Apache2 and multiple SSL configs and name based virtual hosting


Creator1326
8th December 2005, 06:59
Apache/2.0.55 DAV/2 PHP/5.0.4 mod_ssl/2.0.55 OpenSSL/0.9.7i

I have two virtual hosts that need SSL certs and I have them configured, but whichever one is listed is the one that sends out its cert and overrides the other SSL config.

I have tried to place IfDefines around the two SSL virtual hosts but still a no go, I can't figure out how to separate them to keep the SSL certs from overlapping. Any ideas?

Above them is some related stuff, not necessarily in this order:
Listen 172.16.0.2:80
Listen 172.16.0.2:443
NameVirtualHost 172.16.0.2:80
NameVirtualHost 172.16.0.2:443

AcceptMutex flock
SSLProtocol all
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/opt/apache2/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex flock:/opt/apache2/logs/ssl_mutex
SSLRandomSeed startup builtin

Here's one of the two SSL vhosts; both are subdomains of two different domains.

<VirtualHost host.domain.org:443>
# General setup for the virtual host
DocumentRoot /opt/apache2/htdocs/host
#ServerName has to match the server you entered into the CSR
ServerName host.domain.org
ServerAdmin webmaster@domain.org
ErrorLog logs/host-error_log
TransferLog logs/host-access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Path to your certificates and private key
SSLCertificateFile /opt/apache2/conf/ssl.crt/host.crt
SSLCertificateKeyFile /opt/apache2/conf/ssl.key/host.key
SSLCACertificateFile /opt/apache2/conf/ssl.crt/ca.crt
<Files ~ "\.(cgi|shtml|phtml|php3?|php5?)$">
SSLOptions +StdEnvVars
</Files>
<Directory /opt/apache2/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
# correction for browsers that don't always handle SSL connections well
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>

till
8th December 2005, 12:06
Are the hosts on different IP addresses? Apache supports only one SSL vhost for each IP address.

Creator1326
8th December 2005, 17:52
Ahh that was it, that's pretty dumb that you can only have one SSL per IP.

themachine
10th December 2005, 17:35
Hmmm... no, not really. There is a reason for this limitation... it's not as if they just decided "hey, let's piss everyone off and make them use a unique IP".... ;)

xinea
31st October 2006, 12:20
> Are the hosts on different IP addresses? Apache supports only one SSL vhost for each IP address.

I'm working on Apache2 and I have created 2 SSL vhosts for one IP address.. it works!.. I don't know if it is applicable with Apache 1.3..

I know it has been a year since this question was asked.. maybe you knew it before now...

anyway,

till
31st October 2006, 12:32
> I'm working on Apache2 and I have created 2 SSL vhosts for one IP address.. it works!.. I don't know if it is applicable with Apache 1.3..
>
> I know it has been a year since this question was asked.. maybe you knew it before now...

Which exact apache version do you use?

xinea
31st October 2006, 12:49
> Which exact apache version do you use?

Apache 2.0.54 (Debian GNU/Linux)

falko
1st November 2006, 17:56
> I'm working on Apache2 and I have created 2 SSL vhosts for one IP address.. it works!

If you do it this way, you'll always see warnings in your browser.

xinea
2nd November 2006, 09:08
Did you mean warnings like these on the Apache server console?

>>[Thu Nov 02 06:10:22 2006] [warn] NameVirtualHost 192.168.2.2:443 has no VirtualHosts
[Thu Nov 02 06:10:22 2006] [warn] NameVirtualHost 192.168.2.2:443 has no VirtualHosts<<

If so, may I ask: does this affect the situation? I mean the security level?

Or the usual browser warning when moving from http to https? If so, you're absolutely right!

till
2nd November 2006, 10:26
These are not SSL warnings. I guess falko meant that you get an SSL security warning in your browser that the domain of your SSL certificate does not match the domain of the vhost.

xinea
2nd November 2006, 11:20
> .. your SSL certificate does not match the domain of the vhost.

Yes, sure.. for that my certificate is for one vhost.. all the other vhosts will produce a warning when viewed through a browser....
but you can proceed with it and get a secure site.

And okay.. now I understand why you said before that we can only create one SSL vhost for an IP address :o (sorry it took me a couple of days to explore it!)

scheperw
5th October 2010, 20:28
This is an old thread but wondering if anyone has had success with multiple SSL virtual hosts using a blanket cert (*.yourdomain.com). This would eliminate the browser warning as long as both sites utilize the same domain.
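
An added example, not part of the original thread: a small Python check for the situation discussed above, where several SSL vhosts land on one IP:port with different certificates and the first-listed vhost's certificate is the one sent. The second vhost, its certificate path and the hand-supplied DNS map are constructed for illustration; vhosts that share one certificate file (as with the wildcard certificate asked about in the last post) are not flagged.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's config; the second vhost,
# its hostname and its certificate path are invented for illustration.
SAMPLE_CONF = """
NameVirtualHost 172.16.0.2:443
<VirtualHost host.domain.org:443>
ServerName host.domain.org
SSLEngine on
SSLCertificateFile /opt/apache2/conf/ssl.crt/host.crt
</VirtualHost>
<VirtualHost other.example.net:443>
ServerName other.example.net
SSLEngine on
SSLCertificateFile /opt/apache2/conf/ssl.crt/other.crt
</VirtualHost>
"""
# Assumed DNS answers, supplied by hand so the check runs offline.
SAMPLE_DNS = {"host.domain.org": "172.16.0.2", "other.example.net": "172.16.0.2"}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)[^>]*>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Return the first argument of a directive in a vhost body, or None."""
    m = re.search(r"^\s*%s\s+(\S+)" % re.escape(name), body, re.M | re.I)
    return m.group(1) if m else None

def ssl_vhost_conflicts(conf, dns=None):
    """Map each ip:port whose SSL vhosts name more than one certificate
    to its [(ServerName, cert), ...] list, in configuration order."""
    dns = dns or {}
    groups = defaultdict(list)
    for addr, body in VHOST_RE.findall(conf):
        if (directive(body, "SSLEngine") or "").lower() != "on":
            continue  # plain HTTP vhost
        host, _, port = addr.rpartition(":")
        if not host:  # address given without a port
            host, port = addr, "*"
        key = "%s:%s" % (dns.get(host.lower(), host), port)
        groups[key].append((directive(body, "ServerName"),
                            directive(body, "SSLCertificateFile")))
    return {k: v for k, v in groups.items() if len({c for _, c in v}) > 1}

if __name__ == "__main__":
    for addr, vhosts in ssl_vhost_conflicts(SAMPLE_CONF, SAMPLE_DNS).items():
        print("%s: every name below gets %s in the handshake" % (addr, vhosts[0][1]))
        for name, cert in vhosts:
            print("  %s (configured: %s)" % (name, cert))
```
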