LinuxQuestions.org


crispytwo 04-28-2009 07:16 PM

Apache with wildcard SSL and virtual host
 
Hi,

I'm using Apache 2.2 to host multiple subdomains using a single SSL certificate (a wildcard certificate e.g. *.mydomain.com) and, yes, it works! Everything seems to be served correctly and the browsers are pretty happy.

And you can also have the non-SSL sites (virtual hosts on port 80) on the same IP. (That's covered elsewhere)

For those that want similar functionality here's my discovery...

My configuration is like this:

ssl.conf:
Code:

# standard ssl.conf that comes with the distro
LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache        shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

# the default virtual SSL host
<VirtualHost _default_:443>
    DocumentRoot "/var/www/html/"
    ServerName mydomain.com:443
    # ServerAlias takes bare host names: Apache strips the port from the
    # Host header before matching, so "host:443" here would never match
    ServerAlias www.mydomain.com
    <Directory "/var/www/html/">
        AllowOverride All
        Options All
    </Directory>
    ErrorLog logs/ssl_main-error_log
    TransferLog logs/ssl_main-transfer-access.log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/ssl/mydomain.cer
    SSLCertificateKeyFile /etc/ssl/mydomain.key
    SSLCertificateChainFile /etc/ssl/server-intermediate-chain.crt
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_main_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

# second virtual SSL host
<VirtualHost *:443>
    DocumentRoot "/var/www/sub/"
    ServerName sub.mydomain.com:443
    # bare host name, as above (note that *.mydomain.com does not cover
    # a second level such as www.sub.mydomain.com)
    ServerAlias www.sub.mydomain.com
    <Directory "/var/www/sub/">
        AllowOverride All
        Options All
    </Directory>
    ErrorLog logs/ssl_sub-error_log
    TransferLog logs/ssl_sub-transfer-access.log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/ssl/mydomain.cer
    SSLCertificateKeyFile /etc/ssl/mydomain.key
    SSLCertificateChainFile /etc/ssl/server-intermediate-chain.crt
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_sub_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

I would have to say that I don't believe that this will work if you are not using a wildcard SSL certificate and having anything other than subdomains under that wildcard.

It is somewhat limited in the scenarios where this is useful, but for a set of company websites that should be under SSL, this can be tremendously useful when you have a single IP.
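An added check for the caveat above (example code, not part of the original post): a wildcard name covers exactly one label, so `sub.mydomain.com` is fine, `www.sub.mydomain.com` is not, and the bare `mydomain.com` is only covered if the certificate lists it separately. The vhost snippet and the certificate names below are constructed from the configuration in the post; to see what a real certificate carries, read its Subject Alternative Name list with `openssl x509 -in /etc/ssl/mydomain.cer -noout -text`.

```python
import re

# Constructed sample: the host-naming directives from the two :443 vhosts
# in the post. In practice, read the real ssl.conf instead.
SSL_CONF = """
<VirtualHost _default_:443>
    ServerName mydomain.com:443
    ServerAlias www.mydomain.com:443
</VirtualHost>
<VirtualHost *:443>
    ServerName sub.mydomain.com:443
    ServerAlias www.sub.mydomain.com:443
</VirtualHost>
"""

# Constructed: the names a wildcard certificate for this domain might carry.
CERT_NAMES = ["*.mydomain.com", "mydomain.com"]


def vhost_names(conf):
    """Host names from ServerName/ServerAlias, with any :port suffix removed."""
    names = []
    pattern = r"^\s*(?:ServerName|ServerAlias)\s+(.+)$"
    for rest in re.findall(pattern, conf, re.M):
        for token in rest.split():
            names.append(token.lower().split(":")[0])
    return names


def name_matches(pattern, host):
    """RFC 6125 style wildcard match: '*' stands for exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                # ".mydomain.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]     # whatever the '*' would have to cover
    return leftmost != "" and "." not in leftmost


def uncovered_names(conf, cert_names):
    """Host names the vhosts answer for that no certificate name covers."""
    return sorted(
        h for h in set(vhost_names(conf))
        if not any(name_matches(p, h) for p in cert_names)
    )


if __name__ == "__main__":
    for host in uncovered_names(SSL_CONF, CERT_NAMES):
        print(f"not covered by certificate: {host}")
```

Run against the post's configuration this reports `www.sub.mydomain.com`; drop `mydomain.com` from `CERT_NAMES` and the apex domain served by the `_default_` vhost is reported too.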

chrism01 04-28-2009 07:24 PM

Nice..

however, if you've really got RH9 (codename shrike), it's been unsupported for years, including no updates, so it's ripe for exploitation.
I'd be surprised if apache 2.2 runs on that.... ;)

crispytwo 04-28-2009 08:56 PM

Quote:

Originally Posted by chrism01 (Post 3524135)
Nice..

however, if you've really got RH9 (codename shrike), it's been unsupported for years, including no updates, so it's ripe for exploitation.
I'd be surprised if apache 2.2 runs on that.... ;)

Haha - I haven't updated my profile since I joined here I guess...
Yes, this is on Fedora 9 and 10 and CentOS 5...
