I have one NIC configured with multiple IP addresses. I'm running Slackware (the examples are from my Slackware 10.1 box), so you will have to work out how to do the equivalent on CentOS.
I configured the first IP address (172.31.212.190) the 'normal way' and added the following lines to rc.local:
# Bring up three IP aliases on eth0 (eth0:1 .. eth0:3 -> .191 .. .193).
# All three use the same netmask and broadcast address.
for n in 1 2 3; do
	/sbin/ifconfig eth0:$n 172.31.212.19$n netmask 255.255.254.0 broadcast 172.31.213.255
done
The box now has four IP addresses (172.31.212.190 through 172.31.212.193).
My mod_ssl.conf (lines marked WimS are the changes I made). To keep the file small it only contains the generic settings and the first server; the other servers are pulled in by Include directives at the end.
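LoadModule ssl_module libexec/apache/libssl.so
<IfDefine SSL>
Listen 443
</IfDefine>
<IfDefine SSL>
#WimS
#AddType application/x-x509-ca-cert .cert
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
</IfDefine>
<IfModule mod_ssl.c>
SSLPassPhraseDialog builtin
# Session cache and mutex: shared by every SSL virtual host in this file.
#SSLSessionCache none
#SSLSessionCache shm:/var/log/apache/ssl_scache(512000)
SSLSessionCache dbm:/var/log/apache/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/var/log/apache/ssl_mutex
# PRNG seeding: pull 512 bytes from the kernel entropy pool at startup
# instead of relying on the builtin seed alone; builtin is kept for the
# per-connection reseed.
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
#SSLRandomSeed startup builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
SSLLog /var/log/apache/ssl_engine_log
SSLLogLevel info
</IfModule>
<IfDefine SSL>
##
## SSL Virtual Host Context
##
#################################################
#WimS: first server
#################################################
#<VirtualHost _default_:443>
#<VirtualHost btd-techweb01:443>
<VirtualHost 172.31.212.190:443>
# General setup for the virtual host
#WimS; new location
DocumentRoot "/server/www/htdocs/btd/web"
#DocumentRoot "/var/www/htdocs"
#WimS; new server name
ServerName btd-techweb01
#ServerName new.host.name
#WimS
ServerAdmin xx@yy.zz
#ServerAdmin you@your.address
# Error and access logs are shared with the other SSL virtual hosts.
ErrorLog /var/log/apache/error_log
TransferLog /var/log/apache/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol and Cipher Suite:
# Refuse SSLv2 and offer only HIGH/MEDIUM strength suites. The previous
# "ALL:..." list also admitted export-grade (EXP), LOW and SSLv2 ciphers,
# since "+" in an OpenSSL cipher string only reorders, it never excludes.
# !aNULL/!eNULL additionally drop unauthenticated and unencrypted suites.
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!SSLv2
#WimS
SSLCertificateFile /etc/apache/ssl.crt/btd-techweb01.cert
#SSLCertificateFile /etc/apache/ssl.crt/server.crt
#SSLCertificateFile /etc/apache/ssl.crt/server-dsa.crt
#WimS
SSLCertificateKeyFile /etc/apache/ssl.key/btd-techweb01.key
#SSLCertificateKeyFile /etc/apache/ssl.key/server-dsa.key
#SSLCertificateChainFile /etc/apache/ssl.crt/ca.crt
#SSLCACertificatePath /etc/apache/ssl.crt
#SSLCACertificateFile /etc/apache/ssl.crt/ca-bundle.crt
#SSLCARevocationPath /etc/apache/ssl.crl
#SSLCARevocationFile /etc/apache/ssl.crl/ca-bundle.crl
#SSLVerifyClient require
#SSLVerifyDepth 10
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
# Export the SSL_* environment variables only to script handlers.
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-request SSL log: time, client, protocol, cipher, request line, bytes.
CustomLog /var/log/apache/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
#################################################
#WimS: second server
#################################################
Include /etc/apache/mod_ssl_commcentre.conf
#################################################
#WimS: third server
#################################################
Include /etc/apache/mod_ssl_tacroom.conf
#################################################
#WimS: fourth server
#################################################
Include /etc/apache/mod_ssl_docdir.conf
</IfDefine>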
My commcentre configuration (the second server):
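<VirtualHost 172.31.212.191:443>
# General setup for the virtual host
DocumentRoot "/home/wim/commandcentre/web"
ServerName cc.btd-techweb01
ServerAdmin xx@yy.zz
# Error and access logs are shared with the other SSL virtual hosts.
ErrorLog /var/log/apache/error_log
TransferLog /var/log/apache/access_log
# SSL Engine Switch:
SSLEngine on
# SSL Protocol and Cipher Suite:
# Refuse SSLv2 and offer only HIGH/MEDIUM strength suites. The previous
# "ALL:..." list also admitted export-grade (EXP), LOW and SSLv2 ciphers,
# since "+" in an OpenSSL cipher string only reorders, it never excludes.
# !aNULL/!eNULL additionally drop unauthenticated and unencrypted suites.
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!SSLv2
# Server Certificate:
SSLCertificateFile /etc/apache/btd-techweb01/btd-techweb01.crt
# Server Private Key:
SSLCertificateKeyFile /etc/apache/btd-techweb01/btd-techweb01.key
# Server Certificate Chain:
#SSLCertificateChainFile /etc/apache/ssl.crt/ca.crt
# Certificate Authority (CA):
#SSLCACertificatePath /etc/apache/ssl.crt
#SSLCACertificateFile /etc/apache/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
#SSLCARevocationPath /etc/apache/ssl.crl
#SSLCARevocationFile /etc/apache/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
# Export the SSL_* environment variables only to script handlers.
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/apache/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>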
I use a wildcard certificate, which is why all the references point to the same certificate. However, this gives me some grey hairs (warnings from both Apache at startup and from browsers), so on the new server I am currently configuring I will no longer use it.
I hope this helps.