Enabling SSL on VirtualHosts Revisited

on 18.12.2009 16:27:37 by Jonathan Mast

There's a problem with the 2 VirtualHost entries I had to add for SSL. Now
every request to httpd is being handled by these VirtualHosts, even requests
with hostnames that don't match them.

Here's my current config:

<VirtualHost *>
    ServerName blah.mysite.com
    ...
</VirtualHost>

<VirtualHost foo.mysite.com:80>
    ServerName foo.mysite.com
    ...
</VirtualHost>

<VirtualHost foo.mysite.com:443>
    ServerName foo.mysite.com
    ...
    SSL stuff
</VirtualHost>

<VirtualHost *>
    ServerName bar.othersite.com
    ...
</VirtualHost>

Since added the 2 for foo.mysite.com, EVERY request is handled by
foo.mysite.com, even those for blah.mysite.com and bar.mysite.com. Even
after changing the first one to <VirtualHost blah.mysite.com:80>, httpd
would still try to use foo.mysite.com for http://blah.mysite.com/test.html!!!

Any ideas?

httpd 2.2

Re: Enabling SSL on VirtualHosts Revisited

on 18.12.2009 16:30:09 by Frank Gingras

Jonathan Mast wrote:
> There's a problem with the 2 VirtualHost entries I had to add for SSL. Now
> every request to httpd is being handled by these VirtualHosts, even requests
> with hostnames that don't match them.
>
> Here's my current config:
>
> <VirtualHost *>
>     ServerName blah.mysite.com
>     ...
> </VirtualHost>
>
> <VirtualHost foo.mysite.com:80>
>     ServerName foo.mysite.com
>     ...
> </VirtualHost>
>
> <VirtualHost foo.mysite.com:443>
>     ServerName foo.mysite.com
>     ...
>     SSL stuff
> </VirtualHost>
>
> <VirtualHost *>
>     ServerName bar.othersite.com
>     ...
> </VirtualHost>
>
> Since added the 2 for foo.mysite.com, EVERY request is handled by
> foo.mysite.com, even those for blah.mysite.com and bar.mysite.com. Even
> after changing the first one to <VirtualHost blah.mysite.com:80>, httpd
> would still try to use foo.mysite.com for http://blah.mysite.com/test.html!!!
>
> Any ideas?
>
> httpd 2.2
>
>
Hello Jonathan,

You should only use or when
setting up vhosts.

Also, you'll need a NameVirtualHost that matches that IP:PORT if you use
more than one virtual host on that port.

Finally, when doing name-based vhosts with SSL, note that the
certificate for the first listed virtual host will always be used,
unless you implement SNI.

Frank.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: Enabling SSL on VirtualHosts Revisited

on 18.12.2009 16:30:55 by Dan Poirier

If one or more virtual host entries match the address:port for the
request, but no server names in those entries match, then the first
virtual host definition in the config file, not the global
configuration, will control handling for that request.


Re: Re: Enabling SSL on VirtualHosts Revisited

on 18.12.2009 16:34:55 by Philip Wigg

Possibly the information you need is here:-

http://httpd.apache.org/docs/2.2/vhosts/name-based.html

When adding a name-based Virtual Host the...

"Main host goes away

If you are adding virtual hosts to an existing web server, you must
also create a <VirtualHost> block for the existing host. The
ServerName and DocumentRoot included in this virtual host should be
the same as the global ServerName and DocumentRoot. List this virtual
host first in the configuration file so that it will act as the
default host."

Cheers,
Phil.


Re: Re: Enabling SSL on VirtualHosts Revisited

on 18.12.2009 17:28:19 by Jonathan Mast

OK, so I added NameVirtualHost foo.mysite.com:80 and NameVirtualHost
foo.mysite.com:443 above their respective sections and it seems to work
despite not being recommended as per the docs, but this was the only way to
do it because all my domains: mysite.com, othersite.com, etc point to a
single IP.

Any idea on why using hostnames in NameVirtualHost directives is not
recommended? Is this something that could come back and bite me?

Thanks for the help!

On Fri, Dec 18, 2009 at 10:34 AM, Philip Wigg wrote:

> Possibly the information you need is here:-
>
> http://httpd.apache.org/docs/2.2/vhosts/name-based.html
>
> When adding a name-based Virtual Host the...
>
> "Main host goes away
>
> If you are adding virtual hosts to an existing web server, you must
> also create a <VirtualHost> block for the existing host. The
> ServerName and DocumentRoot included in this virtual host should be
> the same as the global ServerName and DocumentRoot. List this virtual
> host first in the configuration file so that it will act as the
> default host."
>
> Cheers,
> Phil.

Re: Re: Enabling SSL on VirtualHosts Revisited

on 18.12.2009 17:41:13 by Frank Gingras

Jonathan Mast wrote:
> OK, so I added NameVirtualHost foo.mysite.com:80 and NameVirtualHost
> foo.mysite.com:443 above their respective sections and it seems to work
> despite not being recommended as per the docs, but this was the only way to
> do it because all my domains: mysite.com, othersite.com, etc point to a
> single IP.
>
> Any idea on why using hostnames in NameVirtualHost directives is not
> recommended? Is this something that could come back and bite me?
>
> Thanks for the help!
Jonathan,

Using a hostname in the <VirtualHost> line will activate DNS resolution
for EVERY HTTP request. Surely, you don't want that to happen.

Instead, use a ServerName in your virtual host.

Frank.


Re: Re: Enabling SSL on VirtualHosts Revisited

on 18.12.2009 18:06:19 by Jonathan Mast

Frank, I've always used the ServerName directive, here's what my configs
look like:
NameVirtualHost foo.mysite.com:80
<VirtualHost foo.mysite.com:80>
    ServerName foo.mysite.com
</VirtualHost>

NameVirtualHost foo.mysite.com:443
<VirtualHost foo.mysite.com:443>
    ServerName foo.mysite.com
    SSL Stuff...
</VirtualHost>

My question was specifically why putting the hostname as opposed to the addr
in the NameVirtualHost was discouraged in the docs (they don't explain it
any further)?


On Fri, Dec 18, 2009 at 11:41 AM, Frank Gingras
wrote:

> Jonathan,
>
> Using a hostname in the <VirtualHost> line will activate DNS resolution for
> EVERY HTTP request. Surely, you don't want that to happen.
>
> Instead, use a ServerName in your virtual host.
>
> Frank.

Re: Re: Enabling SSL on VirtualHosts Revisited

on 18.12.2009 18:09:47 by Justin Pasher

Jonathan Mast wrote:
> OK, so I added NameVirtualHost foo.mysite.com:80 and NameVirtualHost
> foo.mysite.com:443 above their respective sections and it seems to work
> despite not being recommended as per the docs, but this was the only way to
> do it because all my domains: mysite.com, othersite.com, etc point to a
> single IP.
>
> Any idea on why using hostnames in NameVirtualHost directives is not
> recommended? Is this something that could come back and bite me?

Sounds like there may be some confusion on the best way to set this up.
Assuming your IP address is 1.2.3.4, you should set it up as follows:

------------------------------

NameVirtualHost 1.2.3.4:80

<VirtualHost 1.2.3.4:80>
    ServerName blah.mysite.com
    ...
</VirtualHost>

<VirtualHost 1.2.3.4:80>
    ServerName foo.mysite.com
    ...
</VirtualHost>

<VirtualHost 1.2.3.4:443>
    ServerName foo.mysite.com
    ...
    SSL stuff
</VirtualHost>

<VirtualHost 1.2.3.4:80>
    ServerName bar.othersite.com
    ...
</VirtualHost>

------------------------------

If your IP address changes, you can substitute * for the IP address in
all locations for port 80. I've had trouble myself using *:443 for SSL,
so it may not be supported. As pointed out, using the hostname in the
NameVirtualHost and <VirtualHost> directives is not recommended (DNS
lookups).

--
Justin Pasher



Re: Re: Enabling SSL on VirtualHosts Revisited

on 18.12.2009 18:11:24 by Eric Covener

On Fri, Dec 18, 2009 at 12:06 PM, Jonathan Mast
wrote:
> Frank, I've always used the ServerName directive, here's what my configs
> look like:
> NameVirtualHost foo.mysite.com:80
> <VirtualHost foo.mysite.com:80>
>     ServerName foo.mysite.com
> </VirtualHost>
>
> NameVirtualHost foo.mysite.com:443
> <VirtualHost foo.mysite.com:443>
>     ServerName foo.mysite.com
>     SSL Stuff...
> </VirtualHost>
>
> My question was specifically why putting the hostname as opposed to the addr
> in the NameVirtualHost was discouraged in the docs (they don't explain it
> any further)?

It's just unnecessarily confusing, because anyone looking at your
config needs to know what set of addresses that resolved to when you
started your webserver. It's also going to mysteriously send
requests to the base server config, or other vhosts, when you get a
request for that hostname that arrives on a different interface.

Most people who a) have vhost trouble and b) put hostnames as the
first parm in VirtualHost are misunderstanding name-based virtualhosts
configuration. Most of them don't even need to discriminate between
IP addresses at all, and should just have *:port.

--
Eric Covener
covener@gmail.com
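
The points made in the replies by Frank Gingras, Dan Poirier, Justin Pasher and Eric Covener can be checked mechanically. The following is an added example, not code from the thread or from the Apache project: a small linter that flags hostnames used as `<VirtualHost>`/`NameVirtualHost` addresses, addresses without a port, several vhosts sharing an address without a matching `NameVirtualHost`, and several vhosts on port 443 (first certificate used unless SNI), and that reports the first-listed default host. The function names, finding codes and both sample configurations are constructed for illustration, and the parser handles only the directives shown.

```python
import ipaddress
import re
# Constructed input: the layout from the first post ("SSL stuff" shown as SSLEngine on).
ORIGINAL = """\
<VirtualHost *>
    ServerName blah.mysite.com
</VirtualHost>
<VirtualHost foo.mysite.com:80>
    ServerName foo.mysite.com
</VirtualHost>
<VirtualHost foo.mysite.com:443>
    ServerName foo.mysite.com
    SSLEngine on
</VirtualHost>
<VirtualHost *>
    ServerName bar.othersite.com
</VirtualHost>
"""
# Constructed input: the same hosts on 1.2.3.4, the address assumed in Justin Pasher's reply.
SUGGESTED = "NameVirtualHost 1.2.3.4:80\n" + ORIGINAL.replace(
    "<VirtualHost *>", "<VirtualHost 1.2.3.4:80>"
).replace("<VirtualHost foo.mysite.com:", "<VirtualHost 1.2.3.4:")

def parse(text):
    """Return (NameVirtualHost arguments, {vhost argument: [ServerName, ...]}) in file order."""
    nvh, groups, cur = [], {}, None
    for parts in (line.split() for line in text.splitlines()):
        key = parts[0].lower() if parts else ""
        if key == "<virtualhost" and len(parts) > 1:
            cur = groups.setdefault(parts[1].rstrip(">"), [])  # first address only
            cur.append(None)
        elif key.startswith("</virtualhost"):
            cur = None
        elif key == "namevirtualhost" and len(parts) > 1:
            nvh.append(parts[1])
        elif key == "servername" and cur is not None and len(parts) > 1:
            cur[-1] = parts[1]
    return nvh, groups

def is_hostname(arg):
    """True when the address part is neither *, _default_ nor a literal IP."""
    host = re.sub(r":(\d+|\*)$", "", arg).strip("[]")
    if host in ("*", "_default_"):
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return True
    return False

def lint(text):
    """Return (code, subject) findings for the points the replies raise."""
    nvh, groups = parse(text)
    findings = [("hostname-address", a) for a in nvh + list(groups) if is_hostname(a)]
    for arg, names in groups.items():
        if ":" not in arg:  # the replies use address:port or *:port
            findings.append(("no-port", arg))
        if len(names) > 1 and arg not in nvh:  # several vhosts need a matching NameVirtualHost
            findings.append(("missing-namevirtualhost", arg))
        if len(names) > 1 and arg.endswith(":443"):  # assumption: SSL is served on 443
            findings.append(("first-cert-used-without-sni", names[0]))
    return findings

def default_hosts(text):
    """First-listed ServerName per vhost argument, the one that answers unmatched names."""
    return {arg: names[0] for arg, names in parse(text)[1].items()}

if __name__ == "__main__":
    print(lint(ORIGINAL), lint(SUGGESTED), default_hosts(SUGGESTED))
```

Run against a real configuration, the `default_hosts` result is worth reviewing on its own: whatever is listed first for an address:port answers any request whose name matches nothing else.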


Re: Re: Enabling SSL on VirtualHosts Revisited

on 18.12.2009 18:30:52 by Frank Gingras

Jonathan Mast wrote:
> Frank, I've always used the ServerName directive, here's what my configs
> look like:
> NameVirtualHost foo.mysite.com:80
> <VirtualHost foo.mysite.com:80>
>     ServerName foo.mysite.com
> </VirtualHost>
>
> NameVirtualHost foo.mysite.com:443
> <VirtualHost foo.mysite.com:443>
>     ServerName foo.mysite.com
>     SSL Stuff...
> </VirtualHost>
>
> My question was specifically why putting the hostname as opposed to the addr
> in the NameVirtualHost was discouraged in the docs (they don't explain it
> any further)?
I believe the fact I just gave you was compelling enough; a DNS lookup
for every HTTP request is *extremely* expensive. You don't want that to
happen.
