Apache2 configuration - help me understand VirtualHost vs NameVirtualHost

CNBarnes · 10-14-2010, 11:25 AM

Try as I might, figuring out when to use NameVirtualHost vs VirtualHost in Apache2 configuration file has me totally baffled. I am hoping someone can give me a quick primer on the proper way to use them.

My setup: Debian 5 running Apache2 server.
1 server has roughly 50 different websites running on it. Eg.
Main site is http://physics.tamu.edu. Going to www.physics should display the same page.
Going to http://astronomy.physics.tamu.edu should show (and does) that site. Going to http://physicsfestival.tamu.edu should (and does) goto that site.

My problem is that when I restart apache, I get tons of warnings:

Code:

[Thu Oct 14 10:44:03 2010] [warn] VirtualHost collider.physics.tamu.edu:443 overlaps with VirtualHost www.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:03 2010] [warn] VirtualHost www.physics.tamu.edu:443 overlaps with VirtualHost collider.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:03 2010] [warn] VirtualHost webmail.physics.tamu.edu:443 overlaps with VirtualHost webmail.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:03 2010] [warn] VirtualHost webmail.physics.tamu.edu:80 overlaps with VirtualHost webmail.physics.tamu.edu:80, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:03 2010] [warn] VirtualHost tasks.physics.tamu.edu:443 overlaps with VirtualHost tasks.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:03 2010] [warn] VirtualHost tasks.physics.tamu.edu:80 overlaps with VirtualHost tasks.physics.tamu.edu:80, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:03 2010] [warn] VirtualHost physics.tamu.edu:443 overlaps with VirtualHost physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:03 2010] [warn] VirtualHost collider.physics.tamu.edu:443 overlaps with VirtualHost www.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:03 2010] [warn] NameVirtualHost *:443 has no VirtualHosts
[Thu Oct 14 10:44:03 2010] [warn] NameVirtualHost *:443 has no VirtualHosts
[Thu Oct 14 10:44:03 2010] [warn] NameVirtualHost *:80 has no VirtualHosts
[Thu Oct 14 10:44:03 2010] [warn] NameVirtualHost *:80 has no VirtualHosts
 ... waiting [Thu Oct 14 10:44:05 2010] [warn] VirtualHost collider.physics.tamu.edu:443 overlaps with VirtualHost www.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:05 2010] [warn] VirtualHost www.physics.tamu.edu:443 overlaps with VirtualHost collider.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:05 2010] [warn] VirtualHost webmail.physics.tamu.edu:443 overlaps with VirtualHost webmail.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:05 2010] [warn] VirtualHost webmail.physics.tamu.edu:80 overlaps with VirtualHost webmail.physics.tamu.edu:80, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:05 2010] [warn] VirtualHost tasks.physics.tamu.edu:443 overlaps with VirtualHost tasks.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:05 2010] [warn] VirtualHost tasks.physics.tamu.edu:80 overlaps with VirtualHost tasks.physics.tamu.edu:80, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:05 2010] [warn] VirtualHost physics.tamu.edu:443 overlaps with VirtualHost physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:05 2010] [warn] VirtualHost collider.physics.tamu.edu:443 overlaps with VirtualHost www.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:05 2010] [warn] NameVirtualHost *:443 has no VirtualHosts
[Thu Oct 14 10:44:05 2010] [warn] NameVirtualHost *:443 has no VirtualHosts
[Thu Oct 14 10:44:05 2010] [warn] NameVirtualHost *:80 has no VirtualHosts
[Thu Oct 14 10:44:05 2010] [warn] NameVirtualHost *:80 has no VirtualHosts

Contents of 00-virtualhosts.conf:

Code:

NameVirtualHost *:80
NameVirtualHost *:443

# Virtualhost definition are in a site-specific file.

Contents of conf.d/collider.physics.tamu.edu:

Code:

<VirtualHost *:80>
        ServerAdmin support@physics.tamu.edu
        ServerName collider.physics.tamu.edu
        ServerAlias Collider collider
        DocumentRoot /var/www/collider/htdocs/
        ScriptAlias /cgi-bin/ /var/www/collider/cgi-bin/

        Redirect permanent /internal https://collider.physics.tamu.edu/internal

        <Directory /var/www/collider.physics.tamu.edu/internal/>
                AuthType Basic
                AuthName "Collider Internal"
                AuthPAM_Enabled On
                AuthBasicAuthoritative off
                Require valid-user
        </Directory>
</VirtualHost>

