Re: [us...@httpd] Questions about implementing SSL/VirtualHosts

2009-12-15 Thread Dan Schaefer

Peter Schober wrote:
> * Boyle Owen  [2009-12-15 10:22]:
> > > -Original Message-
> > > From: Justin Pasher [mailto:just...@newmediagateway.com]
> > > (a) Single FQDN, single DocumentRoot - Single IP.
> > > (b) Multiple FQDN, single DocumentRoot - Single IP, assuming cert
> > > supports all (sub)domains listed. Otherwise Multiple IP
> > > (c) Multiple FQDN, multiple DocumentRoot - Multiple IP addresses (one
> > > for each FQDN)
> >
> > Why is no-one mentioning the SubjectAltName solution
> > (http://marc.info/?l=apache-httpd-users&m=125889530300657&w=2)? Does it
> > not really work or is no-one actually using it?
>
> Because I'm tired of constantly repeating myself ;)

It sounds like the Apache list is a little crankier than other lists that
I'm subscribed to. ;-)


My situation is described in option (b) including the assumption. I 
think I'm going to be ok. I will just plan on making the change on a 
Sunday when our customers are not using our system (car dealerships). 
Thanks all for your advice and insight.


Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.




Re: [us...@httpd] Questions about implementing SSL/VirtualHosts

2009-12-15 Thread Peter Schober
* Boyle Owen  [2009-12-15 10:22]:
> > -Original Message-
> > From: Justin Pasher [mailto:just...@newmediagateway.com] 
> > (a) Single FQDN, single DocumentRoot - Single IP.
> > (b) Multiple FQDN, single DocumentRoot - Single IP, assuming cert 
> > supports all (sub)domains listed. Otherwise Multiple IP
> > (c) Multiple FQDN, multiple DocumentRoot - Multiple IP addresses (one 
> > for each FQDN)
> 
> Why is no-one mentioning the SubjectAltName solution
> (http://marc.info/?l=apache-httpd-users&m=125889530300657&w=2)? Does it
> not really work or is no-one actually using it?

Because I'm tired of constantly repeating myself ;)

But I guess it's actually contained in variant (b) listed above, since
all hostnames are listed in a single certificate. Just not using
wildcard certs (which our CA-contract does not allow, btw).

And yes, this works just fine (we're stuffing as many vhosts into a
cert as the CA allows and split off a new IP/certificate once that
overflows).
-peter

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



RE: [us...@httpd] Questions about implementing SSL/VirtualHosts

2009-12-15 Thread Boyle Owen
> -Original Message-
> From: Justin Pasher [mailto:just...@newmediagateway.com] 
> 
> Many others have provided some information, but here's a 
> basic summary 
> (assuming no SNI support):
> 
> (a) Single FQDN, single DocumentRoot - Single IP.
> (b) Multiple FQDN, single DocumentRoot - Single IP, assuming cert 
> supports all (sub)domains listed. Otherwise Multiple IP
> (c) Multiple FQDN, multiple DocumentRoot - Multiple IP addresses (one 
> for each FQDN)

Why is no-one mentioning the SubjectAltName solution
(http://marc.info/?l=apache-httpd-users&m=125889530300657&w=2)? Does it
not really work or is no-one actually using it?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> 
> -- 
> Justin Pasher
> 



Re: [us...@httpd] Questions about implementing SSL/VirtualHosts

2009-12-14 Thread Justin Pasher

Dan Schaefer wrote:
> Does it help to mention that my example.com and www.example.com
> certificates are the exact same cert? My apologies for not mentioning
> this in the beginning. If and when we do add SSL to other subdomains,
> they will be different certs. I *don't* see that happening in the near
> future, however. Will I be able to use the same public IP for both
> example.com and www.example.com?


Many others have provided some information, but here's a basic summary 
(assuming no SNI support):


(a) Single FQDN, single DocumentRoot - Single IP.
(b) Multiple FQDN, single DocumentRoot - Single IP, assuming cert 
supports all (sub)domains listed. Otherwise Multiple IP
(c) Multiple FQDN, multiple DocumentRoot - Multiple IP addresses (one 
for each FQDN)


--
Justin Pasher




Re: [us...@httpd] Questions about implementing SSL/VirtualHosts

2009-12-14 Thread Roger
>
> http://markmail.org/message/yr52ptnpgbocgvad
>
> But we should just push for SNI, I guess.
> -peter

Yea I agree.

-r




Re: [us...@httpd] Questions about implementing SSL/VirtualHosts

2009-12-14 Thread Peter Schober
* Roger  [2009-12-14 17:47]:
> The situation that I was talking about is that if someone accesses
> http://example.com or http://www.example.com
> then redirect to either https://www.example.com OR https://example.com.

Sure.

> But of course, you cannot stop someone from trying to access
> https://www.example.com when you only have SSL for
> https://example.com or the other way around.

Given that hardly anyone ever types complete URLs including the
schema, sticking with a single SSL vhost and redirecting to that from
all the plain HTTP vhosts is very probably "good enough".

> But sometimes multiple public IPs are not an option.

http://markmail.org/message/yr52ptnpgbocgvad

But we should just push for SNI, I guess.
-peter




Re: [us...@httpd] Questions about implementing SSL/VirtualHosts

2009-12-14 Thread Roger
> If both vhosts are accessed via https you'll need both covered, as the
> ssl connection happens before the redirect (as has been pointed out
> dozens of times in recent weeks),
> -peter
>

The situation that I was talking about is that if someone accesses
http://example.com or http://www.example.com
then redirect to either https://www.example.com OR https://example.com.

But of course, you cannot stop someone from trying to access
https://www.example.com when you only have SSL for https://example.com
or the other way around. But sometimes multiple public IPs are not an option.

-r




Re: [us...@httpd] Questions about implementing SSL/VirtualHosts

2009-12-14 Thread Dan Schaefer

Peter Schober wrote:
> * Roger  [2009-12-14 17:26]:
> > Is the content under example.com and www.example.com the same?
> > If it is, then just redirect all requests to example.com, www.example.com to one
> > location. You don't need two certificates. In my opinion, if it is the same
> > content then having multiple certificates is not cost effective.
>
> If both vhosts are accessed via https you'll need both covered, as the
> ssl connection happens before the redirect (as has been pointed out
> dozens of times in recent weeks),
> -peter

I'm sorry, but I just joined the list on Friday.

Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.



Re: [us...@httpd] Questions about implementing SSL/VirtualHosts

2009-12-14 Thread Peter Schober
* Roger  [2009-12-14 17:26]:
> Is the content under example.com and www.example.com the same?
> If it is, then just redirect all requests to example.com, www.example.com to one
> location. You don't need two certificates. In my opinion, if it is the same
> content then having multiple certificates is not cost effective.

If both vhosts are accessed via https you'll need both covered, as the
ssl connection happens before the redirect (as has been pointed out
dozens of times in recent weeks),
-peter




Re: [us...@httpd] Questions about implementing SSL/VirtualHosts

2009-12-14 Thread Dan Schaefer

Roger wrote:
> > Does it help to mention that my example.com and www.example.com certificates
> > are the exact same cert? My apologies for not mentioning this in the
> > beginning. If and when we do add SSL to other subdomains, they will be
> > different certs. I don't see that happening in the near future, however.
> > Will I be able to use the same public IP for both example.com and
> > www.example.com?
>
> Is the content under example.com and www.example.com the same?
> If it is, then just redirect all requests to example.com, www.example.com to one
> location. You don't need two certificates. In my opinion, if it is the same
> content then having multiple certificates is not cost effective.
>
> -r

Roger,
You make a good point. Yes, the DocumentRoot is the exact same and shows 
the same content.  In fact, as stated in my OP, although not very clear, 
all http and https sites will have the same DocumentRoot on this server. 
Will the said redirect need to be a htaccess rule?


Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.




Re: [us...@httpd] Questions about implementing SSL/VirtualHosts

2009-12-14 Thread Roger
>
> Does it help to mention that my example.com and www.example.com certificates
> are the exact same cert? My apologies for not mentioning this in the
> beginning. If and when we do add SSL to other subdomains, they will be
> different certs. I don't see that happening in the near future, however.
> Will I be able to use the same public IP for both example.com and
> www.example.com?

Is the content under example.com and www.example.com the same?
If it is, then just redirect all requests to example.com, www.example.com to one
location. You don't need two certificates. In my opinion, if it is the same
content then having multiple certificates is not cost effective.

-r




Re: [us...@httpd] Questions about implementing SSL/VirtualHosts

2009-12-14 Thread Dan Schaefer

Justin Pasher wrote:
> Dan Schaefer wrote:
> > So are you suggesting that I need multiple public IPs to implement
> > this, or just multiple private IPs? Private IPs is not a problem,
> > however, due to the fact that we have limited public IPs in our
> > range, it could be a problem if and when we add new SSL certs.
> > We would need to re-evaluate our ISP contract before it expires.
>
> You will need a unique public IP address for each SSL site (e.g. FQDN)
> you are planning on running, unless you have a wildcard cert for
> multiple subdomains that should all pull the same VirtualHost content.
> Since SSL encrypts all of the data sent between the server, including
> the Host: header, there's no way for Apache to know which VirtualHost
> should handle the request unless it is IP based. SNI[1] is a new
> extension that allows the Host header to be sent separately, thus
> eliminating the need for dedicated IP addresses, but it does not have
> universal browser support (most notably for IE 7.0 only on Vista or
> higher).
>
> Now, if these sites are being used by the general public, then you
> don't have to assign unique public IP addresses, assuming the sites
> are only being accessed through the private IP address on the local
> network.
>
> [1] http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

Does it help to mention that my example.com and www.example.com 
certificates are the exact same cert? My apologies for not mentioning 
this in the beginning. If and when we do add SSL to other subdomains, 
they will be different certs. I *don't* see that happening in the near 
future, however. Will I be able to use the same public IP for both 
example.com and www.example.com?


Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.



Re: [us...@httpd] Questions about implementing SSL/VirtualHosts

2009-12-14 Thread Justin Pasher

Dan Schaefer wrote:
> So are you suggesting that I need multiple public IPs to implement
> this, or just multiple private IPs? Private IPs is not a problem,
> however, due to the fact that we have limited public IPs in our range,
> it could be a problem if and when we add new SSL certs. We would
> need to re-evaluate our ISP contract before it expires.


You will need a unique public IP address for each SSL site (e.g. FQDN) 
you are planning on running, unless you have a wildcard cert for 
multiple subdomains that should all pull the same VirtualHost content. 
Since SSL encrypts all of the data sent between the server, including 
the Host: header, there's no way for Apache to know which VirtualHost 
should handle the request unless it is IP based. SNI[1] is a new 
extension that allows the Host header to be sent separately, thus 
eliminating the need for dedicated IP addresses, but it does not have 
universal browser support (most notably for IE 7.0 only on Vista or higher).


Now, if these sites are being used by the general public, then you don't 
have to assign unique public IP addresses, assuming the sites are only 
being accessed through the private IP address on the local network.



[1] http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

--
Justin Pasher
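
Added example, not part of the original thread: with SNI the requested hostname travels unencrypted in the TLS ClientHello, which is what lets a server pick a name-based VirtualHost before any certificate is sent. The Python sketch below generates a ClientHello in memory (no network), parses the server_name extension, and falls back to a default vhost for a client that sends none; `select_vhost` and its `vhosts` mapping are hypothetical names for illustration, not Apache code.

```python
import ssl
import struct


def make_client_hello(hostname):
    """Return the raw ClientHello a TLS client would send for `hostname`.
    Produced in memory by Python's ssl module; nothing touches the network."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for a ServerHello
    return outgoing.read()


def sni_from_client_hello(data):
    """Return the server_name in a ClientHello, or None if the client sent none."""
    # Reassemble handshake bytes from the record layer (content type 22).
    hs, pos = b"", 0
    while pos + 5 <= len(data):
        rtype, _version, rlen = struct.unpack_from("!BHH", data, pos)
        if rtype != 22:
            break
        hs += data[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    if len(hs) < 4 or hs[0] != 1:  # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    p = 2 + 32                                      # client_version + random
    p += 1 + body[p]                                # session_id
    p += 2 + int.from_bytes(body[p:p + 2], "big")   # cipher_suites
    p += 1 + body[p]                                # compression_methods
    if p + 2 > len(body):
        return None                                 # no extensions: pre-SNI client
    end = p + 2 + int.from_bytes(body[p:p + 2], "big")
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, p)
        p += 4
        # Extension 0 = server_name: list length (2), name_type (1), name length (2)
        if etype == 0 and elen >= 5 and body[p + 2] == 0:
            nlen = int.from_bytes(body[p + 3:p + 5], "big")
            return body[p + 5:p + 5 + nlen].decode("ascii")
        p += elen
    return None


def select_vhost(client_hello, vhosts, default):
    """Hypothetical name-based selection at handshake time: the vhost for the
    SNI name if one was sent and is configured, otherwise the default vhost."""
    name = sni_from_client_hello(client_hello)
    return vhosts.get(name, default) if name else default


if __name__ == "__main__":
    hello = make_client_hello("www.example.com")  # constructed sample input
    print(sni_from_client_hello(hello))
```

A client without SNI support always lands on the default vhost and receives that vhost's certificate, which is why the thread falls back to one IP per certificate.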




Re: [us...@httpd] Questions about implementing SSL/VirtualHosts

2009-12-14 Thread Dan Schaefer

Justin Pasher wrote:
> Serge Fonville wrote:
> > Hi,
> >
> > > > My company is wanting to keep this configuration for port 80 and add an
> > > > SSL certificate for just the www.example.com and example.com hostnames. Is
> > > > it possible to have Virtualhosts for just the 443 port and still allow
> > > > *.example.com to react the same way it does now?
> > >
> > > Yes, it is. However, you'll generally need separate IP addresses for
> > > www.example.com and example.com. Then just define the virtual hosts
> >
> > Not necessarily,
> >
> > You can use virtualdocumentroot instead of virtualhosts.
> > Almost all config in virtualhosts directives can also be done in
> > htaccess, which you can even put one level higher.
>
> I believe he recommended multiple VirtualHost containers because the
> OP was asking about essentially two SSL sites (www.example.com and
> example.com), which requires individual IP address to get universal
> browser support (i.e. without SNI). Even with a wildcard cert for
> *.example.com, I don't believe that will work to example.com.

So are you suggesting that I need multiple public IPs to implement this,
or just multiple private IPs? Private IPs is not a problem, however, due
to the fact that we have limited public IPs in our range, it could be a
problem if and when we add new SSL certs. We would need to
re-evaluate our ISP contract before it expires.


Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.





Re: [us...@httpd] Questions about implementing SSL/VirtualHosts

2009-12-14 Thread Justin Pasher

Serge Fonville wrote:
> Hi,
>
> > > My company is wanting to keep this configuration for port 80 and add an
> > > SSL certificate for just the www.example.com and example.com hostnames. Is
> > > it possible to have Virtualhosts for just the 443 port and still allow
> > > *.example.com to react the same way it does now?
> >
> > Yes, it is. However, you'll generally need separate IP addresses for
> > www.example.com and example.com. Then just define the virtual hosts
>
> Not necessarily,
>
> You can use virtualdocumentroot instead of virtualhosts.
> Almost all config in virtualhosts directives can also be done in
> htaccess, which you can even put one level higher.

I believe he recommended multiple VirtualHost containers because the OP
was asking about essentially two SSL sites (www.example.com and
example.com), which requires individual IP address to get universal
browser support (i.e. without SNI). Even with a wildcard cert for
*.example.com, I don't believe that will work to example.com.



--
Justin Pasher
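
Added example, not part of the original thread: a Python check of which HTTPS hostnames a single certificate on a shared IP actually covers, illustrating both the wildcard remark above and the "assuming cert supports all (sub)domains listed" condition in option (b) of the summary. The matching follows the usual RFC 6125 browser rule; `pack_into_certs` and its `max_names` limit are hypothetical stand-ins for the "as many vhosts as the CA allows" approach described in the thread.

```python
def name_matches(pattern, hostname):
    """Match one certificate dNSName against a requested hostname.
    A '*' is honoured only as the whole left-most label and stands for
    exactly one label, as browsers apply RFC 6125."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # '*.example.com' has 3 labels, 'example.com' has 2
    if p[0] == "*":
        # require at least two fixed labels after the wildcard
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def coverage(hostnames, san):
    """Map each HTTPS hostname to True if the one certificate bound to the
    shared IP:443 (its dNSName entries given in `san`) is valid for it."""
    return {h: any(name_matches(n, h) for n in san) for h in hostnames}


def pack_into_certs(hostnames, max_names):
    """Split vhosts into groups of at most `max_names` names; without SNI each
    group needs its own SubjectAltName certificate and its own IP address.
    `max_names` is an assumed per-certificate limit set by the CA."""
    names = sorted({h.lower() for h in hostnames})
    return [names[i:i + max_names] for i in range(0, len(names), max_names)]


if __name__ == "__main__":
    # Constructed sample data using the thread's placeholder domain.
    sites = ["example.com", "www.example.com"]
    print(coverage(sites, ["*.example.com"]))                # wildcard only
    print(coverage(sites, ["example.com", "www.example.com"]))  # SAN cert
    print(pack_into_certs(sites + ["shop.example.com"], 2))
```

Any hostname that maps to False triggers a certificate name-mismatch warning before a redirect can run, because the TLS handshake completes first.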




Re: [us...@httpd] Questions about implementing SSL/VirtualHosts

2009-12-14 Thread Serge Fonville
Hi,

>> My company is wanting to keep this configuration for port 80 and add an
>> SSL certificate for just the www.example.com and example.com hostnames. Is
>> it possible to have Virtualhosts for just the 443 port and still allow
>> *.example.com to react the same way it does now?
>
> Yes, it is. However, you'll generally need separate IP addresses for
> www.example.com and example.com. Then just define the virtual hosts
>
> 
> 
> 
> 

Not necessarily,

You can use virtualdocumentroot instead of virtualhosts.
Almost all config in virtualhosts directives can also be done in
htaccess, which you can even put one level higher.

HTH

Regards,

Serge Fonville


-- 
http://www.sergefonville.nl

Convince Google!!
They need to support Adsense over SSL
https://www.google.com/adsense/support/bin/answer.py?hl=en&answer=10528
http://www.google.com/support/forum/p/AdSense/thread?tid=1884bc9310d9f923&hl=en




Re: [us...@httpd] Questions about implementing SSL/VirtualHosts

2009-12-13 Thread Toomas Aas

Dan Schaefer wrote:
> My company is wanting to keep this configuration for port 80 and add an
> SSL certificate for just the www.example.com and example.com hostnames.
> Is it possible to have Virtualhosts for just the 443 port and still
> allow *.example.com to react the same way it does now?


Yes, it is. However, you'll generally need separate IP addresses for 
www.example.com and example.com. Then just define the virtual hosts







--
Toomas Aas

... Someday we'll look back on all this and plow into a parked car.
