LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices



Reply
 
Search this Thread
Old 10-14-2010, 12:25 PM   #1
CNBarnes
Member
 
Registered: Apr 2004
Location: Texas
Distribution: Debian
Posts: 41

Rep: Reputation: 15
Apache2 configuration - help me understand VirtualHost vs NameVirtualHost


Try as I might, figuring out when to use NameVirtualHost vs VirtualHost in Apache2 configuration file has me totally baffled. I am hoping someone can give me a quick primer on the proper way to use them.

My setup: Debian 5 running Apache2 server.
1 server has roughly 50 different websites running on it. Eg.
Main site is http://physics.tamu.edu. Going to www.physics should display the same page.
Going to http://astronomy.physics.tamu.edu should show (and does) that site. Going to http://physicsfestival.tamu.edu should (and does) goto that site.


My problem is that when I restart apache, I get tons of warnings:
Code:
[Thu Oct 14 10:44:03 2010] [warn] VirtualHost collider.physics.tamu.edu:443 overlaps with VirtualHost www.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:03 2010] [warn] VirtualHost www.physics.tamu.edu:443 overlaps with VirtualHost collider.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:03 2010] [warn] VirtualHost webmail.physics.tamu.edu:443 overlaps with VirtualHost webmail.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:03 2010] [warn] VirtualHost webmail.physics.tamu.edu:80 overlaps with VirtualHost webmail.physics.tamu.edu:80, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:03 2010] [warn] VirtualHost tasks.physics.tamu.edu:443 overlaps with VirtualHost tasks.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:03 2010] [warn] VirtualHost tasks.physics.tamu.edu:80 overlaps with VirtualHost tasks.physics.tamu.edu:80, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:03 2010] [warn] VirtualHost physics.tamu.edu:443 overlaps with VirtualHost physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:03 2010] [warn] VirtualHost collider.physics.tamu.edu:443 overlaps with VirtualHost www.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:03 2010] [warn] NameVirtualHost *:443 has no VirtualHosts
[Thu Oct 14 10:44:03 2010] [warn] NameVirtualHost *:443 has no VirtualHosts
[Thu Oct 14 10:44:03 2010] [warn] NameVirtualHost *:80 has no VirtualHosts
[Thu Oct 14 10:44:03 2010] [warn] NameVirtualHost *:80 has no VirtualHosts
 ... waiting [Thu Oct 14 10:44:05 2010] [warn] VirtualHost collider.physics.tamu.edu:443 overlaps with VirtualHost www.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:05 2010] [warn] VirtualHost www.physics.tamu.edu:443 overlaps with VirtualHost collider.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:05 2010] [warn] VirtualHost webmail.physics.tamu.edu:443 overlaps with VirtualHost webmail.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:05 2010] [warn] VirtualHost webmail.physics.tamu.edu:80 overlaps with VirtualHost webmail.physics.tamu.edu:80, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:05 2010] [warn] VirtualHost tasks.physics.tamu.edu:443 overlaps with VirtualHost tasks.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:05 2010] [warn] VirtualHost tasks.physics.tamu.edu:80 overlaps with VirtualHost tasks.physics.tamu.edu:80, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:05 2010] [warn] VirtualHost physics.tamu.edu:443 overlaps with VirtualHost physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:05 2010] [warn] VirtualHost collider.physics.tamu.edu:443 overlaps with VirtualHost www.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:05 2010] [warn] NameVirtualHost *:443 has no VirtualHosts
[Thu Oct 14 10:44:05 2010] [warn] NameVirtualHost *:443 has no VirtualHosts
[Thu Oct 14 10:44:05 2010] [warn] NameVirtualHost *:80 has no VirtualHosts
[Thu Oct 14 10:44:05 2010] [warn] NameVirtualHost *:80 has no VirtualHosts
Contents of 00-virtualhosts.conf:
Code:
NameVirtualHost *:80
NameVirtualHost *:443

# Virtualhost definition are in a site-specific file.
Contents of conf.d/collider.physics.tamu.edu:
Code:
<VirtualHost *:80>
        ServerAdmin support@physics.tamu.edu
        ServerName collider.physics.tamu.edu
        ServerAlias Collider collider
        DocumentRoot /var/www/collider/htdocs/
        ScriptAlias /cgi-bin/ /var/www/collider/cgi-bin/