<VirtualHost collider.physics.tamu.edu:443>
        ServerAdmin support@physics.tamu.edu
        ServerName collider.physics.tamu.edu
        ServerAlias Collider collider
        DocumentRoot /var/www/collider/htdocs/
        ScriptAlias /cgi-bin/ /var/www/collider/cgi-bin/

        <Directory /var/www/collider.physics.tamu.edu/internal/>
                AuthType Basic
                AuthName "Department of Physics"
                AuthPAM_Enabled On
                AuthBasicAuthoritative off
                Require valid-user
        </Directory>

        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
        SSLCertificateFile              /etc/apache2/ssl.crt/collider.crt
        SSLCertificateKeyFile           /etc/apache2/ssl.key/collider.key

        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
                SSLOptions +StdEnvVars
        </Files>
        <Directory "/var/www/cgi-bin">
                SSLOptions +StdEnvVars
        </Directory>

        SetEnvIf User-Agent ".*MSIE.*" \
                 nokeepalive ssl-unclean-shutdown \
                 downgrade-1.0 force-response-1.0


</VirtualHost>

Contents of conf.d/physics.tamu.edu:

Code:

<VirtualHost *:80>
    ServerName physics.tamu.edu
    ServerAdmin support@physics.tamu.edu
    ServerAlias www
    DocumentRoot /var/www/www2.physics.tamu.edu/
    ErrorLog /var/log/apache2/www2-error_log
    CustomLog /var/log/apache2/www2-access_log combined
    Options Indexes FollowSymLinks Includes

    ScriptAlias /cgi-bin/ "/var/www/www2.physics.tamu.edu/cgi-bin/"
    Alias /images/ "/var/www/www2.physics.tamu.edu/images/"

    <Directory /var/www/www2.physics.tamu.edu/lib/>
        Order Deny,Allow
        Deny From All
    </Directory>

    Redirect permanent /authentication  https://www.physics.tamu.edu/authentication
    Redirect permanent /BuildingPlans   https://www.physics.tamu.edu/BuildingPlans
    Redirect permanent /data            https://www.physics.tamu.edu/data
    Redirect permanent /ldapadmin       https://www.physics.tamu.edu/ldapadmin
    Redirect permanent /pos/admin       https://www.physics.tamu.edu/pos/admin
    Redirect permanent /squirrelmail    https://www.physics.tamu.edu/squirrelmail
    Redirect permanent /tasks           https://tasks.physics.tamu.edu
    Redirect permanent /services/comp_support/docs  https://physics.tamu.edu/services/comp_support/docs

</VirtualHost>



<VirtualHost physics.tamu.edu:443>
    ServerName physics.tamu.edu
    ServerAdmin support@physics.tamu.edu
    DocumentRoot /var/www/www2.physics.tamu.edu/
    ErrorLog /var/log/apache2/www2-ssl-error_log
    CustomLog /var/log/apache2/www2-ssl-access_log combined
    ScriptAlias /cgi-bin/ "/var/www/www2.physics.tamu.edu/cgi-bin/"
    Alias /images/ "/var/www/www2.physics.tamu.edu/images/"

   SSLEngine on
   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
   SSLCertificateFile           /etc/apache2/ssl.crt/physics.tamu.edu.crt
   SSLCertificateKeyFile                /etc/apache2/ssl.key/physics.key
   SSLCertificateChainFile         /etc/apache2/ssl.bundle/gd_bundle.crt

   SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

   <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
   </Files>
   <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
   </Directory>

so - what am I doing wrong?

prayag_pjs · 10-14-2010, 11:34 AM

If you use same single ip for multiple websites then its named based virtual host.

With name-based virtual hosts, one instance of Apache hosts several domains. You do not need to set up multiple IPs for a machine.

To activate name-based virtual hosts, specify a suitable directive. NameVirtualHost *. * is sufficient to prompt Apache to accept all incoming requests. Subsequently, configure the individual hosts:

Example:

Quote:

<VirtualHost *>
ServerName www.example.com
DocumentRoot /home/www/htdocs/example.com
ServerAdmin webmaster@example.com
ErrorLog /var/log/apache2/www.example.com-error_log
CustomLog /var/log/apache2/www.example.com-access_log common
</VirtualHost>

<VirtualHost *>
ServerName www.myothercompany.com
DocumentRoot /home/www/htdocs/myothercompany.com
ServerAdmin webmaster@myothercompany.com
ErrorLog /var/log/apache2/www.myothercompany.com-error_log
CustomLog /var/log/apache2/www.myothercompany.com-access_log common
</VirtualHost>

IP Based virtual hosting alternative requires the setup of multiple IPs for a machine. In this case, one instance of Apache hosts several domains, each of which is assigned a different IP.

