LinuxQuestions.org
Old 09-17-2009, 12:10 PM   #1
vesperto
LQ Newbie
 
Registered: Jun 2006
Location: Portugal
Posts: 10

Rep: Reputation: 0
Juggling HTTP and HTTPS content for multiple virtual hosts.


(i couldn't find similar posts 'cos my browser kept on wanting to download the php file, hmm...)

I have multiple virtual hosts with their domains all under the same IP. Recently i decided to venture into SSL.

All the 4 vhosts are served through HTTP. For two of them, i want HTTPS. This poses an immediate chicken-n-egg problem as one can't have two SSL vhosts under the same ip/port. I won't bring SNI into the subject since that doesn't seem to be mature yet.

I guess i'll hav'em under different ports then, which poses another problem, easier to solve i think, although not elegant. I'd have to direct requests to https://domain.com:unusualPort

Could i have the firewall - i'm using shorewall, so by fw i mean the kernel's pf - do the de/cryption? In that case from the fw to the server the requests could be already in plain text. Just a wild thought.

I've found some links on how to be your own CA and that's what i'll use since these sites aren't (very) commercial. I won't mind about the popup as most users just ignore it anyway.

One issue i stumble upon is content organization. Should i have one single site with regular http content and some other content that's only available through https? It's fairly ok if i'm only filtering with scripting+db, but throwing https into the mix kinda makes things messy if i keep using the same pages for different access levels.

Or should i have the public site - login - the private site? Seems more clean.

What about the files themselves, on the server, should i keep the http site under /whatever/site/ and the https content under /whatever/site/ssl/ ? Or /whatever/site_ssl/ ?

How about the transition? There'll be a login form, of course (and its handling something i should look into better), but should it be served as http and have its action point to https or be served as https directly? Maybe the latter.

I'm mostly sure of the answers, as well as the work it'll imply after work already done. I'd like to hear some opinions though, especially from those who have experience.

I'm using X/HTML, CSS and PHP (5.2.10), maybe some XSLT (much) later. I'm running debian unstable with nginx 8.10 +FastCGI and MySQL 5.1.37. All in UTF-8. I'm not using a CMS but rather doing it almost from scratch (the login system i got elsewhere), since this is academic/hobby work and i want to learn.

Any rtfm links are more than welcome.

TIA,
Nuno
 
Old 09-18-2009, 08:50 PM   #2
jhwilliams
Senior Member
 
Registered: Apr 2007
Location: Portland, OR
Distribution: Debian, Android, LFS
Posts: 1,168

Rep: Reputation: 208
Quote:
Originally Posted by vesperto View Post
This poses an immediate chicken-n-egg problem as one can't have two SSL vhosts under the same ip/port.
But Sir, O, how you can!

Apache would kind of blow, if you couldn't. Here's what I do:

Code:
NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
  ServerName MyReallyFunHost.FunTLD
  # other stuff...
</VirtualHost>

<VirtualHost *:443>
  ServerName ReallyFunSecureHost.FunTLD
  # ... other important stuffz?
</VirtualHost>

<VirtualHost *:443>
  ServerName TotallyDifferentButAlsoReallyFunSecureHost.FunTLD
  # .. other important stuff ... ?
</VirtualHost>

Last edited by jhwilliams; 09-18-2009 at 08:52 PM.
 
Old 09-20-2009, 09:02 AM   #3
vesperto
LQ Newbie
 
Registered: Jun 2006
Location: Portugal
Posts: 10

Original Poster
Rep: Reputation: 0
But... AFAIK SSL encrypts the http header, including the Host:, so you can't know which vhost it belongs to until you decrypt - and you need the vhost's key for that.. 'sides, i'm not using apache, but thanks.
 
Old 09-20-2009, 07:52 PM   #4
jhwilliams
Senior Member
 
Registered: Apr 2007
Location: Portland, OR
Distribution: Debian, Android, LFS
Posts: 1,168

Rep: Reputation: 208
Quote:
Originally Posted by vesperto View Post
But... AFAIK SSL encrypts the http header, including the Host:, so you can't know which vhost it belongs to until you decrypt - and you need the vhost's key for that..
Hm, that does sound like a reasonable explanation of why it shouldn't work. However, lo-and-behold, I run multiple secure vhosts on my box and it Just Works (tm)

Quote:
Originally Posted by vesperto View Post
'sides, i'm not using apache, but thanks.
That's too damn bad.

What are you using though?
 
Old 09-20-2009, 08:29 PM   #5
AlucardZero
Senior Member
 
Registered: May 2006
Location: USA
Distribution: Debian
Posts: 4,652

Rep: Reputation: 536
Quote:
However, lo-and-behold, I run multiple secure vhosts on my box and it Just Works (tm)
How many SSL certs do you have? Do you have a wildcard?
 
Old 09-20-2009, 09:45 PM   #6
jhwilliams
Senior Member
 
Registered: Apr 2007
Location: Portland, OR
Distribution: Debian, Android, LFS
Posts: 1,168

Rep: Reputation: 208
Quote:
Originally Posted by AlucardZero View Post
How many SSL certs do you have? Do you have a wildcard?
It is true that they use the same certificate. And yes, I use the wildcard setup described above.
 
Old 09-21-2009, 05:41 AM   #7
vesperto
LQ Newbie
 
Registered: Jun 2006
Location: Portugal
Posts: 10

Original Poster
Rep: Reputation: 0
Well if it's the same certificate it makes sense
I'm using nginx.

How do you separate public content (http) from private (https)? I.e. how's your login form like? Straight https or the action="" is https?
 
Old 09-21-2009, 07:49 AM   #8
jhwilliams
Senior Member
 
Registered: Apr 2007
Location: Portland, OR
Distribution: Debian, Android, LFS
Posts: 1,168

Rep: Reputation: 208
Quote:
Originally Posted by vesperto View Post
Well if it's the same certificate it makes sense
I'm using nginx.

How do you separate public content (http) from private (https)? I.e. how's your login form like? Straight https or the action="" is https?
I hadn't heard of nginx before -- do you prefer it? What do you like about it?

As for the http/https separation: for certain <Location>'s of my site, I have a redirect like this:

Code:
    RewriteCond %{HTTPS} !=on
    RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [QSA,L,R=permanent]
However, since my vhosts are necessarily bound to either :80 or :443, for "important" stuff (webmail) I just simply don't set up a corresponding HTTP host (which would otherwise serve the same content, unencrypted.)

Last edited by jhwilliams; 09-21-2009 at 07:51 AM.
 
Old 09-22-2009, 05:28 AM   #9
vesperto
LQ Newbie
 
Registered: Jun 2006
Location: Portugal
Posts: 10

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by jhwilliams View Post
I hadn't heard of nginx before -- do you prefer it? What do you like about it?
I haven't used apache extensively so i can't compare them both, however, i am a bit 'allergic' to apache's ubiquity. Not that it's the most widely used - i think that's great for the OS world -, but that everyone in linux assumes you're using it. I also don't like huge applications and apache is pretty big. Silly rant, i know.

From what i've searched around, nginx is much faster and lighter than apache (although with correct versions and modules apache can become almost as fast as nginx), and doesn't have the memory-leak problems lighty has/had. Like i said, this is all hearsay, i haven't personally benchmarked them both, but 99% of the reviews out there praise nginx when compared to apache, as well as with others.

A common approach for big sites is to have nginx as a front end load-balancer and an apache farm in the back end.

For me i like the syntax of the .conf files, the extra modules it has and the very active community.

For you... dunno, try it out
 
Old 10-12-2009, 10:45 AM   #10
vesperto
LQ Newbie
 
Registered: Jun 2006
Location: Portugal
Posts: 10

Original Poster
Rep: Reputation: 0
Btw,

From what i've seen so far, you either use different ports for the same IP, or use SNI. The downside is that server and browser compatibility with SNI isn't all that great yet.
 
Old 10-12-2009, 11:34 AM   #11
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
@vesperto: Not sure if you're still reading this thread (almost a month later), but here are some ideas anyway...

Quote:
Originally Posted by vesperto
I have multiple virtual hosts with their domains all under the same IP. Recently i decided to venture into SSL.

All the 4 vhosts are served through HTTP. For two of them, i want HTTPS. This poses an immediate chicken-n-egg problem as one can't have two SSL vhosts under the same ip/port. I won't bring SNI into the subject since that doesn't seem to be mature yet.
Since we're brainstorming, one option that comes to mind is adding two more http namevirtualhosts that redirect to your https content. i.e.: Requests to http/foo.your.host would be redirected to https/your.host/foo, and requests to http/bar.your.host would be redirected to https/your.host/bar.

I haven't tested this out. Just a thought.
 
  

