Solved

Securing virtual hosts with SSL?

Posted on 2003-02-19
Last Modified: 2013-11-18
I have several virtual hosts currently configured in my Apache setup. I've switched one of them to IP-based virtual hosting to prepare it for SSL. My question is how do you secure only specific subdirectories, rather than the entire domain?

To get it to even work I had to specify the virtual host to listen on port 443, so anything on port 80 now doesn't work (obviously). Is there a way to specify only particular directories to be secured rather than the entire domain, or would I set up two separate virtual hosts for the same domain and have one listen on port 443 (for https) routing traffic to its own document root, while configuring the second to listen on port 80 (for http) and route all those requests to a different document root? (Somehow, this seems like a rig.) Does anyone know how to do this?

Here's what the virtual host part of my httpd.conf file looks like for the virtual host in question: (I changed my domain name to "domain_to_secure" for security reasons)

<VirtualHost 192.168.1.214:443>
DocumentRoot /home/www/domain_to_secure.com/htdocs
ServerName www.domain_to_secure.com
ServerAdmin webmaster@domain_to_secure.com
ServerAlias domain_to_secure.com
ScriptAlias /cgi-bin/ /home/www1/domain_to_secure.com/cgi-bin/
CustomLog /home/www/domain_to_secure.com/logs/access_log "combined"
Options ExecCGI FollowSymLinks Includes Indexes
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/www.domain_to_secure.com.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.domain_to_secure.com.key
</VirtualHost>
Question by:misteraven
8 Comments
 

Expert Comment

by:phothy
ID: 7985508
Exactly as you said. Set up a second virtual host for port 80 and leave out the SSL statements. For apache a different port is as distinct as a different IP. You probably won't need a NameVirtualHost 192.168.1.214 but you could try it if it doesn't work.

<VirtualHost 192.168.1.214:80>

Expert Comment

by:marko020397
ID: 7985818
In addition, you can add Redirect directives in the virtual host on port 80 to redirect some directories to 443. For instance:

Redirect /secured https://domaintosecure.com/secured

That way no one can get the secured directory via port 80.

Author Comment

by:misteraven
ID: 7987060
Surely there's a more elegant way to do this than adding a second virtual host for the same domain listening on a different port.

The context that I need this for is I'm attempting to set up an online store. Most of it should operate with http; however, the checkout process and admin section should use https. If I were to use separate virtual hosts for each section, then I'd assume I'd have to mirror much of the content, particularly the image assets. Considering all product shots are uploaded in the admin, but display on product pages, then every product added would need to have its associated images uploaded twice. This doesn't seem like a logical solution and I'd be surprised if that's how every other online store with an admin section operated.

Any other options now that you see the dilemma?

Accepted Solution

by: phothy (earned 400 total points)
ID: 7990115
Yes. That's the only way as far as I know. They are different ports. You could theoretically possibly serve SSL just to one directory, but how will the browser ever know. It will just fail because the only port it expects to receive SSL back from is 443.

But if you want to duplicate config info have a look at the Include directive.
http://httpd.apache.org/docs/mod/core.html#include

I've never used it personally, but it might help you out.

Why would images need to be uploaded twice? Upload them using SSL. Serve them using plain HTTP and/or SSL. You don't need to have different DocumentRoots for each VirtualHost. In fact, that's probably unusual. Even if the DocumentRoots are different you can always use links or aliases to share content between the two.

If you go to my old site, https://www.xlon6.com/ you'll see that this entire site can be served in SSL. But it's only required for a tiny part of the site. Everything can be viewed by both, but one section enforces its use. Just put a <Directory ???>Deny from all</Directory> in the plain HTTP VirtualHost for the admin directory. So it will only be accessible through SSL.
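Putting marko020397's Redirect and phothy's Deny together as one worked configuration, added here as an illustration rather than taken from any comment in the thread. It reuses the asker's paths and IP from the question; the /checkout and /admin directory names, the second log file name and the assumption that the port-80 host is bound to the same IP are mine.

```apacheconf
# Added example, not from the thread: one IP-based pair of VirtualHosts for
# the same domain, sharing a single DocumentRoot so nothing is uploaded twice.
# /checkout, /admin and ssl_access_log are assumed names for illustration.
# Apache 1.3 / 2.2 access-control syntax, matching the thread's era.

# Plain-HTTP side: the public store (product pages, images, CSS).
<VirtualHost 192.168.1.214:80>
    ServerName   www.domain_to_secure.com
    ServerAlias  domain_to_secure.com
    DocumentRoot /home/www/domain_to_secure.com/htdocs
    CustomLog    /home/www/domain_to_secure.com/logs/access_log combined

    # Checkout: bounce the browser to the same path over HTTPS (marko's
    # Redirect). This is a 302 by default; "Redirect permanent" sends a 301.
    Redirect /checkout https://www.domain_to_secure.com/checkout

    # Admin: refuse it outright on port 80 (phothy's Deny). Unlike a Redirect,
    # this never serves a byte of /admin in the clear; every request gets 403.
    <Directory /home/www/domain_to_secure.com/htdocs/admin>
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>

# HTTPS side: same DocumentRoot, so product images uploaded through /admin
# are immediately visible to shoppers on port 80 without a second copy.
<VirtualHost 192.168.1.214:443>
    ServerName   www.domain_to_secure.com
    ServerAlias  domain_to_secure.com
    DocumentRoot /home/www/domain_to_secure.com/htdocs
    CustomLog    /home/www/domain_to_secure.com/logs/ssl_access_log combined

    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/www.domain_to_secure.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.domain_to_secure.com.key

    # Only this host grants access to /admin, so the admin login form and
    # its session cookie are only ever exchanged inside the TLS session.
    <Directory /home/www/domain_to_secure.com/htdocs/admin>
        Order deny,allow
        Allow from all
    </Directory>
</VirtualHost>
```

On Apache 2.4 the two `<Directory>` blocks become `Require all denied` and `Require all granted` respectively. After a reload, a plain `curl -I http://www.domain_to_secure.com/admin/` should answer 403 and `/checkout/` should answer with a Location header pointing at https.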

Expert Comment

by:JOligario
ID: 7996650
Here is an example. I thought I had posted it earlier; however, operator error, I pushed the wrong button.

John
joligario@recoverdata.com

#############################################################
# example config for SSL and Non-SSL hosts in the same config
# main server is an SSL one...
#

ServerName ssl.fictional.co
ServerType standalone
ServerAdmin www@ssl.fictional.co
User www
Group www
Port 443
Listen 443
Listen 80
SSLVerifyClient 0
SSLVerifyDepth 10
SSLCertificateKeyFile /www/certs/ssl.fictional.co.key
SSLCertificateFile /www/certs/ssl.fictional.co.cert
SSLCACertificateFile /www/certs/CA.cert

#############################################################
# Note: The following directives are only required if session
# caching is enabled (the default from 1.17). To disable
# caching, make sure the following is set in apache_ssl.c
#
#define CACHE_SESSIONS          FALSE

SSLCacheServerPath /www/bin/gcache
SSLCacheServerPort /www/cache/ssl.fictional.co.cache.socket
SSLSessionCacheTimeout 300

# end conditional section

DocumentRoot /www/hosts/ssl.fictional.co/docs
TransferLog /www/hosts/ssl.fictional.co/logs/access.log
SSLLogFile /www/hosts/ssl.fictional.co/logs/ssl.log
ErrorLog /www/hosts/ssl.fictional.co/logs/error.log
PidFile /www/logs/httpsd.pid


# and a non-SSL one...

<VirtualHost www.fictional.co:80>
SSLDisable
Port 80
DocumentRoot /www/hosts/www.fictional.co/docs
TransferLog /www/hosts/www.fictional.co/logs/access.log
ErrorLog /www/hosts/www.fictional.co/logs/error.log
</VirtualHost>


# and another SSL one... (this one does client-cert
# authentication)

<VirtualHost another-ssl.fictional.co:443>
Port 443
SSLVerifyClient 2
SSLVerifyDepth 10
SSLCertificateKeyFile /www/certs/another-ssl.fictional.co.key
SSLCertificateFile /www/certs/another-ssl.fictional.co.cert
SSLCACertificateFile /www/certs/another-CA.cert
DocumentRoot /www/hosts/another-ssl.fictional.co/docs
TransferLog /www/hosts/another-ssl.fictional.co/logs/access.log
SSLLogFile /www/hosts/another-ssl.fictional.co/logs/ssl.log
ErrorLog /www/hosts/another-ssl.fictional.co/logs/error.log
</VirtualHost>