        Redirect permanent /internal https://collider.physics.tamu.edu/internal

        <Directory /var/www/collider.physics.tamu.edu/internal/>
                AuthType Basic
                AuthName "Collider Internal"
                AuthPAM_Enabled On
                AuthBasicAuthoritative off
                Require valid-user
        </Directory>
</VirtualHost>

<VirtualHost collider.physics.tamu.edu:443>
        ServerAdmin support@physics.tamu.edu
        ServerName collider.physics.tamu.edu
        ServerAlias Collider collider
        DocumentRoot /var/www/collider/htdocs/
        ScriptAlias /cgi-bin/ /var/www/collider/cgi-bin/

        <Directory /var/www/collider.physics.tamu.edu/internal/>
                AuthType Basic
                AuthName "Department of Physics"
                AuthPAM_Enabled On
                AuthBasicAuthoritative off
                Require valid-user
        </Directory>

        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
        SSLCertificateFile              /etc/apache2/ssl.crt/collider.crt
        SSLCertificateKeyFile           /etc/apache2/ssl.key/collider.key

        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
                SSLOptions +StdEnvVars
        </Files>
        <Directory "/var/www/cgi-bin">
                SSLOptions +StdEnvVars
        </Directory>

        SetEnvIf User-Agent ".*MSIE.*" \
                 nokeepalive ssl-unclean-shutdown \
                 downgrade-1.0 force-response-1.0


</VirtualHost>
Contents of conf.d/physics.tamu.edu:
Code:
<VirtualHost *:80>
    ServerName physics.tamu.edu
    ServerAdmin support@physics.tamu.edu
    ServerAlias www
    DocumentRoot /var/www/www2.physics.tamu.edu/
    ErrorLog /var/log/apache2/www2-error_log
    CustomLog /var/log/apache2/www2-access_log combined
    Options Indexes FollowSymLinks Includes

    ScriptAlias /cgi-bin/ "/var/www/www2.physics.tamu.edu/cgi-bin/"
    Alias /images/ "/var/www/www2.physics.tamu.edu/images/"

    <Directory /var/www/www2.physics.tamu.edu/lib/>
        Order Deny,Allow
        Deny From All
    </Directory>

    Redirect permanent /authentication  https://www.physics.tamu.edu/authentication
    Redirect permanent /BuildingPlans   https://www.physics.tamu.edu/BuildingPlans
    Redirect permanent /data            https://www.physics.tamu.edu/data
    Redirect permanent /ldapadmin       https://www.physics.tamu.edu/ldapadmin
    Redirect permanent /pos/admin       https://www.physics.tamu.edu/pos/admin
    Redirect permanent /squirrelmail    https://www.physics.tamu.edu/squirrelmail
    Redirect permanent /tasks           https://tasks.physics.tamu.edu
    Redirect permanent /services/comp_support/docs  https://physics.tamu.edu/services/comp_support/docs

</VirtualHost>



<VirtualHost physics.tamu.edu:443>
    ServerName physics.tamu.edu
    ServerAdmin support@physics.tamu.edu
    DocumentRoot /var/www/www2.physics.tamu.edu/
    ErrorLog /var/log/apache2/www2-ssl-error_log
    CustomLog /var/log/apache2/www2-ssl-access_log combined
    ScriptAlias /cgi-bin/ "/var/www/www2.physics.tamu.edu/cgi-bin/"
    Alias /images/ "/var/www/www2.physics.tamu.edu/images/"

   SSLEngine on
   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
   SSLCertificateFile           /etc/apache2/ssl.crt/physics.tamu.edu.crt
   SSLCertificateKeyFile                /etc/apache2/ssl.key/physics.key
   SSLCertificateChainFile         /etc/apache2/ssl.bundle/gd_bundle.crt

   SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

   <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
   </Files>
   <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
   </Directory>

so - what am I doing wrong?
 
Old 10-14-2010, 12:34 PM   #2
prayag_pjs
Senior Member
 
Registered: Feb 2008
Location: Pune - India
Distribution: Fedora,RedHat,CentOS,Gentoo
Posts: 1,138
Blog Entries: 4

Rep: Reputation: 147Reputation: 147
If you use same single ip for multiple websites then its named based virtual host.

