LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 09-15-2007, 07:34 AM   #1
cbonar
Member
 
Registered: Apr 2004
Location: Paris, FRANCE
Distribution: Kubuntu + Debian
Posts: 53

Rep: Reputation: 15
Question Best apache2 configuration to provide independent services


Hello,

I've read the apache docs, but I don't see any clear explanation on what's the best configuration to provide several independent services with the same web server.

I want for instance to provide some services through https and/or plain http, on the local network and/or the Internet. I want also for instance to be able to deactivate a service without affecting the others or to activate / deactivate a service on http and leave it accessible through https.


My idea was to have one config file in /etc/apache/sites-available for each combination like 'service1-http', 'service1-https', ... so I can enable/disable each one with the 'a2ensite' and 'a2dissite' commands.

But I'm not quite sure it's the best approach (it seems to complexify the configuration rather than simplifying it), or if there's any impact on performances and memory.


Also, I dont want to write the full qualified name of the server in the config files in case it changes in the future.

What's the best approach for this when I want to provide both local and public/remote services ? Do I really need to use virtual hosts ?
 
Old 09-15-2007, 11:00 AM   #2
andyccn
Member
 
Registered: Aug 2006
Distribution: Fedora 7
Posts: 46

Rep: Reputation: 15
Virtual hosts allow you to use a different combination of IP and name-based virtual hosts. If your server only has 1 IP address, and you want to host different domains (e.g. www.site1.com and www.site2.com) then you need to use virtual hosts, otherwise Apache will simply serve the same site out.

One thing to remember with virtual hosts, is when enabled, if Apache can't locate a site/virtual host, it will serve the first configured virtual host in it's config.

What we do here, is define the default DocumentRoot and first virtual host to be a "default" site - look at www.mailnetwork.co.uk. That's a site that's not yet configured on one of our machines - so Apache serves the first virtual host - which is the page you see.

We then have a different configuration file for each domain - e.g. andyshellam.eu has it's own config file, as does mailnetwork.co.uk. The virtual hosts needed for each site are then inside this config file, and they're Include'd into the main httpd.conf file.

As for logging we do the same thing, we have a directory called 'www' in /var/logs, and inside this we have one log file per domain, with the virtual host (%v) at the beginning of each host line (see LogFormat.)

So in /var/logs/www, we have "access.log", "error.log" (which are the default log files) and "access-andyshellam_eu.log", "access-mailnetwork_co_uk.log" and "error-andyshellam_eu.log" etc.

You can have different VirtualHost containers for different ports, although we don't use SSL yet. You could have one set of config files for port 80 virtual hosts, and one for port 443 hosts, and have them in separate folder (e.g. /usr/local/apache2/conf/sites/80, /443 etc.)
 
Old 09-15-2007, 11:58 AM   #3
cbonar
Member
 
Registered: Apr 2004
Location: Paris, FRANCE
Distribution: Kubuntu + Debian
Posts: 53

Original Poster
Rep: Reputation: 15
Thanks for taking time to reply, andyccn.

Do you have any idea on how to make the different services independent on an apache installation (that was the first part of my question) ?
 
Old 09-16-2007, 04:25 AM   #4
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Rep: Reputation: 282Reputation: 282Reputation: 282
No answer to your question, but be aware the each independent secure website (https) needs its own ip address and that you need to use ip-based virtual hosting, not name-based.
 
Old 09-16-2007, 08:58 AM   #5
cbonar
Member
 
Registered: Apr 2004
Location: Paris, FRANCE
Distribution: Kubuntu + Debian
Posts: 53

Original Poster
Rep: Reputation: 15
Well, thanks to point that out Wim, but I'm bit confused about it because I see a lot of <VirtualHost _default_:443> on the Internet, isn't it name based virtual hosting ?

In fact, I read somewhere that, because of the intrinsic nature of SSL (no clue about what, precisely), the virtual hosts should be distinguished using IP addresses, so I'm inclined to trust you, but I've no real explanation for that : do you know of an article/tutorial/... I can read about that ?
 
Old 09-16-2007, 10:25 AM   #6
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Rep: Reputation: 282Reputation: 282Reputation: 282
I know that there is an article somewhere on the Apache website, but I have always problems to find it. The explanation:

https encrypts the (http) data part of the TCP/IP packets. This includes the name of the requested site. Hence apache does not have a way to determine which virtual host to use. However, the ip address of the server is not encrypted as it's not in the data part of the TCP/IP packets and therefore apache can distinguish different sites based on the ip address.
 
