grblades
asked on
multiple https virtualhost on same IP address
Our old server had multiple IP addresses bound to the network card and had a website setup on each IP address.
Our new server has two sites setup on a single IP address.
Virtualhost works fine for HTTP but when accessing via HTTPS I always get the .co.uk pages (with a certificate warning).
Here is the relevant section from our HTTPS configuration :-
<VirtualHost *:443>
ServerName online.linguaphone.co.uk
DocumentRoot /var/www/www.linguaphone.co.uk
ServerAdmin webmaster@linguaphone.com
ErrorLog logs/online.linguaphone.co.uk-ssl-error.log
TransferLog logs/online.linguaphone.co.uk-ssl-access.log
CustomLog logs/vbis/online.linguaphone.co.uk-ssl-access-vbis.log vbis
SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile conf/certificates/2004_online.linguaphone.co.uk.crt
SSLCertificateKeyFile conf/certificates/2004_online.linguaphone.co.uk.pem
SSLVerifyClient none
SSLVerifyDepth 10
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>
<VirtualHost *:443>
ServerName online.linguaphone.com
DocumentRoot /var/www/www.linguaphone.com
ServerAdmin webmaster@linguaphone.com
ErrorLog logs/online.linguaphone.com-ssl-error.log
TransferLog logs/online.linguaphone.com-ssl-access.log
CustomLog logs/vbis/online.linguaphone.com-ssl-vbis.log vbis
SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile conf/certificates/2004_online.linguaphone.com.crt
SSLCertificateKeyFile conf/certificates/2004_online.linguaphone.com.pem
SSLVerifyClient none
SSLVerifyDepth 10
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>
When I restart apache I get the following warning which I assume is the cause of the problem:-
[warn] _default_ VirtualHost overlap on port 443, the first has precedence
I have commented out the default virtualhost in /etc/httpd/conf.d/ssl.conf except for the following lines:-
LoadModule ssl_module modules/mod_ssl.so
Listen 0.0.0.0:443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex file:logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
ASKER
Thanks. That explains the problem I am having.
I am requesting additional IP addresses from our ISP and will configure one site per IP address.
It works from my side :) (https://online.linguaphone.com remains in the address bar and the Linguaphone site is displayed: About us, Linguaphone international...)
If you are using Mozilla or IE press Shift and click on Refresh.
You can restart the browser to be sure.
You don't need a second IP !!
It works !
The site works fine, however, the first time you visited, you should have had a certificate warning popup because the name on the cert did not match the host name of the site (I know I did). This is what you can't avoid (believe me, I've been trying myself).
But you are on IIS - here we are talking about a server which can do that, Apache.
The only remaining problem is the certificate.
As in a VirtualHost you can specify the certificate file, it should work; there is probably a problem in your certificate.
ASKER
I have checked and the certificate configured for that virtualhost is correct. I have also searched on this topic and all the replies have been the same as frederichenry's reply. There may be some browsers that it works with or some situations where it works, but I would rather be 100% sure that it works for everyone, and using different IPs also means it works for people still using HTTP/1.0.
According to newsgroup this seems to be correct (one certificate only per IP or Port).
The good reason is here http://lists.freebsd.org/pipermail/freebsd-questions/2004-April/045327.html
So, frederichenrys is correct.
You may be interested as well in the comments of majorwoo (our dear page editor) here https://www.experts-exchange.com/questions/20843422/SSL-certificates-and-virtual-hosts-alongside-regular-hosts.html where there are some tips on how multiple IPs on one NIC can be configured.
Multiple IP's should work if the NIC is capable of doing it, his initial question was about a single address.
I agree with frederichenry. It works great for me on one IP address.
I *suspect* (I may be wrong) that
"I am now getting the correct https website but I am still being sent the .co.uk certificate when viewing https://online.linguaphone.com."
refers to the second virtual site not using a separate certificate.
You should not need multiple IP addresses.
Apache, IIS, Tomcat and almost all HTTP servers out there are perfectly able to redirect or host websites and web applications based on "Host headers".
In some cases the hosted web application might need a dedicated IP address. This isn't a limitation of the webserver in most cases.
Rgrds,
ASKER
NameVirtualHost *:80
I have added
NameVirtualHost *:443
I am now getting the correct https website but I am still being sent the .co.uk certificate when viewing https://online.linguaphone.com.
It is possible that stale data in our cache is causing this now.
Can you please check and see if it works for you?
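An added check, written for this thread rather than taken from it, that parses an Apache config and reports the two conditions discussed above: several SSL vhosts on one address with no matching NameVirtualHost (the overlap warning), and more than one certificate behind a single IP:port, where a client that does not send SNI (support arrived in httpd 2.2.12) is handed the first vhost's certificate before the Host header is seen. The embedded config is a shortened, constructed copy of the asker's blocks; the function names are my own.

```python
import re

# Constructed, shortened copy of the asker's two <VirtualHost *:443> blocks.
SAMPLE_CONF = """\
<VirtualHost *:443>
ServerName online.linguaphone.co.uk
SSLEngine on
SSLCertificateFile conf/certificates/2004_online.linguaphone.co.uk.crt
</VirtualHost>
<VirtualHost *:443>
ServerName online.linguaphone.com
SSLEngine on
SSLCertificateFile conf/certificates/2004_online.linguaphone.com.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
NVH_RE = re.compile(r"^\s*NameVirtualHost\s+(\S+)", re.M | re.I)

def parse_vhosts(conf):
    # Return [(address, {directive: value})] for each <VirtualHost> block.
    vhosts = []
    for m in VHOST_RE.finditer(conf):
        directives = {}
        for line in m.group(2).splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                key, _, value = line.partition(" ")
                directives[key] = value.strip()
        vhosts.append((m.group(1).strip(), directives))
    return vhosts

def audit_ssl_vhosts(conf):
    # Return (address, code, winner) findings for SSL vhosts sharing one IP:port.
    named = {m.group(1) for m in NVH_RE.finditer(conf)}
    by_addr = {}
    for addr, d in parse_vhosts(conf):
        if d.get("SSLEngine", "off").lower() == "on":
            by_addr.setdefault(addr, []).append(d)
    findings = []
    for addr, hosts in by_addr.items():
        if len(hosts) < 2:
            continue
        names = [h.get("ServerName", "?") for h in hosts]
        certs = [h.get("SSLCertificateFile") for h in hosts]
        if addr not in named:  # Apache's "_default_ VirtualHost overlap" warning
            findings.append((addr, "no-namevirtualhost", names[0]))
        if len(set(certs)) > 1:  # without SNI the cert is sent before Host is known
            findings.append((addr, "cert-per-name", certs[0]))
    return findings
```

Adding `NameVirtualHost *:443` clears the first finding but not the second, which is exactly the state the asker reports: the right site, the wrong certificate.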