Old 03-31-2008, 05:35 PM   #1
msound
Member
 
Registered: Jun 2003
Location: SoCal
Distribution: CentOS
Posts: 465

Rep: Reputation: 30
Apache 2 - Multiple SSL Vhosts


Alrighty, I need to set up a 2nd NameBasedVirtualHost on an Apache 2 server that needs to be served up over SSL. I understand that the 2nd SSL vhost needs to use either a separate listen address or a separate port # than the existing SSL vhost.

So here's my question...

Let's say I have both SSL vhosts listen on the same IP but have one listen on port 443, and the other on port 4043, how would I get around adding :4043 to the domain's url? So basically instead of:

https://www.mydomain.com:4041/home.htm

I can continue to use:

https://www.mydomain.com/home.html

Would I be able to use mod_rewrite to rewrite all https://www.mydomain.com/ requests to https://www.mydomain.com:4043/?

Any advice would be greatly appreciated. Thaaaanks!
 
Old 03-31-2008, 08:28 PM   #2
tuliojm
LQ Newbie
 
Registered: Mar 2008
Location: Curitiba
Posts: 18

Rep: Reputation: 2
Apache 2 - Multiple SSL Vhosts

Hello,

You could use mod_rewrite or redirect the request to the other port with an HTML redirection, but some clients could run into problems with firewalls blocking connections to ports higher than 1024.
Check if mod_gnutls can help you (but be aware that it's an experimental module): http://www.outoforder.cc/projects/apache/mod_gnutls/

Check the tricks below too:
http://wiki.cacert.org/wiki/VhostTaskForce
http://sweon.net/2008/01/hosting-mul...e-with-apache2

I hope this helps.
 
Old 04-01-2008, 08:58 AM   #3
msound
Member
 
Registered: Jun 2003
Location: SoCal
Distribution: CentOS
Posts: 465

Original Poster
Rep: Reputation: 30
Hmmm. Well we host our own web server and have full control over its firewall and security. I don't think IT would have an issue opening up the new port, but if they do I could always designate a lower port like 442 or 444.

Wouldn't HTML redirection show the port number on the client side? If an html page redirects the users from:

https://www.mydomain.com/home.htm
to:
https://www.mydomain.com:4043/home.htm

then that's not what I want. I want the port redirection to be completely transparent to the end user, which is why I'm thinking mod_rewrite might be the best way to go.

I was also hoping to hear from some people who are already running two or more SSL vhosts on a single web server, to see how they're handling the issue of only 1 IP or 1 port per SSL vhost.

Cheers!
 
Old 04-02-2008, 10:37 AM   #4
msound
Member
 
Registered: Jun 2003
Location: SoCal
Distribution: CentOS
Posts: 465

Original Poster
Rep: Reputation: 30
So does anyone here host two SSL vhosts on a single server? I plan on trying the mod_rewrite approach this weekend but I would love some feedback from people who already have this kind of setup running in a production environment.

Thanks!
 
Old 04-03-2008, 12:42 AM   #5
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,794

Rep: Reputation: 282
Yep, but IP based.
 
Old 04-03-2008, 11:37 AM   #6
msound
Member
 
Registered: Jun 2003
Location: SoCal
Distribution: CentOS
Posts: 465

Original Poster
Rep: Reputation: 30
Err... would you care to tell me a little more about how you have your server set up? Are you running multiple NICs? Are you using virtual IPs? etc. etc. I'm new to this multiple-SSL-virtual-hosts-on-a-single-box thing, so any extra info would be much appreciated.

Thanks!
 
Old 04-04-2008, 02:04 AM   #7
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,794

Rep: Reputation: 282
I have one NIC configured for multiple IP addresses. I'm running Slackware (the examples are from my Slackware 10.1 box), so you have to figure out how to do that on CentOS.

I have created one IP (172.31.212.190) the 'normal way' and added the following lines to rc.local:
Code:
/sbin/ifconfig eth0:1 172.31.212.191 netmask 255.255.254.0 broadcast 172.31.213.255
/sbin/ifconfig eth0:2 172.31.212.192 netmask 255.255.254.0 broadcast 172.31.213.255
/sbin/ifconfig eth0:3 172.31.212.193 netmask 255.255.254.0 broadcast 172.31.213.255
The box now has 4 IP addresses (190 .. 193).

My mod_ssl.conf (the stuff marked with WimS is basically the changes that I've made). To limit the size of the file it only contains some generic stuff and the first server. I use includes at the end to add the other servers.
Code:
LoadModule ssl_module libexec/apache/libssl.so

<IfDefine SSL>
Listen 443
</IfDefine>

<IfDefine SSL>
#WimS
#AddType application/x-x509-ca-cert .cert
AddType application/x-x509-ca-cert .crt

AddType application/x-pkcs7-crl    .crl
</IfDefine>

<IfModule mod_ssl.c>

SSLPassPhraseDialog  builtin

#SSLSessionCache        none
#SSLSessionCache        shm:/var/log/apache/ssl_scache(512000)
SSLSessionCache         dbm:/var/log/apache/ssl_scache
SSLSessionCacheTimeout  300

SSLMutex  file:/var/log/apache/ssl_mutex

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

SSLLog      /var/log/apache/ssl_engine_log
SSLLogLevel info

</IfModule>

<IfDefine SSL>

##
## SSL Virtual Host Context
##

#################################################
#WimS: first server
#################################################
#<VirtualHost _default_:443>
#<VirtualHost btd-techweb01:443>
<VirtualHost 172.31.212.190:443>

#  General setup for the virtual host
#WimS; new location
DocumentRoot "/server/www/htdocs/btd/web"
#DocumentRoot "/var/www/htdocs"
#WimS; new server name
ServerName btd-techweb01
#ServerName new.host.name
#WimS
ServerAdmin xx@yy.zz
#ServerAdmin you@your.address

ErrorLog /var/log/apache/error_log
TransferLog /var/log/apache/access_log

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

#WimS
SSLCertificateFile /etc/apache/ssl.crt/btd-techweb01.cert
#SSLCertificateFile /etc/apache/ssl.crt/server.crt

#SSLCertificateFile /etc/apache/ssl.crt/server-dsa.crt

#WimS
SSLCertificateKeyFile /etc/apache/ssl.key/btd-techweb01.key
#SSLCertificateKeyFile /etc/apache/ssl.key/server-dsa.key

#SSLCertificateChainFile /etc/apache/ssl.crt/ca.crt

#SSLCACertificatePath /etc/apache/ssl.crt
#SSLCACertificateFile /etc/apache/ssl.crt/ca-bundle.crt

#SSLCARevocationPath /etc/apache/ssl.crl
#SSLCARevocationFile /etc/apache/ssl.crl/ca-bundle.crl

#SSLVerifyClient require
#SSLVerifyDepth  10

#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog /var/log/apache/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

#################################################
#WimS: second server
#################################################
Include /etc/apache/mod_ssl_commcentre.conf

#################################################
#WimS: third server
#################################################
Include /etc/apache/mod_ssl_tacroom.conf

#################################################
#WimS: fourth server
#################################################
Include /etc/apache/mod_ssl_docdir.conf

</IfDefine>
My commcentre configuration (second server):
Code:
<VirtualHost 172.31.212.191:443>

#  General setup for the virtual host
DocumentRoot "/home/wim/commandcentre/web"
ServerName cc.btd-techweb01
ServerAdmin xx@yy.zz

ErrorLog /var/log/apache/error_log
TransferLog /var/log/apache/access_log

#   SSL Engine Switch:
SSLEngine on

#   SSL Cipher Suite:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

#   Server Certificate:
SSLCertificateFile /etc/apache/btd-techweb01/btd-techweb01.crt

#   Server Private Key:
SSLCertificateKeyFile /etc/apache/btd-techweb01/btd-techweb01.key

#   Server Certificate Chain:
#SSLCertificateChainFile /etc/apache/ssl.crt/ca.crt

#   Certificate Authority (CA):
#SSLCACertificatePath /etc/apache/ssl.crt
#SSLCACertificateFile /etc/apache/ssl.crt/ca-bundle.crt

#   Certificate Revocation Lists (CRL):
#SSLCARevocationPath /etc/apache/ssl.crl
#SSLCARevocationFile /etc/apache/ssl.crl/ca-bundle.crl

#   Client Authentication (Type):
#SSLVerifyClient require
#SSLVerifyDepth  10

#   Access Control:
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>


#   SSL Engine Options:
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

#   SSL Protocol Adjustments:
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/apache/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
I use a wildcard certificate, hence the references point to the same certificate. This however gives me some grey hairs (warnings from both apache (at startup) and browsers) and on the new server that I'm currently configuring I will no longer use it.

Hope that it helps.

Last edited by Wim Sturkenboom; 04-04-2008 at 02:28 AM. Reason: removed email addresses
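Added example, not posted by anyone in this thread: a small Python linter that reads Apache `<VirtualHost>` stanzas and flags the two things this thread turns on. First, on a pre-SNI Apache every SSL vhost needs its own IP:port, so two `SSLEngine on` vhosts sharing one address means only the first certificate is ever presented. Second, the `SSLCipherSuite` string in the posted configs leaves export, LOW, SSLv2, RC4 and NULL-encryption classes un-excluded; a sound string lists such classes only behind `!`. The sample configuration is constructed to resemble the posted ones (same addresses and ServerNames), and the third vhost, `docs.btd-techweb01`, is hypothetical and exists only to trigger the address-overlap finding.

```python
"""Lint Apache SSL vhost stanzas: one IP:port per SSL vhost, and weak cipher classes."""
import re
from collections import defaultdict

# Constructed sample modelled on the configs posted in the thread (not the poster's files).
# The third stanza is hypothetical: it reuses 172.31.212.191:443 to provoke an overlap.
SAMPLE_CONF = """
<VirtualHost 172.31.212.190:443>
ServerName btd-techweb01
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache/ssl.crt/btd-techweb01.cert
</VirtualHost>

<VirtualHost 172.31.212.191:443>
ServerName cc.btd-techweb01
SSLEngine on
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!SSLv2:!RC4
SSLCertificateFile /etc/apache/btd-techweb01/btd-techweb01.crt
</VirtualHost>

<VirtualHost 172.31.212.191:443>
ServerName docs.btd-techweb01
SSLEngine on
SSLCertificateFile /etc/apache/ssl.crt/docs.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)

# OpenSSL cipher-list classes that a hardened string should only ever mention with "!".
WEAK_CLASSES = ("eNULL", "aNULL", "EXP", "LOW", "SSLv2", "RC4")


def parse_vhosts(text):
    """Return [{'address': 'ip:port', 'directives': {name: value}}] for each stanza.
    Comment lines and blank lines inside the stanza are ignored."""
    vhosts = []
    for m in VHOST_RE.finditer(text):
        directives = {}
        for line in m.group(2).splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            directives[parts[0]] = parts[1] if len(parts) > 1 else ""
        vhosts.append({"address": m.group(1), "directives": directives})
    return vhosts


def unexcluded_weak_classes(cipher_string):
    """Weak classes the cipher string does not permanently remove with a '!' token.
    ('+CLASS' only reorders ciphers already selected, it never removes them.)"""
    excluded = {tok[1:] for tok in cipher_string.split(":") if tok.startswith("!")}
    return sorted(c for c in WEAK_CLASSES if c not in excluded)


def lint(text):
    """Findings for SSL vhosts: weak cipher strings and shared IP:port addresses."""
    findings = []
    names_by_addr = defaultdict(list)
    for vhost in parse_vhosts(text):
        d = vhost["directives"]
        if d.get("SSLEngine", "").lower() != "on":
            continue  # plain-HTTP vhosts may share an address freely
        name = d.get("ServerName", "?")
        names_by_addr[vhost["address"]].append(name)
        # A stanza without SSLCipherSuite inherits the server-level one; skip it here.
        if "SSLCipherSuite" in d:
            weak = unexcluded_weak_classes(d["SSLCipherSuite"])
            if weak:
                findings.append(f"{name}: SSLCipherSuite does not exclude {', '.join(weak)}")
    for addr, names in names_by_addr.items():
        if len(names) > 1:
            findings.append(
                f"{addr}: {len(names)} SSL vhosts share one address ({', '.join(names)}); "
                "without SNI only the first one's certificate is ever served"
            )
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Run against a real file with `lint(open("/etc/apache/mod_ssl.conf").read())` (path assumed). The overlap check reflects the state of Apache at the time of the thread; Apache 2.2.12 and later built against OpenSSL 0.9.8j or newer support SNI, which lets name-based SSL vhosts share one IP:port for clients that send the server name, so on a current server the overlap finding is only a problem for legacy clients.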