pfm.smits n00b
Joined: 03 Nov 2004 Posts: 4
Posted: Sat Feb 25, 2006 9:53 am Post subject: apache and SSL
The issue is this:
I have several sites on my server (and only 1 ip from my provider).
For each site (on :80) I have a conf file in /etc/apache2/vhosts.d
e.g.:
site1.com.conf
site2.com.conf
For each above-mentioned site I created an ssl.<sitename>.com.conf, thus getting:
ssl.site1.com.conf
ssl.site2.com.conf
In every site there is a redirect to a directory which must go over SSL (or https),
e.g. in site1.com.conf:
redirect /admin https://site1.com/admin
My ssl.site1.com.conf contains:
<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot /var/www/localhost/htdocs/site1
    ServerName site1.com
    #SSL Stuff
    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/apache2/ssl/site1.com.cert
    SSLCertificateKeyFile /etc/apache2/ssl/site1.com.key
    <Directory /var/www/localhost/htdocs>
        Options All -Indexes
        AllowOverride All
        <IfModule mod_access.c>
            Order allow,deny
            Allow from all
        </IfModule>
    </Directory>
</VirtualHost>
</IfModule>
The same goes for ssl.site2.com.conf:
<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot /var/www/localhost/htdocs/site2
    ServerName site2.com
    #SSL Stuff
    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/apache2/ssl/site1.com.cert
    SSLCertificateKeyFile /etc/apache2/ssl/site1.com.key
    <Directory /var/www/localhost/htdocs>
        Options All -Indexes
        AllowOverride All
        <IfModule mod_access.c>
            Order allow,deny
            Allow from all
        </IfModule>
    </Directory>
</VirtualHost>
</IfModule>
But when I restart apache I get:
[Thu Feb 23 12:05:52 2006] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[Thu Feb 23 12:05:52 2006] [warn] _default_ VirtualHost overlap on port 443, the first has precedence [ ok ]
Obviously I am doing something wrong setting up my ssl.<name>.com.conf files, but what???
gerdesj l33t
Joined: 29 Sep 2005 Posts: 622 Location: Yeovil, Somerset, UK
Posted: Sat Feb 25, 2006 4:28 pm Post subject: Re: apache and SSL
You can only have one SSL-enabled vhost per IP address/port combination. I'm afraid you can't use name-based virtual hosts to get around this either.
SSL encryption encapsulates the entire packet payload including the server name it is destined for, so Apache would be unable to determine which of multiple vhosts to send the packet to. I suppose the idea is that if someone intercepted the packet they would be unable to determine anything from it apart from its IP address source and destination which have to be there for IP to function at all.
So, Apache stops you from even trying to do what you are doing.
One option would seem to be to get each of your SSL sites to listen on another port, e.g.:
Site 1 - 443
Site 2 - 444
etc etc.
All this means is that you can't contact them directly by just specifying https:// as the start of the URL, which is the clue your browser uses to go to port 443. You will need https://<site address>:444 instead. You can control this through address rewriting.
The other option is to get more IP addresses so that each SSL vhost has its own port 443.
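
The first option from the reply above, written out as configuration. This is an added example, not part of either post: port 444 follows the reply, while the site2 certificate paths and the shape of the :80 vhost are assumptions.

```apache
# Added example (not from the thread): one SSL vhost per IP/port pair.

# Every SSL port needs its own Listen line. 443 is assumed to be declared
# already by the existing mod_ssl setup; 444 is the extra port from the reply.
Listen 444

# ssl.site1.com.conf: stays the only vhost on *:443
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName site1.com
    DocumentRoot /var/www/localhost/htdocs/site1
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/site1.com.cert
    SSLCertificateKeyFile /etc/apache2/ssl/site1.com.key
    # remaining SSL and <Directory> settings as in the original file
</VirtualHost>
</IfModule>

# ssl.site2.com.conf: moved to *:444, so no two SSL vhosts share *:443 and
# the "_default_ VirtualHost overlap on port 443" warning has no cause left
<IfModule mod_ssl.c>
<VirtualHost *:444>
    ServerName site2.com
    DocumentRoot /var/www/localhost/htdocs/site2
    SSLEngine on
    # Assumed paths: a certificate and key issued for site2.com. The file as
    # posted points at the site1.com pair, which would not match this name.
    SSLCertificateFile /etc/apache2/ssl/site2.com.cert
    SSLCertificateKeyFile /etc/apache2/ssl/site2.com.key
    # remaining SSL and <Directory> settings as in the original file
</VirtualHost>
</IfModule>

# site2.com.conf (assumed to be a <VirtualHost *:80> block): the redirect
# has to name the port, since https:// alone sends the browser to 443
<VirtualHost *:80>
    ServerName site2.com
    DocumentRoot /var/www/localhost/htdocs/site2
    Redirect /admin https://site2.com:444/admin
</VirtualHost>
```

Running `apache2ctl configtest` after the change checks the syntax before the restart.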