Mauro,

Thanks for the info on SNI. Russ Herrold also mentioned it last week and that appears to be exactly what we were looking for. I just received confirmation from my colleague (I had forwarded Russ' email to him) that he now has it working, without having to mess with IPs!

I appreciate the advice, Russ!

Martha

On Mon, 2 Dec 2013 12:37:13 -0200 Mauro Souza said:
>There's a feature on Apache named SNI (Server Name Indication). It's
>supported on almost all modern browsers, so you can set it up and almost
>nobody will complain.
>
>You can see the complete explanation along with examples at
>http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
>
>This way you can host all servers on the same Apache, with the same IP
>address, and have different certificates for each. I never tested this
>setup, but I think it will work.
>
>Mauro
>http://mauro.limeiratem.com - registered Linux User: 294521
>Scripture is both history, and a love letter from God.
>
>
>2013/12/2 Veencamp, Jonathon D. <[email protected]>
>
>> I think it's called IP aliasing or something like that. We have a single
>> NIC advertising a bunch of IP addresses, and have a different apache
>> listener on each one.
>>
>> We do that via this command in a system startup script on Suse Linux.
>> "ip address add 192.168.69.60/24 brd + dev eth0 label eth0:60"
>>
>> And then ifconfig to list the network addresses shows this:
>>
>> lnx-dhttp:~ # ifconfig
>> eth0      Link encap:Ethernet  HWaddr 02:00:03:00:00:05
>>           inet addr:192.168.69.34  Bcast:161.250.69.255  Mask:255.255.255.0
>>           inet6 addr: fe80::200:300:100:5/64 Scope:Link
>>           UP BROADCAST RUNNING MULTICAST  MTU:1492  Metric:1
>>           RX packets:51739450 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:51033519 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:25357355357 (24182.6 Mb)  TX bytes:28616518230 (27290.8 Mb)
>>
>> eth0:60   Link encap:Ethernet  HWaddr 02:00:03:00:00:05
>>           inet addr:192.168.69.60  Bcast:161.250.69.255  Mask:255.255.255.0
>>           UP BROADCAST RUNNING MULTICAST  MTU:1492  Metric:1
>>
>> eth0:61   Link encap:Ethernet  HWaddr 02:00:03:00:00:05
>>           inet addr:192.168.69.61  Bcast:161.250.69.255  Mask:255.255.255.0
>>           UP BROADCAST RUNNING MULTICAST  MTU:1492  Metric:1
>>
>> eth0:62   Link encap:Ethernet  HWaddr 02:00:03:00:00:05
>>           inet addr:192.168.69.62  Bcast:161.250.69.255  Mask:255.255.255.0
>>           UP BROADCAST RUNNING MULTICAST  MTU:1492  Metric:1
>>
>> eth0:63   Link encap:Ethernet  HWaddr 02:00:03:00:00:05
>>           inet addr:192.168.69.63  Bcast:161.250.69.255  Mask:255.255.255.0
>>           UP BROADCAST RUNNING MULTICAST  MTU:1492  Metric:1
>>
>> eth0:64   Link encap:Ethernet  HWaddr 02:00:03:00:00:05
>>           inet addr:192.168.69.64  Bcast:161.250.69.255  Mask:255.255.255.0
>>           UP BROADCAST RUNNING MULTICAST  MTU:1492  Metric:1
>>
>> And then start all the different apache's with something like this:
>> /opt/local/HTTPServer/bin/apachectl -f conf/httpd.eth061.conf -k start -D eth061
>> /opt/local/HTTPServer/bin/apachectl -f conf/httpd.eth062.conf -k start -D eth062
>> /opt/local/HTTPServer/bin/apachectl -f conf/httpd.eth063.conf -k start -D eth063
>> /opt/local/HTTPServer/bin/apachectl -f conf/httpd.eth064.conf -k start -D eth064
>>
>> And I'm reasonably sure when I created the certificates for these, I added
>> the various IP addresses & DNS hostnames for them to the extension aliases
>> field, and one certificate covered all of them.
>>
>> Jon Veencamp
>>
>>
>> -----Original Message-----
>> From: Linux on 390 Port [mailto:[email protected]] On Behalf Of
>> Marcy Cortes
>> Sent: Friday, November 29, 2013 12:38 PM
>> To: [email protected]
>> Subject: Re: Thoughts on multiple certificates for Apache host
>>
>> Martha wrote:
>> > For example, could we host multiple IPs from the same NIC if the
>> > server is on a layer 2 vswitch? (Will it do trunking, basically?) Is
>> > there an easier way to approach this?
>>
>> If you haven't already figured this out (and hopefully you've been off
>> eating turkey and pumpkin pie instead of having to configure IP
>> addresses...)
>>
>> This is very simple with yast2 on SuSE.
>>
>> Just go into Yast2
>> Click Network Devices
>> Select the current one and click Edit
>> Go down to the "Additional Addresses" section
>> Click Add
>> Name it (vip0 or whatever you'd like)
>> put in the IP and Netmask
>>
>> Et voila! Immediately usable and visible in "ifconfig".
>>
>> (It basically just adds a couple of lines to the eth0 device (or whatever
>> device yours is called) in /etc/sysconfig/network and does whatever is
>> needed to dynamically activate it.)
>>
>> Marcy
>>
>> ----------------------------------------------------------------------
>> For LINUX-390 subscribe / signoff / archive access instructions,
>> send email to [email protected] with the message: INFO LINUX-390 or
>> visit
>> http://www.marist.edu/htbin/wlvindex?LINUX-390
>> ----------------------------------------------------------------------
>> For more information on Linux on System z, visit
>> http://wiki.linuxvm.org/
>>
>> ________________________________
>>
>> The information contained in this e-mail message is intended only for the
>> personal and confidential use of the designated recipient(s) named above.
>> This message may be an attorney-client or work product communication which
>> is privileged and confidential. It may also contain protected health
>> information that is protected by federal law. If you have received this
>> communication in error, please notify us immediately by telephone and
>> destroy (shred) the original message and all attachments. Any review,
>> dissemination, distribution or copying of this message by any person other
>> than the intended recipient(s) or their authorized agents is strictly
>> prohibited. Thank you.
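
The single-IP setup that the quoted SNI message describes, as an added example that is not part of the original thread: two name-based TLS virtual hosts on one address and port, each with its own certificate, selected by the name the client sends in SNI. The host names and file paths are placeholders.

```apache
# Added example, not from the thread. Host names (www.example.com,
# shop.example.com) and all file paths are placeholders.
Listen 443

# Apache 2.2 only: turn on name-based virtual hosting for this
# address/port. Apache 2.4 does this automatically.
NameVirtualHost *:443

# Refuse clients that send no SNI instead of handing them the first
# vhost's certificate, which would not match the name they asked for.
SSLStrictSNIVHostCheck on

# The first vhost listed is the default for *:443.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /srv/www/www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.example.com.key
</VirtualHost>

# Same IP and port, different name, different certificate and key.
<VirtualHost *:443>
    ServerName shop.example.com
    DocumentRoot /srv/www/shop.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/shop.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/shop.example.com.key
</VirtualHost>

# To confirm each name gets its own certificate, compare the subject
# printed for each -servername value:
#   openssl s_client -connect <server-ip>:443 -servername www.example.com
#   openssl s_client -connect <server-ip>:443 -servername shop.example.com
```

Unlike the one-certificate-for-all-addresses approach quoted above, each site's private key here is separate, so a key can be rotated or revoked for one site without touching the others.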
