Posted to users@httpd.apache.org by Dan Schaefer <da...@performanceadmin.com> on 2009/12/11 16:49:54 UTC

[users@httpd] Questions about implementing SSL/VirtualHosts

Background info: My company's server's Apache is currently configured
without Virtual Hosts, which means any request in the *.example.com
domain (example.com is a placeholder here) that is not specifically
set up on our public DNS will be directed to our web server, and so
will any other DNS hack that points to our public IP, for that matter
(i.e. adding it to the hosts file). I.e. dan.example.com, example.com,
www.example.com all show the same site with a few minor differences
written in the code that resides in DocumentRoot.

My company is wanting to keep this configuration for port 80 and add an
SSL certificate for just the www.example.com and example.com hostnames.
Is it possible to have VirtualHosts for just the 443 port and still
allow *.example.com to react the same way it does now? Or will I have to
add a VirtualHost for every subdomain? If this is possible, what would
my httpd.conf configuration look like? Please let me know if you need
more information.

Thank you in advance,
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Questions about implementing SSL/VirtualHosts

Posted by Dan Schaefer <da...@performanceadmin.com>.
Peter Schober wrote:
> * Boyle Owen <Ow...@six-group.com> [2009-12-15 10:22]:
>>> -----Original Message-----
>>> From: Justin Pasher [mailto:justinp@newmediagateway.com]
>>> (a) Single FQDN, single DocumentRoot - Single IP.
>>> (b) Multiple FQDN, single DocumentRoot - Single IP, assuming cert
>>> supports all (sub)domains listed. Otherwise Multiple IP
>>> (c) Multiple FQDN, multiple DocumentRoot - Multiple IP addresses (one
>>> for each FQDN)
>>
>> Why is no-one mentioning the SubjectAltName solution
>> (http://marc.info/?l=apache-httpd-users&m=125889530300657&w=2)? Does it
>> not really work or is no-one actually using it?
>
> Because I'm tired of constantly repeating myself ;)
>
It sounds like the Apache list is a little crankier than other lists that
I'm subscribed to. ;-)

My situation is described in option (b) including the assumption. I
think I'm going to be OK. I will just plan on making the change on a
Sunday when our customers are not using our system (car dealerships).
Thanks all for your advice and insight.

Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.



Re: [users@httpd] Questions about implementing SSL/VirtualHosts

Posted by Peter Schober <pe...@univie.ac.at>.
* Boyle Owen <Ow...@six-group.com> [2009-12-15 10:22]:
> > -----Original Message-----
> > From: Justin Pasher [mailto:justinp@newmediagateway.com] 
> > (a) Single FQDN, single DocumentRoot - Single IP.
> > (b) Multiple FQDN, single DocumentRoot - Single IP, assuming cert 
> > supports all (sub)domains listed. Otherwise Multiple IP
> > (c) Multiple FQDN, multiple DocumentRoot - Multiple IP addresses (one 
> > for each FQDN)
> 
> Why is no-one mentioning the SubjectAltName solution
> (http://marc.info/?l=apache-httpd-users&m=125889530300657&w=2)? Does it
> not really work or is no-one actually using it?

Because I'm tired of constantly repeating myself ;)

But I guess it's actually contained in variant (b) listed above, since
all hostnames are listed in a single certificate. Just not using
wildcard certs (which our CA-contract does not allow, btw).

And yes, this works just fine (we're stuffing as many vhosts into a
cert as the CA allows and split off a new IP/certificate once that
overflows).
-peter



RE: [users@httpd] Questions about implementing SSL/VirtualHosts

Posted by Boyle Owen <Ow...@six-group.com>.
> -----Original Message-----
> From: Justin Pasher [mailto:justinp@newmediagateway.com] 
> 
> Many others have provided some information, but here's a 
> basic summary 
> (assuming no SNI support):
> 
> (a) Single FQDN, single DocumentRoot - Single IP.
> (b) Multiple FQDN, single DocumentRoot - Single IP, assuming cert 
> supports all (sub)domains listed. Otherwise Multiple IP
> (c) Multiple FQDN, multiple DocumentRoot - Multiple IP addresses (one 
> for each FQDN)

Why is no-one mentioning the SubjectAltName solution
(http://marc.info/?l=apache-httpd-users&m=125889530300657&w=2)? Does it
not really work or is no-one actually using it?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> 
> -- 
> Justin Pasher
> 


Re: [users@httpd] Questions about implementing SSL/VirtualHosts

Posted by Justin Pasher <ju...@newmediagateway.com>.
Dan Schaefer wrote:
> Does it help to mention that my example.com and www.example.com 
> certificates are the exact same cert? My apologies for not mentioning 
> this in the beginning. If and when we do add SSL to other subdomains, 
> they will be different certs. I *don't* see that happening in the near 
> future, however. Will I be able to use the same public IP for both 
> example.com and www.example.com?

Many others have provided some information, but here's a basic summary 
(assuming no SNI support):

(a) Single FQDN, single DocumentRoot - Single IP.
(b) Multiple FQDN, single DocumentRoot - Single IP, assuming cert 
supports all (sub)domains listed. Otherwise Multiple IP
(c) Multiple FQDN, multiple DocumentRoot - Multiple IP addresses (one 
for each FQDN)

-- 
Justin Pasher



Re: [users@httpd] Questions about implementing SSL/VirtualHosts

Posted by Dan Schaefer <da...@performanceadmin.com>.
Peter Schober wrote:
> * Roger <rn...@gmail.com> [2009-12-14 17:26]:
>> Is the content under example.com and www.example.com the same?
>> If it is, then just redirect all requests to example.com, www.example.com to one
>> location. You don't need two certificates. In my opinion, if it is the same
>> content then having multiple certificates is not cost effective.
>
> If both vhosts are accessed via https you'll need both covered, as the
> ssl connection happens before the redirect (as has been pointed out
> dozens of times in recent weeks),
> -peter
>
I'm sorry, but I just joined the list on Friday.

Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.


Re: [users@httpd] Questions about implementing SSL/VirtualHosts

Posted by Roger <rn...@gmail.com>.
>
> http://markmail.org/message/yr52ptnpgbocgvad
>
> But we should just push for SNI, I guess.
> -peter

Yea I agree.

-r



Re: [users@httpd] Questions about implementing SSL/VirtualHosts

Posted by Peter Schober <pe...@univie.ac.at>.
* Roger <rn...@gmail.com> [2009-12-14 17:47]:
> The situation that I was talking about is that if someone accesses
> http://example.com or http://www.example.com
> then they get redirected to either https://www.example.com OR https://example.com.

Sure.

> But of course, you cannot stop someone from trying to access
> https://www.example.com when you only have SSL for
> https://example.com or the other way around.

Given that hardly anyone ever types complete URLs including the
schema, sticking with a single SSL vhost and redirecting to that from
all the plain HTTP vhosts is very probably "good enough".

> But sometimes multiple public IPs are not an option.

http://markmail.org/message/yr52ptnpgbocgvad

But we should just push for SNI, I guess.
-peter



Re: [users@httpd] Questions about implementing SSL/VirtualHosts

Posted by Roger <rn...@gmail.com>.
> If both vhosts are accessed via https you'll need both covered, as the
> ssl connection happens before the redirect (as has been pointed out
> dozens of times in recent weeks),
> -peter
>

The situation that I was talking about is that if someone accesses
http://example.com or http://www.example.com
then they get redirected to either https://www.example.com OR https://example.com.

But of course, you cannot stop someone from trying to access
https://www.example.com when you only have SSL for https://example.com
or the other way around. But sometimes multiple public IPs are not an option.

-r



Re: [users@httpd] Questions about implementing SSL/VirtualHosts

Posted by Peter Schober <pe...@univie.ac.at>.
* Roger <rn...@gmail.com> [2009-12-14 17:26]:
> Is the content under example.com and www.example.com the same?
> If it is, then just redirect all requests to example.com, www.example.com to one
> location. You don't need two certificates. In my opinion, if it is the same
> content then having multiple certificates is not cost effective.

If both vhosts are accessed via https you'll need both covered, as the
ssl connection happens before the redirect (as has been pointed out
dozens of times in recent weeks),
-peter



Re: [users@httpd] Questions about implementing SSL/VirtualHosts

Posted by Dan Schaefer <da...@performanceadmin.com>.
Roger wrote:
>> Does it help to mention that my example.com and www.example.com certificates
>> are the exact same cert? My apologies for not mentioning this in the
>> beginning. If and when we do add SSL to other subdomains, they will be
>> different certs. I don't see that happening in the near future, however.
>> Will I be able to use the same public IP for both example.com and
>> www.example.com?
>
> Is the content under example.com and www.example.com the same?
> If it is, then just redirect all requests to example.com, www.example.com to one
> location. You don't need two certificates. In my opinion, if it is the same
> content then having multiple certificates is not cost effective.
>
> -r
>
Roger,
You make a good point. Yes, the DocumentRoot is the exact same and shows 
the same content.  In fact, as stated in my OP, although not very clear, 
all http and https sites will have the same DocumentRoot on this server. 
Will the said redirect need to be a htaccess rule?

Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.



Re: [users@httpd] Questions about implementing SSL/VirtualHosts

Posted by Roger <rn...@gmail.com>.
>
> Does it help to mention that my example.com and www.example.com certificates
> are the exact same cert? My apologies for not mentioning this in the
> beginning. If and when we do add SSL to other subdomains, they will be
> different certs. I don't see that happening in the near future, however.
> Will I be able to use the same public IP for both example.com and
> www.example.com?

Is the content under example.com and www.example.com the same?
If it is, then just redirect all requests to example.com, www.example.com to one
location. You don't need two certificates. In my opinion, if it is the same
content then having multiple certificates is not cost effective.

-r



Re: [users@httpd] Questions about implementing SSL/VirtualHosts

Posted by Dan Schaefer <da...@performanceadmin.com>.
Justin Pasher wrote:
> Dan Schaefer wrote:
>> So are you suggesting that I need multiple public IPs to implement
>> this, or just multiple private IPs? Private IPs are not a problem;
>> however, due to the fact that we have limited public IPs in our
>> range, it could be a problem if and when we add new SSL certs.
>> We would need to re-evaluate our ISP contract before it expires.
>
> You will need a unique public IP address for each SSL site (e.g. FQDN) 
> you are planning on running, unless you have a wildcard cert for 
> multiple subdomains that should all pull the same VirtualHost content. 
> Since SSL encrypts all of the data sent between the server, including 
> the Host: header, there's no way for Apache to know which VirtualHost 
> should handle the request unless it is IP based. SNI[1] is a new 
> extension that allows the Host header to be sent separately, thus 
> eliminating the need for dedicated IP addresses, but it does not have 
> universal browser support (most notably for IE 7.0 only on Vista or 
> higher).
>
> Now, if these sites are being used by the general public, then you 
> don't have to assign unique public IP addresses, assuming the sites 
> are only being accessed through the private IP address on the local 
> network.
>
>
> [1] http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
>
Does it help to mention that my example.com and www.example.com 
certificates are the exact same cert? My apologies for not mentioning 
this in the beginning. If and when we do add SSL to other subdomains, 
they will be different certs. I *don't* see that happening in the near 
future, however. Will I be able to use the same public IP for both 
example.com and www.example.com?

Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.


Re: [users@httpd] Questions about implementing SSL/VirtualHosts

Posted by Justin Pasher <ju...@newmediagateway.com>.
Dan Schaefer wrote:
> So are you suggesting that I need multiple public IPs to implement
> this, or just multiple private IPs? Private IPs are not a problem;
> however, due to the fact that we have limited public IPs in our range,
> it could be a problem if and when we add new SSL certs. We would
> need to re-evaluate our ISP contract before it expires.

You will need a unique public IP address for each SSL site (e.g. FQDN) 
you are planning on running, unless you have a wildcard cert for 
multiple subdomains that should all pull the same VirtualHost content. 
Since SSL encrypts all of the data sent between the server, including 
the Host: header, there's no way for Apache to know which VirtualHost 
should handle the request unless it is IP based. SNI[1] is a new 
extension that allows the Host header to be sent separately, thus 
eliminating the need for dedicated IP addresses, but it does not have 
universal browser support (most notably for IE 7.0 only on Vista or higher).

Now, if these sites are being used by the general public, then you don't 
have to assign unique public IP addresses, assuming the sites are only 
being accessed through the private IP address on the local network.


[1] http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

-- 
Justin Pasher
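Added example (not from any post in this thread) of the alternative Justin's footnote [1] points to: name-based SSL vhosts on one IP, picked by the SNI hostname, so a later subdomain such as dan.example.com can carry its own certificate without a second public IP. It assumes httpd 2.2.12 or later built against an OpenSSL with TLS extension support and SNI-capable clients (the thread notes the browser gap at the time); the IP address, DocumentRoot and certificate paths are placeholders.

```apache
Listen 443

# Name-based SSL vhosts need NameVirtualHost on the 443 address so that
# httpd matches the hostname from the client's SNI extension against
# ServerName/ServerAlias before the certificate is sent.
NameVirtualHost 12.34.56.78:443

# The first vhost for this IP:port is the default: a client that sends
# no SNI extension completes the handshake with THIS certificate, so the
# names the most clients use belong here.
<VirtualHost 12.34.56.78:443>
    ServerName  www.example.com
    ServerAlias example.com
    DocumentRoot /var/www/html
    SSLEngine on
    # placeholder paths; one certificate listing both names
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
</VirtualHost>

# A later subdomain with its own certificate on the SAME IP. Only
# SNI-capable clients can reach it; a non-SNI client asking for this
# name is still handed the default vhost's certificate above and will
# see a hostname mismatch warning.
<VirtualHost 12.34.56.78:443>
    ServerName dan.example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/dan.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/dan.example.com.key
</VirtualHost>
```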



Re: [users@httpd] Questions about implementing SSL/VirtualHosts

Posted by Dan Schaefer <da...@performanceadmin.com>.
Justin Pasher wrote:
> Serge Fonville wrote:
>> Hi,
>>
>>>> My company is wanting to keep this configuration for port 80 and
>>>> add an SSL certificate for just the www.example.com and example.com
>>>> hostnames. Is it possible to have Virtualhosts for just the 443
>>>> port and still allow *.example.com to react the same way it does now?
>>>
>>> Yes, it is. However, you'll generally need separate IP addresses for
>>> www.example.com and example.com. Then just define the virtual hosts
>>>
>>> <VirtualHost 12.34.56.78:443>
>>> </VirtualHost>
>>> <VirtualHost 12.34.56.79:443>
>>> </VirtualHost>
>>
>> Not necessarily,
>>
>> You can use virtualdocumentroot instead of virtualhosts.
>> Almost all config in virtualhosts directives can also be done in
>> htaccess, which you can even put one level higher.
>
> I believe he recommended multiple VirtualHost containers because the
> OP was asking about essentially two SSL sites (www.example.com and
> example.com), which requires individual IP addresses to get universal
> browser support (i.e. without SNI). Even with a wildcard cert for
> *.example.com, I don't believe that will work for example.com.
>
So are you suggesting that I need multiple public IPs to implement this,
or just multiple private IPs? Private IPs are not a problem; however, due
to the fact that we have limited public IPs in our range, it could be a
problem if and when we add new SSL certs. We would need to
re-evaluate our ISP contract before it expires.

Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.




Re: [users@httpd] Questions about implementing SSL/VirtualHosts

Posted by Justin Pasher <ju...@newmediagateway.com>.
Serge Fonville wrote:
> Hi,
>
>>> My company is wanting to keep this configuration for port 80 and add an
>>> SSL certificate for just the www.example.com and example.com hostnames. Is
>>> it possible to have Virtualhosts for just the 443 port and still allow
>>> *.example.com to react the same way it does now?
>>
>> Yes, it is. However, you'll generally need separate IP addresses for
>> www.example.com and example.com. Then just define the virtual hosts
>>
>> <VirtualHost 12.34.56.78:443>
>> </VirtualHost>
>> <VirtualHost 12.34.56.79:443>
>> </VirtualHost>
>
> Not necessarily,
>
> You can use virtualdocumentroot instead of virtualhosts.
> Almost all config in virtualhosts directives can also be done in
> htaccess, which you can even put one level higher.

I believe he recommended multiple VirtualHost containers because the OP
was asking about essentially two SSL sites (www.example.com and
example.com), which requires individual IP addresses to get universal
browser support (i.e. without SNI). Even with a wildcard cert for
*.example.com, I don't believe that will work for example.com.


-- 
Justin Pasher



Re: [users@httpd] Questions about implementing SSL/VirtualHosts

Posted by Serge Fonville <se...@gmail.com>.
Hi,

>> My company is wanting to keep this configuration for port 80 and add an
>> SSL certificate for just the www.example.com and example.com hostnames. Is
>> it possible to have Virtualhosts for just the 443 port and still allow
>> *.example.com to react the same way it does now?
>
> Yes, it is. However, you'll generally need separate IP addresses for
> www.example.com and example.com. Then just define the virtual hosts
>
> <VirtualHost 12.34.56.78:443>
> </VirtualHost>
> <VirtualHost 12.34.56.79:443>
> </VirtualHost>

Not necessarily,

You can use virtualdocumentroot instead of virtualhosts.
Almost all config in virtualhosts directives can also be done in
htaccess, which you can even put one level higher.

HTH

Regards,

Serge Fonville


-- 
http://www.sergefonville.nl

Convince Google!!
They need to support Adsense over SSL
https://www.google.com/adsense/support/bin/answer.py?hl=en&answer=10528
http://www.google.com/support/forum/p/AdSense/thread?tid=1884bc9310d9f923&hl=en



Re: [users@httpd] Questions about implementing SSL/VirtualHosts

Posted by Toomas Aas <to...@raad.tartu.ee>.
Dan Schaefer wrote:

> My company is wanting to keep this configuration for port 80 and add an 
> SSL certificate for just the www.example.com and example.com hostnames. 
> Is it possible to have Virtualhosts for just the 443 port and still 
> allow *.example.com to react the same way it does now? 

Yes, it is. However, you'll generally need separate IP addresses for 
www.example.com and example.com. Then just define the virtual hosts

<VirtualHost 12.34.56.78:443>
</VirtualHost>
<VirtualHost 12.34.56.79:443>
</VirtualHost>

--
Toomas Aas

... Someday we'll look back on all this and plow into a parked car.
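The layout the thread converges on, written out as an added example that is not from any of the posts: port 80 is left to the main server, so every *.example.com name keeps behaving exactly as it does today, and a single IP-based VirtualHost on 443 carries one certificate whose subjectAltName lists both example.com and www.example.com (Justin's variant (b), the SubjectAltName approach Peter confirms works), with Roger's http-to-https redirect done in httpd.conf rather than .htaccess. It assumes httpd 2.2 with mod_ssl and mod_rewrite loaded; the IP address, DocumentRoot and certificate paths are placeholders.

```apache
# --- Main server, no port-80 VirtualHost at all -------------------------
# Without a <VirtualHost *:80>, every request arriving on port 80, whatever
# Host header it carries (dan.example.com, the bare IP, a hosts-file
# alias), is served by the main server from this DocumentRoot, which is
# the behaviour the OP wants to keep.
Listen 80
ServerName   www.example.com
DocumentRoot /var/www/html

# Optional: Roger's redirect. Only the two names the certificate covers
# are sent to HTTPS; other subdomains stay on plain HTTP, because sending
# them to https:// would produce a certificate-name mismatch in browsers.
# Rules in server context apply to the main server only; the 443 vhost
# below does not inherit them, so there is no redirect loop.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^(www\.)?example\.com$ [NC]
RewriteRule ^/(.*)$ https://www.example.com/$1 [R=301,L]

# --- Port 443 only: one IP-based VirtualHost ----------------------------
# No NameVirtualHost for 443, so vhost selection is purely by IP:port.
# Without SNI the server must pick a certificate before it sees the Host
# header, so this one certificate has to be valid for BOTH names
# (subjectAltName: DNS:example.com, DNS:www.example.com). A wildcard
# *.example.com cert alone would not match the bare example.com, which is
# why Justin's summary says a second IP is needed unless the cert covers
# all names listed.
Listen 443
<VirtualHost 12.34.56.78:443>
    ServerName   www.example.com
    ServerAlias  example.com
    DocumentRoot /var/www/html

    SSLEngine on
    # placeholder paths
    SSLCertificateFile      /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/example.com.key
    SSLCertificateChainFile /etc/ssl/certs/ca-chain.crt
</VirtualHost>
```

Adding SSL for a further subdomain later means either a new certificate that lists it in its subjectAltName (still one IP, as Peter describes) or a second `<VirtualHost other.ip:443>` on its own IP, as in Toomas's two-IP skeleton.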
