So I've racked my brain for the last 24 hours reading and playing with a stock installation of Mandrake Linux 9.2 with MySQL, PHP, and mod_ssl for Apache.
My goal was to get name-based Virtual Hosts working so that multiple domains resolving to my server's Internet routable IP would point to specific folders on my server.
I wanted silly.somedomain.com pointing to /home/silly/www
misc.somedomain.com pointing to /home/misc/www
and harv.somedomain.com pointing to /var/www/html
In Mandrake 9.2 (and I think for 9.1 too), the default installation of Apache includes .conf files in /etc/httpd/conf and /etc/httpd/conf/vhosts and /etc/httpd/conf.d/
Now as seen in many other threads (I'll reference at the end of this post), after you add the VirtualHost directives to /etc/httpd/conf/vhosts/Vhosts.conf in a fashion for name-based virtual hosting, things mess up.
Things mess up after adding the above to Vhosts.conf and restarting httpd. You are only able to access your webpages using https://harv.somedomain.com/
(notice the 's' after http) SSL http protocol. I DON'T want to have to use https to access files in /home/misc/www.
This problem arises because SSL Vhosts is already set up by default when installing Apache with Mandrake 9.2 (though this probably doesn't only apply to Mandrake). Looking at the file /etc/httpd/conf.d/41_mod_ssl.default-vhost.conf you'll see the following near the start of the file:
## SSL Virtual Host Context
# General setup for the virtual host
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
... Many more directives mostly related to SSL and ending with...
The line <VirtualHost _default_:443> appears to be the problem. The constant "_default_" keyword seems to be making the VirtualHost defined in this file (/etc/httpd/conf.d/41_mod_ssl.default-vhost.conf) wrap itself around or override the vhosts defined in /etc/httpd/conf/vhosts/Vhosts.conf, thus making them all use SSL.
Quotes from http://httpd.apache.org/docs-2.0/mod/core.html
The string _default_, which is used only with IP virtual hosting to catch unmatched IP addresses.
I believe _default_ is catching everything because we use the wildcard '*' in Vhosts.conf in the lines:
the special name _default_ can be specified in which case this virtual host will match any IP address that is not explicitly listed in another virtual host. In the absence of any _default_ virtual host the "main" server config, consisting of all those definitions outside any VirtualHost section, is used when no IP-match occurs. (But note that any IP address that matches a NameVirtualHost directive will use neither the "main" server config nor the _default_ virtual host.)
Sounds confusing to me, and the part in brackets seems redundant.
Now the solutions!
First, ensure that Apache is allowed to serve files from /home/users/www (in my case at least). The file /etc/httpd/conf/commonhttpd.conf is set to be restrictive on files outside of /var/www/html.
#Restricted set of options
Options -All -Multiviews
Deny from all
So I added, to commonhttpd.conf, some very lax rules (maybe too lax) on 'www' directories in user accounts.
Options MultiViews -Indexes Includes FollowSymLinks
Allow from all
Now, one way to fix the SSL Vhost configured in /etc/httpd/conf.d/41_mod_ssl.default-vhost.conf is to change the line
to a name that will match a request like
and I added the following line too but it doesn't seem to do much
After doing this I am able to use normal http protocol without SSL to reach:
But it also acts a little strange:
both go to the same page as https://harv.somedomain.com/.
end up going nowhere. Anyone care to explain?
So now only https://harv.somedomain.com/
can use SSL. I've also yet to try accessing these virtual hosts from my LAN which is behind this Linux-based web server/firewall.
Note that this means that only one certificate can be given out among these virtual hosts. But this is a limitation of name-based Virtual hosting and not of my proposed fix. It is a much discussed fact that you need multiple IPs each with their own domain name in order for your server to distribute unique certificates to visitors of those websites, i.e. only one of your virtual hosts using the given external IP can now use SSL.
There is another solution in which you replace the '*' wildcards with the actual numeric IP address in the file /etc/httpd/conf/vhosts/Vhosts.conf. But I believe this is called an IP-based virtual host. I'll test this solution out later... I've already spent too long on this... does anyone have any explanations why what I tried works?
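An added example, not part of the original post: Apache 2.0 lets both NameVirtualHost and each VirtualHost carry an explicit port, which scopes the name-based hosts to port 80 and leaves port 443 to the SSL vhost. The hostnames and paths are the ones from the post; the port-qualified layout and the narrower Directory options are assumptions, not the poster's tested configuration.

```apache
# /etc/httpd/conf/vhosts/Vhosts.conf (added example, Apache 2.0 syntax)
# Name-based hosting is declared for port 80 only, so these hosts make no
# claim on port 443. The SSL vhost in
# /etc/httpd/conf.d/41_mod_ssl.default-vhost.conf keeps its shipped
# <VirtualHost _default_:443> line and is not edited here.
NameVirtualHost *:80

# The first vhost listed is the default for port 80: it answers any request
# whose Host header matches none of the ServerName values below.
<VirtualHost *:80>
    ServerName harv.somedomain.com
    DocumentRoot /var/www/html
</VirtualHost>

<VirtualHost *:80>
    ServerName silly.somedomain.com
    DocumentRoot /home/silly/www
</VirtualHost>

<VirtualHost *:80>
    ServerName misc.somedomain.com
    DocumentRoot /home/misc/www
</VirtualHost>

# Access rules for the per-user web roots (assumed, narrower than the rules
# in the post): no directory listings, no server-side includes, symlinks
# followed only when link and target have the same owner, and no .htaccess
# overrides.
<Directory /home/*/www>
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
```

Running `apachectl configtest` checks the syntax before a restart, and `httpd -S` prints which vhost is bound to each address and port, which shows whether any name-based host still overlaps with port 443.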