/name-based.html
>>>
>>> When adding a name-based Virtual Host the...
>>>
>>> "Main host goes away
>>>
>>> If you are adding virtual hosts to an existing web server, you must
>>> also create a <VirtualHost> block for the existing host. The
>>> ServerName and DocumentRoot included in this virtual host should be
>>> the same as the global ServerName and DocumentRoot. List this virtual
>>> host first in the configuration file so that it will act as the
>>> default host."
>>>
>>> Cheers,
>>> Phil.
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
> Jonathan,
>
> Using a hostname in the <VirtualHost> line will activate DNS resolution for
> EVERY HTTP request. Surely, you don't want that to happen.
>
> Instead, use a ServerName in your virtual host.
>
> Frank.
>
>
>
>

Re: [users@httpd] Re: Enabling SSL on VirtualHosts Revisited

Posted by Frank Gingras <fr...@gmail.com>.
Jonathan Mast wrote:
> OK, so I added NameVirtualHost foo.mysite.com:80 and NameVirtualHost
> foo.mysite.com:443 above their respective sections and it seems to work
> despite not being recommended as per the docs, but this was the only way to
> do it because all my domains: mysite.com, othersite.com, etc point to a
> single IP.
>
> Any idea on why using hostnames in NameVirtualHost directives is not
> recommended?  Is this something that could come back and bite me?
>
> Thanks for the help!
>
> On Fri, Dec 18, 2009 at 10:34 AM, Philip Wigg <ph...@philipwigg.co.uk> wrote:
>
>   
>> Possibly the information you need is here:-
>>
>> http://httpd.apache.org/docs/2.2/vhosts/name-based.html
>>
>> When adding a name-based Virtual Host the...
>>
>> "Main host goes away
>>
>> If you are adding virtual hosts to an existing web server, you must
>> also create a <VirtualHost> block for the existing host. The
>> ServerName and DocumentRoot included in this virtual host should be
>> the same as the global ServerName and DocumentRoot. List this virtual
>> host first in the configuration file so that it will act as the
>> default host."
>>
>> Cheers,
>> Phil.
>>
>>
>>
>>     
>
>   
Jonathan,

Using a hostname in the <VirtualHost> line will activate DNS resolution 
for EVERY HTTP request. Surely, you don't want that to happen.

Instead, use a ServerName in your virtual host.

Frank.



Re: [users@httpd] Re: Enabling SSL on VirtualHosts Revisited

Posted by Justin Pasher <ju...@newmediagateway.com>.
Jonathan Mast wrote:
> OK, so I added NameVirtualHost foo.mysite.com:80 and NameVirtualHost
> foo.mysite.com:443 above their respective sections and it seems to work
> despite not being recommended as per the docs, but this was the only
> way to do it because all my domains: mysite.com, othersite.com, etc
> point to a single IP.
>
> Any idea on why using hostnames in NameVirtualHost directives is not 
> recommended?  Is this something that could come back and bite me?

Sounds like there may be some confusion on the best way to set this up. 
Assuming your IP address is 1.2.3.4, you should set it up as follows:

------------------------------

NameVirtualHost 1.2.3.4:80

<VirtualHost 1.2.3.4:80>
    ServerName blah.mysite.com
    ...
</VirtualHost>

<VirtualHost 1.2.3.4:80>
    ServerName foo.mysite.com
    ...
</VirtualHost>

<VirtualHost 1.2.3.4:443>
    ServerName foo.mysite.com
    ...
    SSL stuff
</VirtualHost>

<VirtualHost 1.2.3.4:80>
    ServerName bar.othersite.com
    ...
</VirtualHost>


------------------------------

If your IP address changes, you can substitute * for the IP address in 
all locations for port 80. I've had trouble myself using *:443 for SSL, 
so it may not be supported. As pointed out, using the hostname in the 
NameVirtualHost and <VirtualHost> directives is not recommended (DNS 
lookups).

-- 
Justin Pasher




Re: [users@httpd] Re: Enabling SSL on VirtualHosts Revisited

Posted by Jonathan Mast <jh...@gmail.com>.
OK, so I added NameVirtualHost foo.mysite.com:80 and NameVirtualHost
foo.mysite.com:443 above their respective sections and it seems to work
despite not being recommended as per the docs, but this was the only way to
do it because all my domains: mysite.com, othersite.com, etc point to a
single IP.

Any idea on why using hostnames in NameVirtualHost directives is not
recommended?  Is this something that could come back and bite me?

Thanks for the help!

On Fri, Dec 18, 2009 at 10:34 AM, Philip Wigg <ph...@philipwigg.co.uk> wrote:

> Possibly the information you need is here:-
>
> http://httpd.apache.org/docs/2.2/vhosts/name-based.html
>
> When adding a name-based Virtual Host the...
>
> "Main host goes away
>
> If you are adding virtual hosts to an existing web server, you must
> also create a <VirtualHost> block for the existing host. The
> ServerName and DocumentRoot included in this virtual host should be
> the same as the global ServerName and DocumentRoot. List this virtual
> host first in the configuration file so that it will act as the
> default host."
>
> Cheers,
> Phil.
>
>
>

Re: [users@httpd] Re: Enabling SSL on VirtualHosts Revisited

Posted by Philip Wigg <ph...@philipwigg.co.uk>.
Possibly the information you need is here:-

http://httpd.apache.org/docs/2.2/vhosts/name-based.html

When adding a name-based Virtual Host the...

"Main host goes away

If you are adding virtual hosts to an existing web server, you must
also create a <VirtualHost> block for the existing host. The
ServerName and DocumentRoot included in this virtual host should be
the same as the global ServerName and DocumentRoot. List this virtual
host first in the configuration file so that it will act as the
default host."

Cheers,
Phil.



[users@httpd] Re: Enabling SSL on VirtualHosts Revisited

Posted by Dan Poirier <po...@pobox.com>.
If one or more virtual host entries match the address:port for the
request, but no server names in those entries match, then the first
virtual host definition in the config file, not the global
configuration, will control handling for that request.
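
The selection rule discussed in this thread, as an added example that is not part of the original messages and not httpd's own code: a simplified Python model of how httpd 2.2 picks a virtual host (local address first, Host header only when that address is named by NameVirtualHost). The address 1.2.3.4 comes from Justin Pasher's reply; `VHost`, `select_vhost` and the two config lists are hypothetical names, and the hostname in `<VirtualHost foo.mysite.com:80>` is assumed to have resolved to that address at startup.

```python
from collections import namedtuple

# Simplified model of httpd 2.2 vhost selection (illustration, not httpd code).
# addr is an IP or "*"; port is an int or None for "any port".
VHost = namedtuple("VHost", "addr port server_name")

def select_vhost(vhosts, name_vhosts, local_ip, local_port, host_header):
    """Return the ServerName of the vhost that would serve one request.

    vhosts      -- VHost entries in config-file order
    name_vhosts -- set of (addr, port) pairs named by NameVirtualHost
    """
    def on_address(addr):
        return [v for v in vhosts
                if v.addr == addr and v.port in (None, local_port)]

    # Step 1: the local address the client connected to picks the candidates;
    # a specific IP is tried before the "*" wildcard.
    for addr in (local_ip, "*"):
        candidates = on_address(addr)
        if candidates:
            break
    else:
        return "(main server)"

    # Step 2: the Host header is consulted only for NameVirtualHost addresses.
    name_based = any(a == addr and p in (None, local_port)
                     for a, p in name_vhosts)
    if name_based:
        wanted = (host_header or "").split(":")[0].lower()
        for v in candidates:
            if v.server_name.lower() == wanted:
                return v.server_name
    # IP-based address, or no ServerName matched: first listed vhost wins.
    return candidates[0].server_name

IP = "1.2.3.4"  # example address from the thread

# First config in the thread, with foo.mysite.com already resolved to IP.
ORIGINAL = [VHost("*", None, "blah.mysite.com"),
            VHost(IP, 80, "foo.mysite.com"),
            VHost(IP, 443, "foo.mysite.com"),
            VHost("*", None, "bar.othersite.com")]

# Layout from Justin Pasher's reply: NameVirtualHost 1.2.3.4:80.
FIXED = [VHost(IP, 80, "blah.mysite.com"),
         VHost(IP, 80, "foo.mysite.com"),
         VHost(IP, 443, "foo.mysite.com"),
         VHost(IP, 80, "bar.othersite.com")]
FIXED_NVH = {(IP, 80)}

if __name__ == "__main__":
    for host in ("blah.mysite.com", "bar.othersite.com", "unknown.example"):
        print(host, "->", select_vhost(ORIGINAL, set(), IP, 80, host),
              "|", select_vhost(FIXED, FIXED_NVH, IP, 80, host))
```

In this model a request for foo.mysite.com that arrives on an address other than 1.2.3.4 returns "(main server)", which is the behaviour Eric Covener describes for requests arriving on a different interface.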
