fmisa asked:
"Real-World" Apache Configuration -- many Virtual Domains with SLL

Hope someone here can help me out.....

1) I need to configure several websites on a single box using Apache, where each virtual domain may need to have its own certificate and SSL connection. Can this be done somehow?
I know I can have multiple "virtual domains" configured -- but only ONE will be able to use SSL/port 443!
Is there any way/technique/best-practice to "multiplex" this SSL connection? ;))

2) Can each virtual domain redirect JSP/servlet "application-server" requests to different application servers on the backend? Maybe -- for example -- tomcat4:8080, jboss:8383, tomcat5:8888. I think the mod_jk configurations can be specified/unique for each virtual domain. Should be OK I think.... but I've never dealt with these kinds of more advanced Apache configurations and want to minimize/head-off any problems by doing some research first.
** I don't want to waste days trying to find the best version of Apache and mod_jk. Any suggestions?

3) Do I need multiple machines, multiple lines, multiple instances of Apache, MOD_PROXY, MOD_REWRITE?? What I'm asking for is fairly standard I think -- but most documentation just skims the surface of these topics or skirts the issues, focusing on very "vanilla" examples.

I've looked at Q_20873192 (among other posts) and the URLs suggested by this solution don't provide any clear/concise recommendations, best practices or suggestions about how these types of "service provider" configurations/requirements are achieved in practice.

Hope to hear from someone soon.....

Thanks
mjlodge:

The problem is that SSL needs to negotiate authentication and encryption for the TCP connection before it can receive any data over that connection. And that requires that the server pick an SSL certificate. The URL being requested by the user's browser is part of the HTTP request message, and Apache won't see that request until SSL negotiation is complete. So the Apache server can't pick an SSL certificate to match the URL being requested, because it needs the certificate before it can see what the URL is.

If you pick one of the certificates to use all the time, users who are trying to reach one of the other virtual domains are going to see that "certificate does not match domain name" message pop up in their browser.

So, the best solution is to set up multiple Apache SSL servers on different ports, and then have a (non-SSL, regular HTTP) redirect page that looks at the URL being requested by the user and redirects to the appropriate https:// URL (with the correct port number) on the server.
If this really is a "service provider" -- i.e. you are offering web hosting -- then running multiple servers on different ports is not going to scale. You either need to dedicate an IP per SSL server, or give users a way to create files in a directory structure on a single SSL server (with a single cert) from your domain (e.g. https://secure.webhostingco.com/username/whatever).

fmisa (asker):

Thanks for responding......

Some more background.......
Initially, I need to offer a few internal "departmental" websites...... as well as a few (3-5) external websites; my company is a parent company for several companies that maintain their own public identity -- we, however, host all the websites off our own server...... as well as our own website.

We currently have our own "corporate" website -- with certificate and SSL....
The other websites (for our child companies) are just serving static content -- nothing sensitive, no SSL, no security/authentication.

This is changing, however, and I'll need to offer some of our child companies secure forms capabilities which I'd like to offer via SSL.

So we are an ISP -- in a sense -- but not anything like commercial ISPs that offer 100s or 1000s of accounts/websites. At most -- I'd only need to worry about 6 or so public "identities"/domain names.

What's the best way of providing secure/SSL to our child companies -- without having our "parent company" certificate popping up when users want to process/submit information via secure forms?

I.E. I'd like each child company to have their own certificate/SSL/identity.

You Suggest.....
----------------------------------
Option#1:
>>Multiple Apache SSL servers on different ports -- with a single server acting as broker/proxy between
>>them -- redirecting as necessary.
** Can you provide some more detail on the redirection mechanism? Good online docs/examples?
Are you using MOD_REWRITE for the redirect..... MOD_PROXY....... or just regular Apache httpd.conf Redirect directives?
----------------------------------
Option#2:
Not sure what you mean by:
>>give users a way to create files in a directory structure on a single SSL server (with a single cert) from
>>your domain
But I suspect -- this is not my scenario anyway??

Please comment....

Thanks
fmisa (asker):

Sorry....
One more thing.....

Related to my original question/points.....
* I think you've answered 1) for me..... I'll wait to see your further comments/thoughts.
Also....
* Can you please provide more info. on 2) -- the redirect mechanism you would recommend.
* and also 3) if you could just touch on the issue of different app servers per virtual domain and the Apache/mod_jk versions that you would recommend, for both the fronting/redirecting Apache instance and the others running in the background...... Any thoughts....

Thanks very much....

ASKER CERTIFIED SOLUTION
mjlodge:

fmisa (asker):

Fantastic....

I really appreciate the detail and clear answer.....
You've saved me much time/pain I'm sure.....

I think I'll go the DNS & separate Apache processes route you describe.

If you have some favorite/relevant links/URLS on this topic -- please include some if you can......


Thanks again....

Cheers

fmisa (asker):

================================================================
COPIED FROM:
http://www.sitepoint.com/forums/archive/index.php/t-175591.html
================================================================

A DNS entry can be configured so that an arbitrary number of subdomains can each point to different IPs. So, for instance, I can have images.example.com and forum.example.com point to a different server than www.example.com, and I can add subdomains for different functional units as load increases.

My next question related to this would be: is it possible to have a single Linux box running two different web servers, with one listening on port 80 on one IP and another listening on port 80 on another IP, or can a single machine only have one IP or not distinguish between the same port on different IPs? I want to test my site on only one machine before it goes live and I migrate it to two, and I plan on using two different servers for different purposes.

Using Apache you could do either of the following:

a) 1 Apache process tree bound on two IPs, both port 80
b) 2 Apache process trees, each bound independently on an IP on port 80.

The machine itself will know which one takes the connection because the client end would have resolved to an IP address and thus only one of the Apache trees would be aware of this.


================================================================
COPIED FROM:
http://mail.saigon.com/pipermail/vn-tech/2002-October/000016.html
================================================================

There is no need to recompile or install a new Apache.  One set of
binaries is all you need.

You can start up Apache with a specific configuration for each of the
different servers you want.  This is exactly how I do it for a number
of my installations.

Let's say you install Apache 2.0.x (or 1.3.x, does not matter) on
the system and httpd is in /usr/sbin/httpd.  You can put the production
config in /opt/production and the devel config in /opt/development.
Each has the exact same dir tree, e.g.

/opt/production
                        /cgi-bin
                        /conf
                        /error
                        /htdocs
                        /icons
                        /images
                        /include
                        /libexec (or /modules for 2.0.x)
                        /logs

Same for /opt/development.

The configs for each one go in the conf dir, contents in other places, etc.

Then write a script to start up Apache using the config for the environment
you want.

Example, apache_production.sh contains:

/usr/sbin/httpd -d /opt/production -f /opt/production/conf/httpd.conf

Example, apache_development.sh contains:

/usr/sbin/httpd -d /opt/development -f /opt/development/conf/httpd.conf

And so on.... you get the idea.  You can also extend this for running
multiple versions of Apache on same box, and mix in the idea of different
versions, sharing same content (htdocs, images, icons), etc.

Doing things this way, it's much easier to manage.  You _KNOW_ that
you are using the exact same Apache binary for these environments, making
it easier to update and track down problems, bugs, etc.

Tin Le
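mjlodge's "dedicate an IP per SSL server" option and the "1 Apache process tree bound on two IPs" layout from the copied SitePoint post, written out as an added example that is not configuration from the thread or from any of its authors. Modern clients also send the hostname during the TLS handshake (SNI), which the thread predates, but the per-IP layout still works unchanged. Hostnames, addresses, certificate paths and backend ports are assumptions.

```apache
# Added example, not the thread's own config: one Apache 2.x process tree serving
# two SSL sites, each on a dedicated IP with its own certificate and each sending
# JSP traffic to a different backend. IPs (RFC 5737 range), hostnames, paths and
# backend ports are constructed; the ports echo the asker's tomcat4/jboss examples.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
# Forward proxying stays off: only the explicit ProxyPass mappings below are served.
ProxyRequests Off

# DNS maps child-a to 192.0.2.10 and child-b to 192.0.2.11. One 443 listener per IP:
# the certificate is chosen by which IP accepted the connection, not by hostname.
Listen 192.0.2.10:80
Listen 192.0.2.10:443
Listen 192.0.2.11:80
Listen 192.0.2.11:443

# Plain HTTP on each IP does nothing but redirect to that site's https:// URL.
<VirtualHost 192.0.2.10:80>
    ServerName www.child-a.example
    Redirect permanent / https://www.child-a.example/
</VirtualHost>
<VirtualHost 192.0.2.11:80>
    ServerName www.child-b.example
    Redirect permanent / https://www.child-b.example/
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName www.child-a.example
    DocumentRoot /srv/child-a/htdocs
    SSLEngine on
    SSLCertificateFile    /etc/ssl/child-a/cert.pem
    SSLCertificateKeyFile /etc/ssl/child-a/key.pem
    ErrorLog logs/child-a-ssl_error.log
    # This site's JSP/servlet application lives on its own app server.
    ProxyPass        /app/ http://tomcat4:8080/app/
    ProxyPassReverse /app/ http://tomcat4:8080/app/
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName www.child-b.example
    DocumentRoot /srv/child-b/htdocs
    SSLEngine on
    SSLCertificateFile    /etc/ssl/child-b/cert.pem
    SSLCertificateKeyFile /etc/ssl/child-b/key.pem
    ErrorLog logs/child-b-ssl_error.log
    ProxyPass        /app/ http://jboss:8383/app/
    ProxyPassReverse /app/ http://jboss:8383/app/
</VirtualHost>
```

Each site gets its own ErrorLog so certificate and backend failures can be attributed to one child company; the same pattern extends to as many IP/certificate pairs as the box has addresses.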