Options for multiple SSL domains on 1 server

on 01.10.2010 23:04:28 by grant

I need to set up SSL certificates for multiple domain names on a
single server. I've done some research and I think these are my
options:

1. use multiple IPs
drawbacks: requires separate apache2 config for each SSL domain, extra
IPs must be allocated by the hosting company

2. use multiple ports
drawbacks: requires separate apache2 & firewall config for each SSL
domain, port numbers look weird in the URL

3. Server Name Indication
drawbacks: browser support is not widespread enough yet

4. X.509 v3 with subjectAltName
drawbacks: ???

Are there other options? Are there drawbacks to relying on X.509 v3
with subjectAltName, or is that the way to go?

- Grant

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: Options for multiple SSL domains on 1 server

on 04.10.2010 07:54:39 by Krist van Besien

On Fri, Oct 1, 2010 at 11:04 PM, Grant wrote:
> I need to set up SSL certificates for multiple domain names on a
> single server.  I've done some research and I think these are my
> options:
>
> 1. use multiple IPs
> drawbacks: requires separate apache2 config for each SSL domain, extra
> IPs must be allocated by the hosting company
>
> 2. use multiple ports
> drawbacks: requires separate apache2 & firewall config for each SSL
> domain, port numbers look weird in the URL
>
> 3. Server Name Indication
> drawbacks: browser support is not widespread enough yet
>
> 4. X.509 v3 with subjectAltName
> drawbacks: ???
>
> Are there other options?  Are there drawbacks to relying on X.509 v3
> with subjectAltName, or is that the way to go?

Options 1) and 2) don't require separate apache2 configs. You can have
apache listen to multiple IPs or Ports. Just add the necessary
"Listen" statements to your config, and then a virtualhost for each
SSL host.

Personally I think that until SNI adoption gets more widespread the
best option is 1) if you have the IPs to spare, as it doesn't have any
more config overhead than the other options and is going to work as
expected.


Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

Re: Options for multiple SSL domains on 1 server

on 04.10.2010 17:50:44 by grant

>> I need to set up SSL certificates for multiple domain names on a
>> single server.  I've done some research and I think these are my
>> options:
>>
>> 1. use multiple IPs
>> drawbacks: requires separate apache2 config for each SSL domain, extra
>> IPs must be allocated by the hosting company
>>
>> 2. use multiple ports
>> drawbacks: requires separate apache2 & firewall config for each SSL
>> domain, port numbers look weird in the URL
>>
>> 3. Server Name Indication
>> drawbacks: browser support is not widespread enough yet
>>
>> 4. X.509 v3 with subjectAltName
>> drawbacks: ???
>>
>> Are there other options?  Are there drawbacks to relying on X.509 v3
>> with subjectAltName, or is that the way to go?
>
> Options 1) and 2) don't require separate apache2 configs. You can have
> apache listen to multiple IPs or Ports. Just add the necessary
> "Listen" statements to your config, and then a virtualhost for each
> SSL host.
>
> Personally I think that until SNI adoption gets more widespread the
> best option is 1) if you have the IPs to spare, as it doesn't have any
> more config overhead than the other options and is going to work as
> expected.
>
>
> Krist

Thanks Krist.

The "virtualhost for each SSL host" is what I mean by separate apache2
configs. I'd like to be able to define different domain names on the
fly within my perl scripts without changing apache2 config. Maybe
we're just not there yet?

Why would you use multiple IPs instead of X.509 v3 with
subjectAltName? Does subjectAltName have any drawbacks?

- Grant

Re: Options for multiple SSL domains on 1 server

on 04.10.2010 18:11:18 by i.galic

----- "Grant" wrote:

> >> I need to set up SSL certificates for multiple domain names on a
> >> single server.  I've done some research and I think these are my
> >> options:
> >>
> >> 1. use multiple IPs
> >> drawbacks: requires separate apache2 config for each SSL domain,
> extra
> >> IPs must be allocated by the hosting company
> >>
> >> 2. use multiple ports
> >> drawbacks: requires separate apache2 & firewall config for each
> SSL
> >> domain, port numbers look weird in the URL
> >>
> >> 3. Server Name Indication
> >> drawbacks: browser support is not widespread enough yet
> >>
> >> 4. X.509 v3 with subjectAltName
> >> drawbacks: ???
> >>
> >> Are there other options?  Are there drawbacks to relying on X.509
> v3
> >> with subjectAltName, or is that the way to go?
> >
> > Options 1) and 2) don't require separate apache2 configs. You can
> have
> > apache listen to multiple IPs or Ports. Just add the necessary
> > "Listen" statements to your config, and then a virtualhost for each
> > SSL host.
> >
> > Personally I think that until SNI adoption gets more widespread the
> > best option is 1) if you have the IPs to spare, as it doesn't have
> any
> > more config overhead than the other options and is going to work as
> > expected.
> >
> >
> > Krist
>
> Thanks Krist.
>
> The "virtualhost for each SSL host" is what I mean by separate
> apache2
> configs. I'd like to be able to define different domain names on the
> fly within my perl scripts without changing apache2 config. Maybe
> we're just not there yet?

You can also use things like mod_macro to enable that kind of flexibility.


> Why would you use multiple IPs instead of X.509 v3 with
> subjectAltName? Does subjectAltName have any drawbacks?

Though more widely spread, it's the same as for SNI:
It's not supported by all Browsers/libraries

One example that comes to my mind is serf.

> - Grant
>

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/

Re: Options for multiple SSL domains on 1 server

on 04.10.2010 19:41:02 by grant

>> The "virtualhost for each SSL host" is what I mean by separate
>> apache2
>> configs.  I'd like to be able to define different domain names on the
>> fly within my perl scripts without changing apache2 config.  Maybe
>> we're just not there yet?
>
> You can also use things like mod_macro to enable that kind of flexibility.

I looked at mod_macro but it seems to essentially be a framework for
setting and reading variable values within the apache2 config files.
What I'd like to do is allow new SSL domains to be defined from the
web in an automatic fashion without the need for SSH access. At this
point I'm thinking something that generates a new vhost config file
for each domain name would be perfect. It could use a template for
each file and just change the IP address and SSL certificate/key
references. Does something like this exist?

I've read references to "pre-processing apache2 config files with
perl". Is that the way to go here?

- Grant


>> Why would you use multiple IPs instead of X.509 v3 with
>> subjectAltName?  Does subjectAltName have any drawbacks?
>
> Though more widely spread, it's the same as for SNI:
> It's not supported by all Browsers/libraries
>
> One example that comes to my mind is serf.
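The "template per domain, change only the IP and the certificate/key references" idea asked for above, written out as an added example in Python (this is not code from the thread or from the httpd project). It assumes the one-dedicated-IP-per-SSL-domain layout discussed in the thread, certificate and key files named after the domain under a hypothetical SSL_DIR, and that the caller still runs `apachectl -t` before `apachectl graceful`; neither is executed here. The point a web-driven generator must not skip is validating the domain and the IP before they reach the config file, since a newline or a slash in a user-supplied name would otherwise become an extra directive or an unexpected path.

```python
"""Render an IP-based SSL VirtualHost file for one domain from a template.

Added example, not code from the thread. Assumes one dedicated IP per SSL
domain, certificate and key files named after the domain under SSL_DIR, and
that the caller validates the result with `apachectl -t` before
`apachectl graceful` (neither is run here).
"""
import re
from pathlib import Path
from string import Template

# Hypothetical paths; adjust to the local layout.
VHOST_DIR = Path("/etc/apache2/sites-enabled")
SSL_DIR = Path("/etc/apache2/ssl")

# Same shape as a mod_macro vhost pattern, but expanded by Python so a web
# process can add a domain without editing httpd.conf by hand.
VHOST_TEMPLATE = Template("""\
<VirtualHost $ip:443>
    ServerName $servername
    DocumentRoot /srv/web/$servername/htdocs
    SSLEngine On
    SSLCertificateFile $ssl_dir/$servername.crt
    SSLCertificateKeyFile $ssl_dir/$servername.key
    ErrorLog /var/log/apache2/$servername/error_log
</VirtualHost>
""")

# A hostname is labels of letters, digits and inner hyphens joined by dots,
# ending in an alphabetic top-level label. Rejecting anything else means a
# name submitted through the web cannot smuggle a newline (a second
# directive), a quote, a slash or ".." into the generated file or its path.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
_IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def validate_domain(name):
    """Return the lower-cased domain, or raise ValueError."""
    name = name.strip().lower()
    if not _DOMAIN_RE.match(name):
        raise ValueError("invalid domain name: %r" % name)
    return name


def validate_ip(ip, pool):
    """Accept only an IPv4 literal that is in the pool allocated by the host."""
    if not _IPV4_RE.match(ip) or ip not in pool:
        raise ValueError("IP %r is not an allocated address" % ip)
    return ip


def render_vhost(domain, ip, pool, ssl_dir=SSL_DIR):
    """Render the VirtualHost block binding one validated domain to one IP."""
    servername = validate_domain(domain)
    ip = validate_ip(ip, pool)
    return VHOST_TEMPLATE.substitute(
        ip=ip, servername=servername, ssl_dir=str(ssl_dir))


def write_vhost(domain, ip, pool, vhost_dir=VHOST_DIR):
    """Write <domain>.conf into vhost_dir. The file name is derived from the
    validated domain, so it cannot contain a path separator."""
    text = render_vhost(domain, ip, pool)
    target = vhost_dir / (validate_domain(domain) + ".conf")
    target.write_text(text)
    return target


if __name__ == "__main__":
    # Constructed sample values mirroring the thread's placeholders.
    print(render_vhost("www.example2.com", "12.34.56.2",
                       {"12.34.56.1", "12.34.56.2"}))
```

The pool of allowed IPs is the set the hosting company actually allocated; keeping it as an explicit allow-list, rather than trusting whatever the web form sends, stops a request from binding a vhost to an address the server does not own. `write_vhost` only places the file; reloading Apache remains a separate, privileged step.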

Re: Options for multiple SSL domains on 1 server

on 04.10.2010 21:00:24 by i.galic

----- "Grant" wrote:

> >> The "virtualhost for each SSL host" is what I mean by separate
> >> apache2
> >> configs.  I'd like to be able to define different domain names on
> the
> >> fly within my perl scripts without changing apache2 config.  Maybe
> >> we're just not there yet?
> >
> > You can also use things like mod_macro to enable that kind of
> flexibility.
>
> I looked at mod_macro but it seems to essentially be a framework for
> setting and reading variable values within the apache2 config files.
> What I'd like to do is allow new SSL domains to be defined from the
> web in an automatic fashion without the need for SSH access. At this
> point I'm thinking something that generates a new vhost config file
> for each domain name would be perfect. It could use a template for
> each file and just change the IP address and SSL certificate/key
> references. Does something like this exist?

Aaaha...

An (SSL) VHost is just a couple of lines.. depending on your setup
either the IP/Cert/ServerName (IP Based) or only the ServerName
(SubjectAltName)

One way or the other, you can define a pattern:




ServerName $servername
DocumentRoot /srv/web/$servername/htdocs
SSLEngine On
SSLCertificateChainFile /etc/pki/ssl/$servername.pem
ErrorLog /var/log/httpd/$servername/error_log




, and then

Use SSLVhost servername IP

In some or the other file. That's one line you have to add -- and then you do an
apachectl graceful.

> I've read references to "pre-processing apache2 config files with
> perl". Is that the way to go here?

Yes, sjorge toyed with this option and created some kind of monster..
http://wiki.apache.org/httpd/ApacheVirtualHostMysql

This might give you an idea..

> - Grant
>
>
> >> Why would you use multiple IPs instead of X.509 v3 with
> >> subjectAltName?  Does subjectAltName have any drawbacks?
> >
> > Though more widely spread, it's the same as for SNI:
> > It's not supported by all Browsers/libraries
> >
> > One example that comes to my mind is serf.
>

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/

Re: Options for multiple SSL domains on 1 server

on 04.10.2010 21:23:50 by grant

>> >> The "virtualhost for each SSL host" is what I mean by separate
>> >> apache2
>> >> configs.  I'd like to be able to define different domain names on
>> the
>> >> fly within my perl scripts without changing apache2 config.  Maybe
>> >> we're just not there yet?
>> >
>> > You can also use things like mod_macro to enable that kind of
>> flexibility.
>>
>> I looked at mod_macro but it seems to essentially be a framework for
>> setting and reading variable values within the apache2 config files.
>> What I'd like to do is allow new SSL domains to be defined from the
>> web in an automatic fashion without the need for SSH access.  At this
>> point I'm thinking something that generates a new vhost config file
>> for each domain name would be perfect.  It could use a template for
>> each file and just change the IP address and SSL certificate/key
>> references.  Does something like this exist?
>
> Aaaha...
>
> An (SSL) VHost is just a couple of lines.. depending on your setup
> either the IP/Cert/ServerName (IP Based) or only the ServerName
> (SubjectAltName)
>
> One way or the other, you can define a pattern:
>
>
>
>
>         ServerName $servername
>         DocumentRoot /srv/web/$servername/htdocs
>         SSLEngine On
>         SSLCertificateChainFile /etc/pki/ssl/$servername.pem
>         ErrorLog /var/log/httpd/$servername/error_log
>

>
>

>
> , and then
>
> Use SSLVhost servername IP
>
> In some or the other file. That's one line you have to add -- and then you do an
> apachectl graceful.

I see, that is very slick. What about doing it entirely from the web,
especially via some scriptable process? ApacheVirtualHostMysql would
be a bit much I think. I'd rather use the filesystem or a Use line.

- Grant


>> I've read references to "pre-processing apache2 config files with
>> perl".  Is that the way to go here?
>
> Yes, sjorge toyed with this option and created some kind of monster..
> http://wiki.apache.org/httpd/ApacheVirtualHostMysql
>
> This might give you an idea..

Re: Options for multiple SSL domains on 1 server

on 04.10.2010 21:39:30 by Rainer Jung

On 04.10.2010 21:00, Igor Galić wrote:
>
> ----- "Grant" wrote:
>
>>>> The "virtualhost for each SSL host" is what I mean by separate
>>>> apache2
>>>> configs. I'd like to be able to define different domain names on
>> the
>>>> fly within my perl scripts without changing apache2 config. Maybe
>>>> we're just not there yet?
>>>
>>> You can also use things like mod_macro to enable that kind of
>> flexibility.
>>
>> I looked at mod_macro but it seems to essentially be a framework for
>> setting and reading variable values within the apache2 config files.
>> What I'd like to do is allow new SSL domains to be defined from the
>> web in an automatic fashion without the need for SSH access. At this
>> point I'm thinking something that generates a new vhost config file
>> for each domain name would be perfect. It could use a template for
>> each file and just change the IP address and SSL certificate/key
>> references. Does something like this exist?
>
> Aaaha...
>
> An (SSL) VHost is just a couple of lines.. depending on your setup
> either the IP/Cert/ServerName (IP Based) or only the ServerName
> (SubjectAltName)
>
> One way or the other, you can define a pattern:
>
>
>
>
> ServerName $servername
> DocumentRoot /srv/web/$servername/htdocs
> SSLEngine On
> SSLCertificateChainFile /etc/pki/ssl/$servername.pem
> ErrorLog /var/log/httpd/$servername/error_log
>

>
>

>
> , and then
>
> Use SSLVhost servername IP
>
> In some or the other file. That's one line you have to add -- and then you do an
> apachectl graceful.

I vaguely remember some kind of limitation concerning mod_macro and
VirtualHost. I think you can define the contents of the VirtualHost
container by a macro, but not the container itself, so e.g.


ServerName $servername
DocumentRoot /srv/web/$servername/htdocs
SSLEngine On
SSLCertificateChainFile /etc/pki/ssl/$servername.pem
ErrorLog /var/log/httpd/$servername/error_log


and then


SSLVHost name1



SSLVHost name2


....

I could be wrong though.

Regards,

Rainer


Re: Options for multiple SSL domains on 1 server

on 04.10.2010 22:02:24 by i.galic


----- "Rainer Jung" wrote:

> On 04.10.2010 21:00, Igor Galić wrote:
> >
> > ----- "Grant" wrote:
> >
> >>>> The "virtualhost for each SSL host" is what I mean by separate
> >>>> apache2
> >>>> configs. I'd like to be able to define different domain names
> on
> >> the
> >>>> fly within my perl scripts without changing apache2 config.
> Maybe
> >>>> we're just not there yet?
> >>>
> >>> You can also use things like mod_macro to enable that kind of
> >> flexibility.
> >>
> >> I looked at mod_macro but it seems to essentially be a framework
> for
> >> setting and reading variable values within the apache2 config
> files.
> >> What I'd like to do is allow new SSL domains to be defined from
> the
> >> web in an automatic fashion without the need for SSH access. At
> this
> >> point I'm thinking something that generates a new vhost config
> file
> >> for each domain name would be perfect. It could use a template
> for
> >> each file and just change the IP address and SSL certificate/key
> >> references. Does something like this exist?
> >
> > Aaaha...
> >
> > An (SSL) VHost is just a couple of lines.. depending on your setup
> > either the IP/Cert/ServerName (IP Based) or only the ServerName
> > (SubjectAltName)
> >
> > One way or the other, you can define a pattern:
> >
> >
> >
> >
> > ServerName $servername
> > DocumentRoot /srv/web/$servername/htdocs
> > SSLEngine On
> > SSLCertificateChainFile /etc/pki/ssl/$servername.pem
> > ErrorLog /var/log/httpd/$servername/error_log
> >

> >
> >

> >
> > , and then
> >
> > Use SSLVhost servername IP
> >
> > In some or the other file. That's one line you have to add -- and
> then you do an
> > apachectl graceful.
>
> I vaguely remember some kind of limitation concerning mod_macro and
> VirtualHost. I think you can define the contents of the VirtualHost
> container by a macro, but not the container itself, so e.g.
>
>
> ServerName $servername
> DocumentRoot /srv/web/$servername/htdocs
> SSLEngine On
> SSLCertificateChainFile /etc/pki/ssl/$servername.pem
> ErrorLog /var/log/httpd/$servername/error_log
>

>
> and then
>
>
> SSLVHost name1
>

>
>
> SSLVHost name2
>

>
> ...
>
> I could be wrong though.


i.galic@pheme ~ % bw_apachectl.sh vhosts esotericsystems.at
/bin/sh: Illegal option -p
/bin/sh: Illegal option -p
[Mon Oct 04 20:00:18 2010] [warn] module dir_module is already loaded, skipping
VirtualHost configuration:
127.0.0.1:8001 is a NameVirtualHost
default server www.esotericsystems.at (macro 'StaticWWWVHostAlias' (defined on line 49 of /etc/bw/apache/extra/macro.conf) used on line 17 of /etc/bw/apache/vhosts/esotericsystems.at/httpd.conf:1)
port 8001 namevhost www.esotericsystems.at (macro 'StaticWWWVHostAlias' (defined on line 49 of /etc/bw/apache/extra/macro.conf) used on line 17 of /etc/bw/apache/vhosts/esotericsystems.at/httpd.conf:1)
port 8001 namevhost blag.esotericsystems.at (/etc/bw/apache/vhosts/esotericsystems.at/httpd.conf:19)
port 8001 namevhost pheme.esotericsystems.at (/etc/bw/apache/vhosts/esotericsystems.at/pheme.conf:2)
port 8001 namevhost customers.esotericsystems.at (/etc/bw/apache/vhosts/esotericsystems.at/customers.conf:2)
port 8001 namevhost bombground.esotericsystems.at (macro 'PHPVHost' (defined on line 65 of /etc/bw/apache/extra/macro.conf) used on line 46 of /etc/bw/apache/vhosts/esotericsystems.at/httpd.conf:1)
port 8001 namevhost halas.esotericsystems.at (macro 'PHPVHost' (defined on line 65 of /etc/bw/apache/extra/macro.conf) used on line 47 of /etc/bw/apache/vhosts/esotericsystems.at/httpd.conf:1)
Syntax OK
i.galic@pheme ~ %


With /etc/bw/apache/extra/macro.conf -- see attachment.



>
> Regards,
>
> Rainer

bye

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/

Attachment: macro.conf

# vim: set ft=apache:
LoadModule macro_module /opt/bw/libexec/apache/mod_macro.so


# include base config
Include /etc/bw/apache/httpd.conf
ServerTokens Prod

LoadModule dir_module libexec/apache/mod_dir.so
DirectoryIndex index.html

LoadModule mime_magic_module libexec/apache/mod_mime_magic.so
MIMEMagicFile /etc/bw/apache/magic

Include /etc/bw/apache/extra/mpm-backend.conf
# listen to UID
Listen 127.0.0.1:$port
User $domain
Group $domain
ServerName $domain

# supply PID and lock file
PidFile "/var/bwlog/$domain/pid"
LockFile "/var/bwlog/$domain/lock"
ErrorLog "|/opt/bw/bin/rotatelogs /var/bwlog/$domain/error_log.%Y%m%d 86400"


Options +MultiViews
Allow from All
AllowOverride None


NameVirtualHost 127.0.0.1:$port




ServerName $parent_protocol://$sub.$domain:$parent_port
DocumentRoot /srv/web/$domain/$sub/htdocs




ServerName $parent_protocol://$domain:$parent_port
ServerAlias www.$domain
DocumentRoot /srv/web/$domain/www/htdocs




ServerName $parent_protocol://www.$domain:$parent_port
ServerAlias www.$domain
ServerAlias $server_alias
DocumentRoot /srv/web/$domain/www/htdocs




ServerName $parent_protocol://$sub.$domain:$parent_port
ServerAlias $server_alias
DocumentRoot /srv/web/$domain/$sub/htdocs





ServerName $parent_protocol://$sub.$domain:$parent_port
DocumentRoot /srv/web/$domain/$sub/htdocs
php_admin_value open_basedir /srv/web/$domain/$sub/:/opt/bw/share/pear/:/srv/web/esotericsystems.at/footer.php
php_admin_value session.save_path /srv/web/$domain/$sub/session
php_admin_value upload_tmp_dir /srv/web/$domain/$sub/tmp/




ServerName $parent_protocol://$domain:$parent_port
ServerAlias www.$domain
DocumentRoot /srv/web/$domain/www/htdocs
php_admin_value open_basedir /srv/web/$domain/www/:/opt/bw/share/pear/
php_admin_value session.save_path /srv/web/$domain/www/session
php_admin_value upload_tmp_dir /srv/web/$domain/www/tmp/




ServerName $parent_protocol://$sub.$domain:$parent_port
ServerAlias $server_alias
DocumentRoot /srv/web/$domain/$sub/htdocs
php_admin_value open_basedir /srv/web/$domain/$sub/:/opt/bw/share/pear/
php_admin_value session.save_path /srv/web/$domain/$sub/session
php_admin_value upload_tmp_dir /srv/web/$domain/$sub/tmp/




ServerName $parent_protocol://www.$domain:$parent_port
ServerAlias www.$domain
ServerAlias $server_alias
DocumentRoot /srv/web/$domain/www/htdocs
php_admin_value open_basedir /srv/web/$domain/www/:/opt/bw/share/pear/
php_admin_value session.save_path /srv/web/$domain/www/session
php_admin_value upload_tmp_dir /srv/web/$domain/www/tmp/




ServerName $hostname:80
ProxyPassMatch ^/(?!error/)(.*) http://127.0.0.1:$port/$1 disablereuse=on
ProxyPassReverse / http://127.0.0.1:$port/




ServerName $hostname:443
GnuTLSEnable On
GnuTLSCertificateFile "/etc/bw/certs/server.$hostname.cert"
GnuTLSKeyFile "/etc/bw/certs/private.$hostname.key"
GnuTLSPriorities SECURE:!ANON-DH:!MD5
ProxyPassMatch ^/(?!error/)(.*) http://127.0.0.1:$port/$1 disablereuse=on
ProxyPassReverse / http://127.0.0.1:$port/




ServerName $hostname:443
SSLEngine On
SSLCertificateFile "/etc/bw/certs/server.$hostname.cert"
SSLCertificateKeyFile "/etc/bw/certs/private.$hostname.key"
ProxyPassMatch ^/(?!error/)(.*) http://127.0.0.1:$port/$1 disablereuse=on
ProxyPassReverse / http://127.0.0.1:$port/




ServerName $hostname:80
ServerAlias $server_alias
ProxyPassMatch ^/(?!error/)(.*) http://127.0.0.1:$port/$1 disablereuse=on
ProxyPassReverse / http://127.0.0.1:$port/




ServerName $hostname:80
RedirectPermanent $sourcepath $protocol://$targethost$targetpath




ServerName $hostname:80
ServerAlias $server_alias
RedirectPermanent $sourcepath $protocol://$targethost$targetpath




Re: Options for multiple SSL domains on 1 server

on 06.10.2010 05:55:13 by grant

>> I need to set up SSL certificates for multiple domain names on a
>> single server.  I've done some research and I think these are my
>> options:
>>
>> 1. use multiple IPs
>> drawbacks: requires separate apache2 config for each SSL domain, extra
>> IPs must be allocated by the hosting company
>>
>> 2. use multiple ports
>> drawbacks: requires separate apache2 & firewall config for each SSL
>> domain, port numbers look weird in the URL
>>
>> 3. Server Name Indication
>> drawbacks: browser support is not widespread enough yet
>>
>> 4. X.509 v3 with subjectAltName
>> drawbacks: ???
>>
>> Are there other options?  Are there drawbacks to relying on X.509 v3
>> with subjectAltName, or is that the way to go?
>
> Options 1) and 2) don't require separate apache2 configs. You can have
> apache listen to multiple IPs or Ports. Just add the necessary
> "Listen" statements to your config, and then a virtualhost for each
> SSL host.
>
> Personally I think that until SNI adoption gets more widespread the
> best option is 1) if you have the IPs to spare, as it doesn't have any
> more config overhead than the other options and is going to work as
> expected.

I have a total of 5 usable IP addresses available from my host. I've
changed the DNS for my domain name, changed my system's network
configuration, and added a VirtualHost block in my apache2 config
like:


....
SSLCertificateFile /etc/apache2/ssl/www.example2.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.example2.com.key
....


which is in addition to my previously existing:


....
SSLCertificateFile /etc/apache2/ssl/www.example1.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.example1.com.key
....


I can see that pings to www.example2.com are resolved as 12.34.56.2
and http://www.example2.com works fine, but https://www.example2.com
still receives the www.example1.com SSL cert in firefox and opera.

Can anyone tell me what else I need to do to serve the correct SSL
cert for each domain?

- Grant

Re: Options for multiple SSL domains on 1 server

on 06.10.2010 06:35:07 by Craig Huffstetler

Grant,

You should use separate IPs as a best practice. As for your last
threaded discussion concerning how you serve the correct SSL cert for
each domain please see this article about mod_gnutls:

http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/

Craig

Re: Options for multiple SSL domains on 1 server

on 06.10.2010 06:53:56 by grant

> You should use separate IPs as a best practice. As for your last
> threaded discussion concerning how you serve the correct SSL cert for
> each domain please see this article about mod_gnutls:
>
> http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/
>
> Craig

Thanks but I'm a bit confused. My intention is to use separate IPs.
I don't want to use SNI because of its lacking browser support.
Aren't I using separate IPs in my configuration? "12.34.56.1" and
"12.34.56.2" are example IPs meant to represent my separate IPs.


....
SSLCertificateFile /etc/apache2/ssl/www.example1.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.example1.com.key
....



....
SSLCertificateFile /etc/apache2/ssl/www.example2.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.example2.com.key
....


- Grant

Re: Options for multiple SSL domains on 1 server

on 06.10.2010 09:38:37 by lists

Grant wrote:

>
> ...
> SSLCertificateFile /etc/apache2/ssl/www.example1.com.crt
> SSLCertificateKeyFile /etc/apache2/ssl/www.example1.com.key
> ...
>

>
>
> ...
> SSLCertificateFile /etc/apache2/ssl/www.example2.com.crt
> SSLCertificateKeyFile /etc/apache2/ssl/www.example2.com.key
> ...
>


no listen directive for each ip address?
or is apache using listen 0.0.0.0:443?
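The two questions in the reply above, whether each IP:port has a Listen directive and whether Apache is bound to every address on 443, are the first things to check when the wrong certificate is served. As an added example (not code from the thread or the httpd project), the following Python checker reads an httpd config text, collects the Listen addresses and the addresses of every `<VirtualHost>` block, and reports vhost addresses no Listen covers and addresses shared by more than one SSL vhost. The second case matters because, without SNI, when several SSL vhosts are bound to the same exact address:port Apache serves the first one's certificate to every client. Includes are not followed, and the sample configs inside the block are constructed for this example using the thread's placeholder names and IPs.

```python
"""Sanity-check IP-based SSL VirtualHost addresses against Listen directives.

Added example, not code from the thread. Reads a config text (Includes are not
followed) and reports:
  * vhost addresses that no Listen directive covers, and
  * address:port pairs shared by more than one SSL vhost, where, without SNI,
    the first vhost's certificate is served for all of them.
"""
import re
from collections import defaultdict

_LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE | re.MULTILINE)
_VHOST_RE = re.compile(
    r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.IGNORECASE | re.DOTALL)
_SERVERNAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.IGNORECASE | re.MULTILINE)
_SSLENGINE_RE = re.compile(r"^\s*SSLEngine\s+on\b", re.IGNORECASE | re.MULTILINE)


def split_addr(addr):
    """Split an Apache address into (host, port).

    '12.34.56.1:443' -> ('12.34.56.1', '443'); bare '443' -> ('*', '443');
    '[::1]:443' -> ('[::1]', '443'); a host with no port -> (host, '*').
    """
    if addr.startswith("["):
        host, sep, port = addr.rpartition("]:")
        return (host + "]", port) if sep else (addr, "*")
    if ":" in addr:
        host, _, port = addr.rpartition(":")
        return host, port
    if addr.isdigit():
        return "*", addr
    return addr, "*"


def listen_covers(listen, vhost):
    """True if a Listen (host, port) accepts connections for a vhost address."""
    lhost, lport = listen
    vhost_host, vport = vhost
    if lport != vport and "*" not in (lport, vport):
        return False
    if lhost in ("*", "0.0.0.0", "[::]"):
        return True  # Listen on all addresses for that port
    if vhost_host in ("*", "_default_"):
        return True  # wildcard vhost takes whatever is listened on
    return lhost == vhost_host


def check_config(text):
    """Return {'uncovered': [addr, ...], 'shared_ssl': {addr: [ServerName, ...]}}."""
    listens = [split_addr(a) for a in _LISTEN_RE.findall(text)]
    uncovered = []
    ssl_by_addr = defaultdict(list)
    for m in _VHOST_RE.finditer(text):
        body = m.group(2)
        name_m = _SERVERNAME_RE.search(body)
        name = name_m.group(1) if name_m else "(no ServerName)"
        is_ssl = _SSLENGINE_RE.search(body) is not None
        for raw in m.group(1).split():
            addr = split_addr(raw)
            if not any(listen_covers(l, addr) for l in listens):
                uncovered.append(raw)
            if is_ssl:
                ssl_by_addr[raw].append(name)
    shared = {a: names for a, names in ssl_by_addr.items() if len(names) > 1}
    return {"uncovered": uncovered, "shared_ssl": shared}


# Constructed sample: one dedicated IP per SSL domain, Listen per IP.
SAMPLE_OK = """
Listen 80
Listen 12.34.56.1:443
Listen 12.34.56.2:443
<VirtualHost 12.34.56.1:443>
    ServerName www.example1.com
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/www.example1.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.example1.com.key
</VirtualHost>
<VirtualHost 12.34.56.2:443>
    ServerName www.example2.com
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/www.example2.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.example2.com.key
</VirtualHost>
"""

# Constructed sample with both problems: two SSL vhosts on the same
# wildcard address, and a third on an IP nothing listens on.
SAMPLE_BAD = """
Listen 80
Listen 12.34.56.1:443
<VirtualHost *:443>
    ServerName www.example1.com
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/www.example1.com.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example2.com
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/www.example2.com.crt
</VirtualHost>
<VirtualHost 12.34.56.2:443>
    ServerName www.example3.com
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/www.example3.com.crt
</VirtualHost>
"""

if __name__ == "__main__":
    for label, cfg in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_config(cfg))
```

Run it against the merged output of `apachectl -S` sources or a concatenated config; for a real server, feeding it the output of `apachectl -t -D DUMP_VHOSTS` is the authoritative view, since that shows which vhost Apache actually picks per address.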

Re: Options for multiple SSL domains on 1 server

on 06.10.2010 12:25:50 by Jonas Eckerman

On 2010-10-04 21:39, Rainer Jung wrote:

> I think you can define the contents of the VirtualHost
> container by a macro, but not the container itself, so e.g.

Nah. I'm defining a whole bunch of virtual hosts by macros. It works
just fine. Must be some other limitation you were thinking about.

Regards
/Jonas
--
Jonas Eckerman
Fruktträdet & Förbundet Sveriges Dövblinda
http://www.fsdb.org/
http://www.frukt.org/
http://whatever.frukt.org/

Re: Options for multiple SSL domains on 1 server

on 07.10.2010 00:26:07 by grant

>>
>> ...
>> SSLCertificateFile /etc/apache2/ssl/www.example1.com.crt
>> SSLCertificateKeyFile /etc/apache2/ssl/www.example1.com.key
>> ...
>>

>>
>>
>> ...
>> SSLCertificateFile /etc/apache2/ssl/www.example2.com.crt
>> SSLCertificateKeyFile /etc/apache2/ssl/www.example2.com.key
>> ...
>>

>
> no listen directive for each ip address?
> or is apache using listen 0.0.0.0:443?

I'm sorry that this message is not as detailed as it could be. This
is my third attempt at sending it. It keeps tripping the spam filter,
probably because of all the IP and domain references.

I had 'Listen 443' but I also tried specifying the exact IP addresses
along with the port number on 2 Listen lines with the same results.

I'm baffled because even if I enter the IP after https in a browser,
I'm presented with the wrong SSL cert. I used openssl on the command
line to be sure I had named the certificates correctly. Any ideas?

# ifconfig
eth0 Link encap:Ethernet HWaddr [removed]
inet addr:12.34.56.1 Bcast:[removed] Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:46047 errors:0 dropped:0 overruns:0 frame:0
TX packets:65703 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6131194 (5.8 MiB) TX bytes:82568335 (78.7 MiB)
Interrupt:40

eth0:1 Link encap:Ethernet HWaddr [removed]
inet addr:12.34.56.2 Bcast:[removed] Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:40

- Grant


Re: Options for multiple SSL domains on 1 server

on 07.10.2010 01:41:37 by lists

Grant wrote:
>>>
>>> ...
>>> SSLCertificateFile /etc/apache2/ssl/www.example1.com.crt
>>> SSLCertificateKeyFile /etc/apache2/ssl/www.example1.com.key
>>> ...
>>>

>>>
>>>
>>> ...
>>> SSLCertificateFile /etc/apache2/ssl/www.example2.com.crt
>>> SSLCertificateKeyFile /etc/apache2/ssl/www.example2.com.key
>>> ...
>>>

>> no listen directive for each ip address?
>> or is apache using listen 0.0.0.0:443?
>
> I'm sorry that this message is not as detailed as it could be. This
> is my third attempt at sending it. It keeps tripping the spam filter,
> probably because of all the IP and domain references.
Odd, the list isn't configured to trip on IP or domain references. Must
be a glitch somewhere between then, unless your own mail system is
scanning outbound and it's triggering the spam there.

> I had 'Listen 443' but I also tried specifying the exact IP addresses
> along with the port number on 2 Listen lines with the same results.

>
> I'm baffled because even if I enter the IP after https in a browser,
> I'm presented with the wrong SSL cert. I used openssl on the command
> line to be sure I had named the certificates correctly. Any ideas?

We really will need to see the conf file for the Listen and the vhost
sections; someone may see the issue faster then.


> # ifconfig
> eth0 Link encap:Ethernet HWaddr [removed]
> inet addr:12.34.56.1 Bcast:[removed] Mask:255.255.255.248
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:46047 errors:0 dropped:0 overruns:0 frame:0
> TX packets:65703 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:6131194 (5.8 MiB) TX bytes:82568335 (78.7 MiB)
> Interrupt:40
>
> eth0:1 Link encap:Ethernet HWaddr [removed]
> inet addr:12.34.56.2 Bcast:[removed] Mask:255.255.255.248
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> Interrupt:40
>
> - Grant
>



Re: Options for multiple SSL domains on 1 server

on 07.10.2010 05:06:29 by grant

>> I'm sorry that this message is not as detailed as it could be. This
>> is my third attempt at sending it. It keeps tripping the spam filter,
>> probably because of all the IP and domain references.
> odd, the list isn't configured to trip on ip or domain references. must
> be a glitch somewhere between then, unless your own mail system is
> scanning outbound and it's triggering the spam there.

I got:

Delivery to the following recipient failed permanently:

users@httpd.apache.org

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the
recipient domain. We recommend contacting the other email provider for
further information about the cause of this error. The error that the
other server returned was: 552 552 spam score (5.5) exceeded threshold
(state 18).

>> I'm baffled because even if I enter the IP after https in a browser,
>> I'm presented with the wrong SSL cert. I used openssl on the command
>> line to be sure I had named the certificates correctly. Any ideas?
>
> we really will need to see the conf file for the listen and the vhost
> sections, someone may see the issue faster then.

It was ServerName. I had ServerName defined as www.example1.com in
Gentoo's /etc/apache2/vhosts.d/default_vhost.include. I removed it
from there and added it to each of my SSL VirtualHost blocks and now
everything works. I noticed that removing ServerName entirely works
for Firefox, but in that case SSL wouldn't work for either domain in
Opera.

I thought ServerName was just a label like ServerAdmin. Should I be
OK having it defined only in each of my SSL VirtualHost blocks?

Thanks a lot for everyone's help with this.

- Grant
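
An added check for the configuration pitfall Grant ran into (example code written for this page, not anything posted in the thread or shipped by the httpd project). The two configs embedded in it are constructed to mirror his before/after layout, with the thread's placeholder IPs and certificate paths; it flags an SSL VirtualHost that has no ServerName of its own, a ServerName set only in the global scope, a VirtualHost address that no Listen covers, and one certificate file shared by two SSL vhosts:

```python
"""Lint an httpd config for the IP-based SSL vhost pitfalls in this thread: an SSL
VirtualHost without its own ServerName, a ServerName set only globally, a vhost
address no Listen covers, and one certificate file shared by two SSL vhosts.
Added example, not code from the thread; both configs below are constructed."""
import re

# Constructed sample: Grant's original layout, ServerName only in a global include.
BROKEN_CONF = """
Listen 12.34.56.1:443
Listen 12.34.56.2:443
ServerName www.example1.com   # stand-in for vhosts.d/default_vhost.include
<VirtualHost 12.34.56.1:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/www.example1.com.crt
</VirtualHost>
<VirtualHost 12.34.56.2:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/www.example2.com.crt
</VirtualHost>
"""

# Constructed sample: the fix, ServerName inside each SSL VirtualHost, none globally.
FIXED_CONF = """
Listen 12.34.56.1:443
Listen 12.34.56.2:443
<VirtualHost 12.34.56.1:443>
    ServerName www.example1.com
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/www.example1.com.crt
</VirtualHost>
<VirtualHost 12.34.56.2:443>
    ServerName www.example2.com
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/www.example2.com.crt
</VirtualHost>
"""


def parse_httpd_conf(text):
    """Minimal parser: returns (global directives, [vhost dicts]). Directive names are
    lowercased; Listen is accumulated as a list; other containers are transparent."""
    global_d, vhosts, current = {"listen": []}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>$", line, re.I)
        if m:
            current = {"addrs": m.group(1).split(), "listen": []}
            continue
        if line.lower() == "</virtualhost>":
            vhosts.append(current)
            current = None
            continue
        if line.startswith("<"):                       # <Directory>, </Location>, ...
            continue
        parts = line.split(None, 1)
        name, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        target = current if current is not None else global_d
        if name == "listen":
            target["listen"].append(value.split()[0] if value else "")  # drop "https" etc.
        else:
            target[name] = value
    return global_d, vhosts


def listen_covers(listens, addr):
    """True if some Listen spec binds addr ("ip:port"): exact match, bare port, or wildcard."""
    port = addr.rpartition(":")[2]
    for spec in listens:
        if spec in (addr, port):
            return True
        lip, _, lport = spec.rpartition(":")
        if lport == port and lip in ("*", "0.0.0.0", "[::]"):
            return True
    return False


def lint(text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    g, vhosts = parse_httpd_conf(text)
    findings, missing, cert_owner = [], [], {}
    for vh in vhosts:
        label = " ".join(vh["addrs"])
        if vh.get("sslengine", "").lower() == "on":
            if "servername" not in vh:
                findings.append(f"{label}: SSLEngine on but no ServerName inside the VirtualHost")
                missing.append(label)
            cert = vh.get("sslcertificatefile")
            if cert in cert_owner:
                findings.append(f"{label}: same SSLCertificateFile as {cert_owner[cert]} ({cert});"
                                " only right for a SAN or wildcard certificate")
            elif cert:
                cert_owner[cert] = label
        for addr in vh["addrs"]:
            if ":" in addr and not addr.startswith(("*", "_default_")) \
                    and not listen_covers(g["listen"], addr):
                findings.append(f"{label}: no Listen covers {addr}")
    if missing and "servername" in g:
        findings.append(f"global ServerName {g['servername']} is set while SSL vhosts lack"
                        f" their own: {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, lint(conf) or ["OK"])
```

Run stand-alone it prints three findings for the broken layout and OK for the fixed one. The parser is deliberately small (no Include resolution, no nested-container semantics), so treat it as a pre-commit sanity check on the files you edit; `apachectl -S` remains the authoritative view of how httpd itself resolved the virtual hosts.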


Re: Options for multiple SSL domains on 1 server

on 07.10.2010 07:32:32 by lists

Grant wrote:

> It was ServerName. I had ServerName defined as www.example1.com in
> Gentoo's /etc/apache2/vhosts.d/default_vhost.include. I removed it
> from there and added it to each of my SSL VirtualHost blocks and now
> everything works. I noticed that removing ServerName entirely works
> for Firefox, but in that case SSL wouldn't work for either domain in
> Opera.
>
> I thought ServerName was just a label like ServerAdmin. Should I be
> OK having it defined only in each of my SSL VirtualHost blocks?
>
> Thanks a lot for everyone's help with this.
>
> - Grant
>
Actually, it's a good item to have in the vhost; the server uses it to
present names in the URLs instead of IP addresses.


Re: Options for multiple SSL domains on 1 server

on 07.10.2010 18:27:15 by grant

>> It was ServerName. I had ServerName defined as www.example1.com in
>> Gentoo's /etc/apache2/vhosts.d/default_vhost.include. I removed it
>> from there and added it to each of my SSL VirtualHost blocks and now
>> everything works. I noticed that removing ServerName entirely works
>> for Firefox, but in that case SSL wouldn't work for either domain in
>> Opera.
>>
>> I thought ServerName was just a label like ServerAdmin. Should I be
>> OK having it defined only in each of my SSL VirtualHost blocks?
>>
>> Thanks a lot for everyone's help with this.
>>
>> - Grant
>>
> actually, it's a good item to have in the vhost, the server uses it to
> present names in the urls instead of ip addresses

I'm surprised it's necessary since I'm not using name-based virtual
hosting. Should I have ServerName in the port 80 vhost blocks or is
it sufficient in the SSL blocks?

- Grant


Re: Options for multiple SSL domains on 1 server

on 07.10.2010 21:45:20 by lists

Grant wrote:

>>>
>> actually, it's a good item to have in the vhost, the server uses it to
>> present names in the urls instead of ip addresses
>
> I'm surprised it's necessary since I'm not using name-based virtual
> hosting. Should I have ServerName in the port 80 vhost blocks or is
> it sufficient in the SSL blocks?

Without it, the site visitors will only get the IP address URL, even on
HTTP sites.


Re: Options for multiple SSL domains on 1 server

on 07.10.2010 22:02:27 by Eric Covener

>>> actually, it's a good item to have in the vhost, the server uses it to
>>> present names in the urls instead of ip addresses
>>
>> I'm surprised it's necessary since I'm not using name-based virtual
>> hosting. Should I have ServerName in the port 80 vhost blocks or is
>> it sufficient in the SSL blocks?
>
> without it, the site visitors will only get the ip address url. even on
> http sites.

Not in 2.2.x by default they won't. See UseCanonicalName.

-- 
Eric Covener
covener@gmail.com


Re: Options for multiple SSL domains on 1 server

on 08.10.2010 19:00:14 by grant

>>>> actually, it's a good item to have in the vhost, the server uses it to
>>>> present names in the urls instead of ip addresses
>>>
>>> I'm surprised it's necessary since I'm not using name-based virtual
>>> hosting. Should I have ServerName in the port 80 vhost blocks or is
>>> it sufficient in the SSL blocks?
>>
>> without it, the site visitors will only get the ip address url. even on
>> http sites.
>
> Not in 2.2.x by default they won't. See UseCanonicalName.

In case it's useful for anyone:

Default: UseCanonicalName Off

With UseCanonicalName Off Apache will form self-referential URLs using
the hostname and port supplied by the client if any are supplied
(otherwise it will use the canonical name, as defined above). These
values are the same that are used to implement name based virtual
hosts, and are available with the same clients. The CGI variables
SERVER_NAME and SERVER_PORT will be constructed from the client
supplied values as well.

http://httpd.apache.org/docs/current/mod/core.html#usecanonicalname

- Grant


Re: Options for multiple SSL domains on 1 server

on 08.10.2010 19:08:11 by grant

>>>> actually, it's a good item to have in the vhost, the server uses it to
>>>> present names in the urls instead of ip addresses
>>>
>>> I'm surprised it's necessary since I'm not using name-based virtual
>>> hosting. Should I have ServerName in the port 80 vhost blocks or is
>>> it sufficient in the SSL blocks?
>>
>> without it, the site visitors will only get the ip address url. even on
>> http sites.
>
> Not in 2.2.x by default they won't. See UseCanonicalName.

Strange that https URLs don't work in Opera without ServerName, isn't
it? They work in Firefox.

- Grant
