Posted to users@httpd.apache.org by "Robert L. Harris" <Ro...@rdlg.net> on 2002/01/14 23:11:39 UTC

VHosts and SSL


  I'm making what seems good progress.  I have 3 vhosts up and working
very well.  Config block looks like this:

NameVirtualHost *
<VirtualHost *>
  ServerName site1.company.com
  ServerAlias site1
  ProxyPass / http://gonzo1.company.com/
  ProxyPassReverse / http://gonzo1.company.com/
  #
  SSLCertificateFile /etc/httpd/keys/site1.crt
  SSLCertificateKeyFile /etc/httpd/keys/site1.key
</VirtualHost>

(#2 and 3 are pretty much identical).  I'm trying to get them to answer
on https now.  I've generated keys and self-signed certs, apache isn't
complaining about them.  When I go to sslserver, I get the
standard apache welcome page as I should.  If I go to https://sslserver
I get the same page.  If I go to https://site1 I also get the sslserver 
page.  I don't get the page that is displayed on the http port.  I tried 
putting the "SSLEngine on" directive in the VirtualHost block and the 
only change is it asks for my password on the cert.

It's got to be something stupid I know.  Care to beat me upside the
head with a blunt object?



:wq!
---------------------------------------------------------------------------
Robert L. Harris                |  Micros~1 :  
Senior System Engineer          |    For when quality, reliability 
  at RnD Consulting             |      and security just aren't
                                \_       that important!
DISCLAIMER:
      These are MY OPINIONS ALONE.  I speak for no-one else.
FYI:
 perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: VHosts and SSL

Posted by Mark Constable <ma...@renta.net>.
On Tue, 15 Jan 2002 08:11, Robert L. Harris wrote:

> page.  I don't get the page that is displayed on the http port.  I tried
> putting the "SSLEngine on" directive in the VirtualHost block and the
> only change is it asks for my password on the cert.
>
> It's got to be something stupid I know.  Care to beat me upside the
> head with a blunt object?

Well you asked for it :)

This is perfectly correct behaviour as NameVirtualHosts
will not work with SSL. The necessary "Host" header is
not available to apache via an https URL so it cannot
figure out what vhost you are trying to go to, so defaults
to the first configured vhost on the same IP.

You can only get what you are after by supplying different
IPs for each vhost. I know, it's a bummer.

--markc
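
Added example (not part of the original thread and not project-supplied configuration): one way to lay out the one-IP-per-certificate arrangement described above while keeping the name-based vhosts on port 80. The 192.0.2.x addresses and the site2/gonzo2 names and key paths are placeholder assumptions, and the server is assumed to have mod_ssl loaded and `Listen 80` already set.

```apache
# Added example, not from the thread. The 192.0.2.x addresses and the
# site2/gonzo2 names and key paths are placeholders.

# Plain HTTP: the Host header is readable when the vhost is chosen,
# so several names can share one address.
NameVirtualHost *:80
<VirtualHost *:80>
  ServerName site1.company.com
  ServerAlias site1
  ProxyPass / http://gonzo1.company.com/
  ProxyPassReverse / http://gonzo1.company.com/
</VirtualHost>
<VirtualHost *:80>
  ServerName site2.company.com
  ServerAlias site2
  ProxyPass / http://gonzo2.company.com/
  ProxyPassReverse / http://gonzo2.company.com/
</VirtualHost>

# HTTPS: the certificate is sent during the handshake, before any
# request (and so any Host header) has been read. The only thing that
# can select it is the address the client connected to, so each
# certificate gets its own IP-based vhost.
Listen 443
<VirtualHost 192.0.2.11:443>
  ServerName site1.company.com
  SSLEngine on
  SSLCertificateFile /etc/httpd/keys/site1.crt
  SSLCertificateKeyFile /etc/httpd/keys/site1.key
  ProxyPass / http://gonzo1.company.com/
  ProxyPassReverse / http://gonzo1.company.com/
</VirtualHost>
<VirtualHost 192.0.2.12:443>
  ServerName site2.company.com
  SSLEngine on
  SSLCertificateFile /etc/httpd/keys/site2.crt
  SSLCertificateKeyFile /etc/httpd/keys/site2.key
  ProxyPass / http://gonzo2.company.com/
  ProxyPassReverse / http://gonzo2.company.com/
</VirtualHost>
```

Each site's DNS record has to resolve to the address that carries its certificate, and the name in each certificate has to match the FQDN clients use, otherwise the browser raises the name-mismatch warning.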



Re: VHosts and SSL

Posted by "Robert L. Harris" <Ro...@rdlg.net>.

Yeah, that won't work here. 

I figured that's how the SSL/httpd would work, but was hoping apache had
found a way to virtualize it as well.  It does some amazing stuff as is
and was just hoping they had one more trick up the sleeve I couldn't
find.


Thus spake Owen Boyle (obo@bourse.ch):

> "Robert L. Harris" wrote:
> > 
> > I was hoping you were going to find a large blunt object and tell me I
> > was missing something.  This was what I was thinking and just hoping
> > against.  We're trying to consolidate 35+ SSL hosts to 1 IP.  It looks
> > like sales is trying to increase the # of SSL as they charge more for
> > them.  This could get ugly.
> 
> Just to be clear, this is not a feature of apache - it is an intrinsic
> feature of HTTPS. The HTTPS session has to be established *before* any
> HTTP traffic takes place. In order to establish the HTTPS session, the
> server has to send a certificate to the client. Now it cannot do this if
> the certificate is defined in a VirtualHost, since it doesn't know which
> VH to use because no HTTP request has been received yet! 
> 
> There is only one pretend-workaround and that is to use the *same*
> certificate for all VHs - but then you get browser warnings (FQDN
> doesn't match certificate) and you lose server authentication which is
> an essential feature of SSL... Might be OK in a college or lab type of
> environment, however.
> 
> Rgds,
> 
> Owen Boyle.





Re: VHosts and SSL

Posted by Owen Boyle <ob...@bourse.ch>.
"Robert L. Harris" wrote:
> 
> I was hoping you were going to find a large blunt object and tell me I
> was missing something.  This was what I was thinking and just hoping
> against.  We're trying to consolidate 35+ SSL hosts to 1 IP.  It looks
> like sales is trying to increase the # of SSL as they charge more for
> them.  This could get ugly.

Just to be clear, this is not a feature of apache - it is an intrinsic
feature of HTTPS. The HTTPS session has to be established *before* any
HTTP traffic takes place. In order to establish the HTTPS session, the
server has to send a certificate to the client. Now it cannot do this if
the certificate is defined in a VirtualHost, since it doesn't know which
VH to use because no HTTP request has been received yet! 

There is only one pretend-workaround and that is to use the *same*
certificate for all VHs - but then you get browser warnings (FQDN
doesn't match certificate) and you lose server authentication which is
an essential feature of SSL... Might be OK in a college or lab type of
environment, however.

Rgds,

Owen Boyle.



Re: VHosts and SSL

Posted by "Robert L. Harris" <Ro...@rdlg.net>.

I was hoping you were going to find a large blunt object and tell me I 
was missing something.  This was what I was thinking and just hoping
against.  We're trying to consolidate 35+ SSL hosts to 1 IP.  It looks
like sales is trying to increase the # of SSL as they charge more for
them.  This could get ugly.

Thanks for the answer though,
  Robert

Thus spake Mark Constable (markc@renta.net):

> On Tue, 15 Jan 2002 08:11, Robert L. Harris wrote:
> 
> > page.  I don't get the page that is displayed on the http port.  I tried
> > putting the "SSLEngine on" directive in the VirtualHost block and the
> > only change is it asks for my password on the cert.
> >
> > It's got to be something stupid I know.  Care to beat me upside the
> > head with a blunt object?
> 
> Well you asked for it :)
> 
> This is perfectly correct behaviour as NameVirtualHosts
> will not work with SSL. The necessary "Host" header is
> not available to apache via an https URL so it cannot
> figure out what vhost you are trying to go to, so defaults
> to the first configured vhost on the same IP.
> 
> You can only get what you are after by supplying different
> IPs for each vhost. I know, it's a bummer.
> 
> --markc





Re: VHosts and SSL

Posted by -bill- <bi...@TechServSys.com>.
Mark Constable wrote:
> 
> On Tue, 15 Jan 2002 08:11, Robert L. Harris wrote:
> 
> > page.  I don't get the page that is displayed on the http port.  I tried
> > putting the "SSLEngine on" directive in the VirtualHost block and the
> > only change is it asks for my password on the cert.
> >
> > It's got to be something stupid I know.  Care to beat me upside the
> > head with a blunt object?
> 
> Well you asked for it :)
> 
> This is perfectly correct behaviour as NameVirtualHosts
> will not work with SSL. The necessary "Host" header is
> not available to apache via an https URL so it cannot
> figure out what vhost you are trying to go to, so defaults
> to the first configured vhost on the same IP.
> 
> You can only get what you are after by supplying different
> IPs for each vhost. I know, it's a bummer.
> 
> --markc
> 
You can have 1 SSL host (the default) and any number of non-SSL vhosts, can you
not?

-- 
- bill -



Re: VHosts and SSL

Posted by Herb Stein <he...@herbstein.com>.
----- Original Message -----
From: "Mark Constable" <ma...@renta.net>
To: <us...@httpd.apache.org>
Sent: Monday, January 14, 2002 11:40 PM
Subject: Re: VHosts and SSL


> On Tue, 15 Jan 2002 08:11, Robert L. Harris wrote:
>
> > page.  I don't get the page that is displayed on the http port.  I tried
> > putting the "SSLEngine on" directive in the VirtualHost block and the
> > only change is it asks for my password on the cert.
> >
> > It's got to be something stupid I know.  Care to beat me upside the
> > head with a blunt object?
>
> Well you asked for it :)
>
> This is perfectly correct behaviour as NameVirtualHosts
> will not work with SSL. The necessary "Host" header is
> not available to apache via an https URL so it cannot
> figure out what vhost you are trying to go to, so defaults
> to the first configured vhost on the same IP.
>
> You can only get what you are after by supplying different
> IPs for each vhost. I know, it's a bummer.
>
> --markc

The few SSL client sites I host get there on one of my servers which
has a static IP address. If they don't like that, they have to pay for a
certificate and I'll give them a unique IP. No one has asked for that
yet. I charge nothing extra if they do it my way. It's just part of the
service. I eat the $125 or so for the certificate.

--
Herb Stein
The Herb Stein Group
www.herbstein.com
herb@herbstein.com
314 952-4601


