Virtual Hosting Problem

on 27.07.2002 00:15:29 by Jay States

I have tried to configure a port-based virtual hosts with the following
ports:

443
444
445
446
447

Is there a better how-to than on the apache site? I'm using apache
2.0.39 and would like to see an example. I follow the text and keep
getting the same error message. Keep in mind that port is not used by
anything other than apache.

(48)Address already in use: make_sock: could not bind to address [::]:447
no listening sockets available, shutting down

Thanks in advance.

J
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Virtual Hosting Problem

on 28.07.2002 22:03:25 by Danalien

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

hi.

As I know, you can only bind one unique ip to one SSL virtual host.

and from what I have read, you can't use name-based SSL virtual host(s) either,
as a work around.

please correct me if I'm mistaken, anyone, I am only using 1.3.24.

>
>I have tried to configure a port-based virtual hosts with the following
>ports:
>
>443
>444
>445
>446
>447
>
>Is there a better how-to than on the apache site? I'm using apache
>2.0.39 and would like to see an example. I follow the text and keep
>getting the same error message. Keep in mind that port is not used by
>anything other than apache.
>
>(48)Address already in use: make_sock: could not bind to address [::]:447
>no listening sockets available, shutting down
>
>Thanks in advance.
>
>J

// with regards
// ID :: danalien ::

PGP Public Key Fingerprint: C891 D3A1 427A A5E7 449F B19E 1E85 A109

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1 (C) 1997-1999 Network Associates, Inc. and its affiliated companies.

iQA/AwUBPUQ//h6FoQlEaqKIEQK8ZACeMM07biD1FPAyCWWlqcnPeNb4E8cA oK6s
GOZZ9Zo6ZUvRDv9P4S0IV3sJ
=R1z6
-----END PGP SIGNATURE-----



RE: Virtual Hosting Problem

on 29.07.2002 09:03:22 by Boyle Owen

>From: Danalien [mailto:danalien@datormaffian.com]
>
>As I know, you can only bind one unique ip to one SSL virtual host.

not quite - see below..

>and from what I have read, you can't use name-based SSL
>virtual host(s) either,
>as a work around.

Mostly right, but with one proviso: You cannot do name-based VHs with SSL but you can have many SSL port-based VHs on ONE IP address..

To understand why - Because in SSL the contents of the TCP/IP packets are encrypted, you can only use external TCP/IP attributes (i.e. IP address and port number) to route the packets. For name-based VHing, you need access to the Host header which is an HTTP attribute (i.e. it is inside the TCP/IP packet). This is visible in plain HTTP but not visible in SSL.

>
>>(48)Address already in use: make_sock: could not bind to
>address [::]:447
>>no listening sockets available, shutting down

This usually means that some other process is already using port 447. Check /etc/services for a list of pre-defined ports, also verify that you have completely killed all other instances of apache which may have been blocking the port (ps -ef | grep httpd).

Rgds,

Owen Boyle

Port-based questions?

on 29.07.2002 20:53:15 by Jay States

I would like to clear up port-based hosting for mod-ssl:

1. https looks for port 443, but you can change that to any port with
modification to the apache configure file and also as long as you
specify the port in the url (https://sample.com:445).

2. Mod-ssl does not work for name based hosting. We must use ports in
order for it to work.

3. Can you specify more than one port to bind https? What if you only
have 1 ip address and 10 different domain names. What do you do then?
Place the domain names behind your firewall and use a class a,b or c ip
addresses?

4. If mod-ssl can be placed on more than one port what does the config
file look like, I keep getting errors. All the docs I've read said that
name-based virtual do not work. They do not say that multiple ports can
not be specified.

I have been looking for a solid answer for 3 weeks and thanks to all who
answer my questions.

J

RE: Port-based questions?

on 30.07.2002 09:03:45 by Boyle Owen

See below,

Rgds,

Owen Boyle

>From: Jay States [mailto:jstates@mac.com]
>
>I would like to clear up port-based hosting for mod-ssl:
>
>1. https looks for port 443, but you can change that to any port with
>modification to the apache configure file and also as long as you
>specify the port in the url (https://sample.com:445).

Exactly correct. You need to say "Listen 445" in the config and define a VH like "". Then you have to use the port in the URL, as you show (to a browser, "https" means "establish an SSL session with the following server; unless the port is specified, use port 443").

>
>2. Mod-ssl does not work for name based hosting...

Kind of the other way around: NBVHing doesn't work with SSL. The reason is that SSL encrypts all the contents of the TCP/IP packet so the traffic has to be routed using only TCP/IP attributes, i.e. IP address and Port number. The "Host" header (which is needed for NBVHing) is an HTTP attribute, i.e. it is inside the packet and so is encrypted so you can't use it to route packets.

> We must use ports in order for it to work.

Yes-ish.. You must distinguish SSL VHs by TCP/IP attributes, i.e. each VH must have a unique IP address:Port pair.

>3. Can you specify more than one port to bind https? What if you only
>have 1 ip address and 10 different domain names. What do you
>do then?
>Place the domain names behind your firewall and use a class a,b or c ip
>addresses?

You'd have to use 10 different ports. But you would have to specify the ports in the public URLs. I'm not sure what you're getting at with the FW idea... You can't get away with address translation in the FW adding on the port numbers since the packets are already encrypted when they arrive at the FW.

Having said that, I was astonished some months ago when someone reported a hardware gadget which could route SSL traffic by hostname. It is a kind of SSL router which you put between your server and the internet. I don't know how it works - maybe you have to give it your private server keys so it can decrypt the incoming traffic. I've also forgotten what it was called! Search the archives on this list for SSL routers, hardware etc..

Maybe someone else can remember the link to this gadget?

>4. If mod-ssl can be placed on more than one port what does the config
>file look like, I keep getting errors. All the docs I've read
>said that name-based virtual do not work.

Because they don't.

>They do not say that multiple
>ports can not be specified.

Because they can:

Listen 192.168.1.1:445
<VirtualHost 192.168.1.1:445>
    SSLEngine on
    SSLCertificateFile ...
    SSLCertificateKeyFile ...
    DocumentRoot ...
    etc..
</VirtualHost>

Listen 192.168.1.1:446
<VirtualHost 192.168.1.1:446>
    SSLEngine on
    SSLCertificateFile ...
    SSLCertificateKeyFile ...
    DocumentRoot ...
    etc..
</VirtualHost>

Note: no need for "NameVirtualHost", no need for "ServerName".
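
An added example, not part of the original thread and not code from Apache or mod_ssl: a Python check over httpd configuration text for the problems discussed in this thread. It flags a Listen directive given twice (a frequent cause of "Address already in use" at startup even when no other process holds the port), SSL virtual hosts that share one IP:port pair (the thread's rule, which holds where SNI is not in use), and SSL virtual hosts whose port has no Listen line. The names lint_ssl_vhosts and SAMPLE_CONF and the sample configuration are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample (not from the thread): port 447 is listed twice, two SSL
# hosts share 192.168.1.1:446, and the host on port 448 has no Listen line.
SAMPLE_CONF = """\
Listen 192.168.1.1:445
Listen 192.168.1.1:446
Listen 447
Listen 447
<VirtualHost 192.168.1.1:445>
    SSLEngine on
</VirtualHost>
<VirtualHost 192.168.1.1:446>
    SSLEngine on
</VirtualHost>
<VirtualHost 192.168.1.1:446>
    SSLEngine on
</VirtualHost>
<VirtualHost 192.168.1.1:448>
    SSLEngine on
</VirtualHost>
"""

def lint_ssl_vhosts(conf_text):
    """Return sorted (problem, endpoint) pairs found in httpd config text."""
    listens, ssl_vhosts, current = [], [], None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if line.startswith("#"):          # whole-line comments are ignored
            continue
        if m := re.match(r"listen\s+(\S+)", line, re.I):
            listens.append(m.group(1))
        elif m := re.match(r"<virtualhost\s+([^\s>]+)", line, re.I):
            current = m.group(1)          # entering a virtual host block
        elif re.match(r"</virtualhost>", line, re.I):
            current = None
        elif current and re.match(r"sslengine\s+on\b", line, re.I):
            ssl_vhosts.append(current)
    # The same Listen twice makes the second bind() fail: "Address already in use".
    problems = {("duplicate-listen", ep) for ep, n in Counter(listens).items() if n > 1}
    # Without SNI, SSL hosts are told apart only by IP:port, so no pair may repeat.
    problems |= {("shared-ssl-endpoint", ep) for ep, n in Counter(ssl_vhosts).items() if n > 1}
    # A virtual host on a port nobody listens on never receives a connection.
    ports = {ep.rsplit(":", 1)[-1] for ep in listens}
    problems |= {("no-listen", ep) for ep in ssl_vhosts if ep.rsplit(":", 1)[-1] not in ports}
    return sorted(problems)

if __name__ == "__main__":
    print(lint_ssl_vhosts(SAMPLE_CONF))
```

To check a real server, pass the concatenated text of httpd.conf and every file it includes, since a duplicate Listen usually sits in a separate included file.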