Addressed to: [EMAIL PROTECTED]
              Mads Toftum <[EMAIL PROTECTED]>

** Reply to note from Mads Toftum <[EMAIL PROTECTED]> Wed, 17 May 2000 09:59:45 +0200
>   
> On Tue, May 16, 2000 at 02:19:40PM +0000, [EMAIL PROTECTED]
> wrote:
> > ** Reply to note from "Steve Fairhead" <[EMAIL PROTECTED]> Tue, 16 May 2000 00:43:19 +0100
> > >
> > > .... but mustn't they also be IP-based rather than name-based?
> > >   
> > 
> > That is a recommendation, not a requirement.  The reason for it, I
> > believe, is to allow the web server to start even if DNS is not operating.
> > (For example, if all your servers go down in a power failure and the DNS
> > server takes longer to boot than the web server.)  IP-based VirtualHost
> > entries will still work; name-based entries will go through slow, painful
> > DNS lookup attempts, and finally fail. (After about 30 sec for each
> > VirtualHost.)
> > 
> > There are other alternatives like adding the names to /etc/hosts or
> > running a slave DNS server on the web server to make sure there is
> > something to answer the DNS requests as Apache starts. Or you can do it
> > the easy way and just list the IP addresses in httpd.conf. (Or where
> > ever you keep your virtual host declarations.)
> > 
> For SSL this is not quite true. See
> http://www.modssl.org/docs/2.6/ssl_faq.html#ToC46. Sure, the server
> will start, but it will not exactly seem very nice at the client end.


<whisper>
Shhh...  Don't tell my web servers!  :)  
</whisper>


I've got plenty of virtual hosts running on my servers, and not a single
IP address listed in any of my web server configuration files.  The
material you quoted refers to the Apache recommendation that you use

   <VirtualHost 111.211.154.215>  

rather than

   <VirtualHost www.mydomain.com>

If the web server is not able to resolve the names to IP addresses
during boot, you get to wait a full DNS timeout for each virtual host
you have configured.  It can take a VERY LONG time.  I know, I've done
it.  You can either kill the boot in progress and then restart the machine
in single user mode, or go to lunch...  it should be done booting in
15-30 minutes. The easy way to prevent the problem is to just list the
IP addresses rather than the host names in your Apache configuration.

I fixed the 'DNS during startup' problem long before the suggestion to
list VirtualHost by IP address rather than name popped up in the FAQ.  I
know I am going to have to renumber many of my virtual hosts soon, so I
have everything set up to rely on DNS.


> The only way to get NameBased vhosts to function without too much
> trouble would be to get a "wildcard" certificate - like *.domain.com
> and then setting up the vhosts as aaa.domain.com, zzz.domain.com etc.
> I think Thawte will sell you a cert like that.
>   


Wildcard certificates allow you to authenticate many web servers within
your domain, and pay for only one certificate.  You pay much more for a
wildcard certificate, but if you have more than 5 hosts in your domain
that need SSL it is cost effective.  (At least when I checked Thawte's
prices a few months ago.)

They have no effect on the requirement for a different IP address for
each SSL enabled virtual host.  The only way I know of to get around
this is using different ports for each virtual host.  This is the
subject of the FAQ you referenced.


Just to make sure we are talking about the same thing, when I hear 'Name
Based vhosts' I think of:


NameVirtualHost 123.134.145.156

<VirtualHost www.somedomain.com>
    ..
    ..
    ..
</VirtualHost>

<VirtualHost www.anotherdomain.com>
    ..
    ..
    ..
</VirtualHost>


Where you have two or more virtual domains sharing the same IP address.
This is a great way to save IP addresses, but it will not work with SSL.
You can use it for non-SSL VirtualHosts on the same server with SSL
VirtualHosts.  You can even have one SSL VirtualHost in each
NameVirtualHost block.  The problem is, you can only have one.


I hope you can prove me wrong on this, it would make my life much
easier, but I'm pretty sure about it.

Rick Widmer
http://www.developersdesk.com
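As an added example, not part of this thread or of Apache itself, the following Python script checks an httpd.conf fragment for the two problems discussed above: VirtualHost addresses given as host names (each one costs a DNS lookup, and a full DNS timeout if DNS is down, at startup) and more than one SSL-enabled VirtualHost sharing a single IP:port (the one-SSL-host-per-address limit the post describes; a wildcard certificate does not change it). The configuration it scans is constructed for the example; the parsing is a simplified regex, not Apache's own config parser.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample httpd.conf fragment (not from the original post).
SAMPLE_CONF = """\
NameVirtualHost 123.134.145.156

<VirtualHost www.somedomain.com>
    ServerName www.somedomain.com
    DocumentRoot /www/somedomain
</VirtualHost>

<VirtualHost www.anotherdomain.com>
    ServerName www.anotherdomain.com
    DocumentRoot /www/anotherdomain
</VirtualHost>

# Two SSL hosts on one IP:port - only one of them can be served correctly.
<VirtualHost 123.134.145.156:443>
    ServerName secure.somedomain.com
    SSLEngine on
</VirtualHost>

<VirtualHost 123.134.145.156:443>
    ServerName secure.anotherdomain.com
    SSLEngine on
</VirtualHost>

# A second IP address for the third SSL host: no conflict.
<VirtualHost 123.134.145.157:443>
    ServerName secure.thirddomain.com
    SSLEngine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>",
                      re.IGNORECASE | re.DOTALL)
SSL_ON_RE = re.compile(r"^\s*SSLEngine\s+on\b", re.IGNORECASE | re.MULTILINE)
SERVER_NAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def split_address(token):
    """Split one VirtualHost address token into (host, port).

    Handles 1.2.3.4, 1.2.3.4:443, www.example.com:443, [::1]:443 and '*'.
    Port defaults to '*' (any port the server listens on)."""
    if token.startswith("["):                 # bracketed IPv6 literal
        host, _, rest = token[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else "*"
        return host, port
    host, sep, port = token.rpartition(":")
    if sep and port.isdigit():
        return host, port
    return token, "*"


def is_ip_literal(host):
    """True for numeric addresses and Apache's '*' / '_default_' wildcards."""
    if host in ("*", "_default_"):
        return True
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_vhosts(conf):
    """Return [(addresses, body)], addresses being a list of (host, port)."""
    vhosts = []
    for addr_field, body in VHOST_RE.findall(conf):
        addrs = [split_address(t) for t in addr_field.split()]
        vhosts.append((addrs, body))
    return vhosts


def name_based_addresses(conf):
    """Hosts named rather than numbered in <VirtualHost>: each costs a DNS
    lookup at startup, and a full DNS timeout when DNS is unreachable."""
    found = []
    for addrs, _body in parse_vhosts(conf):
        for host, _port in addrs:
            if not is_ip_literal(host) and host not in found:
                found.append(host)
    return found


def ssl_conflicts(conf):
    """(host, port) pairs that carry more than one SSL-enabled vhost.

    Assumption encoded here, as the post describes: one SSL vhost per
    IP:port, because the certificate is chosen before any Host header
    is seen. Wildcard certificates do not lift this limit."""
    ssl_names = defaultdict(list)
    for addrs, body in parse_vhosts(conf):
        if not SSL_ON_RE.search(body):
            continue
        m = SERVER_NAME_RE.search(body)
        name = m.group(1) if m else "<unnamed>"
        for addr in addrs:
            ssl_names[addr].append(name)
    return {addr: names for addr, names in ssl_names.items() if len(names) > 1}


if __name__ == "__main__":
    for host in name_based_addresses(SAMPLE_CONF):
        print(f"name-based address (DNS lookup at startup): {host}")
    for (host, port), names in ssl_conflicts(SAMPLE_CONF).items():
        print(f"SSL conflict on {host}:{port}: {', '.join(names)}")
```

Run against the sample, the script lists the two named addresses and reports the two SSL hosts competing for 123.134.145.156:443, while the host on its own IP is silent. Listing the addresses numerically removes the first finding; giving each SSL host its own IP address or port removes the second.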


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
