Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change 
notification.

The following page has been changed by slive:
http://wiki.apache.org/httpd/ScratchPad/NameBasedSSLVHosts

The comment on the change is:
Major rewrite; sorry, I couldn't resist

------------------------------------------------------------------------------
- == NameBased VirtualHosts and SSL ==
+ == Name-Based VirtualHosts and SSL ==
  
+ As a rule, it is impossible to host more than one SSL virtual host on the 
same IP address and port. This is because Apache needs to know the name of the 
host in order to choose the correct certificate to setup the encryption layer. 
But the name of the host being requested is contained only in the HTTP request 
headers, which are part of the encrypted content. It is therefore not available 
until after the encryption is already negotiated. This means that the correct 
certificate cannot be selected, and clients will receive certificate mismatch 
warnings and be vulnerable to man-in-the-middle attacks.
- In {{{#Apache}}} we often see people asking how they can host more than one 
SSL vhost, on the same IP address.
- As a rule this is not something that can be done because the SSL Handshake 
happens before Apache knows the !ServerName you are trying to connect to, and 
so doesn't know which SSL Certificate/Key to use for the SSL Handshake!
  
- However, in certain scenarios this can be overcome. But there are several 
criteria and caveats that must be considered and met: 
+ In reality, Apache will allow you to configure name-based SSL virtual hosts, 
but it will always use the configuration from the first-listed virtual host (on 
the selected IP address and port) to setup the encryption layer. In certain 
specific circumstances, it is acceptable to use a single SSL configuration for 
several virtual hosts. In particular, this will work if the SSL certificate 
applies to all the virtual hosts. For example, this will work if:
  
-  1. You can only host !VirtualHost's within the same domain, eg: 
one.example.com and two.example.com.
+  1. All the !VirtualHosts are within the same domain, eg: one.example.com and 
two.example.com.
-  2. You need a wildcard SSL certificate (one where the Common Name begins 
with an asterix: i.e  {{{*.example.com}}})
+  2. You have a wildcard SSL certificate for that domain (one where the Common 
Name begins with an asterix: i.e  {{{*.example.com}}})
- 
- You should still be able to do the following:
- 
-  1. SSL !VirtualHost for a different domain (example2.com), as long as you 
use a different IP Address (i.e. one that is not used by the wildcard sites):
  
  
+ Here is the config snippet for two SSL !NameVirtualHost's, using a single 
wildcard SSL certificate. Remember that the SSL directives from the second 
virtual host will be ignored when setting up the initial SSL connection.
- {{{
- <VirtualHost 192.168.1.2:443>
- ServerName www.example2.com
- ...
- </VirtualHost>
- }}}
-  2.#2 {{{NameVirtualHost <IP>:443}}} for a different domain (*.example2.com), 
where {{{<IP>}}} is different from the IP Address used for *.example.com
- {{{
- NameVirtualHost 192.168.1.2:443
- <VirtualHost 192.168.1.2:443>
- ServerName one.example2.com
- ...
- </VirtualHost>
- 
- <VirtualHost 192.168.1.2:443>
- ServerName two.example2.com
- ...
- </VirtualHost>
- }}}
- 
- 
- However you cannot do the following:
- 
- SSL !VirtualHost for a different !ServerName (three.example2.com), where the 
IP address is the same as that used for *.example.com.
- {{{
- <VirtualHost 192.168.1.1:443>
- ServerName three.example2.com
- ...
- </VirtualHost>
- }}}
- 
- 
- Here is the config snippet for two SSL !NameVirtualHost's, using a single 
wildcard SSL certificate:
  
  {{{
  Listen 192.168.1.1:443
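Review bot: the rewritten list items still carry the slips from the lines they replace ("asterix" for "asterisk", "eg:" for "e.g.", and "i.e" followed by a double space before {{{*.example.com}}}), and the verb in "to setup the encryption layer", which now appears twice in the new introduction, should be "set up"; since this is a full rewrite, fix them here rather than in a follow-up. The lead-in "two SSL !NameVirtualHost's" uses an apostrophe for a plural and should read "!NameVirtualHosts", matching "!VirtualHosts" in item 1. On substance the new introduction is the right anchor for the whole page: the statement that Apache always uses the first-listed virtual host on the selected address and port to negotiate encryption is what the later "Remember that the SSL directives from the second virtual host will be ignored" sentence depends on, so keep the two worded consistently ("first-listed" in one place, "second virtual host" in the other reads slightly differently for a reader with three or more hosts; "any virtual host other than the first" would cover that case).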
@@ -107, +70 @@

  </VirtualHost>
  }}}
  
+ 
+ In addition to this configuration, you should still be able to do the 
following:
+ 
+  1. SSL !VirtualHost for a different domain (example2.com), as long as you 
use a different IP Address or port (i.e. one that is not used by the wildcard 
sites):
+ 
+ 
+ {{{
+ <VirtualHost 192.168.1.2:443>
+ ServerName www.example2.com
+ ...
+ </VirtualHost>
+ }}}
+  2.#2 {{{NameVirtualHost <IP>:443}}} for a different domain (*.example2.com), 
where {{{<IP>}}} is different from the IP Address used for *.example.com
+ {{{
+ NameVirtualHost 192.168.1.2:443
+ <VirtualHost 192.168.1.2:443>
+ ServerName one.example2.com
+ ...
+ </VirtualHost>
+ 
+ <VirtualHost 192.168.1.2:443>
+ ServerName two.example2.com
+ ...
+ </VirtualHost>
+ }}}
+ 
+ 
+ However you cannot do the following:
+ 
+ SSL !VirtualHost for a different !ServerName (three.example2.com), where the 
IP address is the same as that used for *.example.com.
+ {{{
+ <VirtualHost 192.168.1.1:443>
+ ServerName three.example2.com
+ ...
+ </VirtualHost>
+ }}}
+ 
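Review bot: item 1 now says "a different IP Address or port", but the snippet under it only shows a different address (192.168.1.2:443), and neither that snippet nor the !NameVirtualHost one for *.example2.com carries a Listen directive, whereas the wildcard snippet earlier on the page starts with {{{Listen 192.168.1.1:443}}}; add the matching {{{Listen 192.168.1.2:443}}} line to these snippets (and either show a port-based variant or drop "or port") so a reader copying them does not end up with virtual hosts on an address Apache is not listening on. The "However you cannot do the following" example would be clearer with its reason attached: by the new introduction, three.example2.com on 192.168.1.1:443 would be served with the first-listed host's *.example.com certificate, which is exactly the certificate mismatch warning and man-in-the-middle exposure described at the top of the page. Minor: the double blank lines before the first {{{ block and after the second }}} block are inconsistent with the single blank line used elsewhere, and item 2 runs straight into its {{{ block with no blank line while item 1 has two.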