With name-based virtual hosts, one instance of Apache hosts several domains. You do not need to set up multiple IPs for a machine.

To activate name-based virtual hosts, specify a suitable directive. NameVirtualHost *. * is sufficient to prompt Apache to accept all incoming requests. Subsequently, configure the individual hosts:

Example:

Quote:
<VirtualHost *>
ServerName www.example.com
DocumentRoot /home/www/htdocs/example.com
ServerAdmin webmaster@example.com
ErrorLog /var/log/apache2/www.example.com-error_log
CustomLog /var/log/apache2/www.example.com-access_log common
</VirtualHost>

<VirtualHost *>
ServerName www.myothercompany.com
DocumentRoot /home/www/htdocs/myothercompany.com
ServerAdmin webmaster@myothercompany.com
ErrorLog /var/log/apache2/www.myothercompany.com-error_log
CustomLog /var/log/apache2/www.myothercompany.com-access_log common
</VirtualHost>
IP Based virtual hosting alternative requires the setup of multiple IPs for a machine. In this case, one instance of Apache hosts several domains, each of which is assigned a different IP.

Example:
Quote:
<VirtualHost 192.168.1.20>
ServerName www.myothercompany.com
DocumentRoot /home/www/htdocs/myothercompany.com
ServerAdmin webmaster@myothercompany.com
ErrorLog /var/log/apache2/www.myothercompany.com-error_log
CustomLog /var/log/apache2/www.myothercompany.com-access_log common
</VirtualHost>

<VirtualHost 192.168.1.21>
ServerName www.anothercompany.com
DocumentRoot /home/www/htdocs/anothercompany.com
ServerAdmin webmaster@anothercompany.com
ErrorLog /var/log/apache2/www.anothercompany.com-error_log
CustomLog /var/log/apache2/www.anothercompany.com-access_log common
</VirtualHost>
Quote:
For Apache to host multiple IPs, the underlying machine must accept requests for multiple IPs. This is called multi-IP hosting. For this purpose, IP aliasing must be activated in the kernel.

Once the kernel has been configured for IP aliasing, the commands ifconfig and route can be used to set up additional IPs on the host. These commands must be executed as root. For the following example, it is assumed that the host already has its own IP, such as 192.168.1.10, which is assigned to the network device eth0.

Enter the command ifconfig to find out the IP of the host. Further IPs can be added with commands like the following:

/sbin/ifconfig eth0:0 192.168.1.20
/sbin/ifconfig eth0:1 192.168.1.21

All these IPs are assigned to the same physical network device (eth0).

Last edited by prayag_pjs; 10-14-2010 at 12:37 PM.
 
1 members found this post helpful.
Old 10-14-2010, 12:40 PM   #3
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
Apache can support multiple virtual hosts. The virtual hosts can be on separate IP addresses or you can have one IP address with multiple named virtual hosts. For example, on address 1.2.3.4 you could have server1.domain and server2.domain and serve up different pages. This is achieved by part of the connection process where the desired server is identified by name.

SSL / secure web pages however (port 443 typically) technically don't support this. The reason is that the secure connection is established before the server name is known and the process uses only IP addresses. Consequently, when you try to have multiple named virtual hosts that are secure, you get warnings like you have seen. While it will 'work' in as much as you will get encrypted web sites, only the first declared host will have the 'valid' certificate. Depending on your application, this may or may not be a problem. For example, I run a server for a small e-commerce site and this site has the certificate and it is valid for that site. I also run a named domain on the same server and make it a secured site. It uses the 'wrong' certificate, but as it is my personal web mail, I don't care, but a customer to the e-commerce site would.

There continues to be growing interest in individuals wanting to run multiple secure hosts with one IP and to this end there has been proposals made to change the protocols. For example, the GNU TLS supports a technique called SNI (server name indication) where the requested server name is used as part of the establishment of the secure connection and can support this. Others have patched the SSL libraries to support this functionality too. I had read that future versions of Apache will support this feature, but I don't believe that the present ones do.

Also, when you want to use name virtual hosts (port 80) specify that you have named virtual hosts on port 80 and then declare the virtual hosts by name:80 like you did and then use the server name directive.

