[ale] Multiple virt https hosts under Apache/mod_ssl

J.M. Taylor jtaylor at onlinea.com
Thu Jan 2 09:49:40 EST 2003


Jim,

It's not apache's problem, it's the protocol.  They do the best they can. :)

It sounds like you've already got 7 IP addresses for said vhosts, if
you're planning on running 7 instances of apache.  That makes it easy:

In your httpd.conf, find the line that says Listen 80.
Make sure you uncomment and add another line that says Listen 443.
(Note: the way I set up my vhosts, apache invariably complains that I
don't have these lines set up right, and I wind up doing
Listen 1.2.3.4:80
Listen 1.2.3.4:443
Listen 1.2.3.5:80
Listen 1.2.3.5:443
etc, two lines for each IP. YMMV)

Then in my vhost, I do this:
<VirtualHost 1.2.3.4:80>
    # Stuff for nonsecure vhost 1
</VirtualHost>
<VirtualHost 1.2.3.4:443>
    # Stuff for SECURE vhost 1 including
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /path/to/vhost1.cert
    SSLCertificateKeyFile /path/to/vhost1.key
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
</VirtualHost>

<VirtualHost 1.2.3.5:80>
    # Stuff for nonsecure vhost 2
</VirtualHost>
<VirtualHost 1.2.3.5:443>
    # Stuff for SECURE vhost 2 including
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /path/to/vhost2.cert
    SSLCertificateKeyFile /path/to/vhost2.key
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
</VirtualHost>


There's also an easy solution if you don't actually own separate IPs for
each install, but it causes problems with proxies and I wouldn't recommend
it unless you absolutely have no choice.

HTH
jenn
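As an added example (not from jenn's message or anyone else on the list), a small Python check for the pitfall Chuck Huber described, where two SSLEngine-on vhosts share one IP:443 and only the first certificate is ever served, plus a generator for the one-IP-per-certificate layout jenn's reply shows. The sample config, hostnames, IPs and paths are constructed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on Chuck Huber's summary: two SSL vhosts on the
# same 192.168.1.1:443, which is exactly the layout that cannot work because
# the TLS handshake (and certificate choice) completes before any Host header.
BROKEN_CONF = """
NameVirtualHost 192.168.1.1:443
<VirtualHost 192.168.1.1:443>
    ServerName dev.mydomain.com
    SSLEngine on
</VirtualHost>
<VirtualHost 192.168.1.1:443>
    ServerName www.mydomain.com
    SSLEngine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return a list of (address, {directive: value}) per <VirtualHost> block."""
    blocks = []
    for m in VHOST_RE.finditer(conf):
        addr, body = m.group(1).strip(), m.group(2)
        directives = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2:
                # Apache directive names are case-insensitive; normalise them.
                directives[parts[0].lower()] = parts[1].strip()
        blocks.append((addr, directives))
    return blocks

def ssl_conflicts(conf):
    """Map each IP:port shared by >1 SSL vhost to the ServerNames competing for it."""
    per_addr = defaultdict(list)
    for addr, d in parse_vhosts(conf):
        if d.get("sslengine", "").lower() == "on":
            per_addr[addr].append(d.get("servername", "?"))
    return {a: names for a, names in per_addr.items() if len(names) > 1}

def ip_based_ssl_conf(vhosts):
    """Emit per-IP Listen lines and SSL vhost blocks; vhosts = [(ip, name, cert, key)]."""
    out = [f"Listen {ip}:443" for ip, *_ in vhosts]
    for ip, name, cert, key in vhosts:
        out += [f"<VirtualHost {ip}:443>", f"    ServerName {name}", "    SSLEngine on",
                f"    SSLCertificateFile {cert}", f"    SSLCertificateKeyFile {key}",
                "</VirtualHost>"]
    return "\n".join(out)
```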


Jim Popovitch said:
> I think the problem/limit is within Apache and mod_ssl.  I don't think
> Apache can load more than one instance of mod_ssl, and mod_ssl only
> supports one set of certs at a time.  Someone please let me know if you
> know otherwise as I am looking to avoid having 7 separate Apache
> installations on one box.  ;)
>
> -Jim P.
>
>> -----Original Message-----
>> From: ale-admin at ale.org [mailto:ale-admin at ale.org]On Behalf Of cfowler
>> Sent: Thursday, January 02, 2003 8:30 AM
>> To: ale at ale.org
>> Subject: Re: [ale] Multiple virt https hosts under Apache/mod_ssl
>>
>>
>> Would using IP Aliasing work in this case?
>>
>>
>>
>>
>> On Thu, 2003-01-02 at 08:08, Jerry Swann wrote:
>> >
>> > On Wed, Jan 01, 2003 at 12:01:51PM -0500, Chuck Huber wrote:
>> > > The objective is to setup multiple virtual hosts, each with its
>> > > own X.509 certificate.
>> > >
>> > > The problem is that when more than one virtual host is configured,
>> > > the first certificate in the configuration is served regardless of
>> > > which virtual host is contacted.
>> > >
>> > > Here's a summary of what I have in a file included in httpd.conf:
>> > >
>> > >     ...
>> > >     NameVirtualHost 192.168.1.1:443
>> > >
>> > >     <VirtualHost 192.168.1.1:443>
>> > >         ServerName          dev.mydomain.com
>> > >     <VirtualHost 192.168.1.1:443>
>> > >         ServerName          www.mydomain.com
>> > >
>> >
>> > Since ssl is negotiated before any data transfers from host to host,
>> > by the time the 'Hostname:' setting gets transferred to the web host
>> > the ssl negotiation is already done and gone.
>> >
>> > SSL virtual hosts using the same ip address just don't work.  You
>> > have to bind different ip addresses to different ssl certs.
>> >
>> > --
>> > There are only 10 types of people in the world:
>> >                             Those who understand binary, and
>> >                             those who don't
>> >
>> > Jerry Swann       "Jerry dot Swann at oit dot gatech dot edu"
>> > Georgia Institute of Technology
>> > Office Phone: 404 894-1659
>> > Office Fax:   404 894-9548
>> > _______________________________________________
>> > Ale mailing list
>> > Ale at ale.org
>> > http://www.ale.org/mailman/listinfo/ale
>>
>>
>>
>
>


