Posted to users@httpd.apache.org by milktoast <jg...@angeluspress.org> on 2006/09/12 18:44:57 UTC

[users@httpd] multiple SSL certs on one server behind a NAT router

I have read up on using multiple SSL certs on one server but the thing that
no one addresses is how this works on a server behind a router that uses
NAT.

Example

Server 1 has two domains  www.foo.com and www.bar.com

Both are functional using IP based virtual hosts using 192.168.1.50

The server is currently set up so www.foo.com has a functioning SSL cert and
all 443 traffic goes to it.

Now, www.bar.com wants to have a valid SSL cert.

The way I read that this is done is both foo and bar must have different IP
addresses.  That is the easy part. I can set up my server to listen to two
IPs (192.168.1.50 and 192.168.1.51).

The hard part is the NAT... ALL traffic passes through my router and it has
ONE external IP.  Do I need to set up the router with a second external IP and
pass that traffic to the second internal IP for this to work, or can I use
one external IP and two internal IPs? How will Apache handle this?
-- 
View this message in context: http://www.nabble.com/multiple-SSL-certs-on-one-server-behind-a-NAT-router-tf2260024.html#a6269962
Sent from the Apache HTTP Server - Users forum at Nabble.com.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] multiple SSL certs on one server behind a NAT router

Posted by Serge Dubrouski <se...@gmail.com>.
In what format is your certificate file? Is it PEM? Something is
definitely wrong with it.

On 9/14/06, milktoast <jg...@angeluspress.org> wrote:
>
> Hi, me again.
>
> OK, I got my 2 external IPs and 2 internal IPs
>
> I also have 2 certs.
>
> Now when I edit httpd.conf and change the _default_:443 to 192.168.1.2:443
> and copy that section and paste it and modify the IP, root path and cert path
> I get this and Apache will not start with SSL
>
> [Thu Sep 14 21:00:18 2006] [error] mod_ssl: Init: Unable to read server certificate from file /etc/ssl.https/www.angelusonline.org.crt (OpenSSL library error follows)
> [Thu Sep 14 21:00:18 2006] [error] OpenSSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> [Thu Sep 14 21:00:18 2006] [error] OpenSSL: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
>
>
> I went to my cert authority and confirmed my csr file and it is correct.
>
> Any ideas what is happening?
>
>
>
>
> Serge Dubrouski wrote:
> >
> > That's possible. You have to have 2 VirtualHosts in your httpd.conf
> > (or ssl.conf, or vhosts.conf whatever you prefer), one per each IP
> > (<VirtualHost IP:443>). Do not enable NameVirtualHosts for them. Place
> > SSLCertificateFile and SSLCertificateKeyFile directives inside your
> > VirtualHosts. Remove "default" section.
> > Then it should work.
> >
> > On 9/12/06, milktoast <jg...@angeluspress.org> wrote:
> >
>
>
>
>



Re: [users@httpd] multiple SSL certs on one server behind a NAT router

Posted by milktoast <jg...@angeluspress.org>.
Hi, me again.

OK, I got my 2 external IPs and 2 internal IPs

I also have 2 certs.

Now when I edit httpd.conf and change the _default_:443 to 192.168.1.2:443
and copy that section and paste it and modify the IP, root path and cert path
I get this and Apache will not start with SSL

[Thu Sep 14 21:00:18 2006] [error] mod_ssl: Init: Unable to read server certificate from file /etc/ssl.https/www.angelusonline.org.crt (OpenSSL library error follows)
[Thu Sep 14 21:00:18 2006] [error] OpenSSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Thu Sep 14 21:00:18 2006] [error] OpenSSL: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error


I went to my cert authority and confirmed my csr file and it is correct.

Any ideas what is happening?




Serge Dubrouski wrote:
> 
> That's possible. You have to have 2 VirtualHosts in your httpd.conf
> (or ssl.conf, or vhosts.conf whatever you prefer), one per each IP
> (<VirtualHost IP:443>). Do not enable NameVirtualHosts for them. Place
> SSLCertificateFile and SSLCertificateKeyFile directives inside your
> VirtualHosts. Remove "default" section.
> Then it should work.
> 
> On 9/12/06, milktoast <jg...@angeluspress.org> wrote:
> 




Re: [users@httpd] multiple SSL certs on one server behind a NAT router

Posted by milktoast <jg...@angeluspress.org>.
Right on!  Thanks.  I was hoping not to have to do that ... but I guess I
will.

Thanks again.


Serge Dubrouski wrote:
> 
> That's possible. You have to have 2 VirtualHosts in your httpd.conf
> (or ssl.conf, or vhosts.conf whatever you prefer), one per each IP
> (<VirtualHost IP:443>). Do not enable NameVirtualHosts for them. Place
> SSLCertificateFile and SSLCertificateKeyFile directives inside your
> VirtualHosts. Remove "default" section.
> Then it should work.
> 
> On 9/12/06, milktoast <jg...@angeluspress.org> wrote:
>>
>> Right,
>>
>> Can I get a second IP address on the router and pass that traffic to a
>> second IP on the server and get it to work?
>>
>>
>>
>> Serge Dubrouski wrote:
>> >
>> > On 9/12/06, milktoast <jg...@angeluspress.org> wrote:
>> >>
>> >> I am aware of this... thus my question.... how should it look to get
>> two
>> >> certs on one server?
>> >>
>> >
>> > Looks like we do not understand each other. Once more: THERE IS NO WAY
>> > TO HAVE 2 CERTIFICATES ON ONE SERVER WITH ONE IP ADDRESS.
>> > As I understand your case you have a router with one real IP address
>> > and want to serve 2 different HTTPS sites on it having them on a
>> > server behind your router. There is no solution for this.
>> >
>> >>
>> >> If it looks like this then it will work perfect for www.foo.com but
>> >> won't work for bar.com. User will receive an error saying that bar.com
>> >> uses certificate for foo.com.
>> >>
>> >> The rule is easy: one cert per one IP.
>> >>
>> >> See http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >
>> >
>> >
>> >
>>
>>
>>
>>
>>
> 
> 
> 
> 





Re: [users@httpd] multiple SSL certs on one server behind a NAT router

Posted by Serge Dubrouski <se...@gmail.com>.
That's possible. You have to have 2 VirtualHosts in your httpd.conf
(or ssl.conf, or vhosts.conf whatever you prefer), one per each IP
(<VirtualHost IP:443>). Do not enable NameVirtualHosts for them. Place
SSLCertificateFile and SSLCertificateKeyFile directives inside your
VirtualHosts. Remove "default" section.
Then it should work.

On 9/12/06, milktoast <jg...@angeluspress.org> wrote:
>
> Right,
>
> Can I get a second IP address on the router and pass that traffic to a
> second IP on the server and get it to work?
>
>
>
> Serge Dubrouski wrote:
> >
> > On 9/12/06, milktoast <jg...@angeluspress.org> wrote:
> >>
> >> I am aware of this... thus my question.... how should it look to get two
> >> certs on one server?
> >>
> >
> > Looks like we do not understand each other. Once more: THERE IS NO WAY
> > TO HAVE 2 CERTIFICATES ON ONE SERVER WITH ONE IP ADDRESS.
> > As I understand your case you have a router with one real IP address
> > and want to serve 2 different HTTPS sites on it having them on a
> > server behind your router. There is no solution for this.
> >
> >>
> >> If it looks like this then it will work perfect for www.foo.com but
> >> won't work for bar.com. User will receive an error saying that bar.com
> >> uses certificate for foo.com.
> >>
> >> The rule is easy: one cert per one IP.
> >>
> >> See http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html
> >>
> >>
> >>
> >>
> >>
> >>
> >
> >
> >
> >
>
>
>
>
>

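As an added example (not a config from the thread), this is what Serge's answer looks like as a complete httpd 2.2 fragment: one IP-based <VirtualHost IP:443> per certificate, with NameVirtualHost kept at server scope for the plain-HTTP hosts only. It assumes the router forwards its two external addresses to 192.168.1.50 and 192.168.1.51 (the internal addresses from the original post); the certificate and log paths are assumptions.

```apache
# Added example: the layout Serge describes, for httpd 2.2 without SNI.
# Assumes the router forwards external IP A -> 192.168.1.50 and external
# IP B -> 192.168.1.51 (internal addresses from the original post), that
# "Listen 80" is already present, and that the cert/key paths below exist.

# One listener per HTTPS address. The server must actually own both
# internal addresses, or the bind fails at startup.
Listen 192.168.1.50:443
Listen 192.168.1.51:443

# NameVirtualHost is a server-scope directive: it goes here, never inside a
# <VirtualHost>, and only for the plain-HTTP hosts that share an address.
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName   www.foo.com
    ServerAlias  foo.com
    DocumentRoot /home/htdocs/foo
</VirtualHost>

<VirtualHost *:80>
    ServerName   www.bar.com
    ServerAlias  bar.com
    DocumentRoot /home/htdocs/bar
</VirtualHost>

# HTTPS: exactly one <VirtualHost IP:443> per certificate, no _default_:443
# block and no NameVirtualHost on 443. The address the client connected to
# selects the host, and with it the certificate, before any HTTP is read.
<VirtualHost 192.168.1.50:443>
    ServerName   www.foo.com
    DocumentRoot /home/htdocs/foo
    ErrorLog     /usr/local/apache/logs/foo_ssl_error_log
    CustomLog    /usr/local/apache/logs/foo_ssl_request_log \
                 "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    SSLEngine on
    # The posted cipher string enabled eNULL, EXP, LOW and SSLv2; none of
    # those give a client real protection, so exclude them explicitly.
    SSLProtocol    all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW

    # Both files must be PEM (a "-----BEGIN CERTIFICATE-----" block, and a
    # "-----BEGIN ... PRIVATE KEY-----" block); anything else, such as a
    # DER file or a CSR copied into the .crt, stops mod_ssl at startup.
    SSLCertificateFile    /etc/ssl.https/www.foo.com.crt
    SSLCertificateKeyFile /etc/ssl.https/www.foo.com.key

    # Refuse TRACE here too, as in the posted config.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
</VirtualHost>

<VirtualHost 192.168.1.51:443>
    ServerName   www.bar.com
    DocumentRoot /home/htdocs/bar
    ErrorLog     /usr/local/apache/logs/bar_ssl_error_log
    CustomLog    /usr/local/apache/logs/bar_ssl_request_log \
                 "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    SSLEngine on
    SSLProtocol    all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW

    # The second certificate; this is the one the _default_:443 layout
    # could never present, because every 443 connection landed on foo's host.
    SSLCertificateFile    /etc/ssl.https/www.bar.com.crt
    SSLCertificateKeyFile /etc/ssl.https/www.bar.com.key
</VirtualHost>
```

The one-certificate-per-IP rule is a limit of the httpd 2.2 builds discussed here; later httpd releases built against an OpenSSL with TLS SNI support can present different certificates on one address, selected by the hostname the client sends in the handshake.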


Re: [users@httpd] multiple SSL certs on one server behind a NAT router

Posted by milktoast <jg...@angeluspress.org>.
Right,

Can I get a second IP address on the router and pass that traffic to a
second IP on the server and get it to work?



Serge Dubrouski wrote:
> 
> On 9/12/06, milktoast <jg...@angeluspress.org> wrote:
>>
>> I am aware of this... thus my question.... how should it look to get two
>> certs on one server?
>>
> 
> Looks like we do not understand each other. Once more: THERE IS NO WAY
> TO HAVE 2 CERTIFICATES ON ONE SERVER WITH ONE IP ADDRESS.
> As I understand your case you have a router with one real IP address
> and want to serve 2 different HTTPS sites on it having them on a
> server behind your router. There is no solution for this.
> 
>>
>> If it looks like this then it will work perfect for www.foo.com but
>> won't work for bar.com. User will receive an error saying that bar.com
>> uses certificate for foo.com.
>>
>> The rule is easy: one cert per one IP.
>>
>> See http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html
>>
>>
>>
>>
>>
>>
> 
> 
> 
> 





Re: [users@httpd] multiple SSL certs on one server behind a NAT router

Posted by Serge Dubrouski <se...@gmail.com>.
On 9/12/06, milktoast <jg...@angeluspress.org> wrote:
>
> I am aware of this... thus my question.... how should it look to get two
> certs on one server?
>

Looks like we do not understand each other. Once more: THERE IS NO WAY
TO HAVE 2 CERTIFICATES ON ONE SERVER WITH ONE IP ADDRESS.
As I understand your case you have a router with one real IP address
and want to serve 2 different HTTPS sites on it having them on a
server behind your router. There is no solution for this.

>
> If it looks like this then it will work perfect for www.foo.com but
> won't work for bar.com. User will receive an error saying that bar.com
> uses certificate for foo.com.
>
> The rule is easy: one cert per one IP.
>
> See http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html
>
>
>
>
>
>



Re: [users@httpd] multiple SSL certs on one server behind a NAT router

Posted by milktoast <jg...@angeluspress.org>.
I am aware of this... thus my question.... how should it look to get two
certs on one server?



Serge Dubrouski wrote:
> If it looks like this then it will work perfect for www.foo.com but
> won't work for bar.com. User will receive an error saying that bar.com
> uses certificate for foo.com.
>
> The rule is easy: one cert per one IP.
>
> See http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html






Re: [users@httpd] multiple SSL certs on one server behind a NAT router

Posted by Ricardo Stella <st...@rider.edu>.

Serge Dubrouski wrote:
> If it looks like this then it will work perfect for www.foo.com but
> won't work for bar com. User will receive an error saying that bar.com
> uses certificate for foo.com.
>
> The rule is easy: one cert per one IP.
That, or multiple names per certificate, i.e. multiple name entries in
subjectAltName, if you are generating your own certs...



Re: [users@httpd] multiple SSL certs on one server behind a NAT router

Posted by Serge Dubrouski <se...@gmail.com>.
If it looks like this then it will work perfect for www.foo.com but
won't work for bar.com. User will receive an error saying that bar.com
uses certificate for foo.com.

The rule is easy: one cert per one IP.

See http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html

On 9/12/06, milktoast <jg...@angeluspress.org> wrote:
>
> How should this look?
>
> Here the virtual part of my httpd.conf
>
>
> <VirtualHost _default_:443>
>
> DocumentRoot /home/htdocs/foo
> ServerName www.foo.com
> ServerAdmin webmaster@foo.com
> ErrorLog /usr/local/apache/logs/error_log
> TransferLog /usr/local/apache/logs/access_log
> # Block TRACE/TRACK XSS vector
> RewriteEngine On
> RewriteCond %{REQUEST_METHOD} ^TRACE
> RewriteRule .* - [F]
>
> <LocationMatch "^/">
> </LocationMatch>
>
> SSLEngine on
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateFile /etc/ssl.https/www.foo.com.crt
> SSLCertificateKeyFile /etc/ssl.https/www.foo.com.key
>
> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>     SSLOptions +StdEnvVars
> </Files>
> <Directory "/usr/local/apache/cgi-bin">
>     SSLOptions +StdEnvVars
> </Directory>
>
> SetEnvIf User-Agent ".*MSIE.*" \
>          nokeepalive ssl-unclean-shutdown \
>          downgrade-1.0 force-response-1.0
>
> CustomLog /usr/local/apache/logs/ssl_request_log \
>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
>
> NameVirtualHost 192.168.2.10
>
> </VirtualHost>
>  <VirtualHost 192.168.2.10>
>     ServerName www.foo.com
>     ServerAlias foo.com www.foo.com
>     DocumentRoot /home/htdocs/foo
>     ErrorLog /usr/local/apache/logs/error_log
>     </VirtualHost>
>
> <VirtualHost 192.168.2.10>
>    ServerName www.bar.com
>    ServerAlias bar.com www.bar.com
>    DocumentRoot /home/htdocs/bar
>    ErrorLog /usr/local/apache/logs/error_log
>    </VirtualHost>
>
>
>
>
>
> Serge Dubrouski wrote:
> >
> > If both server share one IP using NameVirtualHost feature then there
> > is no way to have different certificates for them.
> >
> > On 9/12/06, milktoast <jg...@angeluspress.org> wrote:
> >
> >
>
>
>
>
>



Re: [users@httpd] multiple SSL certs on one server behind a NAT router

Posted by milktoast <jg...@angeluspress.org>.
How should this look?

Here is the virtual host part of my httpd.conf


<VirtualHost _default_:443>

DocumentRoot /home/htdocs/foo
ServerName www.foo.com
ServerAdmin webmaster@foo.com
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log
# Block TRACE/TRACK XSS vector
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

<LocationMatch "^/">
</LocationMatch>

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/ssl.https/www.foo.com.crt
SSLCertificateKeyFile /etc/ssl.https/www.foo.com.key

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/apache/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog /usr/local/apache/logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

# NameVirtualHost is only valid at server scope, outside any <VirtualHost>
NameVirtualHost 192.168.2.10

<VirtualHost 192.168.2.10>
    ServerName www.foo.com
    ServerAlias foo.com www.foo.com
    DocumentRoot /home/htdocs/foo
    ErrorLog /usr/local/apache/logs/error_log
</VirtualHost>

<VirtualHost 192.168.2.10>
    ServerName www.bar.com
    ServerAlias bar.com www.bar.com
    DocumentRoot /home/htdocs/bar
    ErrorLog /usr/local/apache/logs/error_log
</VirtualHost>





Serge Dubrouski wrote:
> 
> If both server share one IP using NameVirtualHost feature then there
> is no way to have different certificates for them.
> 
> On 9/12/06, milktoast <jg...@angeluspress.org> wrote:
> 
> 





Re: [users@httpd] multiple SSL certs on one server behind a NAT router

Posted by Serge Dubrouski <se...@gmail.com>.
If both servers share one IP using the NameVirtualHost feature then there
is no way to have different certificates for them.

On 9/12/06, milktoast <jg...@angeluspress.org> wrote:
>
> I have read up on using multiple SSL certs on one server but the thing that
> no one addresses is how this works on a server behind a router that uses
> NAT.
>
> Example
>
> Server 1 has two domains  www.foo.com and www.bar.com
>
> Both are functional using IP based virtual hosts using 192.168.1.50
>
> The server is currently set up so www.foo.com has a functioning SSL cert and
> all 443 traffic goes to it.
>
> Now, www.bar.com wants to have a valid SSL cert.
>
> The way I read that this is done is both foo and bar must have different IP
> addresses.  That is the easy part. I can set up my server to listen to two
> IPs (192.168.1.50 and 192.168.1.51).
>
> The hard part is the NAT... ALL traffic passes through my router and it has
> ONE external IP.  Do I need to set up the router with a second external IP and
> pass that traffic to the second internal IP for this to work, or can I use
> one external IP and two internal IPs? How will Apache handle this?
>
>
>
>