Example:

Quote:

<VirtualHost 192.168.1.20>
ServerName www.myothercompany.com
DocumentRoot /home/www/htdocs/myothercompany.com
ServerAdmin webmaster@myothercompany.com
ErrorLog /var/log/apache2/www.myothercompany.com-error_log
CustomLog /var/log/apache2/www.myothercompany.com-access_log common
</VirtualHost>

<VirtualHost 192.168.1.21>
ServerName www.anothercompany.com
DocumentRoot /home/www/htdocs/anothercompany.com
ServerAdmin webmaster@anothercompany.com
ErrorLog /var/log/apache2/www.anothercompany.com-error_log
CustomLog /var/log/apache2/www.anothercompany.com-access_log common
</VirtualHost>

Quote:

For Apache to host multiple IPs, the underlying machine must accept requests for multiple IPs. This is called multi-IP hosting. For this purpose, IP aliasing must be activated in the kernel.

Once the kernel has been configured for IP aliasing, the commands ifconfig and route can be used to set up additional IPs on the host. These commands must be executed as root. For the following example, it is assumed that the host already has its own IP, such as 192.168.1.10, which is assigned to the network device eth0.

Enter the command ifconfig to find out the IP of the host. Further IPs can be added with commands like the following:

/sbin/ifconfig eth0:0 192.168.1.20
/sbin/ifconfig eth0:1 192.168.1.21

All these IPs are assigned to the same physical network device (eth0).

Noway2 · 10-14-2010, 11:40 AM

Apache can support multiple virtual hosts. The virtual hosts can be on separate IP addresses or you can have one IP address with multiple named virtual hosts. For example, on address 1.2.3.4 you could have server1.domain and server2.domain and serve up different pages. This is achieved by part of the connection process where the desired server is identified by name.

SSL / secure web pages however (port 443 typically) technically don't support this. The reason is that the secure connection is established before the server name is known and the process uses only IP addresses. Consequently, when you try to have multiple named virtual hosts that are secure, you get warnings like you have seen. While it will 'work' in as much as you will get encrypted web sites, only the first declared host will have the 'valid' certificate. Depending on your application, this may or may not be a problem. For example, I run a server for a small e-commerce site and this site has the certificate and it is valid for that site. I also run a named domain on the same server and make it a secured site. It uses the 'wrong' certificate, but as it is my personal web mail, I don't care, but a customer to the e-commerce site would.

There continues to be growing interest in individuals wanting to run multiple secure hosts with one IP and to this end there has been proposals made to change the protocols. For example, the GNU TLS supports a technique called SNI (server name indication) where the requested server name is used as part of the establishment of the secure connection and can support this. Others have patched the SSL libraries to support this functionality too. I had read that future versions of Apache will support this feature, but I don't believe that the present ones do.

Also, when you want to use name virtual hosts (port 80) specify that you have named virtual hosts on port 80 and then declare the virtual hosts by name:80 like you did and then use the server name directive.

Hope this helps clarify what is happening for you.

CNBarnes · 10-14-2010, 11:43 AM

Thank you for the VERY quick response!

Quote:

Originally Posted by prayag_pjs

To activate name-based virtual hosts, specify a suitable directive. NameVirtualHost *.

Where do I put this directive (in the conf.d/00-virtualhosts file?)?

Quote:

IP Based virtual hosting alternative requires the setup of multiple IPs for a machine. In this case, one instance of Apache hosts several domains, each of which is assigned a different IP.

Example:

Actually, MOST of these use the same IP number as the "main site", but there are a couple that use different IPs (which the server is already setup to answer).

CNBarnes · 10-14-2010, 11:45 AM

Quote:

Originally Posted by Noway2

Apache can support multiple virtual hosts. The virtual hosts can be on separate IP addresses or you can have one IP address with multiple named virtual hosts. For example, on address 1.2.3.4 you could have server1.domain and server2.domain and serve up different pages. This is achieved by part of the connection process where the desired server is identified by name.

SSL / secure web pages however (port 443 typically) technically don't support this. The reason is that the secure connection is established before the server name is known and the process uses only IP addresses. Consequently, when you try to have multiple named virtual hosts that are secure, you get warnings like you have seen. While it will 'work' in as much as you will get encrypted web sites, only the first declared host will have the 'valid' certificate. Depending on your application, this may or may not be a problem. For example, I run a server for a small e-commerce site and this site has the certificate and it is valid for that site. I also run a named domain on the same server and make it a secured site. It uses the 'wrong' certificate, but as it is my personal web mail, I don't care, but a customer to the e-commerce site would.

