Asked by jmicorp

Help with VirtualHosts - Regular and SSL

We are converting from our old servers running apache 1.3 to new ones with apache 2.2. We have about 130 virtual hosts, almost all using standard http, and a handful running https. That said, the original way we had it set up, "namevirtualhost *", no longer works.

HELP! I don't know how to configure the new apache to work the same way it did in 1.3 and get along with both types of traffic.

phirana

giltjr

What makes you think that namedvirtualhost * doesn't work?

According to:

    http://httpd.apache.org/docs/2.2/vhosts/name-based.html

It should.

jmicorp (ASKER)

Piranha - that method is for 1.3.

When doing NamedVirtualHost * - I get an overlapping error and only the first Vhost "works".
NamedVirtualHost *:80

Try that

jmicorp (ASKER)

Done that. Then added *:80 to each virt host listing as well. Only allows one per vhost.
jmicorp, try to run 'apachectl -S' and post results for a couple of IPs with NameVirtualHost (you may substitute domain names).

General rules:
1) Every 'virtual' IP should have 'Listen ' directive
2) Every 'virtual' IP should also have NameVirtualHost directive
3) Every <VirtualHost ...> should have the same '...' options as in NameVirtualHost
4) Every <VirtualHost ...> should have ServerName in it and optional ServerAlias
5) SSL could work only on real server, not on virtual host (that's why you need :80 for all non-SSL virtual hosts and separate SSL virtual host with *:443 and <VirtualHost _default_:443> section)

if not a problem please post your config.
httpd.conf should look like:

    NameVirtualHost *:80
    <VirtualHost *:80>
      ServerName vhost.company.tld
    ...
    </VirtualHost>

if you have multiple <VirtualHost > directives, each needs to contain a proper unique ServerName directive
for SSL you can have only *one* name-based virtual host
Are you using one IP address for all hosts?

SSL using named virtual hosts is a very sticky situation.  To expand on ahoffmann's comment, you can only have one name-based virtual host using SSL that works normally.

When using name-based virtual hosting Apache can only use one SSL certificate for all virtual hosts that share the same IP address.  Since a certificate is associated with a host name, one of your hosts will work "normally".  However, when a user goes to visit one of the other virtual hosts, the ones whose names don't match the certificate, they will be prompted with the "cert don't match host" message and asked if they want to continue or not.

Can you post a sample of one of your virtual host definitions?  They should have, at a minimum, the parameters that are in ahoffmann's first post.
Can you post the exact error message you are getting?

I have reviewed the 1.3 Named Virtual host doc from Apache and from what I can tell nothing has changed between 1.3 and 2.2 with support.  The examples for 2.2 show *:80 on the NamedVirtual host, but this is not a requirement, it is only a suggestion.  They suggest this because of the issues with name-based virtual hosting and SSL.

I am confused on how you had this working under 1.3. Name-based virtual hosting has always had issues with SSL, even in 1.3.  It's not an issue with Apache, it's due to how SSL works.

jmicorp (ASKER)

Wow, thanks for the new responses! I'll be in the office tomorrow (monday) so I'll be able to trim the identity out of the httpd.conf. Note, we have all of our virtual hosts in include statements from A-Z. My guess is that it was set up incorrectly years ago and the newer version of apache is sensitive to the improper configurations.

The way it started:

NamedVirtualHost *

with over a hundred <Virtual Host *>Servername Serveralias documentroot</Virtualhost> in includes. There is only a single SSL host, "secure.yyyzzz.net". I guess I really just need to know this:

When using NUMEROUS virtualhosts and an additional single SSL vhost on httpd (it's a cluster, but that's another story), what is ACTUALLY necessary in this configuration to be PROPER on apache 2.2.3?

FYI: 1 IP address, but if that needs to change, it can.

Thanks so much to all @ EE.
If you only have a single secured host, for proper setup that needs to be the first (a.k.a. default) virtual host for that to work correctly.  That is assuming that the SSL certificate is for the host name "secure.yyyzzz.net".  If the certificate is for a host name that is different from the virtual host, you have a problem anyway.

Try running the command Nopius gave.

I am running Apache 2.2.8 and changed my config to use:

     NamedVirtualHost *
     <VirtualHost *>
       Servername A
     </VirtualHost>
     <VirtualHost *>
       Servername B
     </VirtualHost>

and received NO errors at all.  I only have two virtual hosts.  Doing some searching I found a couple of possible situations that could cause an overlap error:

Two Virtual hosts that are defined using the same specific IP address and port.
Using the BindAddress directive.  Apache 2.0 no longer needs this.  If you have it, get rid of it.
Having another process that is binding to port 80.  Like running two instances of Apache, or Apache and another process that also listens on port 80.

jmicorp (ASKER)

When starting apache:

Starting httpd: [Mon Mar 10 08:35:06 2008] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Mon Mar 10 08:35:06 2008] [warn] _default_ VirtualHost overlap on port 80, the first has precedence

and they go on for a full 130 some odd lines worth. only to end with:

[Mon Mar 10 08:35:06 2008] [warn] NameVirtualHost *:80 has no VirtualHosts

for the time being, i've cut the references to SSL out - i have the entire SSL include in a single document so it's easy to trim out.

If I use "namevirtualhost *" instead of "namevirtualhost *:80" i get:

[Mon Mar 10 08:37:18 2008] [error] VirtualHost *:80 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results

130 times.. followed by

[Mon Mar 10 08:37:18 2008] [error] VirtualHost _default_:443 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results

Which I don't even have defined -- there's no SSL page defined at all.

Some potentially helpful information, snippet:

VirtualHost configuration:
74.4.21.25:80          is a NameVirtualHost
         default server nuxxant.com (/etc/httpd/conf/vhosts/n.conf:45)
         port 80 namevhost nuxxnt.com (/etc/httpd/conf/vhosts/n.conf:45)
wildcard NameVirtualHosts and _default_ servers:
*:*                    is a NameVirtualHost
         default server jmweb.xxmedia.biz (/etc/httpd/conf.d/ssl.conf:81)
         port 443 namevhost jmweb.xxmedia.biz (/etc/httpd/conf.d/ssl.conf:81)
         port * namevhost xxxxec.com (/etc/httpd/conf/vhosts/a.conf:1)
         port * namevhost xxx.xxxn.net (/etc/httpd/conf/vhosts/a.conf:8)

Is ssl.conf causing me the 443 grief? Also, what's up with the default servers?

Thanks for your help, i've raised the point value as this has gotten increasingly more complicated
O.K.  If I understand everything correctly:

--> 74.4.21.25:80          is a NameVirtualHost

Someplace you have a definition that has a specific IP address and not "*" or "*:80".  You can't specify a specific IP address one place and "*" another place when using named virtual hosts.

-->      port 443 namevhost jmweb.xxmedia.biz (/etc/httpd/conf.d/ssl.conf:81)

You have "*:443" coded for this virtual host.  You can not mix using "*" and "*:443" for virtual hosts.

You either need to code "*:80" and "*:443" as needed EVERYPLACE or you need to just code "*".  Based on what you have said, you only have one site that you need 443 for, so it may be best to code *:80 and *:443 as needed.  Although it may be simpler and easier to just code "*".

--> wildcard NameVirtualHosts and _default_ servers:
*:*                    is a NameVirtualHost

It appears you have a virtual server named "_default_servers", which is fine, but if you want it to truly be the default server it must be the first virtual server defined.  It appears that you have nuxxnt.com as the first virtual host and the first virtual host definition encountered is the default.  So you need to either get rid of "default_servers" and let nuxxnt.com be the default or move "default_servers" to be the 1st virtual server defined.

I don't know how long you have been running like this, but if you change which virtual server is your default, some of your visitors may get a different web page than they have been in the past, I would personally just remove the "default_servers" as it seems to me that it is not being used at all today.
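
As an added example (not code from any poster in this thread), a small Python lint applies a simplified, string-compare model of the address rules discussed above to a constructed config and to a corrected form of it, including the case where an SSL vhost declared with a bare `*` also claims port 80. The finding names, both sample configs and the `example.test` hostnames are assumptions made for illustration; the lint does not follow `Include` lines or resolve hostnames.

```python
import re

# Constructed configs (not from the thread); the hostnames are placeholders.
BROKEN = """
NameVirtualHost *:80
<VirtualHost *>
    ServerName secure.example.test
    SSLEngine on
</VirtualHost>
<VirtualHost *>
    ServerName a.example.test
</VirtualHost>
"""
FIXED = """
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName a.example.test
</VirtualHost>
<VirtualHost *:443>
    ServerName secure.example.test
    SSLEngine on
</VirtualHost>
"""

def split_addr(spec):
    """'*:80' -> ('*', '80'); a bare '*' -> ('*', '*'), meaning every port."""
    host, port = re.fullmatch(r"(.+?)(?::(\d+|\*))?", spec).groups()
    return host, port or "*"

def lint(conf):
    """Return sorted finding codes; addresses are compared as literal strings."""
    nvh, vhosts, cur, found = set(), [], [], set()
    for line in conf.splitlines():
        key, *args = line.strip().rstrip(">").lower().split() or [""]
        if key == "namevirtualhost" and args:
            nvh.add(split_addr(args[0]))
        elif key in ("<virtualhost", "</virtualhost"):
            cur = [split_addr(a) for a in args]   # empty again at the closing tag
            vhosts.extend(cur)
        elif key == "sslengine" and args[:1] == ["on"] and "*" in [p for _, p in cur]:
            found.add("ssl-vhost-on-all-ports")   # TLS vhost also claims port 80
    addrs = nvh | set(vhosts)
    if any((h, "*") in addrs for h, p in addrs if p != "*"):
        found.add("mixed-star-and-port")          # '*' used next to '*:80'
    if any(vhosts.count(a) > 1 for a in set(vhosts) - nvh):
        found.add("overlap-first-wins")           # same address, no NameVirtualHost
    if nvh - set(vhosts):
        found.add("namevirtualhost-unused")       # declared, never matched
    return sorted(found)
```

Feed `lint()` the concatenated text of the vhost include files before a restart; `apachectl -S` remains the authoritative view of how httpd actually grouped the hosts.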

jmicorp (ASKER)

Here's what I've accomplished today:

switched all vhosts back to just * rather than *:80 - great
changed the ssl.conf (?) virtual host to just * - great

I can now start apache without an error.

However, browsing to HTTP nets a

"Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please."

however, HTTPS to same page works. The nxxxxxt page isn't a deliberate default. In httpd.conf, i have testpage.mydomain.biz as the very first listed page. However, httpd.conf has an include for /conf/ssl.conf before the standard virtualhosts section, loading HTTPS before HTTP.

I'm so close! Thanks a lot for your continued assistance, giltjr.

ASKER CERTIFIED SOLUTION
giltjr
(This answer is hidden behind account sign-up on the source page.)

jmicorp (ASKER)

I just did that about 5 minutes before i got your post notification -- and it worked.

Now I've got DB problems to work through, but hey, we got apache!

Thanks, giltjr.

jmicorp (ASKER)

giltjr stuck through the trials of getting apache properly organized.
Glad to see it's working and thanks for the grade.

If you get stuck with the DB stuff, just ask a question in the appropriate area. There are plenty of DB experts here.
hmm, didn't read all comments carefully after my one, but did you realize that you have a typo in

  NamedVirtualHost *

it has to be

  NameVirtualHost *

jmicorp (ASKER)

Yeah, just a typo while writing the posting. Thanks for asking.