Posted to users@httpd.apache.org by Grant <em...@gmail.com> on 2010/10/01 23:04:28 UTC

[users@httpd] Options for multiple SSL domains on 1 server

I need to set up SSL certificates for multiple domain names on a
single server.  I've done some research and I think these are my
options:

1. use multiple IPs
drawbacks: requires separate apache2 config for each SSL domain, extra
IPs must be allocated by the hosting company

2. use multiple ports
drawbacks: requires separate apache2 & firewall config for each SSL
domain, port numbers look weird in the URL

3. Server Name Indication
drawbacks: browser support is not widespread enough yet

4. X.509 v3 with subjectAltName
drawbacks: ???

Are there other options?  Are there drawbacks to relying on X.509 v3
with subjectAltName, or is that the way to go?

- Grant

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Options for multiple SSL domains on 1 server

Posted by Grant <em...@gmail.com>.
>> The "virtualhost for each SSL host" is what I mean by separate
>> apache2
>> configs.  I'd like to be able to define different domain names on the
>> fly within my perl scripts without changing apache2 config.  Maybe
>> we're just not there yet?
>
> You can also use things like mod_macro to enable that kind of flexibility.

I looked at mod_macro but it seems to essentially be a framework for
setting and reading variable values within the apache2 config files.
What I'd like to do is allow new SSL domains to be defined from the
web in an automatic fashion without the need for SSH access.  At this
point I'm thinking something that generates a new vhost config file
for each domain name would be perfect.  It could use a template for
each file and just change the IP address and SSL certificate/key
references.  Does something like this exist?

I've read references to "pre-processing apache2 config files with
perl".  Is that the way to go here?

- Grant


>> Why would you use multiple IPs instead of X.509 v3 with
>> subjectAltName?  Does subjectAltName have any drawbacks?
>
> Though more widely spread, it's the same as for SNI:
> it's not supported by all browsers/libraries.
>
> One example that comes to my mind is serf.



Re: [users@httpd] Options for multiple SSL domains on 1 server

Posted by Igor Galić <i....@brainsware.org>.
----- "Grant" <em...@gmail.com> wrote:

> >> I need to set up SSL certificates for multiple domain names on a
> >> single server.  I've done some research and I think these are my
> >> options:
> >>
> >> 1. use multiple IPs
> >> drawbacks: requires separate apache2 config for each SSL domain,
> extra
> >> IPs must be allocated by the hosting company
> >>
> >> 2. use multiple ports
> >> drawbacks: requires separate apache2 & firewall config for each
> SSL
> >> domain, port numbers look weird in the URL
> >>
> >> 3. Server Name Indication
> >> drawbacks: browser support is not widespread enough yet
> >>
> >> 4. X.509 v3 with subjectAltName
> >> drawbacks: ???
> >>
> >> Are there other options?  Are there drawbacks to relying on X.509
> v3
> >> with subjectAltName, or is that the way to go?
> >
> > Options 1) and 2) don't require separate apache2 configs. You can
> have
> > apache listen to multiple IPs or Ports. Just add the necessary
> > "Listen" statements to your config, and then a virtualhost for each
> > SSL host.
> >
> > Personally I think that until SNI adoption gets more widespread the
> > best option is 1) if you have the IPs to spare, as it doesn't have
> any
> > more config overhead than the other options and is going to work as
> > expected.
> >
> >
> > Krist
> 
> Thanks Krist.
> 
> The "virtualhost for each SSL host" is what I mean by separate
> apache2
> configs.  I'd like to be able to define different domain names on the
> fly within my perl scripts without changing apache2 config.  Maybe
> we're just not there yet?

You can also use things like mod_macro to enable that kind of flexibility.


> Why would you use multiple IPs instead of X.509 v3 with
> subjectAltName?  Does subjectAltName have any drawbacks?

Though more widely spread, it's the same as for SNI:
it's not supported by all browsers/libraries.

One example that comes to my mind is serf.

 
> - Grant
> 

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/



Re: [users@httpd] Options for multiple SSL domains on 1 server

Posted by Grant <em...@gmail.com>.
>> I need to set up SSL certificates for multiple domain names on a
>> single server.  I've done some research and I think these are my
>> options:
>>
>> 1. use multiple IPs
>> drawbacks: requires separate apache2 config for each SSL domain, extra
>> IPs must be allocated by the hosting company
>>
>> 2. use multiple ports
>> drawbacks: requires separate apache2 & firewall config for each SSL
>> domain, port numbers look weird in the URL
>>
>> 3. Server Name Indication
>> drawbacks: browser support is not widespread enough yet
>>
>> 4. X.509 v3 with subjectAltName
>> drawbacks: ???
>>
>> Are there other options?  Are there drawbacks to relying on X.509 v3
>> with subjectAltName, or is that the way to go?
>
> Options 1) and 2) don't require separate apache2 configs. You can have
> apache listen to multiple IPs or Ports. Just add the necessary
> "Listen" statements to your config, and then a virtualhost for each
> SSL host.
>
> Personally I think that until SNI adoption gets more widespread the
> best option is 1) if you have the IPs to spare, as it doesn't have any
> more config overhead than the other options and is going to work as
> expected.
>
>
> Krist

Thanks Krist.

The "virtualhost for each SSL host" is what I mean by separate apache2
configs.  I'd like to be able to define different domain names on the
fly within my perl scripts without changing apache2 config.  Maybe
we're just not there yet?

Why would you use multiple IPs instead of X.509 v3 with
subjectAltName?  Does subjectAltName have any drawbacks?

- Grant



Re: [users@httpd] Options for multiple SSL domains on 1 server

Posted by Grant <em...@gmail.com>.
>>>> Actually, it's a good item to have in the vhost; the server uses it to
>>>> present names in the URLs instead of IP addresses.
>>>
>>> I'm surprised it's necessary since I'm not using name-based virtual
>>> hosting.  Should I have ServerName in the port 80 vhost blocks or is
>>> it sufficient in the SSL blocks?
>>
>> Without it, the site visitors will only get the IP address URL, even on
>> HTTP sites.
>
> Not in 2.2.x by default they won't. See UseCanonicalName.

In case it's useful for anyone:

Default:	UseCanonicalName Off

With UseCanonicalName Off Apache will form self-referential URLs using
the hostname and port supplied by the client if any are supplied
(otherwise it will use the canonical name, as defined above). These
values are the same that are used to implement name based virtual
hosts, and are available with the same clients. The CGI variables
SERVER_NAME and SERVER_PORT will be constructed from the client
supplied values as well.

http://httpd.apache.org/docs/current/mod/core.html#usecanonicalname

- Grant



Re: [users@httpd] Options for multiple SSL domains on 1 server

Posted by Eric Covener <co...@gmail.com>.
On Fri, Oct 8, 2010 at 2:03 PM, Grant <em...@gmail.com> wrote:
>>> Strange that https URLs don't work in Opera without ServerName isn't
>>> it?  They work in firefox.
>>
>> Can you elaborate on "don't work"?
>
> Yes, if I remove ServerName from my apache2 config files entirely,
> Firefox behavior doesn't change but if Opera is directed to load an
> https page it displays the same error page it displays when the SSL
> cert is invalid.

Is there text on the page or in your error log?

-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] Options for multiple SSL domains on 1 server

Posted by Grant <em...@gmail.com>.
>> Strange that https URLs don't work in Opera without ServerName isn't
>> it?  They work in firefox.
>
> Can you elaborate on "don't work"?

Yes, if I remove ServerName from my apache2 config files entirely,
Firefox behavior doesn't change but if Opera is directed to load an
https page it displays the same error page it displays when the SSL
cert is invalid.

- Grant



Re: [users@httpd] Options for multiple SSL domains on 1 server

Posted by Eric Covener <co...@gmail.com>.
> Strange that https URLs don't work in Opera without ServerName isn't
> it?  They work in firefox.

Can you elaborate on "don't work"?

-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] Options for multiple SSL domains on 1 server

Posted by Grant <em...@gmail.com>.
>>>> Actually, it's a good item to have in the vhost; the server uses it to
>>>> present names in the URLs instead of IP addresses.
>>>
>>> I'm surprised it's necessary since I'm not using name-based virtual
>>> hosting.  Should I have ServerName in the port 80 vhost blocks or is
>>> it sufficient in the SSL blocks?
>>
>> Without it, the site visitors will only get the IP address URL, even on
>> HTTP sites.
>
> Not in 2.2.x by default they won't. See UseCanonicalName.

Strange that https URLs don't work in Opera without ServerName isn't
it?  They work in firefox.

- Grant



Re: [users@httpd] Options for multiple SSL domains on 1 server

Posted by Eric Covener <co...@gmail.com>.
>>> Actually, it's a good item to have in the vhost; the server uses it to
>>> present names in the URLs instead of IP addresses.
>>
>> I'm surprised it's necessary since I'm not using name-based virtual
>> hosting.  Should I have ServerName in the port 80 vhost blocks or is
>> it sufficient in the SSL blocks?
>
> Without it, the site visitors will only get the IP address URL, even on
> HTTP sites.

Not in 2.2.x by default they won't. See UseCanonicalName.

-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] Options for multiple SSL domains on 1 server

Posted by "J. Greenlees" <li...@jaqui-greenlees.net>.

Grant wrote:

>>>
>> Actually, it's a good item to have in the vhost; the server uses it to
>> present names in the URLs instead of IP addresses.
> 
> I'm surprised it's necessary since I'm not using name-based virtual
> hosting.  Should I have ServerName in the port 80 vhost blocks or is
> it sufficient in the SSL blocks?

Without it, the site visitors will only get the IP address URL, even on
HTTP sites.



Re: [users@httpd] Options for multiple SSL domains on 1 server

Posted by Grant <em...@gmail.com>.
>> It was ServerName.  I had ServerName defined as www.example1.com in
>> Gentoo's /etc/apache2/vhosts.d/default_vhost.include.  I removed it
>> from there and added it to each of my SSL VirtualHost blocks and now
>> everything works.  I noticed that removing ServerName entirely works
>> for Firefox, but in that case SSL wouldn't work for either domain in
>> Opera.
>>
>> I thought ServerName was just a label like ServerAdmin.  Should I be
>> OK having it defined only in each of my SSL VirtualHost blocks?
>>
>> Thanks a lot for everyone's help with this.
>>
>> - Grant
>>
> Actually, it's a good item to have in the vhost; the server uses it to
> present names in the URLs instead of IP addresses.

I'm surprised it's necessary since I'm not using name-based virtual
hosting.  Should I have ServerName in the port 80 vhost blocks or is
it sufficient in the SSL blocks?

- Grant



Re: [users@httpd] Options for multiple SSL domains on 1 server

Posted by "J. Greenlees" <li...@jaqui-greenlees.net>.

Grant wrote:

> It was ServerName.  I had ServerName defined as www.example1.com in
> Gentoo's /etc/apache2/vhosts.d/default_vhost.include.  I removed it
> from there and added it to each of my SSL VirtualHost blocks and now
> everything works.  I noticed that removing ServerName entirely works
> for Firefox, but in that case SSL wouldn't work for either domain in
> Opera.
> 
> I thought ServerName was just a label like ServerAdmin.  Should I be
> OK having it defined only in each of my SSL VirtualHost blocks?
> 
> Thanks a lot for everyone's help with this.
> 
> - Grant
> 
Actually, it's a good item to have in the vhost; the server uses it to
present names in the URLs instead of IP addresses.



Re: [users@httpd] Options for multiple SSL domains on 1 server

Posted by Grant <em...@gmail.com>.
>> I'm sorry that this message is not as detailed as it could be.  This
>> is my third attempt at sending it.  It keeps tripping the spam filter,
>> probably because of all the IP and domain references.
> Odd, the list isn't configured to trip on IP or domain references. Must
> be a glitch somewhere between then, unless your own mail system is
> scanning outbound and it's triggering the spam there.

I got:

Delivery to the following recipient failed permanently:

    users@httpd.apache.org

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the
recipient domain. We recommend contacting the other email provider for
further information about the cause of this error. The error that the
other server returned was: 552 552 spam score (5.5) exceeded threshold
(state 18).

>> I'm baffled because even if I enter the IP after https in a browser,
>> I'm presented with the wrong SSL cert.  I used openssl on the command
>> line to be sure I had named the certificates correctly.  Any ideas?
>
> We really will need to see the conf file for the Listen and the vhost
> sections; someone may see the issue faster then.

It was ServerName.  I had ServerName defined as www.example1.com in
Gentoo's /etc/apache2/vhosts.d/default_vhost.include.  I removed it
from there and added it to each of my SSL VirtualHost blocks and now
everything works.  I noticed that removing ServerName entirely works
for Firefox, but in that case SSL wouldn't work for either domain in
Opera.

I thought ServerName was just a label like ServerAdmin.  Should I be
OK having it defined only in each of my SSL VirtualHost blocks?

Thanks a lot for everyone's help with this.

- Grant



Re: [users@httpd] Options for multiple SSL domains on 1 server

Posted by "J. Greenlees" <li...@jaqui-greenlees.net>.

Grant wrote:
>>> <VirtualHost 12.34.56.1:443>
>>> ...
>>> SSLCertificateFile /etc/apache2/ssl/www.example1.com.crt
>>> SSLCertificateKeyFile /etc/apache2/ssl/www.example1.com.key
>>> ...
>>> </VirtualHost>
>>>
>>> <VirtualHost 12.34.56.2:443>
>>> ...
>>> SSLCertificateFile /etc/apache2/ssl/www.example2.com.crt
>>> SSLCertificateKeyFile /etc/apache2/ssl/www.example2.com.key
>>> ...
>>> </VirtualHost>
>> No Listen directive for each IP address?
>> Or is Apache using Listen 0.0.0.0:443?
> 
> I'm sorry that this message is not as detailed as it could be.  This
> is my third attempt at sending it.  It keeps tripping the spam filter,
> probably because of all the IP and domain references.
Odd, the list isn't configured to trip on IP or domain references. Must
be a glitch somewhere between then, unless your own mail system is
scanning outbound and it's triggering the spam there.

> I had 'Listen 443' but I also tried specifying the exact IP addresses
> along with the port number on 2 Listen lines with the same results.

> 
> I'm baffled because even if I enter the IP after https in a browser,
> I'm presented with the wrong SSL cert.  I used openssl on the command
> line to be sure I had named the certificates correctly.  Any ideas?

We really will need to see the conf file for the Listen and the vhost
sections; someone may see the issue faster then.


> # ifconfig
> eth0      Link encap:Ethernet  HWaddr [removed]
>         inet addr:12.34.56.1  Bcast:[removed]  Mask:255.255.255.248
>         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>         RX packets:46047 errors:0 dropped:0 overruns:0 frame:0
>         TX packets:65703 errors:0 dropped:0 overruns:0 carrier:0
>         collisions:0 txqueuelen:1000
>         RX bytes:6131194 (5.8 MiB)  TX bytes:82568335 (78.7 MiB)
>         Interrupt:40
> 
> eth0:1    Link encap:Ethernet  HWaddr [removed]
>         inet addr:12.34.56.2  Bcast:[removed]  Mask:255.255.255.248
>         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>         Interrupt:40
> 
> - Grant
> 




Re: [users@httpd] Options for multiple SSL domains on 1 server

Posted by Grant <em...@gmail.com>.
>> <VirtualHost 12.34.56.1:443>
>> ...
>> SSLCertificateFile /etc/apache2/ssl/www.example1.com.crt
>> SSLCertificateKeyFile /etc/apache2/ssl/www.example1.com.key
>> ...
>> </VirtualHost>
>>
>> <VirtualHost 12.34.56.2:443>
>> ...
>> SSLCertificateFile /etc/apache2/ssl/www.example2.com.crt
>> SSLCertificateKeyFile /etc/apache2/ssl/www.example2.com.key
>> ...
>> </VirtualHost>
>
> No Listen directive for each IP address?
> Or is Apache using Listen 0.0.0.0:443?

I'm sorry that this message is not as detailed as it could be.  This
is my third attempt at sending it.  It keeps tripping the spam filter,
probably because of all the IP and domain references.

I had 'Listen 443' but I also tried specifying the exact IP addresses
along with the port number on 2 Listen lines with the same results.

I'm baffled because even if I enter the IP after https in a browser,
I'm presented with the wrong SSL cert.  I used openssl on the command
line to be sure I had named the certificates correctly.  Any ideas?

# ifconfig
eth0      Link encap:Ethernet  HWaddr [removed]
        inet addr:12.34.56.1  Bcast:[removed]  Mask:255.255.255.248
        UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
        RX packets:46047 errors:0 dropped:0 overruns:0 frame:0
        TX packets:65703 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:1000
        RX bytes:6131194 (5.8 MiB)  TX bytes:82568335 (78.7 MiB)
        Interrupt:40

eth0:1    Link encap:Ethernet  HWaddr [removed]
        inet addr:12.34.56.2  Bcast:[removed]  Mask:255.255.255.248
        UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
        Interrupt:40

- Grant



Re: [users@httpd] Options for multiple SSL domains on 1 server

Posted by "J. Greenlees" <li...@jaqui-greenlees.net>.
Grant wrote:

> <VirtualHost 12.34.56.1:443>
> ...
> SSLCertificateFile /etc/apache2/ssl/www.example1.com.crt
> SSLCertificateKeyFile /etc/apache2/ssl/www.example1.com.key
> ...
> </VirtualHost>
> 
> <VirtualHost 12.34.56.2:443>
> ...
> SSLCertificateFile /etc/apache2/ssl/www.example2.com.crt
> SSLCertificateKeyFile /etc/apache2/ssl/www.example2.com.key
> ...
> </VirtualHost>

No Listen directive for each IP address?
Or is Apache using Listen 0.0.0.0:443?



Re: [users@httpd] Options for multiple SSL domains on 1 server

Posted by Grant <em...@gmail.com>.
> You should use separate IPs as a best practice. As for your last
> threaded discussion concerning how you serve the correct SSL cert for
> each domain please see this article about mod_gnutls:
>
> http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/
>
> Craig

Thanks but I'm a bit confused.  My intention is to use separate IPs.
I don't want to use SNI because of its lacking browser support.
Aren't I using separate IPs in my configuration?  "12.34.56.1" and
"12.34.56.2" are example IPs meant to represent my separate IPs.

<VirtualHost 12.34.56.1:443>
...
SSLCertificateFile /etc/apache2/ssl/www.example1.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.example1.com.key
...
</VirtualHost>

<VirtualHost 12.34.56.2:443>
...
SSLCertificateFile /etc/apache2/ssl/www.example2.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.example2.com.key
...
</VirtualHost>

- Grant



Re: [users@httpd] Options for multiple SSL domains on 1 server

Posted by Craig Huffstetler <cr...@gmail.com>.
Grant,

You should use separate IPs as a best practice. As for your last
threaded discussion concerning how you serve the correct SSL cert for
each domain please see this article about mod_gnutls:

http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/

Craig



Re: [users@httpd] Options for multiple SSL domains on 1 server

Posted by Grant <em...@gmail.com>.
>> I need to set up SSL certificates for multiple domain names on a
>> single server.  I've done some research and I think these are my
>> options:
>>
>> 1. use multiple IPs
>> drawbacks: requires separate apache2 config for each SSL domain, extra
>> IPs must be allocated by the hosting company
>>
>> 2. use multiple ports
>> drawbacks: requires separate apache2 & firewall config for each SSL
>> domain, port numbers look weird in the URL
>>
>> 3. Server Name Indication
>> drawbacks: browser support is not widespread enough yet
>>
>> 4. X.509 v3 with subjectAltName
>> drawbacks: ???
>>
>> Are there other options?  Are there drawbacks to relying on X.509 v3
>> with subjectAltName, or is that the way to go?
>
> Options 1) and 2) don't require separate apache2 configs. You can have
> apache listen to multiple IPs or Ports. Just add the necessary
> "Listen" statements to your config, and then a virtualhost for each
> SSL host.
>
> Personally I think that until SNI adoption gets more widespread the
> best option is 1) if you have the IPs to spare, as it doesn't have any
> more config overhead than the other options and is going to work as
> expected.

I have a total of 5 usable IP addresses available from my host.  I've
changed the DNS for my domain name, changed my system's network
configuration, and added a VirtualHost block in my apache2 config
like:

<VirtualHost 12.34.56.2:443>
...
SSLCertificateFile /etc/apache2/ssl/www.example2.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.example2.com.key
...
</VirtualHost>

which is in addition to my previously existing:

<VirtualHost 12.34.56.1:443>
...
SSLCertificateFile /etc/apache2/ssl/www.example1.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.example1.com.key
...
</VirtualHost>

I can see that pings to www.example2.com are resolved as 12.34.56.2
and http://www.example2.com works fine, but https://www.example2.com
still receives the www.example1.com SSL cert in firefox and opera.

Can anyone tell me what else I need to do to serve the correct SSL
cert for each domain?

- Grant



Re: [users@httpd] Options for multiple SSL domains on 1 server

Posted by Krist van Besien <kr...@gmail.com>.
On Fri, Oct 1, 2010 at 11:04 PM, Grant <em...@gmail.com> wrote:
> I need to set up SSL certificates for multiple domain names on a
> single server.  I've done some research and I think these are my
> options:
>
> 1. use multiple IPs
> drawbacks: requires separate apache2 config for each SSL domain, extra
> IPs must be allocated by the hosting company
>
> 2. use multiple ports
> drawbacks: requires separate apache2 & firewall config for each SSL
> domain, port numbers look weird in the URL
>
> 3. Server Name Indication
> drawbacks: browser support is not widespread enough yet
>
> 4. X.509 v3 with subjectAltName
> drawbacks: ???
>
> Are there other options?  Are there drawbacks to relying on X.509 v3
> with subjectAltName, or is that the way to go?

Options 1) and 2) don't require separate apache2 configs. You can have
apache listen to multiple IPs or Ports. Just add the necessary
"Listen" statements to your config, and then a virtualhost for each
SSL host.

Personally I think that until SNI adoption gets more widespread the
best option is 1) if you have the IPs to spare, as it doesn't have any
more config overhead than the other options and is going to work as
expected.


Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

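Added example, not from this thread or from httpd itself: a small Python model of how httpd picks the VirtualHost, and so the certificate, for a TLS connection, covering Krist's "Listen plus one vhost per SSL host" advice, Grant's IP-based layout, the no-SNI drawback of option 3 and the one-certificate-with-several-SANs layout of option 4. It assumes httpd's documented selection order (exact-IP vhosts before `*` ones, then the SNI name against ServerName/ServerAlias, else the first vhost listed for that ip:port) and uses constructed configs and certificate name lists in place of real certificate files.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class VHost:
    addr: str                 # literal IP from <VirtualHost ip:port>, or "*"
    port: int
    server_name: Optional[str]
    aliases: List[str]
    cert_file: Optional[str]

_VHOST = re.compile(r"<VirtualHost\s+([^:\s>]+):(\d+)\s*>(.*?)</VirtualHost>", re.S | re.I)

def _directive(body: str, name: str) -> Optional[str]:
    m = re.search(rf"^[ \t]*{name}[ \t]+(\S.*?)[ \t]*$", body, re.M | re.I)
    return m.group(1) if m else None

def parse_listen(conf: str) -> List[Tuple[str, int]]:
    # 'Listen 443' binds every address ("*"); 'Listen 12.34.56.1:443' binds one IPv4 address
    return [(m.group(1) or "*", int(m.group(2)))
            for m in re.finditer(r"^[ \t]*Listen[ \t]+(?:(\S+):)?(\d+)", conf, re.M | re.I)]

def parse_vhosts(conf: str) -> List[VHost]:
    out = []
    for m in _VHOST.finditer(conf):
        body = m.group(3)
        alias = _directive(body, "ServerAlias")
        out.append(VHost(m.group(1), int(m.group(2)), _directive(body, "ServerName"),
                         alias.split() if alias else [], _directive(body, "SSLCertificateFile")))
    return out

def name_matches(host: str, v: VHost) -> bool:
    # ServerName is an exact (case-insensitive) match; ServerAlias entries may use shell-style wildcards
    host = host.lower()
    if v.server_name and host == v.server_name.lower():
        return True
    return any(fnmatch.fnmatchcase(host, a.lower()) for a in v.aliases)

def select_vhost(conf: str, dest_ip: str, dest_port: int, sni: Optional[str] = None) -> Optional[VHost]:
    # Which VirtualHost (and so which certificate) answers a TLS connection to dest_ip:dest_port?
    if not any(p == dest_port and a in ("*", "0.0.0.0", dest_ip) for a, p in parse_listen(conf)):
        return None                      # nothing bound on that ip:port: the connection is refused
    vhosts = parse_vhosts(conf)
    cands = ([v for v in vhosts if v.port == dest_port and v.addr == dest_ip]
             or [v for v in vhosts if v.port == dest_port and v.addr == "*"])   # "*" only if no exact IP
    for v in cands:                      # name-based selection needs an SNI-capable client...
        if sni and name_matches(sni, v):
            return v
    return cands[0] if cands else None   # ...otherwise the first vhost for that ip:port is the default

def cert_covers(cert_names: List[str], host: str) -> bool:
    # RFC 6125-style: exact SAN/CN match, or a leftmost-label wildcard covering exactly one label
    host = host.lower()
    for n in cert_names:
        n = n.lower()
        if n == host:
            return True
        if n.startswith("*.") and "*" not in n[2:]:
            hl, nl = host.split("."), n.split(".")
            if len(hl) == len(nl) and hl[1:] == nl[1:]:
                return True
    return False

# Constructed stand-in for the names each certificate carries (what `openssl x509 -noout -ext
# subjectAltName` would show); multi.crt is the "one certificate with several SANs" option.
CERT_NAMES: Dict[str, List[str]] = {
    "/etc/apache2/ssl/www.example1.com.crt": ["www.example1.com"],
    "/etc/apache2/ssl/www.example2.com.crt": ["www.example2.com"],
    "/etc/apache2/ssl/multi.crt": ["www.example1.com", "www.example2.com"],
}

def diagnose(conf: str, dest_ip: str, dest_port: int, requested_host: str,
             sni: Optional[str] = None) -> Tuple[Optional[str], bool]:
    # Return (certificate file served, whether it covers the hostname the client wanted)
    v = select_vhost(conf, dest_ip, dest_port, sni)
    if v is None:
        return None, False
    return v.cert_file, cert_covers(CERT_NAMES.get(v.cert_file, []), requested_host)

# Constructed configs in the thread's layout: Listen plus one <VirtualHost ip:443> per certificate.
IP_BASED = """Listen 443
<VirtualHost 12.34.56.1:443>
    ServerName www.example1.com
    SSLCertificateFile /etc/apache2/ssl/www.example1.com.crt
</VirtualHost>
<VirtualHost 12.34.56.2:443>
    ServerName www.example2.com
    SSLCertificateFile /etc/apache2/ssl/www.example2.com.crt
</VirtualHost>
"""
NAME_BASED = IP_BASED.replace("12.34.56.1:443", "*:443").replace("12.34.56.2:443", "*:443")
ONE_SAN_CERT = """Listen 443
<VirtualHost *:443>
    ServerName www.example1.com
    ServerAlias www.example2.com
    SSLCertificateFile /etc/apache2/ssl/multi.crt
</VirtualHost>
"""
```

With `NAME_BASED` a client that sends no SNI always gets the first vhost's certificate, which is the mismatch Grant describes seeing; with `IP_BASED` the destination address alone selects the right one, and with `ONE_SAN_CERT` either name is covered regardless of SNI.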