There continues to be growing interest in individuals wanting to run multiple secure hosts with one IP and to this end there has been proposals made to change the protocols. For example, the GNU TLS supports a technique called SNI (server name indication) where the requested server name is used as part of the establishment of the secure connection and can support this. Others have patched the SSL libraries to support this functionality too. I had read that future versions of Apache will support this feature, but I don't believe that the present ones do.

Also, when you want to use name virtual hosts (port 80) specify that you have named virtual hosts on port 80 and then declare the virtual hosts by name:80 like you did and then use the server name directive.

Hope this helps clarify what is happening for you.

prayag_pjs · 10-14-2010, 12:42 PM

Hi,

Hope this link helps you.

http://www.cahilig.net/2008/08/26/ap...g-debianubuntu

prayag_pjs · 10-14-2010, 12:42 PM

Hi,

Hope this link helps you.

http://www.cahilig.net/2008/08/26/ap...g-debianubuntu

CNBarnes · 10-19-2010, 02:39 PM

Ok, I'm back. I read through this stuff and am somewhat more confused than ever. So I'm going to start over - asking a "how would the config file look for this?":

Let's say you have a linux server running apache2, that has 2 ip numbers for
* https://secure1.mydomain.com/ (tied to ip 192.0.0.10)
* https://secure2.mydomain.com/ (tied to ip 192.0.0.11)

In addition, you have 4 other virtual (non secure) sites:
* http://site1.mydomain.com/
* http://site2.mydomain.com/
* http://site3.mydomain.com/
* http://site4.mydomain.com/

What does the config file look like?

prayag_pjs · 10-19-2010, 11:55 PM

Hi,

We have given and you have referred so many sites.

Please give it a try and when you get stuck some where we will help you.

Noway2 · 10-20-2010, 04:28 AM

As a rough template you would have something like the following:

Code:

NameVirtualHost *:80


<VirtualHost 192.0.0.10:443>
        ServerName secure1.mydomain.com
        (Server Directives Here)
</VirtualHost>

<VirtualHost 192.0.0.11:443>
        ServerName secure2.mydomain.com
        (Server Directives Here)
</VirtualHost>

<VirtualHost *:80>
        ServerName site1.mydomain.com
        (Server Directives Here)
</VirtualHost>

What areas you are having confusion about? Perhaps we can help provide a more targeted answer.

CNBarnes · 10-20-2010, 08:14 AM

Quote:

Originally Posted by Noway2

As a rough template you would have something like the following:

Code:

NameVirtualHost *:80
<VirtualHost 192.0.0.10:443>
        ServerName secure1.mydomain.com
        (Server Directives Here)
</VirtualHost>

<VirtualHost 192.0.0.11:443>
        ServerName secure2.mydomain.com
        (Server Directives Here)
</VirtualHost>

<VirtualHost *:80>
        ServerName site1.mydomain.com
        (Server Directives Here)
</VirtualHost>

What areas you are having confusion about? Perhaps we can help provide a more targeted answer.

This is VERY useful. So if I have multiple secure pages (each with their own IP & certificate), I do NOT use

Code:

NameVirtualHost *:443

Correct?

I have a followup question that I think I know the answer to. If secure1 & secure2 also have non-secure pages, I assume I also include

Code:

<VirtualHost *:80>
        ServerName secure1.mydomain.com
        (Server Directives Here)
</VirtualHost>

<VirtualHost *:80>
         ServerName secure2.mydomain.com
         (Server Directives Here)
 </VirtualHost>

Correct?

Followup question 2:
If I have secure pages for for secure1 & secure2, is there any reason to have NON-secure pages?

Noway2 · 10-20-2010, 11:38 AM

To be TECHNICALLY correct, no you don't use NameVirtualHost on 443 (secure servers). This goes back to my original post, that a secure page doesn't resolve based upon name per the SSL protocol. It will work, at least more or less, if you do, but one of the sites won't get the correct certificate and you will get apache warnings.

I think your syntax for followup question1 will work. You can also have <VirtualHost 192.0.0.10:80>. The primary reason you would want to have non secure pages where the encryption isn't required is that the secure pages take a lot more processing overhead, especially on the server. Initially the secure transaction is accomplished using a form of PKI (public key infrastructure) which allows a client to establish a one way encrypted connection and to also verify the authenticity of the host using a 3rd party verification server (such as verisign). This is a slow process which requires a good bit of math. After establishing the secure channel, the encryption is done with temporary synchronous ciphers which are a lot faster. If you get an appreciable amount of traffic establishing all the connections can become an unnecessary burden on your system.