Hello all,
Sorry for the delay.
Yes, I am using the "tls certificate file *option*" for both servers:
(...)
server "daenerys.burelli.fr" {
    listen on $ext_addr port 80
    block return 301 "https://$SERVER_NAME$REQUEST_URI"
}
server "daenerys.burelli.fr" {
    listen on $ext_addr tls port 443
    root "/htdocs/default"
    log style combined
    hsts
    tls {
        certificate "/etc/ssl/daenerys.burelli.fr.crt"
        key "/etc/ssl/private/daenerys.burelli.fr.key"
    }
(...)
server "cloud.burelli.fr" {
    listen on $ext_addr port 80
    block return 301 "https://cloud.burelli.fr:444/$REQUEST_URI"
}
server "cloud.burelli.fr" {
    listen on $ext_addr tls port 444
    root "/htdocs/nextcloud"
    directory index index.php
    hsts
    tls {
        certificate "/etc/ssl/cloud.burelli.fr.crt"
        key "/etc/ssl/private/cloud.burelli.fr.key"
    }
(...)
In fact, I understand here that httpd is listening on TCP port 80 for each
website.
httpd splits requests from each server based on $SERVER_NAME to call the correct
pages for each $SERVER_NAME website.
I would like to know if it is possible to redirect the request on TCP port 80 URI
based on $SERVER_NAME to each https server on a different port (443 & 444,
depending on $SERVER_NAME).
If yes, what is the best way?
-----Original Message-----
From: [email protected] [mailto:[email protected]] On behalf of
Joris Vanhecke
Sent: Thursday, December 29, 2016 11:48 PM
To: [email protected]
Subject: Re: [httpd] Multiple HTPS servers & redirection
On Sun, 25 Dec 2016, at 12:24 PM, Olivier wrote:
> Hello all,
>
> I would like to know what is the best practice to manage multiple
> https servers with httpd. I installed 2 certificates for both hostnames
> below:
>
> _ daenerys.burelli.fr
> _ cloud.burelli.fr
>
> I would like to redirect all requests for:
>
> _ http://daenerys.burelli.fr to https://cloud.burelli.fr → OK
> _ http://cloud.burelli.fr to https://cloud.burelli.fr:444 →
> KO - however the certificate is ok when I try to reach directly
> https://cloud.burelli.fr:444
>
> I would like to avoid obtaining the following message for second
> https
> server: SSL_ERROR_BAD_CERT_DOMAIN (The certificate is only valid for
> the following names: daenerys.burelli.fr, www.daenerys.burelli.fr)
>
> Part of my httpd.conf:
>
> server "daenerys.burelli.fr" {
> listen on $ext_addr port 80
> block return 301 "https://$SERVER_NAME$REQUEST_URI"
> }
>
> server "daenerys.burelli.fr" {
> alias "www.burelli.fr"
> listen on $ext_addr tls port 443
> (…)
> }
>
> server "cloud.burelli.fr" {
> listen on $ext_addr port 80
> block return 301 "https://cloud.burelli.fr:444/$REQUEST_URI"
> }
>
> server "cloud.burelli.fr" {
> listen on $ext_addr tls port 444
> (…)
> }
>
> I tried also with: block return 301
> https://$SERVER_NAME:444$REQUEST_URI
> or
> block return 301 https://cloud.burelli.fr:444$REQUEST_URI
>
> What is the right way to rewrite the URL?
>
> Thanks in advance for your help and support.
>
> Olivier.
>
Seems like httpd is using the first cert for both domains.
Are you using the "tls certificate *file*" option?
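
As an added example (not part of the thread), the following shell script checks whether a certificate file is valid for the hostname its listener is supposed to serve, which is the mismatch that SSL_ERROR_BAD_CERT_DOMAIN reports. It assumes the OpenSSL 1.1.1+ command-line tool; the function names, the temporary self-signed certificates and the listener map are constructed for illustration.

```shell
#!/bin/sh
# Added example: all names below are hypothetical helpers, not httpd tooling.

# cert_covers CERT_PEM HOSTNAME -> exit 0 if the certificate is valid for HOSTNAME.
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# make_sample_cert PREFIX NAME -> writes PREFIX.crt / PREFIX.key, a throwaway
# self-signed certificate valid for NAME and www.NAME (constructed sample data).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2,DNS:www.$2" 2>/dev/null
}

# audit_map: reads "port hostname certfile" lines on stdin, prints a verdict
# per listener and returns non-zero if any certificate does not cover its host.
audit_map() {
    bad=0
    while read -r port host cert; do
        if cert_covers "$cert" "$host"; then
            echo "port $port: $cert covers $host"
        else
            echo "port $port: $cert does NOT cover $host"
            bad=1
        fi
    done
    return $bad
}

tmp=$(mktemp -d)
make_sample_cert "$tmp/daenerys" daenerys.burelli.fr
make_sample_cert "$tmp/cloud" cloud.burelli.fr

# Constructed listener map: port 443 is paired with the right certificate,
# port 444 with the first certificate (the symptom in the error message).
printf '%s\n' \
    "443 daenerys.burelli.fr $tmp/daenerys.crt" \
    "444 cloud.burelli.fr $tmp/daenerys.crt" |
    audit_map || echo "at least one listener presents the wrong certificate"
```

To check a running listener rather than a file, pipe `openssl s_client -connect HOST:PORT -servername HOST </dev/null` into `openssl x509 -noout -checkhost HOST`.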