how to get multiple SSL with name based vhost ?

how to get multiple SSL with name based vhost ?

on 01.12.2009 05:11:31 by joydeep

Dear list,

I have multiple name-based vhosts at my remote server. If I follow the
same configuration for SSL, it does not work. I have not even found any
code through Google which can do the job. I have found it is possible
to define only one name-based vhost with SSL support. Are there any
tricks to configure multiple vhosts with SSL? Kindly show me the way.

Thanks

--
জয়দীপ বক্সী


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: how to get multiple SSL with name based vhost ?

on 01.12.2009 05:39:56 by joydeep

J. Bakshi wrote:
> Dear list,
>
> I have multiple name-based vhosts at my remote server. If I follow the
> same configuration for SSL, it does not work. I have not even found any
> code through Google which can do the job. I have found it is possible
> to define only one name-based vhost with SSL support. Are there any
> tricks to configure multiple vhosts with SSL? Kindly show me the way.
>
>
>

Obviously this can be achieved by defining a separate port for each
individual vhost, but I am trying to make it work on port 443 for all the
SSL vhosts.


--
জয়দীপ বক্সী



Re: how to get multiple SSL with name based vhost ?

on 01.12.2009 06:49:27 by Krist van Besien

On Tue, Dec 1, 2009 at 5:11 AM, J. Bakshi wrote:
> Dear list,
>
> I have multiple name-based vhosts at my remote server. If I follow the
> same configuration for SSL, it does not work. I have not even found any
> code through Google which can do the job. I have found it is possible
> to define only one name-based vhost with SSL support. Are there any
> tricks to configure multiple vhosts with SSL? Kindly show me the way.

This is probably one of the most asked questions on this list...
For a long time the answer to the problem was "you can't". The problem
is that in order to know from which virtual host to serve content a
webserver must inspect the "Host" header. This is part of the HTTP
request. However the SSL handshake takes place before any HTTP request
is initiated. In order to complete the handshake the webserver needs
to know which SSL certificate to use. Since the webserver can't yet
know which virtual host content is being requested from, it uses the
certificate of the first host.
It's really a limit of the protocol, not the server.

However the latest version of the HTTPS protocol includes SNI, which
permits a client to transmit to the host the name of the virtualhost
it wants to contact during the SSL handshake. So what you need to do
is make sure you have the very latest Apache, compiled with the latest
OpenSSL libraries, and use a recent web browser. Then you will be able
to do this.

Krist


--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?


Re: how to get multiple SSL with name based vhost ?

on 01.12.2009 08:19:55 by joydeep

Krist van Besien wrote:
> On Tue, Dec 1, 2009 at 5:11 AM, J. Bakshi wrote:
>
>> Dear list,
>>
>> I have multiple name-based vhosts at my remote server. If I follow the
>> same configuration for SSL, it does not work. I have not even found any
>> code through Google which can do the job. I have found it is possible
>> to define only one name-based vhost with SSL support. Are there any
>> tricks to configure multiple vhosts with SSL? Kindly show me the way.
>>
>
> This is probably one of the most asked questions on this list...
> For a long time the answer to the problem was "you can't". The problem
> is that in order to know from which virtual host to serve content a
> webserver must inspect the "Host" header. This is part of the HTTP
> request. However the SSL handshake takes place before any HTTP request
> is initiated. In order to complete the handshake the webserver needs
> to know which SSL certificate to use. Since the webserver can't yet
> know which virtual host content is being requested from, it uses the
> certificate of the first host.
> It's really a limit of the protocol, not the server.
>
> However the latest version of the HTTPS protocol includes SNI, which
> permits a client to transmit to the host the name of the virtualhost
> it wants to contact during the SSL handshake. So what you need to do
> is make sure you have the very latest Apache, compiled with the latest
> OpenSSL libraries, and use a recent web browser. Then you will be able
> to do this.
>
> Krist
>
>
>
Hello Krist,

Thanks for your nice explanatory response. The server where my Apache
is running is based on openSUSE 11.0. Hence I don't think this box can
support SNI. As this is a production server I can't simply upgrade the
box. So I need some other alternative. Thanks for making me familiar with SNI.

--
জয়দীপ বক্সী



RE: how to get multiple SSL with name based vhost ?

on 01.12.2009 10:08:17 by Boyle Owen

> -----Original Message-----
> From: J. Bakshi [mailto:joydeep@infoservices.in]
> Sent: Tuesday, December 01, 2009 8:20 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] how to get multiple SSL with name
> based vhost ?
>
> ...
>
> Thanks for your nice explanatory response. The server where
> my apache
> is running is based on opensuse 11.0 . Hence I don't think
> this box can
> support SNI. As this is a production server I can't simply upgrade the
> box. So I need some other alternative.

Krist explained it very nicely... But maybe you still didn't get it:
Without SNI, there is NO WAY TO DO THIS. It is a fundamental limitation
of the HTTPS protocol with no production-grade work-around. SNI
(server-name indication) was specifically added to address this
limitation. There is simply NO ALTERNATIVE.

Having said that, if you have a research or academic environment and
don't care about browser warnings, you can just use the same cert for
all sites. You will get the encryption aspect of HTTPS but not the
authentication aspect.

Alternatively, if all sites have the same domain-name (eg,
sales.wibble.com, shop.wibble.com etc), you can get a wildcard cert that
certifies *.wibble.com.

Aside from these special cases, there is NO WAY to have name-based SSL
VHs.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

> Thanks to make me
> familiar with SNI
>
> --
> জয়দীপ বক্সী
>
This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. If you
receive this message in error, please notify the sender urgently and
then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
The sender's company reserves the right to monitor all e-mail
communications through their networks.


Re: how to get multiple SSL with name based vhost ?

on 01.12.2009 10:53:18 by joydeep

Boyle Owen wrote:
>> -----Original Message-----
>> From: J. Bakshi [mailto:joydeep@infoservices.in]
>> Sent: Tuesday, December 01, 2009 8:20 AM
>> To: users@httpd.apache.org
>> Subject: Re: [users@httpd] how to get multiple SSL with name
>> based vhost ?
>>
>> ...
>>
>> Thanks for your nice explanatory response. The server where
>> my apache
>> is running is based on opensuse 11.0 . Hence I don't think
>> this box can
>> support SNI. As this is a production server I can't simply upgrade the
>> box. So I need some other alternative.
>>
>
> Krist explained it very nicely... But maybe you still didn't get it: Without SNI, there is NO WAY TO DO THIS. It is a fundamental limitation of the HTTPS protocol with no production-grade work-around. SNI (server-name indication) was specifically added to address this limitation. There is simply NO ALTERNATIVE.
>
> Having said that, if you have a research or academic environment and don't care about browser warnings, you can just use the same cert for all sites. You will get the encryption aspect of HTTPS but not the authentication aspect.
>
> Alternatively, if all sites have the same domain-name (eg, sales.wibble.com, shop.wibble.com etc), you can get a wildcard cert that certifies *.wibble.com.
>
> Aside from these special cases, there is NO WAY to have name-based SSL VHs.
>
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored.

Hello Owen,

Thanks for your response. Your assumption is correct. I am working in an
environment where the domain name is the same. Hence I am using the same
certificate. But the problem is with the port. Apache complains if it sees
more than one name-based vhost with port 443. I was using the config below:

```
Listen 443
NameVirtualHost example1.de:443

<VirtualHost example1.de:443>
SSLEngine on
SSLCipherSuite HIGH:MEDIUM
SSLProtocol all -SSLv2
SSLCertificateFile /etc/apache2/myca/mars-server.crt
SSLCertificateKeyFile /etc/apache2/myca/mars-server.key
SSLCertificateChainFile /etc/apache2/myca/my-ca.crt
ServerName https://example1.de
ServerAlias https://example1.de

DocumentRoot /srv/www/htdocs/blevti.opendingo.de
DirectoryIndex index.php
</VirtualHost>


NameVirtualHost example2.de:443
<VirtualHost example2.de:443>
SSLEngine on
SSLCipherSuite HIGH:MEDIUM
SSLProtocol all -SSLv2
SSLCertificateFile /etc/apache2/myca/mars-server.crt
SSLCertificateKeyFile /etc/apache2/myca/mars-server.key
SSLCertificateChainFile /etc/apache2/myca/my-ca.crt
ServerName https://example2.de
ServerAlias https://example2.de

DocumentRoot /srv/www/htdocs/example2.de
DirectoryIndex index.php
</VirtualHost>
```

but no luck

--
জয়দীপ বক্সী



RE: how to get multiple SSL with name based vhost ?

on 01.12.2009 11:01:16 by Boyle Owen

> -----Original Message-----
> From: J. Bakshi [mailto:joydeep@infoservices.in]
> Sent: Tuesday, December 01, 2009 10:53 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] how to get multiple SSL with name
> based vhost ?
>
> ...
>
> Thank for your response. your assumption is correct. I am
> working in an
> environment where the domain name is same. Hence I am using the same
> certificate. But the problem is with port. apache
> complaining if it see
> more name based vhost with port 443. I was using the config as below

I think you are just getting a *warning* - if you test the sites it
should "work"...

That is to say, you will get an SSL session with the cert from VH1, then
if you request site1 all will be OK (no browser warnings since site1
matches cert1). If you request site2, you will get a browser warning
since site2 doesn't match cert1, but otherwise the request should
succeed (since the SSL session is up by this time, Apache can decrypt
the request, get the Host header and so go to the appropriate VH).

If this is not happening, post back with a description of what *is*
happening...

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

>
> ```
> Listen 443
> NameVirtualHost example1.de:443
>
> <VirtualHost example1.de:443>
> SSLEngine on
> SSLCipherSuite HIGH:MEDIUM
> SSLProtocol all -SSLv2
> SSLCertificateFile /etc/apache2/myca/mars-server.crt
> SSLCertificateKeyFile /etc/apache2/myca/mars-server.key
> SSLCertificateChainFile /etc/apache2/myca/my-ca.crt
> ServerName https://example1.de
> ServerAlias https://example1.de
>
> DocumentRoot /srv/www/htdocs/blevti.opendingo.de
> DirectoryIndex index.php
> </VirtualHost>
>
>
> NameVirtualHost example2.de:443
> <VirtualHost example2.de:443>
> SSLEngine on
> SSLCipherSuite HIGH:MEDIUM
> SSLProtocol all -SSLv2
> SSLCertificateFile /etc/apache2/myca/mars-server.crt
> SSLCertificateKeyFile /etc/apache2/myca/mars-server.key
> SSLCertificateChainFile /etc/apache2/myca/my-ca.crt
> ServerName https://example2.de
> ServerAlias https://example2.de
>
> DocumentRoot /srv/www/htdocs/example2.de
> DirectoryIndex index.php
> </VirtualHost>
> ```
>
> but no luck
>
> --
> জয়দীপ বক্সী
>

Re: how to get multiple SSL with name based vhost ?

on 01.12.2009 11:23:04 by joydeep

Boyle Owen wrote:
>> -----Original Message-----
>> From: J. Bakshi [mailto:joydeep@infoservices.in]
>> Sent: Tuesday, December 01, 2009 10:53 AM
>> To: users@httpd.apache.org
>> Subject: Re: [users@httpd] how to get multiple SSL with name
>> based vhost ?
>>
>> ...
>>
>> Thank for your response. your assumption is correct. I am
>> working in an
>> environment where the domain name is same. Hence I am using the same
>> certificate. But the problem is with port. apache
>> complaining if it see
>> more name based vhost with port 443. I was using the config as below
>>
>
> I think you are just getting a *warning* - if you test the sites it should "work"...
>
> That is to say, you will get an SSL session with the cert from VH1, then if you request site1 all will be OK (no browser warnings since site1 matches cert1). If you request site2, you will get a browser warning since site2 doesn't match cert1, but otherwise the request should succeed (since the SSL session is up by this time, Apache can decrypt the request, get the Host header and so go to the appropriate VH).
>
> If this is not happening, post back with a description of what *is* happening...
>

Hello Boyle,

Thanks for your kind response. I have just activated my second SSL
connection to generate the logs. Here they are:

```
[Tue Dec 01 11:38:31 2009] [warn] Init: SSL server IP/port conflict:
www.example1.de:443 (/etc/apache2/vhosts.d/blevti.opendingo.de.conf:34)
vs. example2.in:443 (/etc/apache2/vhosts.d/phpmyadmin.conf:5)

[Tue Dec 01 11:38:31 2009] [warn] Init: You should not use name-based
virtual hosts in conjunction with SSL!!
```

What happens now is that the second SSL vhost does not complain, but it goes to
the first SSL vhost, and "apache2ctl -S" displays the first one as the
default.


> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored.
>
>
>> ```
>> Listen 443
>> NameVirtualHost example1.de:443
>>
>> <VirtualHost example1.de:443>
>> SSLEngine on
>> SSLCipherSuite HIGH:MEDIUM
>> SSLProtocol all -SSLv2
>> SSLCertificateFile /etc/apache2/myca/mars-server.crt
>> SSLCertificateKeyFile /etc/apache2/myca/mars-server.key
>> SSLCertificateChainFile /etc/apache2/myca/my-ca.crt
>> ServerName https://example1.de
>> ServerAlias https://example1.de
>>
>> DocumentRoot /srv/www/htdocs/blevti.opendingo.de
>> DirectoryIndex index.php
>> </VirtualHost>
>>
>>
>> NameVirtualHost example2.de:443
>> <VirtualHost example2.de:443>
>> SSLEngine on
>> SSLCipherSuite HIGH:MEDIUM
>> SSLProtocol all -SSLv2
>> SSLCertificateFile /etc/apache2/myca/mars-server.crt
>> SSLCertificateKeyFile /etc/apache2/myca/mars-server.key
>> SSLCertificateChainFile /etc/apache2/myca/my-ca.crt
>> ServerName https://example2.de
>> ServerAlias https://example2.de
>>
>> DocumentRoot /srv/www/htdocs/example2.de
>> DirectoryIndex index.php
>> </VirtualHost>
>> ```
>>
>> but no luck
>>
>> --
>> জয়দীপ বক্সী
>>
>>


--
জয়দীপ বক্সী



Re: how to get multiple SSL with name based vhost ?

on 01.12.2009 12:39:30 by Peter Schober

* Boyle Owen [2009-12-01 10:08]:
> Krist explained it very nicely... But maybe you still didn't get it:
> Without SNI, there is NO WAY TO DO THIS. It is a fundamental
> limitation of the HTTPS protocol with no production-grade
> work-around. SNI (server-name indication) was specifically added to
> address this limitation. There is simply NO ALTERNATIVE.

Nonsense, and shouting does not make it correct either.
Use X.509v3 SubjectAltName extensions in the certs, as I (and probably
others) said several times on this very list last month alone.
(And of course SNI is preferable, once ubiquitous support for it is
available in servers and user agents alike).
-peter
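The two remedies the thread has now named, Owen's "same cert for all sites / wildcard cert" and Peter's SubjectAltName extension, both come down to the same client-side check: the certificate handed over in the handshake either covers the name the user typed or it does not, and without SNI every vhost on the address gets the first vhost's certificate. The following routine, added here as an example and not code from the thread or from httpd, models that check. Certificate dicts are constructed with a simplified shape (a `subjectCN` key plus a `subjectAltName` list of `(type, value)` pairs like the one Python's `ssl.getpeercert()` returns), and `matches` follows the RFC 6125 rules for wildcards (only as the whole leftmost label, matching exactly one label).

```python
# Added example: how a client decides whether the certificate it was handed
# covers the hostname it asked for. Certificate dicts below are constructed
# with a simplified shape: "subjectCN" plus a "subjectAltName" list of
# (type, value) pairs like the one Python's ssl.getpeercert() returns.

SINGLE_NAME_CERT = {"subjectCN": "example1.de"}

SAN_CERT = {  # one certificate listing every vhost name (Peter's remedy)
    "subjectCN": "example1.de",
    "subjectAltName": [("DNS", "example1.de"), ("DNS", "example2.de")],
}

WILDCARD_CERT = {  # Owen's *.wibble.com case; the bare apex listed separately
    "subjectCN": "*.wibble.com",
    "subjectAltName": [("DNS", "*.wibble.com"), ("DNS", "wibble.com")],
}


def matches(pattern, hostname):
    """RFC 6125-style comparison of one certificate name with a hostname.
    A wildcard is accepted only as the entire leftmost label and matches
    exactly one label: *.wibble.com covers shop.wibble.com but neither
    wibble.com nor a.shop.wibble.com, and *.com is rejected outright."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False  # partial-label or non-leftmost wildcards are not honoured
    if len(p_labels) < 3:
        return False  # refuse *.tld
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def names_in(cert):
    """Names a client compares against: the SAN DNS entries when present,
    otherwise the subject CN (modern browsers ignore the CN once a SAN exists)."""
    sans = [v for kind, v in cert.get("subjectAltName", []) if kind == "DNS"]
    if sans:
        return sans
    return [cert["subjectCN"]] if cert.get("subjectCN") else []


def cert_covers(cert, hostname):
    return any(matches(name, hostname) for name in names_in(cert))


def vhosts_with_warnings(handshake_cert, vhost_names):
    """Without SNI every client receives handshake_cert (the first vhost's).
    Return the vhosts whose visitors would then see a name-mismatch warning."""
    return [name for name in vhost_names if not cert_covers(handshake_cert, name)]


if __name__ == "__main__":
    sites = ["example1.de", "example2.de"]
    print("single-name cert warns on:", vhosts_with_warnings(SINGLE_NAME_CERT, sites))
    print("SAN cert warns on:", vhosts_with_warnings(SAN_CERT, sites))
    print("wildcard cert warns on:",
          vhosts_with_warnings(WILDCARD_CERT, ["sales.wibble.com", "wibble.com"]))
```

Run against the poster's two names, the single-name certificate produces a warning for `example2.de` (Owen's "site2 doesn't match cert1"), while a certificate whose SAN lists both names produces none, which is exactly why one SAN certificate shared by all the vhosts on port 443 works without SNI. The wildcard case shows the usual caveat: `*.wibble.com` does not cover the bare `wibble.com` unless that name is listed as well.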


RE: how to get multiple SSL with name based vhost ?

on 01.12.2009 14:50:01 by Boyle Owen

> -----Original Message-----
> From: Peter Schober [mailto:peter.schober@univie.ac.at]
> Sent: Tuesday, December 01, 2009 12:40 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] how to get multiple SSL with name
> based vhost ?
>
> * Boyle Owen [2009-12-01 10:08]:
> > Krist explained it very nicely... But maybe you still didn't get it:
> > Without SNI, there is NO WAY TO DO THIS. It is a fundamental
> > limitation of the HTTPS protocol with no production-grade
> > work-around. SNI (server-name indication) was specifically added to
> > address this limitation. There is simply NO ALTERNATIVE.
>
> Nonsense, and shouting does not make it correct either.
> Use X.509v3 SubjectAltName extensions in the certs, as I (and probably
> others) said several times on this very list last month alone.


Thanks for the reminder, Peter. Oddly enough, I had a nagging suspicion
I had heard of some rather obscure alternative to SNI and now I know
where I heard it :-) But I couldn't remember enough about it to find it on
Google :-( Anyway, I stand corrected.

Sorry for afflicting your hearing - but it seemed the op wasn't getting
the point. However, at least he now has an alternative... Would you mind
helping him out with it?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.






> (And of course SNI is preferable, once ubiquitious support for it is
> available in servers and user agents alike).
> -peter

Re: how to get multiple SSL with name based vhost ?

on 01.12.2009 15:02:05 by Peter Schober

* Boyle Owen [2009-12-01 14:51]:
> However, at least he now has an alternative... Would you mind
> helping him out with it?

http://markmail.org/message/yr52ptnpgbocgvad

cheers,
-peter


Re: how to get multiple SSL with name based vhost ?

on 01.12.2009 16:12:05 by Krist van Besien

You seem to be a bit confused about how to configure name based virtual hosts..


On Tue, Dec 1, 2009 at 10:53 AM, J. Bakshi wrote:


> ```
> Listen 443
> NameVirtualHost example1.de:443
>
> <VirtualHost example1.de:443>
> SSLEngine on
> SSLCipherSuite HIGH:MEDIUM
> SSLProtocol all -SSLv2
> SSLCertificateFile /etc/apache2/myca/mars-server.crt
> SSLCertificateKeyFile /etc/apache2/myca/mars-server.key
> SSLCertificateChainFile /etc/apache2/myca/my-ca.crt
> ServerName https://example1.de
> ServerAlias https://example1.de
>
> DocumentRoot /srv/www/htdocs/blevti.opendingo.de
> DirectoryIndex index.php
> </VirtualHost>
>
>
> NameVirtualHost example2.de:443
> <VirtualHost example2.de:443>
> SSLEngine on
> SSLCipherSuite HIGH:MEDIUM
> SSLProtocol all -SSLv2
> SSLCertificateFile /etc/apache2/myca/mars-server.crt
> SSLCertificateKeyFile /etc/apache2/myca/mars-server.key
> SSLCertificateChainFile /etc/apache2/myca/my-ca.crt
> ServerName https://example2.de
> ServerAlias https://example2.de
>
> DocumentRoot /srv/www/htdocs/example2.de
> DirectoryIndex index.php
> </VirtualHost>


You should have only one "NameVirtualHost" statement per IP/port
combination, so unless you have a multi-homed host this should be:

NameVirtualHost *:443

And your VirtualHost blocks should all be like this:

<VirtualHost *:443>
ServerName example1.de
.... your directives here
</VirtualHost>

<VirtualHost *:443>
ServerName example2.de
.... your directives here
</VirtualHost>

etc...

It is the "ServerName" directive that tells Apache which virtualhost is which.


Krist


--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
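Krist's rule (one NameVirtualHost per IP:port, ServerName inside each block) and the two mod_ssl warnings the poster saw are mechanical enough to check before restarting httpd. The script below is an added example, not code from the thread or from the httpd project: a small linter that resolves each NameVirtualHost/VirtualHost address the way httpd does at startup, flags an address declared as NameVirtualHost more than once, and, for every address shared by several SSL vhosts, reports which vhost is the default and therefore which certificate every client is handed when SNI is not in play. DNS resolution is replaced by a constructed `RESOLVER` table (both names assumed to point at one host); the first sample input is the poster's own configuration with its `<VirtualHost>` tags restored and trimmed to the relevant directives, the second is the shape Krist recommends.

```python
import re

# Constructed stand-in for DNS: both names are assumed to resolve to one
# machine, the situation in which httpd reports an "IP/port conflict".
RESOLVER = {"example1.de": "192.0.2.10", "example2.de": "192.0.2.10"}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z]+)\s+(.+?)\s*$", re.M)

# Sample input 1: the poster's configuration from this thread, trimmed to
# the directives that matter here (VirtualHost tags restored).
OP_CONFIG = """
NameVirtualHost example1.de:443
<VirtualHost example1.de:443>
SSLEngine on
SSLCertificateFile /etc/apache2/myca/mars-server.crt
ServerName https://example1.de
</VirtualHost>
NameVirtualHost example2.de:443
<VirtualHost example2.de:443>
SSLEngine on
SSLCertificateFile /etc/apache2/myca/mars-server.crt
ServerName https://example2.de
</VirtualHost>
"""

# Sample input 2: the shape Krist recommends, one NameVirtualHost per address.
FIXED_CONFIG = """
NameVirtualHost *:443
<VirtualHost *:443>
ServerName example1.de
SSLEngine on
SSLCertificateFile /etc/apache2/myca/mars-server.crt
</VirtualHost>
<VirtualHost *:443>
ServerName example2.de
SSLEngine on
SSLCertificateFile /etc/apache2/myca/mars-server.crt
</VirtualHost>
"""


def resolve_address(addr, resolver=RESOLVER):
    """Normalise 'host[:port]' to (ip, port) the way httpd does at startup:
    hostnames are resolved, '*' stays a wildcard, a missing port becomes '*'."""
    host, sep, port = addr.strip().rpartition(":")
    if not sep:
        host, port = port, "*"
    return (resolver.get(host, host), port)


def parse_config(text, resolver=RESOLVER):
    """Return the NameVirtualHost addresses and a summary of each <VirtualHost>."""
    name_vhosts = [resolve_address(v, resolver)
                   for k, v in DIRECTIVE_RE.findall(text) if k.lower() == "namevirtualhost"]
    vhosts = []
    for addr, body in VHOST_RE.findall(text):
        d = {k.lower(): v for k, v in DIRECTIVE_RE.findall(body)}
        # ServerName may carry a scheme and port (https://example1.de); keep the name
        name = re.sub(r"^\w+://", "", d.get("servername", "?")).split(":")[0]
        vhosts.append({"address": resolve_address(addr, resolver), "server_name": name,
                       "ssl": d.get("sslengine", "off").lower() == "on",
                       "cert": d.get("sslcertificatefile")})
    return name_vhosts, vhosts


def lint(text, resolver=RESOLVER):
    """Findings as (kind, 'ip:port', detail) tuples, in config order."""
    name_vhosts, vhosts = parse_config(text, resolver)
    findings = []
    counts = {}
    for addr in name_vhosts:
        counts[addr] = counts.get(addr, 0) + 1
    for addr, n in counts.items():
        if n > 1:  # the poster's mistake: two NameVirtualHost lines for one IP:port
            findings.append(("duplicate-namevirtualhost", "%s:%s" % addr,
                             "declared %d times; use a single NameVirtualHost *:%s" % (n, addr[1])))
    groups = {}
    for vh in vhosts:
        if vh["ssl"]:
            groups.setdefault(vh["address"], []).append(vh)
    for addr, group in groups.items():
        if len(group) > 1:  # name-based SSL vhosts: the first one wins the handshake
            first = group[0]
            findings.append(("ssl-shared-address", "%s:%s" % addr,
                             "%s is the default; without SNI its certificate %s is presented "
                             "to every client and must cover: %s"
                             % (first["server_name"], first["cert"],
                                ", ".join(vh["server_name"] for vh in group))))
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", OP_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label)
        for kind, where, detail in lint(cfg):
            print("  %-26s %-16s %s" % (kind, where, detail))
```

On the poster's configuration the linter reports both the duplicate NameVirtualHost for `192.0.2.10:443` and the shared SSL address; on Krist's shape only the shared-address finding remains, which is the one that cannot be configured away and has to be met by SNI or by a certificate covering every ServerName on that address (the `apache2ctl -S` output later in the thread, with `example1.de` listed as default server, is the same information). With one IP address per SSL vhost the second finding disappears as well.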


RE: how to get multiple SSL with name based vhost ?

on 01.12.2009 21:48:59 by sheryl

> Krist explained it very nicely... But maybe you still didn't get it:
> Without SNI, there is NO WAY TO DO THIS. It is a fundamental limitation of
> the HTTPS protocol with no production-grade work-around. SNI (server-name
> indication) was specifically added to address this limitation. There is
> simply NO ALTERNATIVE.

To back up a moment, though -- another way to do this is to define
multiple IPs on the network card and run multiple instances of apache,
each with different config files. We run 20 or more on some of our
production servers.

> Having said that, if you have a research or academic environment and don't
> care about browser warnings, you can just use the same cert for all sites.
> You will get the encryption aspect of HTTPS but not the authentication
> aspect.

Some people get awfully upset when they see browser warnings, though.

> Alternatively, if all sites have the same domain-name (eg,
> sales.wibble.com, shop.wibble.com etc), you can get a wildcard cert that
> certifies *.wibble.com.
>
> Aside from these special cases, there is NO WAY to have name-based SSL
> VHs.

But I wonder if name-based SSL VHs really are a necessity. The OP has a
Linux box. If he has additional IPs the problem can be taken care of
without virtual hosts. And, having done it both ways in a group that
supports multiple departments, it saves a lot of headaches trying to
schedule upgrades, configuration changes, or even just restarts to clear a
problem. But it all depends on the environment.

Sheryl



Re: how to get multiple SSL with name based vhost ?

on 01.12.2009 21:55:59 by Brian Mearns

On Tue, Dec 1, 2009 at 3:48 PM, Sheryl wrote:
>
>> Krist explained it very nicely... But maybe you still didn't get it:
>> Without SNI, there is NO WAY TO DO THIS. It is a fundamental limitation of
>> the HTTPS protocol with no production-grade work-around. SNI (server-name
>> indication) was specifically added to address this limitation. There is
>> simply NO ALTERNATIVE.
>
> To back up a moment, though -- another way to do this is to define
> multiple IPs on the network card and run multiple instances of apache,
> each with different config files.
[snip]

That's only if he has multiple IP addresses available on the network,
right? If we assume this is a public server, that means he needs
multiple public IP addresses from his ISP that route to this server.
That's certainly a possibility, in general, but I want to make sure
I'm not missing something awesome.

-Brian

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net


Re: how to get multiple SSL with name based vhost ?

on 01.12.2009 22:05:20 by Roger

On Tue, Dec 1, 2009 at 3:48 PM, Sheryl wrote:

> To back up a moment, though -- another way to do this is to define
> multiple IPs on the network card and run multiple instances of apache,
> each with different config files. We run 20 or more on some of our
> production servers.

You could run one instance of Apache and configure each VH to listen
on a different IP. At least that's how I understood it.

-r


Re: how to get multiple SSL with name based vhost ?

on 01.12.2009 22:14:21 by Eric Covener

On Tue, Dec 1, 2009 at 4:05 PM, Roger wrote:
> On Tue, Dec 1, 2009 at 3:48 PM, Sheryl wrote:
>
>> To back up a moment, though -- another way to do this is to define
>> multiple IPs on the network card and run multiple instances of apache,
>> each with different config files. We run 20 or more on some of our
>> production servers.
>
> You could run one instance of apache and configure each VH to listen
> in a different IP. At least that how I had it understood.


That's right, no problem differentiating between SSL environments when
you've got multiple IP:port combinations.

--
Eric Covener
covener@gmail.com


Re: how to get multiple SSL with name based vhost ?

on 02.12.2009 04:11:46 by joydeep

Krist van Besien wrote:
> You seem to be a bit confused about how to configure name based virtual hosts..
>
>
> On Tue, Dec 1, 2009 at 10:53 AM, J. Bakshi wrote:
>
>
>
>> ```
>> Listen 443
>> NameVirtualHost example1.de:443
>>
>> <VirtualHost example1.de:443>
>> SSLEngine on
>> SSLCipherSuite HIGH:MEDIUM
>> SSLProtocol all -SSLv2
>> SSLCertificateFile /etc/apache2/myca/mars-server.crt
>> SSLCertificateKeyFile /etc/apache2/myca/mars-server.key
>> SSLCertificateChainFile /etc/apache2/myca/my-ca.crt
>> ServerName https://example1.de
>> ServerAlias https://example1.de
>>
>> DocumentRoot /srv/www/htdocs/blevti.opendingo.de
>> DirectoryIndex index.php
>> </VirtualHost>
>>
>> NameVirtualHost example2.de:443
>> <VirtualHost example2.de:443>
>> SSLEngine on
>> SSLCipherSuite HIGH:MEDIUM
>> SSLProtocol all -SSLv2
>> SSLCertificateFile /etc/apache2/myca/mars-server.crt
>> SSLCertificateKeyFile /etc/apache2/myca/mars-server.key
>> SSLCertificateChainFile /etc/apache2/myca/my-ca.crt
>> ServerName https://example2.de
>> ServerAlias https://example2.de
>>
>> DocumentRoot /srv/www/htdocs/example2.de
>> DirectoryIndex index.php
>> </VirtualHost>
>> ```
>
> You should have only one "NameVirtualHost" statement per IP/Port
> combination, so unless you have a multi homed host this should be:
>
> NameVirtualHost *:443
>
> And your VirtualHost blocks should all be like this:
>
> <VirtualHost *:443>
> ServerName example1.de
> ... your directives here
> </VirtualHost>
>
> <VirtualHost *:443>
> ServerName example2.de
> ... your directives here
> </VirtualHost>
>
> etc...
>
> It is the "ServerName" directive that tells Apache which virtualhost is which.
>
>
> Krist
>

Hello Krist,

Thanks for your example. I have tried to implement it but as I mentioned
before whatever be the server name it always opens the site which apache
has detected as default. Here is the output from " apache2ctl -S"

```
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
        default server example1.de (/etc/apache2/vhosts.d/ssl.conf:5)
        port 443 namevhost example1.de (/etc/apache2/vhosts.d/ssl.conf:5)
        port 443 namevhost example2.de (/etc/apache2/vhosts.d/ssl.conf:51)
Syntax OK
```

The configuration is exactly same which you have suggested above. Any
thing which I am overlooking here ?

Thanks

--
জয়দীপ বক্সী
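Krist's rule (one NameVirtualHost per IP:port, every VirtualHost bound to it, ServerName doing the selection) can be checked mechanically before restarting Apache. The script below is an added example, not code from this thread or from the Apache project; the two configuration samples embedded in it are constructed to mirror the original layout with two NameVirtualHost lines on port 443 and the corrected single-wildcard layout, and the function names (`lint`, `parse_vhosts`) are my own. It also reports which block is the default server for each address, the same block that `apache2ctl -S` lists as "default server" and that a non-SNI client ends up on.

```python
"""Lint an Apache 2.2-style vhost config for the NameVirtualHost rule:
one NameVirtualHost per IP:port, each <VirtualHost> matching one of them,
and the first block on an address being Apache's default for it."""
import re
from collections import OrderedDict

# Constructed sample: the original layout, two NameVirtualHost lines for port 443.
ORIGINAL_CONF = """
Listen 443
NameVirtualHost example1.de:443
<VirtualHost example1.de:443>
    SSLEngine on
    ServerName example1.de
    DocumentRoot /srv/www/htdocs/example1.de
</VirtualHost>
NameVirtualHost example2.de:443
<VirtualHost example2.de:443>
    SSLEngine on
    ServerName example2.de
    DocumentRoot /srv/www/htdocs/example2.de
</VirtualHost>
"""

# Constructed sample: the recommended layout, one wildcard NameVirtualHost.
CORRECTED_CONF = """
Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName example1.de
</VirtualHost>
<VirtualHost *:443>
    ServerName example2.de
    ServerAlias www.example2.de
</VirtualHost>
"""

_NVH = re.compile(r"^\s*NameVirtualHost\s+(\S+)", re.I | re.M)
_VH_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
_VH_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
_DIRECTIVE = re.compile(r"^\s*(ServerName|ServerAlias)\s+(.+?)\s*$", re.I)


def split_addr(addr):
    """Split 'host:port' or '*:443' into (host, port); port is None if absent.
    (Bracketed IPv6 literals are not handled by this simple splitter.)"""
    host, sep, port = addr.rpartition(":")
    return (addr, None) if not sep else (host, port)


def parse_vhosts(conf):
    """Return [(address, [names])] for every <VirtualHost> block, in file order."""
    vhosts, current = [], None
    for line in conf.splitlines():
        m = _VH_OPEN.match(line)
        if m:
            current = (m.group(1).strip(), [])
            vhosts.append(current)
            continue
        if _VH_CLOSE.match(line):
            current = None
            continue
        m = _DIRECTIVE.match(line)
        if m and current is not None:
            # ServerAlias may list several names; drop any scheme:// prefix
            for name in m.group(2).split():
                current[1].append(re.sub(r"^[a-z]+://", "", name, flags=re.I))
    return vhosts


def lint(conf):
    """Return (problems, defaults): problem strings and the default server
    Apache will pick for each address:port (the first block declared on it)."""
    problems, defaults = [], OrderedDict()
    nvh = [a.strip() for a in _NVH.findall(conf)]
    by_port = OrderedDict()
    for addr in nvh:
        host, port = split_addr(addr)
        by_port.setdefault(port, []).append(host)
    for port, hosts in by_port.items():
        if len(hosts) > 1:
            problems.append("port %s has %d NameVirtualHost lines (%s); use one per "
                            "IP:port, e.g. NameVirtualHost *:%s"
                            % (port, len(hosts), ", ".join(hosts), port))
    for addr, names in parse_vhosts(conf):
        if addr not in nvh:
            problems.append("<VirtualHost %s> does not match any NameVirtualHost" % addr)
        if not names:
            problems.append("<VirtualHost %s> has no ServerName" % addr)
        defaults.setdefault(addr, names[0] if names else None)
    return problems, defaults


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("corrected", CORRECTED_CONF)):
        problems, defaults = lint(conf)
        print(label, "problems:", problems or "none")
        print(label, "default server per address:", dict(defaults))
```

Run it as-is; the original layout produces one complaint about two NameVirtualHost lines on port 443 while the corrected layout passes, with example1.de reported as the default for `*:443`, matching the `apache2ctl -S` output quoted above.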



Re: how to get multiple SSL with name based vhost ?

am 02.12.2009 10:36:25 von Tom Evans

On Wed, Dec 2, 2009 at 3:11 AM, J. Bakshi wrote:
> Hello Krist,
>
> Thanks for your example. I have tried to implement it but as I mentioned
> before whatever be the server name it always opens the site which apache
> has detected as default.  Here is the output from  " apache2ctl -S"
>
> ```
> wildcard NameVirtualHosts and _default_ servers:
> *:443                  is a NameVirtualHost
>         default server example1.de (/etc/apache2/vhosts.d/ssl.conf:5)
>         port 443 namevhost example1.de (/etc/apache2/vhosts.d/ssl.conf:5)
>         port 443 namevhost example2.de (/etc/apache2/vhosts.d/ssl.conf:51)
> Syntax OK
> ```
>
> The configuration is exactly same which you have suggested above. Any
> thing which I am overlooking here ?
>
> Thanks
>

'Anything you are overlooking' - maybe the 10 posts before this saying
"You cannot do this"? Here's #11:

You cannot have vhosts like this without either having SNI or having
all of the vhosts on one NameVirtualHost share the same certificate,
either using a wildcard certificate or using SubjectAltName as
described by Peter Schober.

If you do not have either of those two things, then apache will serve
the default vhost as you describe. This is the expected behaviour.

Cheers

Tom
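Tom's two conditions can be modelled offline: without SNI, the TLS handshake finishes before Apache sees a Host header, so every client receives the default vhost's certificate and the browser checks its requested name against that certificate; with SNI the matching vhost's certificate is chosen; with one shared certificate covering every name (wildcard or SubjectAltName) the choice no longer matters. The following Python is an added example, not code from this thread or from Apache; the vhost names and the certificate name lists are constructed, and `select_vhost`, `mismatched_names` and `hostname_matches` are my own names. The wildcard matcher follows the usual browser rule (a `*` only as the whole leftmost label, matching exactly one label), which is why a `*.example.org` certificate does not cover `example.org` itself.

```python
"""Model which hostnames fail certificate checking when several name-based
SSL vhosts share one IP:port, with and without SNI, and with per-site
versus shared (SAN / wildcard) certificates. Names below are constructed."""


def hostname_matches(pattern, hostname):
    """Match one certificate dNSName against a hostname, browser style:
    '*' may only be the entire leftmost label and matches exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # refuse '*.de'-style patterns and partial-label wildcards such as 'ex*.de'
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert_names, hostname):
    """True if any SAN dNSName (or CN) in cert_names matches hostname."""
    return any(hostname_matches(n, hostname) for n in cert_names)


# A vhost is (server names, names in its certificate). The first entry is the
# default vhost for the address, as apache2ctl -S reports it.
def select_vhost(vhosts, sni_name):
    """Without SNI only the default vhost can be chosen at handshake time;
    with SNI the block whose ServerName/ServerAlias matches is chosen."""
    if sni_name is not None:
        for vh in vhosts:
            if any(n.lower() == sni_name.lower() for n in vh[0]):
                return vh
    return vhosts[0]


def mismatched_names(vhosts, client_has_sni):
    """Return the hostnames a browser would flag as a certificate name mismatch."""
    bad = []
    for names, _cert in vhosts:
        for host in names:
            chosen = select_vhost(vhosts, host if client_has_sni else None)
            if not cert_covers(chosen[1], host):
                bad.append(host)
    return bad


# Constructed: two vhosts, each with its own single-site certificate.
PER_SITE_CERTS = [
    (["example1.de", "www.example1.de"], ["example1.de", "www.example1.de"]),
    (["example2.de"], ["example2.de"]),
]
# Constructed: the same vhosts, both serving one certificate whose SAN lists every name.
SHARED_SAN_NAMES = ["example1.de", "www.example1.de", "example2.de"]
SHARED_SAN_CERTS = [(names, SHARED_SAN_NAMES) for names, _ in PER_SITE_CERTS]
# Constructed: a wildcard certificate, to show what '*' does and does not cover.
WILDCARD_CERT = ["*.example.org"]


if __name__ == "__main__":
    print("per-site certs, no SNI  :", mismatched_names(PER_SITE_CERTS, False))
    print("per-site certs, SNI     :", mismatched_names(PER_SITE_CERTS, True))
    print("shared SAN cert, no SNI :", mismatched_names(SHARED_SAN_CERTS, False))
    for host in ("shop.example.org", "example.org", "a.b.example.org"):
        print("*.example.org covers %-17s: %s" % (host, cert_covers(WILDCARD_CERT, host)))
```

With per-site certificates and no SNI, every name except the default vhost's fails, which is exactly the symptom in this thread; enabling SNI or switching both vhosts to one SAN certificate empties the list.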


Re: how to get multiple SSL with name based vhost ?

am 03.12.2009 23:17:09 von sheryl

> On Tue, Dec 1, 2009 at 3:48 PM, Sheryl wrote:
>
>> To back up a moment, though -- another way to do this is to define
>> multiple IPs on the network card and run multiple instances of apache,
>> each with different config files.  We run 20 or more on some of our
>> production servers.
>
> You could run one instance of apache and configure each VH to listen
> in a different IP. At least that how I had it understood.

Certainly. But whether or not that is desirable depends upon the
environment. When I first started my current job we had a number of sites
(in some cases 20 or more) running from one instance of apache. As I
think I said elsewhere in the post you quoted, the problem with doing it
that way is that you have to upgrade all sites at the same time, take down
or restart all sites at one time when you have a configuration change for
one site. If you're trying to run one instance of apache to serve several
different organizations, that can be a problem. One might resist change
while another wants to be "bleeding edge".

In the past couple of years we have separated each of our web sites into a
separate "stack" with its own apache, mysql, tomcat, etc. Now if one
customer organization wants a change we don't have to try and get 20 web
site managers in 4 organizations to coordinate down time and acceptance
testing. Having separate stacks also helps us prepare for making every
site a VM eventually.

Running everything from one instance uses a smaller footprint than running
one instance per site, but "hardware is cheap" these days.

Sheryl



Re: how to get multiple SSL with name based vhost ?

am 03.12.2009 23:39:15 von sheryl

Brian wrote:

>> To back up a moment, though -- another way to do this is to define
>> multiple IPs on the network card and run multiple instances of apache,
>> each with different config files.
> [snip]
>
> That's only if he has multiple IP addresses available on the network,
> right? If we assume this is a public server, that means he needs
> multiple public IP addresses from his ISP that route to this server.
> That's certainly a possibility, in general, but I want to make sure
> I'm not missing something awesome.

Yes, it certainly depends upon his environment. If he's doing this on the
job, it's likely that multiple IPs are available. If he's on an economy
hosting service he probably only has one IP and no way to get another.
There are some hosting services that will give you more than one IP for a
fee. Probably could work up something slick with NAT'd VMware instances
on a linux box that would only use one IP but that assumes he's using a
box in his home or at a colocated site where he has admin access (and if
it's a co-lo, probably would be able to get additional IPs I would think).
From the posting, it wasn't clear what kind of environment he was dealing
with.

There are drawbacks to any potential solution that I know of. Some places
won't allow wild card DNS for security reasons (both my current job and my
previous job are such places). SNI is cool but it isn't really released
yet, is it? I thought that was coming in version 2.4. It's going to
prevent people using old browsers from seeing the site judging by the
discussion here. If he's trying to use the sites for e-commerce he may
not want to alienate potential customers or use a release that hasn't
"burned in" yet. And of course the multiple-IPs-on-linux approach won't
work if he only has one IP available to him.

I don't consider myself an apache expert, but I've been using it for a
while (started as a web admin back in the NCSA days). I don't see a
"one-size-fits-all" solution here; it seems just to be a case of which
tradeoff will work best for a given environment -- at least until some
time has passed and SNI support is ubiquitous.

Sheryl

