Posted to users@httpd.apache.org by "Diego M. Vadell" <dv...@lantech.com.ar> on 2005/03/16 15:09:07 UTC

[users@httpd] Multiple SSL enabled Virtual Servers and mod_rewrite

Hi,
   I'm a bit confused with multiple virtual hosts with SSL. Clearly you cannot 
use multiple <VirtualHost> with SSL, but I don't understand *why*. I googled 
for it, but I still don't understand. 
   I know that, by protocol design, https can deal with one certificate per 
IP/port. Client and server will exchange certificates before the client 
sends the request (I apologize for my lack of knowledge and vocabulary), so 
there is no way to avoid having a popup warning about the domain name 
mismatch if I want to make two SSL-enabled virtual hosts. But I noticed that 
even working with https, the HTTP_HOST variable is set independent from the 
servername in the SSL VirtualHost. 
    So I wrote a couple of mod_rewrite rules, put them into the SSL 
VirtualHost, and now I can browse https://domain1.com/ and 
https://domain2.com/ and it will serve different pages, the same as with 
VirtualHost (in fact, the mod_rewrite rules are none other than the 
"VirtualHosts without VirtualHosts" example in mod_rewrite's documentation).
    My questions: Is there any other better way of doing this? What are the 
drawbacks? Any comments? I'm a bit lost in not finding an answer to a useful 
thing like SSL-enabled virtual host (or alike).
   BTW, I know I will have the warning about the certificate name mismatch, I 
just find it useful to have the HTTP traffic encrypted. 

Looking forward to your answers, and sorry for my English,
 -- Diego.
-- 
-----
:( >> $$
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me
spread!

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Multiple SSL enabled Virtual Servers and mod_rewrite

Posted by "Diego M. Vadell" <dv...@lantech.com.ar>.

On Wednesday 16 March 2005 11:44, Sylvain COUTANT wrote:
> > But given you have only one IP, isn't it
> > useful to have the traffic encrypted?
>
> It can. But you will have warnings on client's side when the server's name
> mismatch. No other obvious problem I know about.
>
> Also, some SSL certificate vendors sell wildcards "*.domain.com" that can
> help in this situation. I have one, it works well under IE, have little
> feedback for other browsers.
>
> Having multiple named Virtual Hosts works under SSL :
>
> <VirtualHost *:443>
> 	ServerName www.domain1.com
> 	...
> </VirtualHost>
> <VirtualHost *:443>
> 	ServerName www.domain2.com
> 	...
> </VirtualHost>
>
> In fact, only the first VHost's certificate is used if I remember well.
>
> Regards,
> Sylvain.
>
   Hi Sylvain,
      do you have this working? I have just done this same test, and it 
doesn't work. It warns me:

[Wed Mar 16 12:44:37 2005] [warn] _default_ VirtualHost overlap on port 443, 
the first has precedence
/usr/local/apache/bin/apachectl start: httpd started


But I can browse the first VHost's site using the second's URL (e.g.: 
https://domain1.com/file.html and https://domain2.com/file.html point to the 
same file, although they have different DocumentRoots).

Thanks,
  -- Diego







-- 
-----
:( >> $$
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me
spread!



RE: [users@httpd] Multiple SSL enabled Virtual Servers and mod_rewrite

Posted by Sylvain COUTANT <sy...@illicom.com>.
> But given you have only one IP, isn't it
> useful to have the traffic encrypted?

It can. But you will have warnings on client's side when the server's name
mismatch. No other obvious problem I know about.

Also, some SSL certificate vendors sell wildcards "*.domain.com" that can
help in this situation. I have one, it works well under IE, have little
feedback for other browsers.

Having multiple named Virtual Hosts works under SSL :

<VirtualHost *:443>
	ServerName www.domain1.com
	...
</VirtualHost>
<VirtualHost *:443>
	ServerName www.domain2.com
	...
</VirtualHost>

In fact, only the first VHost's certificate is used if I remember well.

Regards,
Sylvain.
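
Added example (not part of the original thread and not Apache code): a small audit of the situation discussed above, where one certificate is served per IP:port and several names are then routed by the Host header. It reports which routed names would trigger the mismatch warning, including the wildcard case. The addresses, names and the function names `name_matches`, `mismatched_hosts` and `audit` are constructed for illustration.

```python
"""Audit which Host-routed names are covered by the one certificate
served on each IP:port. All data below is constructed for illustration."""


def name_matches(pattern, host):
    """Compare one certificate DNS name with a requested host name.

    A "*" is honoured only as the whole left-most label and stands for
    exactly one label, so "*.domain.com" covers "wiki.domain.com" but
    neither "domain.com" nor "a.b.domain.com".
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def mismatched_hosts(cert_names, hosts):
    """Hosts that would trigger a name-mismatch warning for this certificate."""
    return [h for h in hosts if not any(name_matches(n, h) for n in cert_names)]


def audit(listeners, routes):
    """Map each (ip, port) to the routed hosts its certificate does not cover.

    The certificate is keyed by (ip, port) only: the server picks it
    before it has read the Host header, as described in the thread.
    """
    return {addr: mismatched_hosts(listeners[addr], hosts)
            for addr, hosts in routes.items()}


# Constructed sample: DNS names present in each listener's certificate.
LISTENERS = {
    ("192.0.2.10", 443): ["www.domain1.com"],
    ("192.0.2.11", 443): ["*.domain.com"],
}
# Constructed sample: names routed by Host header on each listener.
ROUTES = {
    ("192.0.2.10", 443): ["www.domain1.com", "www.domain2.com"],
    ("192.0.2.11", 443): ["www.domain.com", "wiki.domain.com",
                          "domain.com", "a.b.domain.com"],
}

if __name__ == "__main__":
    for addr, bad in audit(LISTENERS, ROUTES).items():
        print(addr, "mismatch:", bad or "none")
```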




Re: [users@httpd] Multiple SSL enabled Virtual Servers and mod_rewrite

Posted by "Diego M. Vadell" <dv...@lantech.com.ar>.
Hello Sylvain,
    Thank you, it's clear enough. But given you have only one IP, isn't it 
useful to have the traffic encrypted? I know it's only half of what SSL brings 
to HTTP.
    But, also: is there any scenario where, using mod_rewrite to serve the 
correct page based on the HTTP_HOST env variable, something won't work?

   For example, when I applied the "VirtualHost without Virtualhosts" 
mod_rewrite example, pointing to directories without a final slash would 
redirect me to the "real" SSL host. 

-------------------------------8<--------------------8<-----------------------
<VirtualHost *:443>
ServerName www.domain1.com
[...]
RewriteEngine on

RewriteCond   %{HTTP_HOST} ^www.domain2.com$
RewriteRule   ^/(.*)$ /var/www/www.domain2.com/$1 [E=VHOST:%{HTTP_HOST},E=SCRIPT_URI:https://%{HTTP_HOST}/$1]

</VirtualHost>
-------------------------------8<--------------------8<-----------------------

https://www.domain2.com/wiki will redirect to https://www.domain1.com/wiki/

So I added, also from mod_rewrite's documentation:

RewriteCond    %{REQUEST_FILENAME}  -d
RewriteRule    ^/var/www/www.domain2.com/(.+[^/])$        https://%{HTTP_HOST}/$1/  [R]

And it worked. I have Mediawiki working now in www.domain2.com/wiki.
I would like to know if anybody knows any other case where I will get the 
wrong domain, or that it won't work... or just a thought :)

Thank you Sylvain,
 -- Diego.

On Wednesday 16 March 2005 11:12, Sylvain COUTANT wrote:
> > Clearly you cannot
> > use multiple <VirtualHost> with SSL, but I don't understand *why*.
>
> Because the SSL Layer is set up *before* any data (HTTP request content) is
> sent to the server. That means, it must be set up before the virtual host
> name is known by the server.
>
> This way the server has to choose a certificate to set up the SSL
> connection without having received any information from the client. So you
> can only virtual host SSL using different server IPs and/or ports.
>
> Hopefully, it is clear enough.
> Regards,
> Sylvain.
>
>

-- 
-----
:( >> $$
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me
spread!



RE: [users@httpd] Multiple SSL enabled Virtual Servers and mod_rewrite

Posted by Sylvain COUTANT <sy...@illicom.com>.
> Clearly you cannot
> use multiple <VirtualHost> with SSL, but I don't understand *why*.

Because the SSL Layer is set up *before* any data (HTTP request content) is
sent to the server. That means, it must be set up before the virtual host
name is known by the server.

This way the server has to choose a certificate to set up the SSL connection
without having received any information from the client. So you can only
virtual host SSL using different server IPs and/or ports.

Hopefully, it is clear enough.
Regards,
Sylvain.