Old 09-17-2007, 12:54 PM   #7
andyccn
Member
 
Registered: Aug 2006
Distribution: Fedora 7
Posts: 46

Rep: Reputation: 15
I currently use a name-based virtual host for SSL, and we do in IIS at work - so, yes, you can use name-based virtual hosting for SSL sites too. I believe it's because the web-server does know how to decrypt the packets, because it was the service that encrypted them in the first place.
 
Old 09-17-2007, 01:49 PM   #8
cbonar
Member
 
Registered: Apr 2004
Location: Paris, FRANCE
Distribution: Kubuntu + Debian
Posts: 53

Original Poster
Rep: Reputation: 15
Yes, I've seen it myself working. But there seems to be something very specific with ssl anyway :

I'm using apache2 on debian, and I've installed the phpmyadmin package from the debian repositories. This package creates the file /etc/apache2/conf.d/phpmyadmin which holds the configuration for the phpmyadmin site (alias, etc.).

I've myself created /etc/apache2/sites-available/mysite and /etc/apache2/sites-available/mysite-https to run my own site both on plain http and https.

I've tried several configurations with and without virtual hosts, and it's only working fine when I put a single site in https (whether mysite-https or phpmyadmin by modifying its configuration).

I don't understand what's messing my configuration, because phpmyadmin and mysite are working well together when no ssl is used...

Maybe the problem comes from the order / precedence of the SSL directives ?

The following code is for SSL and is either in phpmyadmin or mysite-https, I even tried to put in both, and also inside / outside of the <VirtualHost> directive.

Code:
        <IfModule mod_ssl.c>
               SSLEngine On
               SSLCertificateFile    /etc/apache2/ssl/apache2.crt
               SSLCertificateKeyFile /etc/apache2/ssl/apache2.key
        </IfModule>
 
Old 09-17-2007, 04:52 PM   #9
andyccn
Member
 
Registered: Aug 2006
Distribution: Fedora 7
Posts: 46

Rep: Reputation: 15
Take a look at these sites I've setup to show how/that it can be done:

https://secure.mailnetwork.co.uk
https://dspam.mailnetwork.co.uk (this site will prompt for a user/pass - just cancel.)

They're both hosted on the same server, using SSL (D-spam uses the same certificate as secure.mailnetwork.co.uk.)

Here's the configuration:

In httpd.conf:

Code:
... blah blah ...

NameVirtualHost *:80
NameVirtualHost *:443

# Default virtual host - 'No website is configured at this address'
<VirtualHost *:80>
        DocumentRoot /usr/home/wwwserver/htdocs/_default
</VirtualHost>

# Default virtual host - 'No website is configured at this address'
<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /usr/local/openssl/data/certs/secure.mailnetwork.co.uk.crt
        SSLCertificateKeyFile /usr/local/openssl/data/certs/key.pem
        DocumentRoot /usr/home/wwwserver/htdocs/_default
</VirtualHost>

# Include site-specific config files
Include conf/vsites/mailnetwork.co.uk.conf
In conf/vsites/mailnetwork.co.uk.conf:

Code:
<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /usr/local/openssl/data/certs/secure.mailnetwork.co.uk.crt
        SSLCertificateKeyFile /usr/local/openssl/data/certs/key.pem

        ServerName secure.mailnetwork.co.uk
        DocumentRoot /path/to/secure
</VirtualHost>

<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /usr/local/openssl/data/certs/secure.mailnetwork.co.uk.crt
        SSLCertificateKeyFile /usr/local/openssl/data/certs/key.pem

        ServerName dspam.mailnetwork.co.uk
        DocumentRoot /path/to/dspam
</VirtualHost>
Hope this helps.

Andy
 
Old 09-17-2007, 04:54 PM   #10
andyccn
Member
 
Registered: Aug 2006
Distribution: Fedora 7
Posts: 46

Rep: Reputation: 15
Quick note:

I don't use many conditional IfModule statements as our standard build includes the modules we need anyway.

Try putting your SSL directives outside of the IfModule statement and see what you get.
Also try using <IfModule ssl_module> instead.
 
Old 09-29-2007, 05:07 AM   #11
cbonar
Member
 
Registered: Apr 2004
Location: Paris, FRANCE
Distribution: Kubuntu + Debian
Posts: 53

Original Poster
Rep: Reputation: 15
Post

This configuration doesn't work with me, there must be some slight difference somewhere but I can't find it...

Aynway I've set up a temporary solution using one Include directive per service I want to provide.

