On Tue, 18 Feb 2014, Olivier Mehani wrote:
> Hi all,
>
> I have been battling with this issue for far too long, and I am at wit's
> end.
>
> I have an OpenBSD 5.4 machine, with httpd serving pages successfully
> over both HTTP and HTTPS (with a CaCert-issued certificate). I want to
> serve multiple sites on both protocols (the certificate has AltNames for
> the various sites).
>
> (Almost) everything works fine, and I do indeed manage to successfully
> access all sites over HTTPS as expected. However, the HTTPS environment
> variable, which should be set to 'on' for HTTPS sessions, is missing for
> all but the first VHost. This is problematic because multiple apps
> (mostly php-5.3.27, but also some CGI and Rewrites) inspect this
> variable and behave differently depending on whether it is set to 'on'
> or anything else.
>
> The relevant bits of my configuration file are as follows (diffed from
> the original src/usr.sbin/httpd/conf/httpd.conf from CVS on branch
> OPENBSD_5_4):
> 938a939,940
>
> > NameVirtualHost *:80
> > NameVirtualHost *:443
>
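Review bot: NameVirtualHost *:443 switches on name-based selection for the TLS port, but as the reply points out the base httpd has no SNI, so the handshake still completes against _default_:443 before any Host: header is seen; the certificate configured on _default_:443 therefore has to cover every name served on *:443, and each *:443 VirtualHost still needs its own SSLEngine, SSLCertificateFile and SSLCertificateKeyFile lines for mod_ssl to set HTTPS for it.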
> 1024,1025c1026,1027
> < ServerName new.host.name
> < ServerAdmin [email protected]
> ---
>
> > #ServerName new.host.name
> > #ServerAdmin [email protected]
>
> 1121a1124,1125
>
> > Include /srv/www/conf/sites.d
>
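Review bot: the Include pulls in a <VirtualHost *:80 *:443> block that carries no SSLEngine, SSLCertificateFile or SSLCertificateKeyFile directive, which is exactly why HTTPS stays unset for that host; either add those three directives to a :443 host, or, as the reply suggests, make the *:80 host a redirect to https and keep a separate *:443 host that carries them.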
> The ServerName/ServerAdmin/... are all in the <VirtualHost _default_:443>
> group. The Include is at the very end of the file.
>
> I reduced my test case to /srv/www/conf/sites.d containing only one
> file:
> <VirtualHost *:80 *:443>
> ServerName www.domain2.tld
> ServerAdmin [email protected]
> DocumentRoot /var/www/sites/domain2.tld/www
> </VirtualHost>
> <Directory "/sites/domain2.tld/www">
> Options MultiViews SymLinksIfOwnerMatch Includes
> AllowOverride FileInfo
> Order allow,deny
> Allow from all
> </Directory>
>
> Neither /var/www/htdocs nor /var/www/sites/domain2.tld/www contain
> .htaccess files.
>
> This is a rather standard setup, and I've had this working on previous
> machines (<=5.3). The HTTPD and SSL logs do not show any error nor
> warning. I have been trying many combinations of NameVirtualHost,
> VirtualHost and ServerName / ServerAlias.
>
> In all (working) cases, the first (_default_) VHost has HTTPS set to
> 'on', and the other one simply hasn't anything set (as shown through a
> phpinfo() page). Swapping the ServerName of the _default_ VHost to
> another of the AltName'd names in the certificate sees that particular
> domain get the HTTPS variable, and none of the others.
>
> I'm not sure what to try next, if there is indeed anything else. Could
> anybody offer some insight/experience about this type of setup? I guess
> I'm missing something obvious, but searching the web for hours on end
> hasn't yielded anything helpful... Does anybody have any idea what the
> problem might be there?
Name-based virtual hosting and SSL is a can of worms. In short, without SNI
(which AFAICT the base httpd does not support) the server does not know which
virtual server is required until after the SSL session has already been
established. To be honest I am somewhat surprised that this actually works as
well as it does - seemingly once SSL has been negotiated with the
_default_:443 virtual host it will then switch virtual hosts based on the
Host: header (which is how non-SSL name-based virtual hosting works).
In this particular case the lack of HTTPS=on is due to the fact that you do
not actually have SSL enabled in the /srv/www/conf/sites.d/ configuration
snippet. Normally this would have (at minimum) SSLEngine, SSLCertificateFile
and SSLCertificateKeyFile directives in the /srv/www/conf/sites.d/
VirtualHost configuration files (as an aside, if your hosting/application
requires SSL, you probably should consider setting up :80 as a redirect to
https, rather than configuring both *:80 and *:443 on the same virtual host).
Generally speaking, you will likely have fewer challenges if you configure
each HTTPS virtual host using a dedicated IP address (or port). That way the
virtual host selection is made prior to SSL negotiation occurring.
--
"Action without study is fatal. Study without action is futile."
-- Mary Ritter Beard
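For reference, here is the sites.d snippet from the question rewritten along the lines the reply suggests: the *:80 side becomes a redirect and the *:443 side gets the mod_ssl directives it was missing. This is an added example, not config from either poster; the certificate and key paths are assumed and must match the ones already used by the _default_:443 host, since that certificate carries the AltNames.

```apache
# Added example, not from the original thread. Assumes the :443 host
# reuses the same AltName-bearing certificate as _default_:443 at the
# paths below; change them to match the server.

# Plain HTTP: redirect to HTTPS instead of serving both protocols from
# one <VirtualHost *:80 *:443> block.
<VirtualHost *:80>
    ServerName www.domain2.tld
    # placeholder admin address
    ServerAdmin webmaster@domain2.tld
    Redirect permanent / https://www.domain2.tld/
</VirtualHost>

# HTTPS: SSLEngine on is what makes mod_ssl set HTTPS=on for requests
# served by this host; without it the host is reached over the session
# negotiated for _default_:443 but never gets the variable.
<VirtualHost *:443>
    ServerName www.domain2.tld
    # placeholder admin address
    ServerAdmin webmaster@domain2.tld
    DocumentRoot /var/www/sites/domain2.tld/www
    SSLEngine on
    # assumed paths; use the same files as the _default_:443 host
    SSLCertificateFile /etc/ssl/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>
```

For the dedicated-address layout the reply recommends, replace `*:443` with that host's own address and port (for instance a placeholder `192.0.2.10:443`, with a matching `Listen` line) so the virtual host is chosen before the SSL handshake rather than from the Host: header afterwards.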