Gian Maria Gamboni wrote:
> 
> Hi All!
> I'm new to mod_ssl, so the things which I'm going to say may sound
> ridiculous but I'm not able to solve this:
> I have just three virtualhosts which should listen on 80 and 443 at the same
> time, how can I do this ?
> 
> I've just built the new release 1.3.19 with mod_ssl-2.8.1 on the machine which
> was previously running 1.3.17 without mod_ssl on a FreeBSD 4.1 i386 platform.
> At this point I need to run some parts of a site under SSL and others
> normally as shown below :
> 
> This configuration works fine on port 80 but not on 443, WHY ?
> 

In a nutshell: You can't do Name-Based Virtual Hosting with SSL.

Check out the following from earlier this week:

http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47

Q: Why is it not possible to use Name-Based Virtual Hosting to identify
different SSL virtual hosts? 

A: Name-Based Virtual Hosting is a very popular method of identifying
different virtual hosts. It allows you to use the same IP address and
the same port number for many different sites. When people move on to
SSL, it seems natural to assume that the same method can be used to have
lots of different SSL virtual hosts on the same server. 

It comes as rather a shock to learn that it is impossible. 

The reason is that the SSL protocol is a separate layer which
encapsulates the HTTP protocol. So the problem is that the SSL session
is a separate transaction that takes place before the HTTP session even
starts. Therefore all the server receives is an SSL request on IP
address X and port Y (usually 443). Since the SSL request does not
contain any Host: field, the server has no way to decide which SSL
virtual host to use. Usually, it will just use the first one it finds
that matches the port and IP address. 

You can, of course, use Name-Based Virtual Hosting to identify many
non-SSL virtual hosts (all on port 80, for example) and then you can
have no more than 1 SSL virtual host (on port 443). But if you do this,
you must make sure to put the non-SSL port number on the NameVirtualHost
directive, e.g. 

     NameVirtualHost 192.168.1.1:80 

Other workaround solutions are: 

     Use separate IP addresses for different SSL hosts. 
     Use different port numbers for different SSL hosts. 


Rgds,

Owen Boyle.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
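
A layout that follows the FAQ advice quoted above, as an added example that is not part of the original message or of the mod_ssl documentation: name-based hosts on port 80 and one IP address per SSL host on port 443. The addresses, host names and file paths are constructed placeholders, and only two of the three hosts are shown; the third follows the same pattern.

```apache
# Constructed example: IP addresses, host names and paths are placeholders.
Listen 80
Listen 443

# Name-based matching is declared for port 80 only. Leaving the port off
# would make it apply to 443 as well, where the Host: header is not yet
# available when the certificate has to be chosen.
NameVirtualHost 192.168.1.1:80

<VirtualHost 192.168.1.1:80>
    ServerName www.site-a.example
    DocumentRoot /usr/local/www/site-a
</VirtualHost>

<VirtualHost 192.168.1.1:80>
    ServerName www.site-b.example
    DocumentRoot /usr/local/www/site-b
</VirtualHost>

# SSL hosts are IP-based: one address per certificate. The server selects
# the virtual host, and therefore the certificate, from the destination
# address of the connection. 192.168.1.2 must be configured on the machine
# (for example as an interface alias) and published in DNS for site-b.
<VirtualHost 192.168.1.1:443>
    ServerName www.site-a.example
    DocumentRoot /usr/local/www/site-a-ssl
    SSLEngine on
    SSLCertificateFile    /usr/local/etc/apache/ssl.crt/site-a.crt
    SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/site-a.key
</VirtualHost>

<VirtualHost 192.168.1.2:443>
    ServerName www.site-b.example
    DocumentRoot /usr/local/www/site-b-ssl
    SSLEngine on
    SSLCertificateFile    /usr/local/etc/apache/ssl.crt/site-b.crt
    SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/site-b.key
</VirtualHost>
```

If both SSL blocks were placed on the same address and port, the behaviour the FAQ describes applies: the first matching block answers every request, so clients asking for the second site receive the first site's certificate and see a name mismatch.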