There are only two virtual hosts : one http only and one with ssl, and in each one I include the configurations for the services I want, which are distinguished by their path (e.g. /service1, /service2).

Code:
<VirtualHost _default_:80>
...
    Include services/service1.conf
    Include services/service2.conf
...
</VirtualHost>
Code:
<VirtualHost _default_:443>
...
    Include services/service1.conf
    Include services/service3.conf
...
</VirtualHost>
One problem is that I cannot enable/disable a given service without editing the config of the server (by adding/removing the corresponding Include directive).
I tried to make the services as modules so I can use a2enmod/dismod, but then they're enabled/disabled for all hosts.

Another problem is that the services's access rules cannot be clearly detached from their config file.
I want to put all access rules in the virtual host's config because they can be different from one vh to another ; for instance : access is authorized in plain http only from local network or in ssl for everybody.
But if I do that, that means I've to have knowledge of the paths defined in the module, in order to give or deny access to them.
 
Old 09-29-2007, 12:49 PM   #12
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Rep: Reputation: 282Reputation: 282Reputation: 282
Quote:
Originally Posted by andyccn View Post
Take a look at these sites I've setup to show how/that it can be done:

https://secure.mailnetwork.co.uk
https://dspam.mailnetwork.co.uk (this site will prompt for a user/pass - just cancel.)

They're both hosted on the same server, using SSL (D-spam uses the same certificate as secure.mailnetwork.co.uk.)

Here's the configuration:

In httpd.conf:

Code:
... blah blah ...

NameVirtualHost *:80
NameVirtualHost *:443

# Default virtual host - 'No website is configured at this address'
<VirtualHost *:80>
        DocumentRoot /usr/home/wwwserver/htdocs/_default
</VirtualHost>

# Default virtual host - 'No website is configured at this address'
<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /usr/local/openssl/data/certs/secure.mailnetwork.co.uk.crt
        SSLCertificateKeyFile /usr/local/openssl/data/certs/key.pem
        DocumentRoot /usr/home/wwwserver/htdocs/_default
</VirtualHost>

# Include site-specific config files
Include conf/vsites/mailnetwork.co.uk.conf
In conf/vsites/mailnetwork.co.uk.conf:

Code:
<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /usr/local/openssl/data/certs/secure.mailnetwork.co.uk.crt
        SSLCertificateKeyFile /usr/local/openssl/data/certs/key.pem

        ServerName secure.mailnetwork.co.uk
        DocumentRoot /path/to/secure
</VirtualHost>

<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /usr/local/openssl/data/certs/secure.mailnetwork.co.uk.crt
        SSLCertificateKeyFile /usr/local/openssl/data/certs/key.pem

        ServerName dspam.mailnetwork.co.uk
        DocumentRoot /path/to/dspam
</VirtualHost>
Hope this helps.

Andy
You're using subdomains and (I assume) a wildcard certificate in which case you can use a single IP address. That will not work for different domains. The visitor will get warnings that the certificate does not belong to the site.
 
Old 09-30-2007, 05:01 AM   #13
andyccn
Member
 
Registered: Aug 2006
Distribution: Fedora 7
Posts: 46

Rep: Reputation: 15
Quote:
Originally Posted by Wim Sturkenboom View Post
You're using subdomains and (I assume) a wildcard certificate in which case you can use a single IP address. That will not work for different domains. The visitor will get warnings that the certificate does not belong to the site.
For the moment, we're using a self-signed certificate, when we get a verified certificate it will just be for the domain secure.mailnetwork.co.uk.

Saying that, I don't know why dspam.mailnetwork.co.uk is set up as a secure site, as there's a redirect on the insecure site dspam.mailnetwork.co.uk which redirects to https://secure.mailnetwork.co.uk/dspam.

I'll change that.
 
  


Reply

Tags
apache, apache2, configuration, services, virtualhost


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: GigaSpaces to Provide Solutions for Distributed, Financial Services Applications With HP LXer Syndicated Linux News 0 06-22-2006 12:33 PM
LXer: Open-Xchange partners with InTech-Solutions to provide Professional Services for OX 5.0, the Leading Messaging and Collaboration Solution LXer Syndicated Linux News 0 06-14-2006 07:21 AM
LXer: Parameg.net provide non-stop services for Linux Technologies LXer Syndicated Linux News 0 04-17-2006 03:33 AM
Any GUI for services configuration Biased turkey Slackware 8 09-23-2004 05:51 PM
apache2 configuration e1000 Linux - Networking 1 01-27-2004 11:23 PM


All times are GMT -5. The time now is 10:42 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration