More SSL hosts in one ssl.conf

on 25.02.2007 15:31:05 by JBT

Hi,

I have a VPS listening to 2 different public IP addresses.
For ALL http and a https virtual host requests it currently listens to only 1 IP.

The ssl.conf therefore has

Listen xxx.xxx.xxx.xx1:443
Listen xxx.xxx.xxx.xx1:81



in it. And httpd.conf therefore has

Listen xxx.xxx.xxx.xx1:80

NameVirtualHost *:80



I'd like to run another SSL host, on the other IP-address, mainly
because I want to use a different name and document root for it.
This host has a name not existing for the other IP-hosts, and
the new/extra host needs only SSL, and will not need a port 80 one,
although auto-rewrite to the https would be nice for it.
(I have this for the existing hosts and aliases, so I know how to do that.)

How does one best accomplish this?

I've looked really hard, but could not find info on this,
my guess is not many servers *can* listen to 2 different IPs.

I've been considering constructing something where a different
document root would be used with a certain name request, through rewrite,
and then the other hostname would be an alias of the main ones,
but that seemed overly complex since I do have the other IP I can use.

Thanks in advance for any advice on this.


Julius
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: More SSL hosts in one ssl.conf

on 25.02.2007 18:08:53 by Michael Pacey

On Sun, 2007-02-25 at 15:31 +0100, Julius Thyssen wrote:
> Hi,
>
> I have a VPS listening to 2 different public IP addresses.
> For ALL http and a https virtual host requests it currently listens to only 1 IP.
>
> The ssl.conf therefore has
>
> Listen xxx.xxx.xxx.xx1:443
> Listen xxx.xxx.xxx.xx1:81
>
>
>
> in it. And httpd.conf therefore has
>
> Listen xxx.xxx.xxx.xx1:80
>
> NameVirtualHost *:80
>
>
>
> I'd like to run another SSL host, on the other IP-address, mainly
> because I want to use a different name and document root for it.
> This host has a name not existing for the other IP-hosts, and
> the new/extra host needs only SSL, and will not need a port 80 one,
> although auto-rewrite to the https would be nice for it.
> (I have this for the existing hosts and aliases, so I know how to do that.)
>
> How does one best accomplish this?
>

By configuring the new IP address to the machine, adding a Listen
directive for the new IP address and port (443), and adding a new
virtual host for that IP address and port. A rewrite or redirect from
http to https must be handled within a non-SSL virtual host so you would
need to create another virtual host for the new IP address on port 80
and have the appropriate directives within that.

> I've looked really hard, but could not find info on this,
> my guess is not many servers *can* listen to 2 different IPs.

Apache can and it is very common.

> I've been considering constructing something where a different
> document root would be used with a certain name request, through rewrite,
> and then the other hostname would be an alias of the main ones,
> but that seemed overly complex since I do have the other IP I can use.

Don't really understand what you're getting at here... if you mean using
name based virtual hosting with SSL, you can't do that because Apache
selects the appropriate NBVH by looking at the Host header, but it can't
see the Host header until it's decrypted the SSL traffic, and it can't
decrypt the SSL traffic until it knows what SSL key to use, and it only
knows that once it knows which virtual host to use because that's where
it's configured. And it can't tell which virtual host to use until it
reads the Host header. This is in the FAQ.

> Thanks in advance for any advice on this.
>
>
> Julius

Re: More SSL hosts in one ssl.conf

on 25.02.2007 18:39:44 by JBT

On 2/25/07, Michael Pacey wrote:
> By configuring the new IP address to the machine,

That is already the case. I only have to open a port in iptables.

> adding a Listen directive for the new IP address and port (443), and adding
> a new virtual host for that IP address and port.

Yes, I found out about that, but in executing this there are
no real-life examples I could see, so how does that actually look
in ssl.conf and httpd.conf?
Since httpd.conf has the "*:80" host entries, and ssl.conf has a
"_default_:443" entry,
what changes to them? Nothing? Can I just add those and not worry
about the rest?
So that I add

Listen xxx.xxx.xxx.xx2:80



to httpd.conf and

Listen xxx.xxx.xxx.xx2:443


to ssl.conf?

The other hosts it listens to are "_default_" and "*", so
how does the server know it's on the right IP-address
for the existing hosts?

> A rewrite or redirect from
> http to https must be handled within a non-SSL virtual host so you would
> need to create another virtual host for the new IP address on port 80
> and have the appropriate directives within that.

Yes, I have that down. I'm very good with rewrite.

> > my guess is not many servers *can* listen to 2 different IPs.
>
> Apache can and it is very common.

Yes, I made a mistake in wording it there, sorry.

> Don't really understand what you're getting at here... if you mean using
> name based virtual hosting with SSL,

Well, I could use Server aliases for the virtual SSL host
(in fact, I already have), and then make folder aliases
the user goes to with certain requests.
But like I wrote, that's overly complex.

--
Adios

Julius

Re: More SSL hosts in one ssl.conf

on 25.02.2007 19:03:36 by Michael Pacey

On Sun, 2007-02-25 at 18:39 +0100, Julius Thyssen wrote:
> On 2/25/07, Michael Pacey wrote:
> > By configuring the new IP address to the machine,
>
> That is already the case. I only have to open a port in iptables.
>
> > adding a Listen directive for the new IP address and port (443), and adding
> > a new virtual host for that IP address and port.
>
> Yes, I found out about that, but in executing this there are
> no real-life examples I could see, so how does that actually look
> in ssl.conf and httpd.conf?
> Since httpd.conf has the "*:80" host entries, and ssl.conf has a
> "_default_:443" entry,
> what changes to them? Nothing? Can I just add those and not worry
> about the rest?
> So that I add
>
> Listen xxx.xxx.xxx.xx2:80
>
>
>
> to httpd.conf and
>
> Listen xxx.xxx.xxx.xx2:443
>
>
> to ssl.conf?

Yes.

> The other hosts it listens to are "_default_" and "*", so
> how does the server know it's on the right IP-address
> for the existing hosts?


Right, why do you have *:80 when you said it is only using one IP
address just now? You should just change this to the first IP address:

NameVirtualHost xxx.xxx.xxx.xx1:80

and then you won't have an issue. From the Apache documentation:

"The special name _default_ can be specified in which case this virtual
host will match any IP address that is not explicitly listed in another
virtual host."

So if you specify the new IP address in your new SSL virtual host, it
won't conflict.
--
Michael
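
The layout worked out in this thread, written out in full as an added example (not taken from either poster or from the mod_ssl project). Assumptions: 192.0.2.1 and 192.0.2.2 stand in for the masked xx1 and xx2 addresses, the host names, document roots and certificate paths are hypothetical, and the syntax is that of Apache 2.0/2.2, where NameVirtualHost is still in use.

```apache
# --- httpd.conf (constructed; 192.0.2.1 = existing IP, 192.0.2.2 = new IP) ---
Listen 192.0.2.1:80
Listen 192.0.2.2:80

# Name-based hosting is bound to the first address instead of "*".
# Every existing <VirtualHost *:80> must be changed to the same
# address:port, or it will no longer match this NameVirtualHost.
NameVirtualHost 192.0.2.1:80

<VirtualHost 192.0.2.1:80>
    ServerName www.example.com
    DocumentRoot /var/www/main
</VirtualHost>

# Non-SSL host on the new address: exists only to send clients to HTTPS.
<VirtualHost 192.0.2.2:80>
    ServerName secure.example.net
    Redirect permanent / https://secure.example.net/
</VirtualHost>

# --- ssl.conf ---
Listen 192.0.2.1:443
Listen 192.0.2.2:443

# Existing SSL host. _default_ matches any address not explicitly listed
# in another virtual host, so it keeps serving 192.0.2.1:443.
<VirtualHost _default_:443>
    ServerName www.example.com
    DocumentRoot /var/www/main
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/main.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/main.key
</VirtualHost>

# New SSL host, IP-based: the address selects the vhost and its certificate
# before any Host header has been read.
<VirtualHost 192.0.2.2:443>
    ServerName secure.example.net
    DocumentRoot /var/www/secure
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/secure.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/secure.key
</VirtualHost>
```

Running `apachectl configtest` and then `httpd -S` prints which virtual host is bound to each address and port, which confirms that 192.0.2.2:443 is served by the new host rather than falling through to `_default_`.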
