HowtoForge Forums > Linux Forums > Installation/Configuration

#1
14th September 2007, 19:12
MisterVlad
Multiple IP on same NIC, and EV SSL Cert

OK, I saw a post similar to this, but I need some clarification.

I was told that EV SSL certs are based on an IP address, and that one will only cover 1 URL on that IP.

So, my question: is it possible to set up multiple IP addresses on a single NIC, and then set up an EV SSL cert for that one URL/IP, for multiple IPs?

So in essence, I would have, say, 10 EV certs on my server, and the server would then have 11 IP addresses? (This is just an example.)

Is this possible? And if so, can you maybe point me in the right direction on how to configure this?

Thanks in advance!

MisterVlad.

#2
14th September 2007, 22:13
chuckl

As a general rule, if you are using SSL on a website you need an IP address per SSL cert/SSL site. It is not a limitation of the certificate per se, but is a limitation/feature of SSL.

The more serious problem is usually that home routers can only route ports to one IP or one DMZ host, so in order to implement your solution you would need a more upmarket router, or a carefully set up proxy in front of the web server, which brings in a whole new set of problems, not least of which is that the proxy needs SSL as well.

Setting up multiple IPs on a single NIC is not difficult, but differs slightly from distro to distro, so your OS would be useful to know.

#3
14th September 2007, 22:22
MisterVlad

I have a dedicated server that I manage in a data center, so they have all that set up there. My server is unmanaged, so I use SSH to maintain it, and it is up and running fine.

The OS is Debian 4.0 Etch, based on the install that I downloaded from here, with a few tweaks and such.

When I leased the server, for some reason I asked for 2 IP addresses; I don't know why I did that at the time. Anyway, I have the second IP that is not in use, so when the question came up about getting an SSL cert for a client, I looked into it and found out that it was an IP-based SSL cert. Then I remembered that I had that other IP address, and I was looking at how to implement it on my existing server.

I hope that clarifies it a little more: it is not a home-based server, it is in a data center at a remote location.

Mistervlad.

#4
14th September 2007, 22:42
chuckl

That certainly makes it a bit easier for you. On Debian/Ubuntu installs, you simply edit /etc/network/interfaces and add aliases, or use ifconfig to add them. The aliases are the network interface with a :0 or :1 etc. added - eth0:0, eth1:1

/usr/sbin/ifconfig eth0:0 192.168.0.10
/usr/sbin/ifconfig eth0:1 192.168.0.11

and so on. If you add one and examine /etc/network/interfaces, you should see the changes.

You will of course need to assign each website to an IP, change the listen address configuration for Apache, and set up the SSL on each one. DNS will have to point to the correct IP for each website as well.

#5
14th September 2007, 23:00
MisterVlad

Thanks! But I do have 1 more question: will Apache listen on 2 IPs? I haven't looked at the conf file for a while, so I can't think off the top of my head, and to save my hair and a headache, I thought I would ask here.

I use ZoneEdit to manage my DNS, so I can point any URL to any IP pretty easily, even subdomains to different IPs. (Not that you probably don't already know that.)

Will it be difficult to handle the SSL within the same Apache server, even if, like in my example, I use 10 different IP addresses?

Just putting it out there, it is Friday and I am tired.

MisterVlad

#6
14th September 2007, 23:10
MisterVlad

So here is what I do right now with my self-signed SSL cert. I have a separate ssl_enabled directory in the apache2 directory, and I have these listed as the entry for the SSL:
Code:
<VirtualHost *:443>
	ServerAdmin user@domainname.com
	
	ServerName subdomain.domainname.com
	SSLEngine on
	SSLCertificateFile /path/to/sslcert/certname.pem

	DocumentRoot /path/to/resold/domainname.com/subdomain/secure_html/
	<Directory "/path/to/resold/domainname.com/subdomain/secure_html">
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order allow,deny
		allow from all
	</Directory>

	ErrorLog /path/to/logs/apache2/ssl.subdomain.domainname.com_error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog /path/to/logs/ssl.subdomain.domainname.com_access.log combined
	ServerSignature On
</VirtualHost>
and in my apache.conf file (at the bottom) I do:
Code:
....

NameVirtualHost *:80
# Include the virtual host configurations:
Include /path/to/sites-enabled/

NameVirtualHost *:443
# Include the virtual host configurations for ssl:
Include /path/to/ssl-enabled/
I am sure that there is another, better way to do this, but that is what I researched and came up with.

If there are multiple subdomains that the customer asks to have on SSL, I just copy and paste and change the subdomain info.

I hope that is accurate?

And would I just change the *:443 and the *:80 to reflect the actual IP address that I am setting it to?

Last edited by MisterVlad; 14th September 2007 at 23:17.

#7
14th September 2007, 23:30
chuckl

To be honest, I use ISPConfig to manage all that, much quicker and easier. And I'm not going near the whole IP based Virtual Hosts/Name Based VH thing.

Don't forget configs like this:

<VirtualHost 192.168.0.143:80>
ServerName www.mydomain.com:80
etc

and

<VirtualHost 192.168.0.143:443>
ServerName www.mydomain.com:443
etc

Don't forget the ports.conf to listen on both ports, and make backup copies of the files before getting too inventive.
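Posts #4 and #7 together describe the whole layout: an IP alias per SSL site in /etc/network/interfaces, then an IP-based <VirtualHost ip:443> per site with its own certificate and a matching Listen entry. The script below is an added example written for this thread, not code from either poster: it generates both files from a constructed site list and refuses the layout when two SSL sites share an IP, because the Etch-era Apache 2.2 here cannot present more than one certificate per IP:port (no SNI). Hostnames, IPs, certificate paths and the DocumentRoot layout are assumptions.

```shell
#!/bin/sh
# Constructed input, one SSL site per line: "alias ip hostname certfile keyfile".
# The hostnames, IPs and paths are assumptions for this example, not from the thread.
SITES='eth0:0 192.168.0.10 secure.example.com /etc/ssl/certs/secure.pem /etc/ssl/private/secure.key
eth0:1 192.168.0.11 shop.example.com /etc/ssl/certs/shop.pem /etc/ssl/private/shop.key'

# Pre-SNI Apache presents only one certificate per IP:443, so a second SSL site on
# the same IP would be served the wrong certificate. Non-zero if any IP is reused.
check_unique_ips() {
    dups=$(printf '%s\n' "$1" | awk 'NF { print $2 }' | sort | uniq -d)
    [ -z "$dups" ]
}

# /etc/network/interfaces stanzas: the persistent form of the ifconfig eth0:N commands.
gen_interfaces() {
    printf '%s\n' "$1" | while read -r ifalias ip host cert key; do
        [ -n "$ifalias" ] || continue
        printf 'auto %s\niface %s inet static\n    address %s\n    netmask 255.255.255.0\n\n' \
            "$ifalias" "$ifalias" "$ip"
    done
}

# One IP-based <VirtualHost ip:443> per site plus the Listen line ports.conf needs;
# ServerName carries the port, as in the snippets above.
gen_vhosts() {
    printf '%s\n' "$1" | while read -r ifalias ip host cert key; do
        [ -n "$ifalias" ] || continue
        cat <<EOF
Listen $ip:443
<VirtualHost $ip:443>
    ServerName $host:443
    SSLEngine on
    SSLCertificateFile $cert
    SSLCertificateKeyFile $key
    DocumentRoot /var/www/$host/secure_html
    ErrorLog /var/log/apache2/ssl.$host.error.log
</VirtualHost>
EOF
    done
}

# Render both files, refusing the layout when an IP is shared between SSL sites.
render_all() {
    check_unique_ips "$1" || { echo "error: an IP is shared by two SSL sites" >&2; return 1; }
    gen_interfaces "$1"
    gen_vhosts "$1"
}

if [ "${1:-}" = "--render" ]; then render_all "$SITES"; fi
```

Run it with `--render` to print the generated stanzas; paste the interfaces part into /etc/network/interfaces and the vhost part into the ssl-enabled directory after backing both up.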

#8
14th September 2007, 23:38
chuckl

And I always forget the obvious: don't forget to

a2enmod mod_ssl

to enable the mod_ssl module

#9
15th September 2007, 07:40
MisterVlad

Quote:
Originally Posted by chuckl
And I always forget the obvious, don't forget to

a2enmod mod_ssl

to enable the mod_ssl module
This should already be enabled, since I already have a self-signed 256-bit SSL cert?
The issue I am running into is that it is not a trusted SSL cert, and my clients need/want that.

Now, if I can only figure out iptables and such, I would be all set; that way I can set up my FTP on a single IP and only allow 2 ports (FTP and SFTP), and then the HTTP would be on their IPs, and the mail on its own... I dunno... too much work, not enough time.

#10
15th September 2007, 10:55
chuckl

If the SSL cert does not have a root cert distributed with the browsers, then it's not worth paying money for it. You may as well sign up at cacert.org and issue your own. Are you sure that it does not simply require a chain certificate installed on the browser as well? E.g. you have a cert for www.mydomain.com issued by cheapncheerfulssl.com. What you are missing is the chain cert linking cheapncheerfulssl.com back to the biggie who has a cert distributed with the browsers. Usually it's a download linked somewhere on the issuer's website.

On the iptables/FTP side, I'm pretty sure there are HowTos floating round here on the site.