I have a similar problem...hopefully someone has as good an answer.

        I've got a bunch of virtual hosts running on port 80 just fine. I also have
a single HTTPS running on 443. I'd like to have multiple SSL hosts. So far
all my attempts have ended either with all traffic going to the first
virtual host defined in httpd.conf or an unstartable httpd.
        Is this even possible?
        I'm including the pertinent section of my current httpd.conf. I realize the
way it's set up there will be certificate issues with one of the virtual
hosts. I don't really care about certificates, just encryption.

Thanks in advance,
~~Brandon


##
## SSL Virtual Host Context
##

NameVirtualHost *

<VirtualHost _default_:443>

#  General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs/secure/htdocs"
ServerName secure.schoolpeople.net
ServerAdmin [EMAIL PROTECTED]
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /usr/local/apache/conf/secure-spn/secure.schoolpeople.net.cert

SSLCertificateKeyFile /usr/local/apache/conf/secure-spn/secure.schoolpeople.net.key

    ScriptAlias /cgi-bin/ "/usr/local/apache/htdocs/secure/cgi-bin/"
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/apache/htdocs/secure/cgi-bin">
    AllowOverride All
    Options ExecCGI
    Order allow,deny
    Allow from all
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog /usr/local/apache/logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

# ****************************
# Second secure host
# ****************************

<VirtualHost _default_:443>

#  General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs/securetest"
ServerName securetest.schoolpeople.net
ServerAdmin [EMAIL PROTECTED]
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /usr/local/apache/conf/secure-spn/secure.schoolpeople.net.cert

SSLCertificateKeyFile /usr/local/apache/conf/secure-spn/secure.schoolpeople.net.key

    ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/apache/cgi-bin">
    AllowOverride All
    Options ExecCGI
    Order allow,deny
    Allow from all
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog /usr/local/apache/logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Jason Paul McCartan
Sent: Tuesday, December 19, 2000 7:11 AM
To: [EMAIL PROTECTED]
Subject: Re: Opinion on SSL/Virtual Hosting problem


Hi Owen

Thanks for the reply

Owen Boyle wrote:
>
> Jason Paul McCartan wrote:
> > Recently though the server was used to add other name-based virtual
> > domains. Now the SSL through HTTPS is totally unavailable, and when we
> > tried to view anything over HTTPS we get a blank "Page Not Found" page.
> > We have no problem on port 80 for any of the sites. Initially we could
> > hit the same site on HTTP and HTTPS and the SSL would activate. Now on
> > HTTP it works fine, but we get that "Page Not Found" error on HTTPS.
>
> One big trap that a lot of people fall into is that you *cannot* have
> SSL name-based virtual hosts. This is basically because SSL negotiation
> has to be complete before any HTTP traffic can be received - to
> negotiate SSL you need the certificate, which is defined in the VH,
> which is selected using the ServerName, which can only be found from
> HTTP, which can't take place until SSL is established... see the
> problem?

Yup. That's what I was afraid would be the case.

> That aside, you don't actually say you are trying to run SSL VHs so you
> may have a simpler solution - define the port numbers explicitly in the
> NameVirtualHost and VirtualHost directives to avoid ambiguities, e.g:
>
> NameVirtualHost 192.168.1.1:80
>
> # HTTP host1
> <VirtualHost 192.168.1.1:80>
>   Servername www.site1.com
> </VirtualHost>
>
> # HTTP host2
> <VirtualHost 192.168.1.1:80>
>   Servername www.site2.com
> </VirtualHost>
>
> # SSL host
> <VirtualHost 192.168.1.1:443>
>   Servername ssl.site1.com
> </VirtualHost>

We had this working before about 4 months ago before we added a
different domain through the virtual servers. Until then all the virtual
servers belonged to the same name, and we had several on port 80 and
only one on port 443  - pretty much as you defined above.

We're not using SSL based virtual hosts. We only require one SSL enabled
site - https://secure.mydomain.com for example. All the other virtual
servers run on port 80.

> Did you get a warning message when starting the server? Check in the
> common_error_log...

No errors at all. The SSL is up and running as far as we can see. There
are no error messages when we telnet into it as well - it closes the
connection which is what we're aware of what it's supposed to do. We
initially got a "cannot mix * ports and non-* ports" error message when
we changed some of the settings, but we nominated all the ports on the
virtual servers to be port 80 or 443.

At this point I'm thinking that it's best for us to use another IP
address, and move the SSL service onto that, and leave all the name
based virtual hosting on the other IP address. Will this do the trick?

I appreciate the helpfulness of your response.

--
Jason Paul McCartan - [EMAIL PROTECTED]
CEO/President
MindShift Design LLC
http://www.mindshiftdesign.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
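
The layout Jason proposes, applied to the two SSL hosts in Brandon's configuration, as an added example that is not part of the original thread: each SSL host gets its own IP address, so the server picks the virtual host (and its certificate) from the address the client connected to instead of from the Host header. The addresses 192.0.2.10 and 192.0.2.11 are placeholders, the port 80 names are the ones from Owen's sketch, and the SSLCipherSuite value is an assumption.

```apache
# Added example; 192.0.2.10 and 192.0.2.11 are placeholder addresses.

# Name-based hosting stays on port 80 only, with the port spelled out
# as Owen suggests, so it cannot claim the :443 virtual hosts.
NameVirtualHost 192.0.2.10:80

<VirtualHost 192.0.2.10:80>
    ServerName www.site1.com
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName www.site2.com
</VirtualHost>

# SSL host 1: matched on the destination address during the handshake,
# before any HTTP request has been read.
<VirtualHost 192.0.2.10:443>
    ServerName secure.schoolpeople.net
    DocumentRoot "/usr/local/apache/htdocs/secure/htdocs"
    SSLEngine on
    # Assumption: strong suites only. The posted string starts from ALL
    # and keeps LOW, EXP and SSLv2 suites in the list.
    SSLCipherSuite HIGH:!aNULL:!eNULL
    SSLCertificateFile /usr/local/apache/conf/secure-spn/secure.schoolpeople.net.cert
    SSLCertificateKeyFile /usr/local/apache/conf/secure-spn/secure.schoolpeople.net.key
</VirtualHost>

# SSL host 2: a second address, so it no longer overlaps with host 1.
# DNS for securetest.schoolpeople.net must point at this address.
<VirtualHost 192.0.2.11:443>
    ServerName securetest.schoolpeople.net
    DocumentRoot "/usr/local/apache/htdocs/securetest"
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL:!eNULL
    # Same certificate as in the posted configuration, so clients still
    # see a name mismatch here; use a certificate issued for this name
    # to remove it.
    SSLCertificateFile /usr/local/apache/conf/secure-spn/secure.schoolpeople.net.cert
    SSLCertificateKeyFile /usr/local/apache/conf/secure-spn/secure.schoolpeople.net.key
</VirtualHost>
```

Running `apachectl configtest` before a restart catches syntax errors in the edited file.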