#11 Sheridan, 14th June 2006, 00:06

Finally. I have created a file in /etc/apache2/conf.d/ with content similar to the ssl VirtualHost entry that ispconfig creates for the main domain for this ip.
Now I'm able to use the same ssl certificate for the other domain managed by my apache.

I think that in that case it would be better not to save the ssl certificates in the webX directory of the main domain for the ip. It would be a much better idea to place them somewhere outside and handle them on a per-ip basis, as they are bound to an ip address.

Maybe saving the certs under a directory structure like the following one would be a good idea.

/var/www/certificates/<ip>/

In the end I would say that this is really a recommended feature for a future ispconfig version, as this is an everyday use case.

Just my two cents. ;-)


greets
Sheridan

Last edited by Sheridan; 14th June 2006 at 00:08.

#12 erk, 14th June 2006, 09:54

Quote:
Originally Posted by Sheridan
Ok. To be sure, I've checked the configs of our plesk server at work. For each domain I've enabled ssl for, I have a <VirtualHost <ip>:443> with a different "Servername <domain>:443" param. The ip is always the same and so is the path to the ssl cert file.

Right, adding multiple virtual hosts like:
Code:
<VirtualHost 192.168.1.10:443>
DocumentRoot "/home/www/securesite/"
ServerName www.mydomain.com:443
</VirtualHost>

<VirtualHost 192.168.1.10:443>
DocumentRoot "/home/www/securesite/"
ServerName www.yourdomain.com:443
</VirtualHost>
is quite possible. But if you try setting different document roots you will find that both https://www.mydomain.com and https://www.yourdomain.com will end up with the same document root. So, the above, while possible, is quite pointless.

If you want a secure site for multiple domains to use for a webmail install or something similar I would simply create a new website in ISPC and enable SSL. Then I just add a DNS record for webmail.mydomain.com and webmail.yourdomain.com that points to the ip number of the secure site.

Quote:
So it seems that you should trust this board and not the apache docu.
I think I still trust the apache team, since my own experience with SSL and apache conforms with their view and that tells me I'm right ;-)
Check your plesk config again to see if the different virtual hosts have different document roots. If not, then they are not really different sites, are they? If they indeed have different document roots, have you checked that apache really honors the different document roots for the same ip?

However, what is possible is to make a secure site and install something like Drupal which supports multiple domains.
The ServerName is not visible to apache but it is visible to a PHP script.

//Erk

#13 Sheridan, 14th June 2006, 23:42

Nope. I definitely do have different DocumentRoot settings. Otherwise my two different typo3 installations wouldn't work.

Trust me. ;-)

greets
Sheridan

#14 erk, 16th June 2006, 10:48

Quote:
Originally Posted by Sheridan
Nope. I definitely do have different DocumentRoot settings. Otherwise my two different typo3 installations wouldn't work.

Trust me. ;-)

I wish I could

Typo3 supports multiple domains using a single database and, as I said previously, it is possible with a CMS such as Drupal or Typo3 to host multiple domains in one document root, and the CMS system will be able to distinguish between the domains since the hostname is visible to PHP but not to apache.
If the two Typo3 installations use the same database it is likely that you cannot tell which document root your request ends up in, since Typo3 will fix it.

The apache developers say it can't be done. I've tested to make sure and cannot make it work. I have seen this issue debated and never seen anyone else claim they can get apache to do name-based virtual hosting with SSL and different document roots. The Plesk documentation even states that:
Quote:
SSL certificates that participate in the encryption process are usually applied to a single domain name on a single IP address, therefore, each site that needs SSL protection must be hosted on a dedicated IP address.
If you are able to create two domains on the same ip with SSL in Plesk and access two different plain html files from the two document roots I will be impressed and very curious as to how Plesk does that. It is not possible with a plain apache server serving html.
So far you keep telling me "it can be done", but with little hard evidence. I would really like to know how to do it if it can be done, but so far the only thing I get is your word against the world, so to speak.


//Erk

#15 russellsantos, 22nd June 2006, 00:27
Interesting article

An interesting article about this topic:

http://www.onlamp.com/pub/a/apache/2...pacheckbk.html

One workaround it suggests is to use a different port for the SSL connections. Apparently, SSL binds to IP addresses AND ports. Of course, you would need a link on your site that points to that particular port for it to work, and it would look a little silly for the users of your site. But then, that is better than the warning the user gets when the SSL certificate does not match the host name.

#16 swan, 3rd February 2008, 00:30

Anyone got the ServerNameIndication TLS to work on ubuntu (gutsy)?

http://www.how2forge.org/enable-mult...on-debian-etch

I tried pbuilding from apt-get source on ubuntu, stable and unstable etch, and any version of apache I could find a diff for the httpd sni patch. I tried keeping to the version and other versions in the same batch of 2.2.x

But I think the problem (guessing by apache logs warn, init) was that openssl was the cause - it just doesn't load even though I _might_ have actually compiled it in both (i.e. a-patched apache, but unable to hook onto the version of openssl - that either had tlsext or not). It probably needed svn version or something that had properly setup in Configure (as I don't think enable-tlsext was enough, or ./config enable-tlsext or even editing Configure manually adding -DOPENSSL_TLSEXT and removing -DOPENSSL_NO_TLSEXT), well, all in my case anyway 0.9.8e-g etch-stable/unstable, ubuntu.

I guess everyone will still have to wait for it to become seamlessly stock standard and keep holding off using mod_gnutls, imho, wtf not yet I wonder. I know this isn't really an ISPC issue, but it relates to the thread above and it's something to watch out for, i.e. wait for seamlessness, or support mod_gnutls in ISPC? *shrug* I'm for waiting personally..

Also for above, it's up to you how you look at using the iport ratio, you can smear it all around, but for any n00b reading, yeh trust the docs, and imho you can trust the ISPCrew

Question though, I've removed the ssl 1 per host limit in ISPC (as in the link above), waiting for tlsext but also because you can abuse ratio if you want. So seeing the 1 host make sense (until apache+openssl+tlsext becomes stock) I could see the main profile being sub.domain.xxx, but sadly you can't have domain.xxx. Yeh, you can have blank/wildcards in other domains under the same profile, but the main profile can't? I know it's no problem in the big picture, but it's annoying for SSL even if you only kept to the 1 ip limit and wanted to be conventional using https://domain.xxx instead of https://sub.domain.xxx

There's a place holder in the gui for other fields in the ssl cert gen, any chance of adding an option to override the auto default for ssl CN? Otherwise I guess I'll have to keep manually doing it for now?

#17 keen, 9th May 2012, 19:51
Quote:
Originally Posted by Sheridan
Ok. To be sure, I've checked the configs of our plesk server at work. For each domain I've enabled ssl for, I have a <VirtualHost <ip>:443> with a different "Servername <domain>:443" param. The ip is always the same and so is the path to the ssl cert file.

So it seems that you should trust this board and not the apache docu.

I would like to see support for this in ispconfig anyway. ;-)


greets
Sheridan

Yup. It worked for me. Thanks.

All times are GMT +2.