nigel5

asked on

SSL certificates and virtual hosts alongside regular hosts

I have apache running on Red Hat 7.3

I have a few virtual hosts set up and they all seem to work but a strange thing happens when I activate SSL virtual hosts.

In the httpd.conf file, site1 is defined before site2.

Both site1 and site2 have different certificates defined in the *:443 virtual host definition. However...

If I go to https://site1 I get the correct page with the correct certificate.
If I go to https://site2 I get the correct page with the certificate from site1 (but it appears valid despite the URL not matching).

If I go to http://host I get the correct default non-SSL page.
If I go to http://site1 I get the default non-SSL page, but without graphics.
If I go to http://site2 I get the default non-SSL page, but without graphics.

If I disable the NameVirtualHost *:443 and the definitions of my 2 sites, going to the non-secure sites works, and going to any of the secure pages produces an error.

How can I use SSL on a per site basis and not a per Apache instance or machine basis and still be able to run the non-secure sites?
periwinkle

We need a little more to go on - this sounds like there may be multiple errors in your httpd.conf file.  Can you post the file, or at least the virtual host sections from each file?
nigel5

ASKER

I realised I get inconsistent results when doing an ssh port redirect, so on a PC directly connected on the BindAddress subnet, it appears that I can view all the sites correctly; it's just the SSL certificate that I have issues with now.

I read that Apache does not support certificates per site, but per machine. This seems ridiculous if I want to run more than one SSL secure site out of one machine. Only one person gets to have secure checkout... but that was Apache 1.3.9. I am currently running apache-1.3.23-11 on the machine below, and apache-1.3.27-3 on my live server... the results are the same on both machines, and I will be upgrading my local server in the next couple of days.

Ok, my httpd.conf (a lot removed, like mime stuff and logging stuff) and the 2 servers I am trying to get working...

ServerType standalone

ServerRoot "/etc/httpd"

BindAddress 192.168.1.2

Port 80

<IfDefine HAVE_SSL>
Listen 80
Listen 443
</IfDefine>

User apache
Group apache

ServerAdmin root@localhost

ServerName localhost

UseCanonicalName On

HostnameLookups Off

ServerSignature On

<IfModule mod_setenvif.c>
    BrowserMatch "Mozilla/2" nokeepalive
    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
    BrowserMatch "RealPlayer 4\.0" force-response-1.0
    BrowserMatch "Java/1\.0" force-response-1.0
    BrowserMatch "JDK/1\.0" force-response-1.0
</IfModule>

# Use name-based virtual hosting.
#
NameVirtualHost *
NameVirtualHost *:443

##  SSL Global Context
<IfDefine HAVE_SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
</IfDefine>

<IfModule mod_ssl.c>
SSLPassPhraseDialog  builtin
SSLSessionCache         dbm:logs/ssl_scache
SSLSessionCacheTimeout  300
SSLMutex  file:logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog      logs/ssl_engine_log
SSLLogLevel error
</IfModule>

<IfDefine HAVE_SSL>
# virtual host _default_:443 was commented out anyway
</IfDefine>

Include /etc/httpd/conf/sites.conf

######################################################

the sites.conf file just includes the site-related files...

######################################################
##
## deviant.conf
##
<Directory "/var/www/deviant">
    DirectoryIndex index.php login.php index.html index.htm
    Options Includes FollowSymLinks
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
</Directory>

<VirtualHost *>
   ServerAdmin root@rdserver.rd
   DocumentRoot /var/www/deviant
   ServerName deviant.rdspace.rd
</VirtualHost>

<VirtualHost *:443>
   ServerAdmin root@rdserver.rd
   DocumentRoot /var/www/deviant/secure
   ServerName deviant.rdspace.rd

   SSLEngine on
   SSLCertificateFile /etc/httpd/conf/ssl.crt/deviant.crt
   SSLCertificateKeyFile /etc/httpd/conf/ssl.key/deviant.key

#   SetEnvIf User-Agent ".*MSIE.*" \
#         nokeepalive ssl-unclean-shutdown \
#         downgrade-1.0 force-response-1.0
#
</VirtualHost>

######################################################
##
## pawprint.conf
##
<Directory "/var/www/pawprint">
    DirectoryIndex index.php login.php index.html index.htm
    Options Includes FollowSymLinks
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
</Directory>

<VirtualHost *>
   ServerAdmin root@rdserver.rd
   DocumentRoot /var/www/pawprint
   ServerName pawprint.rdspace.rd
</VirtualHost>

<VirtualHost *:443>
   ServerAdmin root@rdserver.rd
   DocumentRoot /var/www/pawprint/secure
   ServerName pawprint.rdspace.rd

   SSLEngine on
   SSLCertificateFile /etc/httpd/conf/ssl.crt/pawprint.crt
   SSLCertificateKeyFile /etc/httpd/conf/ssl.key/pawprint.key

#   SetEnvIf User-Agent ".*MSIE.*" \
#         nokeepalive ssl-unclean-shutdown \
#         downgrade-1.0 force-response-1.0
#
</VirtualHost>

SOLUTION
periwinkle

Majorwoo - FWIW, per the options at:

https://www.experts-exchange.com/help.jsp#hi89

I feel that I should be awarded the points as my answer should have led to a solution, and the asker abandoned the question entirely.
nigel5

ASKER

Although I have not been here for a while, I have not abandoned the question, I was waiting for an answer I could actually implement. I only have 2 ethernet cards... so can theoretically only run 2 SSL sites.

periwinkle: if you can think of a way to get multiple IP addresses into an ethernet card, I will gladly award the points.

majorwoo: if you feel this question will not get answered, then please feel free to award the points to periwinkle as he did help out.
ASKER CERTIFIED SOLUTION
By "multiple IP addresses into an ethernet card", are you trying to figure out how to get multiple IP addresses to point to your server?  I believe that this is actually done by router tables at your upstream, not by you - but this isn't my area of expertise....
If you have bought each of those IPs and set your machine up for them, the routers will indeed route traffic to your machine (no special upstream config is needed, as as far as the router is concerned you are a separate machine).
nigel5

ASKER

Getting the traffic to the machine is one problem; getting the machine to respond to that traffic is my main problem, since my SSL issue is IP based.

I could set up traffic mappings that would re-write traffic to the correct host, but would Apache recognise the fact that although I meant for traffic to go to IP a.b.c.d, it ended up on this host which has a different IP?

That confuses me.

If I could get an IP that was on the same subnet, then the existing router mappings would hold on the subnet, and traffic would be routed past my machine.

??
nigel5

ASKER

Ah, like majorwoo said while I was typing

:)
;-)  Happens to me all the time ;-)

I was fairly surprised at how easy it was to set up multiple IPs on the same NIC - I wish I had known a few years earlier than I did ;-)
Thanks Majorwoo - glad to learn something today, too!
nigel5

ASKER

Wow, that just blew a few years of problems out the water...

Thanks to you both, I'll split the points.

Cheers
Nigel
Majorwoo - lol... I have no problem with any of you<G>...  

glad to see someone attacking the Apache topic from the more recent articles end - I had helped with the cleanup from the other side at one point, until I ran out of free time.

Nigel, glad to have assisted - and sorry to have thought that you abandoned the question.
Yep, it was AnnieMod that I was working with - I'll see what I can do - I can't take on long lists at a time, but I may be able to help out some in about a week's time.
Hi,

Surprised to see the accepted answer. You have seen how to add multiple IPs to one ethernet card.

ifconfig eth0:2 <newIP> netmask <netmask> up

will do that work more easily. But it's not a permanent solution. Put this in rc.local or something..

And SSL is not domain-name based. One IP should be dedicated to one SSL-enabled site. We are running a live server with 25s and 5 SSL-enabled sites. There is only one ethernet card at that server..

But I lost the points .. :(..

Anyway thanks...

Bimal
bimal_linux,

the second 1/2 of the answer shows how to make those changes permanent in /etc/sysconfig/network-scripts/ifcfg-eth0:2 and so on... (Which is the recommended way to do it; this way if you stop the network service it will go down collectively, as opposed to putting it in rc.local where you would need to manually ifdown the device and re-ifup it if you wanted to restart it for some reason)

You hadn't posted above anyway so you were not in the running for the points, unless you have a second account?

majorwoo
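As an added example (not code from anyone in this thread), the following script ties together the asker's httpd.conf above and the IP-alias discussion: an audit that flags SSL-enabled wildcard vhosts, which Apache 1.3/mod_ssl cannot tell apart because the certificate is selected by IP:port before the Host header can be read, and generators for the IP-based vhost and the persistent ifcfg alias file. The site names and document roots are the thread's; the alias address 192.168.1.3, netmask and device eth0:2 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not code from the thread). Two helpers for the problem above:
#  - audit_ssl_vhosts: reads an httpd.conf on stdin and reports every SSL-enabled
#    <VirtualHost *:443>. Apache 1.3/mod_ssl picks the vhost (and so the certificate)
#    by IP:port before the Host header is readable, so such blocks all serve the
#    first certificate, exactly the symptom described.
#  - vhost_block / ifcfg_alias: emit the IP-based replacement, one alias IP per site,
#    and the persistent Red Hat alias file majorwoo refers to.
# Site names and roots come from the thread; the alias IPs, netmask and device
# numbers (192.168.1.3, eth0:2, ...) are constructed for illustration.

audit_ssl_vhosts() {
  awk '
    /^[ \t]*<VirtualHost[ \t]/        { addr = $2; sub(/>.*/, "", addr); ssl = 0 }
    /^[ \t]*SSLEngine[ \t]+[Oo][Nn]/  { ssl = 1 }
    /^[ \t]*<\/VirtualHost>/ {
      if (ssl && addr ~ /^\*/) { print "wildcard SSL vhost: " addr; bad++ }
    }
    END { exit (bad ? 1 : 0) }   # non-zero exit when any wildcard SSL vhost exists
  '
}

# vhost_block FQDN IP DOCROOT: IP-based :443 vhost for one site. The cert/key names
# reuse the first label of the FQDN, matching the thread's deviant.crt / pawprint.crt.
# One "Listen IP:443" per alias IP replaces the single "Listen 443".
vhost_block() {
  name=$1; ip=$2; root=$3; label=${name%%.*}
  cat <<EOF
Listen $ip:443
<VirtualHost $ip:443>
   ServerName $name
   DocumentRoot $root
   SSLEngine on
   SSLCertificateFile /etc/httpd/conf/ssl.crt/$label.crt
   SSLCertificateKeyFile /etc/httpd/conf/ssl.key/$label.key
</VirtualHost>
EOF
}

# ifcfg_alias DEVICE IP NETMASK: contents of /etc/sysconfig/network-scripts/ifcfg-DEVICE,
# the boot-persistent form of "ifconfig eth0:2 IP netmask MASK up".
ifcfg_alias() {
  printf 'DEVICE=%s\nIPADDR=%s\nNETMASK=%s\nONBOOT=yes\n' "$1" "$2" "$3"
}

# Demo: the second site moves to a constructed alias address on eth0:2.
vhost_block deviant.rdspace.rd  192.168.1.2 /var/www/deviant/secure
vhost_block pawprint.rdspace.rd 192.168.1.3 /var/www/pawprint/secure
ifcfg_alias eth0:2 192.168.1.3 255.255.255.0
```

Piping the thread's sites.conf through audit_ssl_vhosts reports both *:443 blocks; the generated IP-based blocks pass the same check.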
Majorwoo,

I already mentioned that it's a temporary solution.  And your way is the correct one.  Yes, I am running out of points..;) . But I don't have another account.

Regards,
Bimal
Bimal -

I'm as confused as Majorwoo - you didn't post on this question until after it was already closed -- you didn't 'lose' the points as the points were already distributed?  I'm confused.
Hi folks,

I am new to AE. I didn't notice that.
Hi Bimal -

Sorry for the confusion - Welcome to ExpertsExchange - look forward to seeing your answers!  
Thank you..:)