Old 04-28-2009, 07:16 PM   #1
crispytwo
LQ Newbie
 
Registered: May 2004
Distribution: F10
Posts: 3

Rep: Reputation: 0
Apache with wildcard SSL and virtual host


Hi,

I'm using Apache 2.2 to host multiple subdomains using a single SSL certificate (a wildcard certificate e.g. *.mydomain.com) and, yes, it works! Everything seems to be served correctly and the browsers are pretty happy.

And you can also have the non-SSL sites (virtual hosts on port 80) on the same IP. (That's covered elsewhere)

For those that want similar functionality here's my discovery...

My configuration is like this:

ssl.conf:
Code:
# standard ssl.conf that comes with the distro
LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

# the default virtual SSL host
<VirtualHost _default_:443>
    DocumentRoot "/var/www/html/"
    ServerName mydomain.com:443
    # ServerAlias takes host names only, without a port
    ServerAlias www.mydomain.com
    <Directory "/var/www/html/">
        AllowOverride All
        Options All
    </Directory>
    ErrorLog logs/ssl_main-error_log
    TransferLog logs/ssl_main-transfer-access.log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/ssl/mydomain.cer
    SSLCertificateKeyFile /etc/ssl/mydomain.key
    SSLCertificateChainFile /etc/ssl/server-intermediate-chain.crt
    SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_main_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

# second virtual SSL host
<VirtualHost *:443>
    DocumentRoot "/var/www/sub/"
    ServerName sub.mydomain.com:443
    # ServerAlias takes host names only, without a port
    ServerAlias www.sub.mydomain.com
    <Directory "/var/www/sub/">
        AllowOverride All
        Options All
    </Directory>
    ErrorLog logs/ssl_sub-error_log
    TransferLog logs/ssl_sub-transfer-access.log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/ssl/mydomain.cer
    SSLCertificateKeyFile /etc/ssl/mydomain.key
    SSLCertificateChainFile /etc/ssl/server-intermediate-chain.crt
    SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_sub_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

I would have to say that I don't believe that this will work if you are not using a wildcard SSL certificate and having anything other than subdomains under that wildcard.

It is somewhat limited in the scenarios where this is useful, but for a set of company websites that should be under SSL, this can be tremendously useful when you have a single IP.
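
Added example, not part of the original post: a check of which ServerName/ServerAlias entries from the configuration above a wildcard certificate actually covers, using the usual browser rule that `*` stands for exactly one left-most label. The function names are hypothetical, the sample text is constructed from the post's host names, and the certificate is assumed to carry only the name `*.mydomain.com`.

```python
import re

# Constructed sample: the name directives from the two vhosts in the post.
SAMPLE_CONF = """
<VirtualHost _default_:443>
    ServerName mydomain.com:443
    ServerAlias www.mydomain.com
</VirtualHost>
<VirtualHost *:443>
    ServerName sub.mydomain.com:443
    ServerAlias www.sub.mydomain.com
</VirtualHost>
"""

def vhost_names(conf):
    """Return every ServerName/ServerAlias host name, lower-cased, port stripped."""
    names = []
    for line in conf.splitlines():
        m = re.match(r"\s*Server(?:Name|Alias)\s+(.+)", line, re.IGNORECASE)
        if m:
            for token in m.group(1).split():
                names.append(re.sub(r":\d+$", "", token).lower())
    return names

def cert_name_matches(pattern, host):
    """Match a certificate name against a host name.

    A '*' is honoured only as the entire left-most label and replaces
    exactly one label, so it never spans a dot.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h

def uncovered(conf, cert_names):
    """List configured host names that none of the certificate names cover."""
    return [n for n in vhost_names(conf)
            if not any(cert_name_matches(c, n) for c in cert_names)]

if __name__ == "__main__":
    # Assumption: the certificate lists only the wildcard name.
    for name in uncovered(SAMPLE_CONF, ["*.mydomain.com"]):
        print("not covered by certificate:", name)
```

Under that assumption the bare domain and the two-level name `www.sub.mydomain.com` are reported; they need their own entries in the certificate (for example `mydomain.com` and `*.sub.mydomain.com`) to avoid a name-mismatch warning.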
 
Old 04-28-2009, 07:24 PM   #2
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,280

Rep: Reputation: 2032
Nice..

however, if you've really got RH9 (codename shrike), it's been unsupported for yrs, inc no updates, so it's ripe for exploitation.
I'd be surprised if apache 2.2 runs on that....
 
Old 04-28-2009, 08:56 PM   #3
crispytwo
LQ Newbie
 
Registered: May 2004
Distribution: F10
Posts: 3

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by chrism01
Nice..

however, if you've really got RH9 (codename shrike), it's been unsupported for yrs, inc no updates, so it's ripe for exploitation.
I'd be surprised if apache 2.2 runs on that....

Haha - I haven't updated my profile since I joined here I guess...
Yes, this is on Fedora 9 and 10 and CentOS 5...
 
  

