Greetings,
I have been reading the thread relating to the problem of using an SSL
virtual host along with name-based virtual hosting (NBVH). I ran into
this problem myself but I think I have solved it in a fairly simple way
and I thought others might be interested in this solution. I'd also be
interested if anyone can see any nasty side-effects of the solution...
The Problem:
------------
You have one IP address serving two or more different sites using NBVH.
Your config-file looks like this (only important directives shown):
NameVirtualHost 192.168.200.1
<VirtualHost 192.168.200.1>
ServerName banana.fruit.com
DocumentRoot /home/banana
</VirtualHost>
<VirtualHost 192.168.200.1>
ServerName kiwi.fruit.com
DocumentRoot /home/kiwi
</VirtualHost>
Now you want to add an SSL virtual host. So you just add something like:
<VirtualHost 192.168.200.1:443>
ServerName ssl.fruit.com
DocumentRoot /home/ssl
SSLEngine On
</VirtualHost>
However, the problem is that (as I understand it):
- The GET request for the SSL page comes in already encrypted (the
browser knows to encrypt it because the URL begins with "https").
- The server tries to do virtual host resolution first so tries to find
the ServerName in the request.
- Since the request is encrypted, it can't get the ServerName.
- Without the ServerName, it doesn't know which VirtualHost to use.
- So it can't start the SSL engine since it hasn't seen an "SSLEngine
On" directive because this is in the SSL virtual host definition.
- So we've come full circle and we're stuck.
The Solution:
-------------
The recommended solution is to use a different IP address for the SSL
virtual host. This would obviously solve the problem since the server
can go immediately to the SSL VirtualHost as soon as it receives a
request on that IP address - no need to look in the request for a
ServerName. It then sees it has to start SSL and we're off.
However, the solution I tried was to define the port numbers explicitly
when declaring the IP addresses. The config file is then:
# Name-based resolution is declared for port 80 only
NameVirtualHost 192.168.200.1:80
<VirtualHost 192.168.200.1:80>
ServerName banana.fruit.com
DocumentRoot /home/banana
</VirtualHost>
<VirtualHost 192.168.200.1:80>
ServerName kiwi.fruit.com
DocumentRoot /home/kiwi
</VirtualHost>
# Port 443 is not under NameVirtualHost, so this host is chosen by IP:port
<VirtualHost 192.168.200.1:443>
ServerName ssl.fruit.com
DocumentRoot /home/ssl
SSLEngine On
</VirtualHost>
Now, I guess, the server uses the port number to decide whether to do
name-based virtual host resolution and if it receives a request on port
443 it does not attempt NBVH.
This seems to work for me and I'd be interested to hear if anyone knows
of any pitfalls of this approach.
Best regards,
Owen Boyle.
--
SWX Swiss Exchange, 10 Cours de Rive, 1211 Geneve 3
--------------------------+-------------------------
Phone: +41 (0)22 849 5648 | Fax: +41 (0)22 849 5643
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
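As an added check, not part of Owen's post or of mod_ssl itself, here is a small Python lint over constructed copies of the two configurations discussed above: it flags an "SSLEngine On" vhost whose IP is covered by a port-less NameVirtualHost and accepts the explicit-port layout. The regex parsing is a deliberately minimal assumption, not Apache's own config parser, and it does not handle IPv6 bracket syntax.

```python
import re

# Constructed sample configs (not from a live server), mirroring the two
# variants in the post: port-less NameVirtualHost vs. explicit ports.
BROKEN_CONF = """
NameVirtualHost 192.168.200.1
<VirtualHost 192.168.200.1>
  ServerName banana.fruit.com
</VirtualHost>
<VirtualHost 192.168.200.1>
  ServerName kiwi.fruit.com
</VirtualHost>
<VirtualHost 192.168.200.1:443>
  ServerName ssl.fruit.com
  SSLEngine On
</VirtualHost>
"""
FIXED_CONF = (BROKEN_CONF
              .replace("NameVirtualHost 192.168.200.1\n", "NameVirtualHost 192.168.200.1:80\n")
              .replace("<VirtualHost 192.168.200.1>", "<VirtualHost 192.168.200.1:80>"))

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def split_addr(spec):
    """'ip:port' -> (ip, port); a bare 'ip' -> (ip, None). IPv6 brackets not handled."""
    ip, sep, port = spec.rpartition(":")
    return (ip, port) if sep else (spec, None)

def parse_conf(conf):
    """Return (NameVirtualHost specs, [(addr_spec, servername, ssl_enabled), ...])."""
    nvh = re.findall(r"^\s*NameVirtualHost\s+(\S+)", conf, re.M | re.I)
    vhosts = []
    for m in VHOST_RE.finditer(conf):
        spec, body = m.group(1).strip(), m.group(2)
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        ssl = re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I) is not None
        vhosts.append((spec, name.group(1) if name else "(no ServerName)", ssl))
    return nvh, vhosts

def check(conf):
    """List SSL vhosts whose IP sits under a port-less NameVirtualHost, i.e. the
    combination the post describes as leaving the server unable to pick the
    SSL vhost. An empty list means the explicit-port layout is in use."""
    nvh, vhosts = parse_conf(conf)
    findings = []
    for spec in nvh:
        ip, port = split_addr(spec)
        if port is not None:
            continue  # explicit port: NBVH is limited to that port, nothing to flag
        for vspec, name, ssl in vhosts:
            if ssl and split_addr(vspec)[0] == ip:
                findings.append(f"{name} ({vspec}) is covered by port-less "
                                f"'NameVirtualHost {spec}'; use '{ip}:80'")
    return findings

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, check(conf) or "OK")
```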