Howto: Apache2 ssl and vhosts

[revresxunil]

I've run into this, and i've seen others run into this. You want to setup vhosts, and you want ssl to work too, but once you allow vhosts.conf to be included in the apache configs, ssl stops working or you get errors about the port already being defined, or stuff like that.

The truth of this matter, is the ssl VHOST is already defined in /etc/apache/conf/modules.d/41_mod_ssl.default-vhost.conf. Thats why there is errors when you try to make your own vhost for ssl. Here's what you need to do:

1) move 41_mod_ssl.default-vhost.conf to 41_mod_ssl.default-vhost.conf.bak so that it is not loaded as a config.

2) create /etc/apache/conf/modules.d/ssl.conf and add the following:

[h0rntuckin]

hi.

thanks for this howto. it seems to make so much sense, yet i've followed it to the letter and apache2 still will not start.

[rizzo]

Is it still the case that you can only have ONE ssl host? That is you can NOT have multiple virtual ssl hosts using their own certificates? I can get multiple https hosts, but they all use the same certificate so I get a warning when the domains don't match.

I read in another post from splooge that this was, indeed, impossible, but there must be something that can be done.

[El_Presidente_Pufferfish]

[vdboor]

[Hideki]

About having multiple certificates, I have run into the same questions and did a search and I found it was not possible.

When https protocol is requested, client and server does some handshake authentication, at that time only IP is known to the server and no host name is passed from the client. http gives Host: header and is a must on HTTP/1.1 protocol, so the apache knows which directory to show, but when handshaking(giving out certificates) there is no way the server can know by which host name the client wants, and I heard it's some kind of security stuff not to include Host: header like http protocol in ssl handshaking.

That's all I know and I just use one default certificate for multiple ssl vhosts.

But it's funny even not recognizing the second certificate in ssl.conf, if the certificate configuration is missing the apache won't work, so you have to either put the default one or some fake configuration line.

Though it works if you make it access on different port. Like https://abc.somehost.org:443 and https://def.somehost.org:1443
can give out 2 different certificates. You have to get around it with your own tweak like redirecting etc to get multiple vhost certificates.

[tuxable]

I believe you can have multiple secure certificates, but you have to have an IP address associated with each one. You can have multiple IP addresses for one network connection.

[BoBoeBoe]

This sounds like what I want to do, could anyone post an example of a vhost.conf file with multiple vhosts with their own certificates? It seems a more tricky than I expected it to be.

And could anyone explain the different sections in the vhost.conf because I don't understand it completely

Thanks

[Wilhelm]

I was reading the Apache2.0 docs and if you want SSL you'll have to do IP-based virtual hosting and not Name-Based.

http://httpd.apache.org/docs-2.0/vhosts/

I'm planning on using my DNS to route a full 10.*.*.* subnet of domains.
Ok it will cost me some more time to configure and script but i'm not limited in any way. I can also do per site logging and bandwidth throttling if i wish according to apache.

[EDIT] Hrmm this is hard and unknown territory but i'll have to alias the whole C-Class onto my single interface and hope it goes well.

[starachna]

Yes, Apache "can" only have one ssl host on port 443, but you can tell apache to listen on port 1443 and 2443 and 3443, that way you can have multiple certs on one ip ...
_________________
http://www.3am.co.za - za psy trance

[ElForesto]

Great how-to! This was precise and very easy to follow.

As a side note, anyone needing a free certificate from a certificate authority (CA) should really take a look at http://www.cacert.org/ I got freebies for my server and all of my e-mail addresses.

[postop]

Just to make sure what I'm doing is right, I wanted to have http and https support for the two virtual hosts that I created.

I took your sample file (thanks by the way, I didn't move the modules file to a .bak, just commented out everything in it). I created two vhosts in the IfModule section, both listening on :443 and with the same configuration as the :80s.

I needed to at a NameVirtualHost *:443 also. This makes both sites come up fine with just the certificate warning. There's some mod_jk stuff in there too which also finally works. You'll need to duplicate the workers along with the docroot, servername, and serveralias.

[kezzla]

Would just like to say THANKS to POSTOP !!!

[Corona688]

Just wanted to say, Thanks! I've been wrestling with this all day, but this thread told me all I needed to know.
_________________
Petition for Better 64-bit ATI Drivers - Sign Here
http://www.petitiononline.com/atipet/petition.html

[biatch0]

Just thought this might help someone, since I got stuck for a couple of hours here.

You MUST add this to commonapache2.conf to match the vhosts... In my case, all vhosts are in /www/directoryname, which is why I use <Directory "/www/*">. If this entry is missing, you end up with 403's for all your vhosts...

[indynet]

[kevev]

It worked. I will post my config files for anyone having issues with the latest apache2 config file layout.
_________________
your only as smart as the Computer doing your thinking.

[seemant]

post them, kevev

[kevev]

Yikes forgot to. Now I am having trouble so I dont want to post them yet. I just upgraded to php4 and php5 using SUPHP. I will post if I get it working.......
_________________
your only as smart as the Computer doing your thinking.

[lyallp]

I note these posts are 15 years old.

I thought I would setup ssl for my local pages on my local apache server.

Any chance of an update, for example, the initial post has config files in the wrong place, which immediately made me suspicious of the rest of the article, excellent though it may be, at the time.

Or, if the article is still relevant, just posting a ping that it is still relevant
_________________
...Lyall

[szatox]

I use use this config for apache vhost. The document root is /var/www/<hostname>.
The stuff that's commented out is something I use (because reasons) but is not strictly required to make things work.

[alamahant]

The mod_ssl is already enabled in httpd.conf

[guitou]

Hi.

If having a local webserver is only for serving on your local network, setting up https is almost useless but for testing purpose, otherwise here (last example) is a minimal sample...

[lyallp]

Just to provide a little background on why I would like to setup ssl on my local machine.
I serve http://olde-distfiles.is.remotely-helpful.info from my home PC, 250G+ is a bit to much for my shared hosting plan.
I have domain is.remotely-helpful.info with SSL but olde-distfiles (host) redirects to my home IP address, which is fixed.
My modem re-routes requests for this redirection to my home PC which serves up the info via Gentoo/apache.
So, given the internet is heading towards ssl, by default, I figured I would setup my apache to serve up https://olde-distfiles.is.remotely-helpful.info
I have rate-limited this particular URL to 1024/512 with mod_ratelimit, so that my home internet is not consumed entirely by remote accesses, so the page may take a little time to load, as there are over 70k files in portage distfiles layout.
I also have fail2ban running on everything else my apache server serves up, with olde-distfiles being the only directory which does not require authentication.
It's quite interesting seeing the hack attempts that arrive.
olde-distfiles may be used as a portage source, if required, hence the existence of a self referring symlink to distfiles in the tree.
_________________
...Lyall