Hope this helps clarify what is happening for you.
 
1 members found this post helpful.
Old 10-14-2010, 12:43 PM   #4
CNBarnes
Member
 
Registered: Apr 2004
Location: Texas
Distribution: Debian
Posts: 41

Original Poster
Rep: Reputation: 15
Thank you for the VERY quick response!

Quote:
Originally Posted by prayag_pjs View Post
To activate name-based virtual hosts, specify a suitable directive. NameVirtualHost *.
Where do I put this directive (in the conf.d/00-virtualhosts file?)?


Quote:
IP Based virtual hosting alternative requires the setup of multiple IPs for a machine. In this case, one instance of Apache hosts several domains, each of which is assigned a different IP.

Example:
Actually, MOST of these use the same IP number as the "main site", but there are a couple that use different IPs (which the server is already setup to answer).
 
Old 10-14-2010, 12:45 PM   #5
CNBarnes
Member
 
Registered: Apr 2004
Location: Texas
Distribution: Debian
Posts: 41

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Noway2 View Post
Apache can support multiple virtual hosts. The virtual hosts can be on separate IP addresses or you can have one IP address with multiple named virtual hosts. For example, on address 1.2.3.4 you could have server1.domain and server2.domain and serve up different pages. This is achieved by part of the connection process where the desired server is identified by name.

SSL / secure web pages however (port 443 typically) technically don't support this. The reason is that the secure connection is established before the server name is known and the process uses only IP addresses. Consequently, when you try to have multiple named virtual hosts that are secure, you get warnings like you have seen. While it will 'work' in as much as you will get encrypted web sites, only the first declared host will have the 'valid' certificate. Depending on your application, this may or may not be a problem. For example, I run a server for a small e-commerce site and this site has the certificate and it is valid for that site. I also run a named domain on the same server and make it a secured site. It uses the 'wrong' certificate, but as it is my personal web mail, I don't care, but a customer to the e-commerce site would.

There continues to be growing interest in individuals wanting to run multiple secure hosts with one IP and to this end there has been proposals made to change the protocols. For example, the GNU TLS supports a technique called SNI (server name indication) where the requested server name is used as part of the establishment of the secure connection and can support this. Others have patched the SSL libraries to support this functionality too. I had read that future versions of Apache will support this feature, but I don't believe that the present ones do.

Also, when you want to use name virtual hosts (port 80) specify that you have named virtual hosts on port 80 and then declare the virtual hosts by name:80 like you did and then use the server name directive.

Hope this helps clarify what is happening for you.


<A light bulb of understanding just went on above my head!>
 
Old 10-14-2010, 01:42 PM   #6
prayag_pjs
Senior Member
 
Registered: Feb 2008
Location: Pune - India
Distribution: Fedora,RedHat,CentOS,Gentoo
Posts: 1,138
Blog Entries: 4

Rep: Reputation: 147Reputation: 147
Hi,

Hope this link helps you.

http://www.cahilig.net/2008/08/26/ap...g-debianubuntu
 
Old 10-14-2010, 01:42 PM   #7
prayag_pjs
Senior Member
 
Registered: Feb 2008
Location: Pune - India
Distribution: Fedora,RedHat,CentOS,Gentoo
Posts: 1,138
Blog Entries: 4

Rep: Reputation: 147Reputation: 147
Hi,

Hope this link helps you.

http://www.cahilig.net/2008/08/26/ap...g-debianubuntu
 
1 members found this post helpful.
Old 10-19-2010, 03:39 PM   #8
CNBarnes
Member
 
Registered: Apr 2004
Location: Texas
Distribution: Debian
Posts: 41

Original Poster
Rep: Reputation: 15
Ok, I'm back. I read through this stuff and am somewhat more confused than ever. So I'm going to start over - asking a "how would the config file look for this?":

Let's say you have a linux server running apache2, that has 2 ip numbers for
* https://secure1.mydomain.com/ (tied to ip 192.0.0.10)
* https://secure2.mydomain.com/ (tied to ip 192.0.0.11)

In addition, you have 4 other virtual (non secure) sites:
* http://site1.mydomain.com/
* http://site2.mydomain.com/
* http://site3.mydomain.com/
* http://site4.mydomain.com/


What does the config file look like?
 
