Hi,
I successfully managed to use SSL on a local webserver for testing purposes, following the section "Using SSL" in the Chapter "Using Apache" of the "Definitive Guide to CentOS". Now I wonder: how can I use SSL with virtual hosts?
I have several virtual hosts defined. Let's say I want to use SSL with this one:
<VirtualHost *:80>
    ServerAdmin info@microlinux.fr
    DocumentRoot /var/www/html/microlinux
    ServerName buildbox.presbytere.local
    ServerAlias microlinux.buildbox.presbytere.local
    ServerAlias microlinux.buildbox
    ErrorLog logs/microlinux-error_log
    CustomLog logs/microlinux-access_log common
</VirtualHost>
The key and certificate files are located in /etc/certs:
# ls -lh /etc/certs
total 12K
-rw-r--r-- 1 root root 981 sep 20 11:06 microlinux.crt
-rw-r--r-- 1 root root 716 sep 20 11:04 microlinux.csr
-rw-r--r-- 1 root root 887 sep 20 11:11 microlinux.key
I'm not sure about the correct syntax to use SSL on this one. Where do I configure SSLCertificateFile and SSLCertificateKeyFile? In the virtual host stanza? Before trying various haphazard configurations, I thought I'd better ask here.
Niki
Am Sonntag, den 20.09.2009, 11:36 +0200 schrieb Niki Kovacs:
Hi,
I successfully managed to use SSL on a local webserver for testing purposes, following the section "Using SSL" in the Chapter "Using Apache" of the "Definitive Guide to CentOS". Now I wonder: how can I use SSL with virtual hosts?
You can't. At least not with name based virtual hosts and classic SSL. See http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts.
financial.com AG
Munich head office/Hauptsitz München: Maria-Probst-Str. 19 | 80939 München | Germany Frankfurt branch office/Niederlassung Frankfurt: Messeturm | Friedrich-Ebert-Anlage 49 | 60327 Frankfurt | Germany Management board/Vorstand: Dr. Steffen Boehnert (CEO/Vorsitzender) | Dr. Alexis Eisenhofer | Dr. Yann Samson | Matthias Wiederwach Supervisory board/Aufsichtsrat: Dr. Dr. Ernst zur Linden (chairman/Vorsitzender) Register court/Handelsregister: Munich – HRB 128 972 | Sales tax ID number/St.Nr.: DE205 370 553
Christoph Maser wrote:
Am Sonntag, den 20.09.2009, 11:36 +0200 schrieb Niki Kovacs:
Hi,
I successfully managed to use SSL on a local webserver for testing purposes, following the section "Using SSL" in the Chapter "Using Apache" of the "Definitive Guide to CentOS". Now I wonder: how can I use SSL with virtual hosts?
You can't. At least not with name based virtual hosts and classic SSL. See http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts.
That is outdated information. There are at least two ways to use virtual hosts with SSL on Apache.
1) Use a wildcard cert. You can use *.somedomain certs to serve multiple SSL domains on a single IP so long as they fit in the *.somedomain pattern.
2) Use the SNI extension. http://hvera.wordpress.com/2009/09/02/apache-ssl-with-virtual-hosts-using-sn...
Note, however, that SNI does not work with older versions of MSIE.
- Use a wildcard cert. You can use *.somedomain certs to serve multiple
SSL domains on a single IP so long as they fit in the *.somedomain pattern.
This is incorrect.
Apache can't read the headers since the traffic is encrypted. If it can't read the headers, it does not know which vhost to use and thus cannot serve up the correct files.
If you have more than one SSL vhost, you will have to use two IPs. You can use one SSL vhost with many non-SSL vhosts on the same IP with no issues.
Tracy Phillips Linux Systems Administrator
Tracy Phillips wrote:
1) Use a wildcard cert. You can use *.somedomain certs to serve multiple SSL domains on a single IP so long as they fit in the *.somedomain pattern.
This is incorrect.
Apache can't read the headers since the traffic is encrypted. If it can't read the headers, it does not know which vhost to use and thus cannot serve up the correct files.
If you have more than one SSL vhost, you will have to use two IPs. You can use one SSL vhost with many non-SSL vhosts on the same IP with no issues.
Yes you can. I have SSL servers configured precisely like that. They work fine.
Hi,
On Mon, Sep 21, 2009 at 10:17, Niki Kovacs contact@kikinovak.net wrote:
Jerry Franz a écrit :
Tracy Phillips wrote:
Benjamin Franz wrote:
- Use a wildcard cert. You can use *.somedomain certs to serve multiple
SSL domains on a single IP so long as they fit in the *.somedomain pattern.
This is incorrect.
Yes you can. I have SSL servers configured precisely like that. They work fine.
I also have this configured in a couple of servers. As long as you have a wildcard certificate (*.example.com) and all names are direct subdomains of that domain (www.example.com, secure.example.com, intranet.example.com, wiki.example.com, bugs.example.com, etc.) it works just fine.
There are some warnings in Apache's error_log, like these:
[warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!
[warn] RSA server certificate CommonName (CN) `*.example.com' does NOT match server name!?
But it works regardless of those.
Any way you can copy/paste your Apache configuration?
There is nothing to it, you should only make sure that the SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile point to the same files in all your virtual hosts, and that those files are the ones for the wildcard certificate.
If you have to provide SSL for different domains, you can do that using IP-based virtual hosts, there is some documentation on how to do that here: http://httpd.apache.org/docs/2.2/vhosts/ip-based.html
If you go that route and start having to assign a very large number of IPs to a single machine, you can assign a whole IP range to a machine by creating an interface alias to the loopback interface, that way you can assign 16, 32, 64, 128, 256 or even more IPs to a machine with one configuration only. Let me know if you would like more information on how to do that.
Cheers, Filipe
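The two rules in the message above (a wildcard covers direct subdomains only, and every SSL vhost must point at the same wildcard certificate files) are easy to get wrong silently, since Apache only logs a warning and keeps serving. The following is an added example (editor's code, not Apache's and not any poster's) that reads the SSL vhosts out of a config text and reports every ServerName/ServerAlias the referenced certificate does not cover. The config text and the certificate-name table are constructed samples; the table stands in for what `openssl x509 -noout -subject -ext subjectAltName` would show, so the script runs offline. Matching follows the one-label wildcard rule of RFC 6125, which is what browsers apply.

```python
"""Report vhost names not covered by the certificate each SSL vhost points at.
Added example; the vhost config and the certificate-name table are constructed."""
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed stand-in for the CN and subjectAltName dNSName entries of each file.
CERT_NAMES: Dict[str, List[str]] = {
    "/etc/certs/wildcard.crt": ["*.example.com"],
    "/etc/certs/microlinux.crt": ["buildbox.presbytere.local"],
}

# Constructed sample config: one vhost done right, one stretching the wildcard too far,
# and one with an alias the certificate never mentions.
SAMPLE_CONFIG = """
<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias secure.example.com wiki.example.com
    SSLEngine on
    SSLCertificateFile /etc/certs/wildcard.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    ServerAlias deep.sub.example.com example.org
    SSLEngine on
    SSLCertificateFile /etc/certs/wildcard.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName buildbox.presbytere.local:443
    ServerAlias microlinux.buildbox
    SSLEngine on
    SSLCertificateFile /etc/certs/microlinux.crt
</VirtualHost>
"""


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style: a leading '*.' covers exactly one DNS label, so
    *.example.com matches www.example.com but neither example.com nor
    deep.sub.example.com."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                  # ".example.com"
        if not host.endswith(suffix):
            return False
        left = host[: -len(suffix)]
        return bool(left) and "." not in left
    return pattern == host


def parse_ssl_vhosts(text: str) -> Iterator[Tuple[List[str], Optional[str]]]:
    """Yield (names, cert_file) for every <VirtualHost> block with SSLEngine on."""
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", text, re.S):
        if not re.search(r"^\s*SSLEngine\s+on\b", block, re.M | re.I):
            continue
        names: List[str] = []
        for m in re.finditer(r"^\s*Server(?:Name|Alias)\s+(.+?)\s*$", block, re.M):
            names.extend(n.split(":")[0] for n in m.group(1).split())   # drop :port
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", block, re.M)
        yield names, (cert.group(1) if cert else None)


def uncovered_names(config: str, cert_names: Dict[str, List[str]] = CERT_NAMES) -> Dict[Optional[str], List[str]]:
    """Map each certificate file to the vhost names it does not cover.
    A vhost whose file is unknown (or missing) has every name reported."""
    result: Dict[Optional[str], List[str]] = {}
    for names, cert in parse_ssl_vhosts(config):
        patterns = cert_names.get(cert, [])
        bad = [n for n in names if not any(name_matches(p, n) for p in patterns)]
        result.setdefault(cert, []).extend(bad)
    return result


if __name__ == "__main__":
    for cert, bad in uncovered_names(SAMPLE_CONFIG).items():
        status = "ok" if not bad else "NOT covered: " + ", ".join(bad)
        print(f"{cert}: {status}")
```

Browsers that do not support SNI get the certificate of the first SSL vhost for every name, so with a wildcard setup the check above should pass for every vhost, not just the first. Unrelated to the name check but visible in the `ls -lh` at the top of the thread: microlinux.key is mode 0644, and a private key should be readable by root only (httpd reads it as root at startup), so `chmod 600` it.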
Niki Kovacs wrote:
Jerry Franz a écrit :
Yes you can. I have SSL servers configured precisely like that. They work fine.
Any way you can copy/paste your Apache configuration?
There is an example at http://wiki.apache.org/httpd/NameBasedSSLVHosts
Am Sonntag, den 20.09.2009, 16:27 +0200 schrieb Benjamin Franz:
Christoph Maser wrote:
Am Sonntag, den 20.09.2009, 11:36 +0200 schrieb Niki Kovacs:
Hi,
I successfully managed to use SSL on a local webserver for testing purposes, following the section "Using SSL" in the Chapter "Using Apache" of the "Definitive Guide to CentOS". Now I wonder: how can I use SSL with virtual hosts?
You can't. At least not with name based virtual hosts and classic SSL. See http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts.
That is outdated information. There are at least two ways to use virtual hosts with SSL on Apache.
- Use a wildcard cert. You can use *.somedomain certs to serve multiple
SSL domains on a single IP so long as they fit in the *.somedomain pattern.
- Use the SNI extension.
http://hvera.wordpress.com/2009/09/02/apache-ssl-with-virtual-hosts-using-sn...
Note, however, that SNI does not work with older versions of MSIE.
I don't consider either option usable, as 1) will not work for different domains and 2) is not compatible with old clients. So in my opinion the information I gave is not outdated at all and actually never will be.
This is how I do it. It is a vhost file configured for http (port 80) and https (port 443).
Hope it helps
<VirtualHost 208.83.1.1:80>
    ServerAdmin webmaster@domain.com
    ServerName my.domain.com
    DocumentRoot /var/www/domain.com/my/public/

    <Directory /var/www/domain.com/my/public/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

    # Setup error documents directory outside docroot
    Alias /error/ /var/www/error/

    # Setup our aliased /error directory for SSI
    <Directory /var/www/error/>
        AllowOverride None
        Options IncludesNoExec
        AddOutputFilter Includes html
        AddHandler type-map var
        Order allow,deny
        Allow from all
        LanguagePriority en es de fr
        ForceLanguagePriority Prefer Fallback
    </Directory>

    ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
    ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
    ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
    ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
    ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
    ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
    ErrorDocument 410 /error/HTTP_GONE.html.var
    ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
    ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
    ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
    ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
    ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
    ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
    ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
    ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
    ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
    ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var

    # Set .htaccess to different name and explicitly deny access to it.
    AccessFileName .htaccess

    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
        Satisfy All
    </Files>

    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
    LogLevel warn

    ErrorLog /var/www/domain.com/my/log/error.log
    CustomLog /var/www/domain.com/my/log/access.log combined

    ServerSignature Off
</VirtualHost>

<VirtualHost 208.83.1.1:443>
    ServerAdmin webmaster@domain.com
    ServerName my.domain.com
    DocumentRoot /var/www/domain.com/my/public/

    <Directory /var/www/domain.com/my/public/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

    SSLEngine on
    SSLCertificateFile /var/www/domain.com/my/ssl/domain.com.my.crt
    SSLCertificateKeyFile /var/www/domain.com/my/ssl/domain.com.my.key
    SSLCACertificateFile /var/www/domain.com/my/ssl/domain.com.my.ca-bundle
    SSLProtocol -ALL +SSLv3 +TLSv1
    # SSLProtocol -ALL +TLSv1
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

    # Setup error documents
    Alias /error/ "/usr/share/apache2/error/"

    <Directory "/usr/share/apache2/error">
        AllowOverride None
        Options IncludesNoExec
        AddOutputFilter Includes html
        AddHandler type-map var
        Order allow,deny
        Allow from all
        LanguagePriority en cs de es fr it nl sv pt-br ro
        ForceLanguagePriority Prefer Fallback
    </Directory>

    ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
    ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
    ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
    ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
    ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
    ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
    ErrorDocument 410 /error/HTTP_GONE.html.var
    ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
    ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
    ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
    ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
    ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
    ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
    ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
    ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
    ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
    ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var

    # Set .htaccess to different name and explicitly deny access to it.
    AccessFileName .htaccess

    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
        Satisfy All
    </Files>

    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
    LogLevel warn

    ErrorLog /var/www/domain.com/my/log/ssl_error.log
    CustomLog /var/www/domain.com/my/log/ssl_access.log combined

    ServerSignature Off
</VirtualHost>
Tracy Phillips
On Sun, Sep 20, 2009 at 2:36 AM, Niki Kovacs contact@kikinovak.net wrote:
Hi,
I successfully managed to use SSL on a local webserver for testing purposes, following the section "Using SSL" in the Chapter "Using Apache" of the "Definitive Guide to CentOS". Now I wonder: how can I use SSL with virtual hosts?
I have several virtual hosts defined. Let's say I want to use SSL with this one:
<VirtualHost *:80>
    ServerAdmin info@microlinux.fr
    DocumentRoot /var/www/html/microlinux
    ServerName buildbox.presbytere.local
    ServerAlias microlinux.buildbox.presbytere.local
    ServerAlias microlinux.buildbox
    ErrorLog logs/microlinux-error_log
    CustomLog logs/microlinux-access_log common
</VirtualHost>
The key and certificate files are located in /etc/certs:
# ls -lh /etc/certs
total 12K
-rw-r--r-- 1 root root 981 sep 20 11:06 microlinux.crt
-rw-r--r-- 1 root root 716 sep 20 11:04 microlinux.csr
-rw-r--r-- 1 root root 887 sep 20 11:11 microlinux.key
I'm not sure about the correct syntax to use SSL on this one. Where do I configure SSLCertificateFile and SSLCertificateKeyFile? In the virtual host stanza? Before trying various haphazard configurations, I thought I'd better ask here.
Niki
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos