LinuxQuestions.org

Silly22 12-12-2003 07:24 PM

Solutions to Apache SSL Virtual Host woes (for dynamic IP too)
 
So I've wracked my brain for the last 24 hours reading and playing with a stock installation of Mandrake Linux 9.2 with MySQL, PHP, and mod_ssl for apache.

My goal was to get name-based Virtual Hosts working so that multiple domains resolving to my server's Internet routable IP would point to specific folders on my server.

I wanted silly.somedomain.com pointing to /home/silly/www
misc.somedomain.com pointing to /home/misc/www
and harv.somedomain.com pointing to /var/www/html

In Mandrake 9.2 (and I think for 9.1 too), the default installation of Apache includes .conf files in /etc/httpd/conf, /etc/httpd/conf/vhosts and /etc/httpd/conf.d/

Now, as seen in many other threads (I'll reference them at the end of this post), after you add the VirtualHost directives to /etc/httpd/conf/vhosts/Vhosts.conf in a fashion for name-based virtual hosting, things mess up.

Code:

NameVirtualHost *
<VirtualHost *>
DocumentRoot /var/www/html
ServerName harv.somedomain.com
</VirtualHost>

<VirtualHost *>
DocumentRoot /home/misc/www
ServerName misc.somedomain.com
</VirtualHost>

<VirtualHost *>
DocumentRoot /home/silly/www
ServerName silly.somedomain.com
</VirtualHost>

Things mess up after adding the above to Vhosts.conf and restarting httpd. You are only able to access your webpages using https://harv.somedomain.com/ (notice the 's' after http), i.e. the SSL HTTP protocol. I DON'T want to have to use https to access files in /home/misc/www.
This problem arises because SSL vhosts are already set up by default when installing Apache with Mandrake 9.2 (though this probably doesn't only apply to Mandrake). Looking at the file /etc/httpd/conf.d/41_mod_ssl.default-vhost.conf you'll see the following near the start of the file:

Code:

<IfModule mod_ssl.c>

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

#  General setup for the virtual host

DocumentRoot "/var/www/html"
#ServerName localhost:443
#ServerAdmin root@localhost
ErrorLog logs/ssl_error_log
<IfModule mod_log_config.c>
TransferLog logs/ssl_access_log
</IfModule>
#  SSL Engine Switch:
#  Enable/Disable SSL for this virtual host.

SSLEngine on

... Many more directives mostly related to SSL and ending with...

</VirtualHost>
</IfModule>

The line <VirtualHost _default_:443> appears to be the problem. The constant "_default_" keyword seems to be making the VirtualHost defined in this file (/etc/httpd/conf.d/41_mod_ssl.default-vhost.conf) wrap itself around or override the vhosts defined in /etc/httpd/conf/vhosts/Vhosts.conf, thus making them all use SSL.
Quotes from http://httpd.apache.org/docs-2.0/mod/core.html:
Quote:

The string _default_, which is used only with IP virtual hosting to catch unmatched IP addresses.
I believe _default_ is catching everything because we use the wildcard '*' in Vhosts.conf in the lines:
NameVirtualHost *
<VirtualHost *>

Quote:

the special name _default_ can be specified in which case this virtual host will match any IP address that is not explicitly listed in another virtual host. In the absence of any _default_ virtual host the "main" server config, consisting of all those definitions outside any VirtualHost section, is used when no IP-match occurs. (But note that any IP address that matches a NameVirtualHost directive will use neither the "main" server config nor the _default_ virtual host.)
Sounds confusing to me, and the part in brackets seems redundant.

Now the solutions!
First, ensure that Apache is allowed to serve files from /home/users/www (in my case at least). The file /etc/httpd/conf/commonhttpd.conf is set to be restrictive on files outside of /var/www/html.
Code:

#Restricted set of options
<Directory />
  Options -All -Multiviews
  AllowOverride None
  <IfModule mod_access.c>
    Order deny,allow
    Deny from all
  </IfModule>
</Directory>

So I added, to commonhttpd.conf, some very lax rules (maybe too lax) on 'www' directories in user accounts.
Code:

<Directory /home/*/www>
    AllowOverride All
    Options MultiViews -Indexes Includes FollowSymLinks
    <IfModule mod_access.c>
      Order allow,deny
      Allow from all
    </IfModule>
</Directory>

Now, one way to fix the SSL vhost configured in /etc/httpd/conf.d/41_mod_ssl.default-vhost.conf is to change the line
Code:

<VirtualHost _default_:443>

to a name that will match a request, like:

<VirtualHost harv.somedomain.com:443>

I added the following line too, but it doesn't seem to do much:

ServerName harv.somedomain.com:443

After doing this I am able to use normal http protocol without SSL to reach:
http://silly.somedomain.com/
http://misc.somedomain.com/
http://harv.somedomain.com/
https://harv.somedomain.com/

But it also acts a little strange:
https://silly.somedomain.com/ and
https://misc.somedomain.com/
both go to the same page as https://harv.somedomain.com/.
However, https://silly.somedomain.com/webpage.html and https://misc.somedomain.com/webpage2.html end up going nowhere. Anyone care to explain?

So now only https://harv.somedomain.com/ can use SSL. I've also yet to try accessing these virtual hosts from my LAN which is behind this Linux-based web server/firewall.

Note that this means that only one certificate can be given out among these virtual hosts. But this is a limitation of name-based virtual hosting and not of my proposed fix. It is a much discussed fact that you need multiple IPs, each with their own domain name, in order for your server to distribute unique certificates to visitors of those websites, i.e. only one of your virtual hosts using the given external IP can now use SSL.

There is another solution in which you replace the '*' wildcards with the actual numeric IP address in the file /etc/httpd/conf/vhosts/Vhosts.conf. But I believe this is called an IP-based virtual host. I'll test this solution out later... I've already spent too long on this... does anyone have any explanations why what I tried works?

Related threads:
http://www.linuxquestions.org/questi...tualhost+https
http://www.linuxquestions.org/questi...625#post193625
http://www.linuxquestions.org/questi...tualhost+https
http://www.mail-archive.com/modssl-u.../msg16357.html
http://www.linuxquestions.org/questi...tualhost+https
http://www.linuxquestions.org/questi...tualhost+https
http://www.linuxquestions.org/questi...135#post410135

Silly22 12-22-2003 01:24 AM

OK, now I've tried the other method, and after 2-3 hours of screwing around with the Vhosts.conf file and the 41_mod_ssl.default-vhost.conf, I've finally figured it out. This method works best with a static IP.

In the file /etc/httpd/conf/vhosts/Vhosts.conf, replace the '*'s (asterisks) with your IP and port 80 like below:
Code:

NameVirtualHost XXX.XXX.XXX.201:80
<VirtualHost XXX.XXX.XXX.201:80>
DocumentRoot /var/www/html
ServerName harv.somedomain.com:80
</VirtualHost>

<VirtualHost XXX.XXX.XXX.201:80>
DocumentRoot /home/misc/www
ServerName misc.somedomain.com:80
</VirtualHost>

etc.

And then you'll have another name-based virtual host, specifically for connections to port 443 (https, SSL), in the file /etc/httpd/conf.d/41_mod_ssl.default-vhost.conf:
Code:

<IfModule mod_ssl.c>

##
## SSL Virtual Host Context
##

# NameVirtualHost is added to match https connections to this IP
# (Apache does not accept comments at the end of a directive line, so they go on their own lines)
NameVirtualHost XXX.XXX.XXX.201:443
# this replaces <VirtualHost _default_:443>
<VirtualHost XXX.XXX.XXX.201:443>
DocumentRoot /var/www/html
ServerName harv.somedomain.com:443

...Other directives in this file...

</VirtualHost>
</IfModule>

Mandrake Linux 9.2 has a pretty confusing default installation for Apache... I hope this helps people out.
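As an added illustration that is not part of this thread (the code and the placeholder IP 192.0.2.1 are mine, not Silly22's files), here is a small Python model of the vhost-selection order quoted above from the Apache 2.0 docs, assuming, as those docs describe for `*`, that an address spec with no port covers every port. Applied to the first post's layout it shows the `*` name-based group and the stock `_default_:443` SSL vhost competing for port 443; with the second post's IP:80 / IP:443 split, each port has exactly one owner.

```python
import re
# Constructed sample config with a placeholder IP (added example, not the thread's files).
# CONF_A mirrors the first attempt: wildcard name-based vhosts beside the stock _default_:443 SSL vhost.
CONF_A = """NameVirtualHost *
<VirtualHost *>
DocumentRoot /var/www/html
ServerName harv.somedomain.com
</VirtualHost>
<VirtualHost *>
DocumentRoot /home/misc/www
ServerName misc.somedomain.com
</VirtualHost>
<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
SSLEngine on
</VirtualHost>
"""
# CONF_B applies the second post's fix: explicit IP:80 for the name-based group and the
# SSL vhost pinned to IP:443, so the two groups no longer claim the same port.
CONF_B = CONF_A.replace("*", "192.0.2.1:80").replace("_default_:443", "192.0.2.1:443")

def spec(s):  # '*' -> ('*', '*'); '_default_:443' -> ('_default_', '443'); no port = all ports
    addr, _, port = s.partition(":")
    return addr, port or "*"
def parse(cfg):  # NameVirtualHost specs plus the few per-VirtualHost directives used here
    name_based, vhosts, cur = [], [], None
    for line in cfg.splitlines():
        m = re.match(r'(NameVirtualHost|<VirtualHost|ServerName|DocumentRoot|SSLEngine)\s+"?([^\s">]+)', line)
        if m and m.group(1) == "NameVirtualHost":
            name_based.append(spec(m.group(2)))
        elif m and m.group(1) == "<VirtualHost":
            vhosts.append(cur := {"spec": spec(m.group(2)), "SSLEngine": "off"})
        elif m and cur:
            cur[m.group(1)] = m.group(2).split(":")[0]  # ServerName may carry a :port suffix
    return name_based, vhosts
def resolve(cfg, ip, port, host):
    """Vhost for a request on ip:port with Host header `host`, in the documented order: the name-based
    group whose NameVirtualHost covers the address (Host match, else the first listed), then the first
    IP vhost covering it, then a _default_ vhost for that port, else None for the main server."""
    name_based, vhosts = parse(cfg)
    covers = lambda s: s[0] in ("*", ip) and s[1] in ("*", str(port))
    for s in name_based:
        if covers(s):
            group = [v for v in vhosts if v["spec"] == s]
            return next((v for v in group if v.get("ServerName") == host), group[0])
    for v in vhosts:
        if v["spec"][0] != "_default_" and covers(v["spec"]): return v
    for v in vhosts:
        if v["spec"][0] == "_default_" and v["spec"][1] in ("*", str(port)): return v
    return None
```

On a real server the equivalent check is `httpd -S` (or `apachectl -S`), which prints the parsed vhost table and which definition owns each address:port.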

ronpeled 10-14-2009 05:07 PM

Thanks - totally resolved my issue!
 
Thanks Silly22, your solution helped me save a couple of hours. If only I had seen this yesterday...

I ended up using your first method just because it suited my project best. Thanks!