Old 10-20-2010, 12:55 AM   #9
prayag_pjs
Senior Member
 
Registered: Feb 2008
Location: Pune - India
Distribution: Fedora,RedHat,CentOS,Gentoo
Posts: 1,138
Blog Entries: 4

Rep: Reputation: 147Reputation: 147
Hi,

We have given and you have referred so many sites.

Please give it a try and when you get stuck some where we will help you.
 
Old 10-20-2010, 05:28 AM   #10
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
As a rough template you would have something like the following:
Code:
NameVirtualHost *:80


<VirtualHost 192.0.0.10:443>
        ServerName secure1.mydomain.com
        (Server Directives Here)
</VirtualHost>

<VirtualHost 192.0.0.11:443>
        ServerName secure2.mydomain.com
        (Server Directives Here)
</VirtualHost>

<VirtualHost *:80>
        ServerName site1.mydomain.com
        (Server Directives Here)
</VirtualHost>
What areas you are having confusion about? Perhaps we can help provide a more targeted answer.
 
1 members found this post helpful.
Old 10-20-2010, 09:14 AM   #11
CNBarnes
Member
 
Registered: Apr 2004
Location: Texas
Distribution: Debian
Posts: 41

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Noway2 View Post
As a rough template you would have something like the following:
Code:
NameVirtualHost *:80
<VirtualHost 192.0.0.10:443>
        ServerName secure1.mydomain.com
        (Server Directives Here)
</VirtualHost>

<VirtualHost 192.0.0.11:443>
        ServerName secure2.mydomain.com
        (Server Directives Here)
</VirtualHost>

<VirtualHost *:80>
        ServerName site1.mydomain.com
        (Server Directives Here)
</VirtualHost>
What areas you are having confusion about? Perhaps we can help provide a more targeted answer.

This is VERY useful. So if I have multiple secure pages (each with their own IP & certificate), I do NOT use
Code:
NameVirtualHost *:443
Correct?


I have a followup question that I think I know the answer to. If secure1 & secure2 also have non-secure pages, I assume I also include
Code:
<VirtualHost *:80>
        ServerName secure1.mydomain.com
        (Server Directives Here)
</VirtualHost>

<VirtualHost *:80>
         ServerName secure2.mydomain.com
         (Server Directives Here)
 </VirtualHost>
Correct?


Followup question 2:
If I have secure pages for for secure1 & secure2, is there any reason to have NON-secure pages?

Last edited by CNBarnes; 10-20-2010 at 09:17 AM.
 
Old 10-20-2010, 12:38 PM   #12
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
To be TECHNICALLY correct, no you don't use NameVirtualHost on 443 (secure servers). This goes back to my original post, that a secure page doesn't resolve based upon name per the SSL protocol. It will work, at least more or less, if you do, but one of the sites won't get the correct certificate and you will get apache warnings.

I think your syntax for followup question1 will work. You can also have <VirtualHost 192.0.0.10:80>. The primary reason you would want to have non secure pages where the encryption isn't required is that the secure pages take a lot more processing overhead, especially on the server. Initially the secure transaction is accomplished using a form of PKI (public key infrastructure) which allows a client to establish a one way encrypted connection and to also verify the authenticity of the host using a 3rd party verification server (such as verisign). This is a slow process which requires a good bit of math. After establishing the secure channel, the encryption is done with temporary synchronous ciphers which are a lot faster. If you get an appreciable amount of traffic establishing all the connections can become an unnecessary burden on your system.
 
2 members found this post helpful.
  


Reply

Tags
apache2


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
NameVirtualHost *:80 has no virtual hosts apache2 hosting multiple sites without DNS tkmsr Linux - Server 9 06-21-2010 11:27 AM
Apache2 is serving single NameVirtualHost for all names r3gan Linux - Software 4 06-12-2008 11:33 AM
Apache2 NameVirtualHost not working intramaweb Linux - Server 7 12-12-2007 08:59 AM
apache2 error - namevirtualhost *:0 has no virtualhosts? tiger.woods Ubuntu 2 04-09-2007 11:26 AM
apache2 NameVirtualHost gabsik Linux - Networking 3 01-18-2007 03:26 PM


All times are GMT -5. The time now is 11:06 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration