A team member was able to find a working solution (issue: single IP, two
domains, one domain requires client auth, the other domain plain SSL,
both functional with the same Apache instance using virtual hosts):

NameVirtualHost <ip-address>:443

<VirtualHost <ip-address>:443>

    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /var/www
    ServerName <domain 1> 
    ErrorLog /var/log/httpd/error_log
    CustomLog /var/log/httpd/access_log common
    
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    
    <Location "/">
         SSLVerifyClient require
         SSLVerifyDepth 5 
         SSLCACertificateFile /etc/httpd/conf/ssl.crt/server-calist.crt
         SSLOptions +StdEnvVars +ExportCertData +OptRenegotiate
    </Location>

</VirtualHost>

<VirtualHost <ip-address>:443>

    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /var/www
    ServerName <domain 2>
    ErrorLog /var/log/httpd/error_log
    CustomLog /var/log/httpd/access_log common
    
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

</VirtualHost>

 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eckard Wille
Sent: Tuesday, June 14, 2005 3:06 AM
To: modssl-users@modssl.org
Subject: Re: SSL Client Auth with Virtual Hosts

Hoda Nadeem wrote:
> Eckard and All,
> 
> Does anybody know if there is any work around to get the following 
> scenario to work?
> 
> 1 IP Address
> 2 domain names attached to the same server IP address
> 2 SSL virtual hosts: 1 with client authentication, 1 without client 
> authentication
> 
> I need to try to avoid using a second IP address for the same server.
> Some folks are insisting that there must be a way to get the scenario 
> to work.

Hi,

Maybe you could reach your goal with some mod_rewrite tricks. The
points mentioned at http://www.modssl.org/docs/2.8/ssl_faq.html#vhosts
are still valid, only one vhost per IP. You could give mod_rewrite a try
to push clients to different directories which are configured for secure
and public SSL access.

Try something like this:

   ServerName www.vhost1.com
   ServerAlias www.vhost2.com

   SSLEngine on
   SSLVerifyClient none
   SSLCACertificateFile conf/ssl.crt/ca.crt

   <Location /ssl/securedir>
     SSLVerifyClient require
     SSLVerifyDepth 1
   </Location>

   RewriteEngine on
   #RewriteLogLevel 7
   #RewriteLog  logs/RewriteLog
   #RewriteCond %{SERVER_NAME}
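   # The alternatives are grouped so that ^ and $ anchor all of them;
   # ungrouped, the bare (/) branch matches every URL, redirect target included.
   RewriteCond %{HTTP_HOST}               www.vhost1.com
   RewriteRule ^(/index\.htm|/|)$         /ssl/securedir [R,L]

   RewriteCond %{HTTP_HOST}               www.vhost2.com
   RewriteRule ^(/index\.htm|/|)$         /ssl/public [R,L]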

This would just be a starting switch, modify the regexp to push all
desired content into the matching secure location (see
http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6). I personally did
not try this, but if this does not work maybe mod_setenvif can be used
to distinguish the different names.

Greetings from Germany,
Eckard
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
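
An added example, not part of the thread and not mod_ssl code: a small Python resolver that reads vhost configurations shaped like the ones above and reports the effective SSLVerifyClient level for a given host name and path, which is the property both configurations depend on. The address, host names and function names are assumptions; it handles only ServerName, <Location> prefixes and SSLVerifyClient, applying the vhost-wide value first and then matching <Location> blocks in file order.

```python
# Constructed sample mirroring the two-vhost layout in the first message;
# the address and host names are placeholders, not values from the thread.
SAMPLE = """\
<VirtualHost 192.0.2.10:443>
    ServerName secure.example.test
    <Location "/">
        SSLVerifyClient require
    </Location>
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName public.example.test
</VirtualHost>
"""

def parse_vhosts(conf):
    """Map ServerName -> ordered [(location, level)] SSLVerifyClient settings.
    location is "" for a directive placed outside any <Location> block."""
    vhosts, name, rules, scope = {}, None, None, ""
    for line in (raw.strip() for raw in conf.splitlines()):
        low = line.lower()
        if low.startswith("<virtualhost"):
            name, rules, scope = None, [], ""
        elif rules is None or not line or line.startswith("#"):
            continue  # outside a vhost, blank line, or comment
        elif low.startswith("</virtualhost"):
            vhosts[name], rules = rules, None
        elif low.startswith("<location"):
            scope = line[len("<location"):].rstrip(">").strip().strip('"')
        elif low.startswith("</location"):
            scope = ""
        else:
            key, *rest = line.split(None, 1)
            value = rest[0].strip() if rest else ""
            if key.lower() == "servername":
                name = value
            elif key.lower() == "sslverifyclient":
                rules.append((scope, value.lower()))
    return vhosts

def client_cert_level(vhosts, host, path):
    """Effective SSLVerifyClient for host + path. The mod_ssl default is
    "none"; a later matching <Location> overrides an earlier setting."""
    level = "none"
    # Stable sort: vhost-wide entries first, <Location> entries in file order.
    for scope, value in sorted(vhosts[host], key=lambda r: r[0] != ""):
        if not scope or path == scope or path.startswith(scope.rstrip("/") + "/"):
            level = value
    return level
```

Run against the redirect-based layout, it shows that enforcement there is tied to the /ssl/securedir path rather than to the host name, so the rewrite rules only steer clients and the <Location> block is what actually demands the certificate.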