Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have many domains in one machine (virtual hosts) and one required SSL.
I got my cert from Thawte.
As I link to my cert via ssl.conf, if I were to need SSL for my other domains, how should I do it? I read somewhere that it can't be done for cert from CAs, but self-signed possible.. anyone?
I link to my ssl via ssl.conf under the option SSLCertificateFile.
I commented the default one (server.key) and linked to mine own one (domainname.com.key)
You can have multiple certs, you need a separate IP address for each website and then in httpd.conf you can set up IP-based virtual hosts. Name based birtual hosts will not work with the secure protocol
Originally posted by phil.d.g You can have multiple certs, you need a separate IP address for each website and then in httpd.conf you can set up IP-based virtual hosts. Name based birtual hosts will not work with the secure protocol
Currently I am having 1 physical machine with many virtual host: that is consider named-based hosting with virtual host is it? not sure if the terminology used is right here...
So basically.. means I can't? Trying to find proper documentation to show my superior on this... only found one out dated one that talks about it
You can have many IP addresses point to your physical machine. My ISP have assigned me a block of 8 IPs that all point to my router for example. If you only have the 1 IP then you are stuck with namebased virtual hosting and can't have multiple secure virtual hosts on your machine.
IP based virtual hosts is where apache decides which wesbite to serve dependant on which IP the browser used to access the site.
Name based virtual hosts is where apache decides which website to serve dependant on the actual domain specified in the address bar of the browser, this only works with the newer http/1.1 version, which most browsers support anyway. Normally in this case all domains hosted on the server have A records pointing to the same IP
You'll find a section in ssl.conf if using apache2 or at the bottom of httpd.conf if using apache1.3 like:
Code:
<VirtualHost _default_:443>
...
lots of options
...
<VirtualHost>
Copy and paste the whole section and for the second change the options to point to the new certificates and wesbite content, for both virtual hosts change _default_ in the line <VirtualHost _default_:443> to one of your allocated IPs and check in httpd.conf that apache is listening on all IPs and restricted to 1.
Originally posted by phil.d.g You'll find a section in ssl.conf if using apache2 or at the bottom of httpd.conf if using apache1.3 like:
Code:
<VirtualHost _default_:443>
...
lots of options
...
<VirtualHost>
Copy and paste the whole section and for the second change the options to point to the new certificates and wesbite content, for both virtual hosts change _default_ in the line <VirtualHost _default_:443> to one of your allocated IPs and check in httpd.conf that apache is listening on all IPs and restricted to 1.
oooh so 2 sets of options for 2 host with different IPs?
then whats the diff if i specify the .key and .crt in this ssl.conf, as compared to specifiying it in httpd.conf?
Mine current config is such that... in httpd.conf for one of the virtual host...
1) SSL Engine is off in httpd.conf, ssl still works somehow??
2) I point directly to the document root, sslcert and sslkey... correct? because httpd.conf i specify also... double job? Initialy I had problem with ssl as i configure httpd.conf only, but after i configure ssl.conf it works. seems like configuring in httpd.conf don make any effect?
and it was through configuring this i realise... works only for one virutal host...
3) my cert is www2.domain.com.sg, as i was told must be same name as domain, but if i have a different alias as in this case www.domain.com, how? will it still work?
4) SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
what does it mean?
5) so must these settings be same for ssl.conf and httpd.conf ??
no, if you have a ssl.conf file then put all your configuration in there, in httpd.conf it will include the file ssl.conf, only in earlier versions of apache you didn't get a ssl.conf, everything was put into httpd.conf. Just to make myself clear if there is a ssl.conf file then put everything to do with ssl in that and not httpd.conf.
If you have an alias and set it up correctly it should go to the right site but you will get an error similar to this image. I'll leave that image on my server for a couple of days only.
I'm not entirely sure what the line in 4 does, alls I know it is required for internet explorer, its due to a bug or incompatability with Microsoft's browser, I'm not sure which
And to reiterate, since you asked again, the ssl options only go in one of the config files, and only httpd.conf if and only if ssl.conf doesn't exist
Originally posted by phil.d.g no, if you have a ssl.conf file then put all your configuration in there, in httpd.conf it will include the file ssl.conf, only in earlier versions of apache you didn't get a ssl.conf, everything was put into httpd.conf. Just to make myself clear if there is a ssl.conf file then put everything to do with ssl in that and not httpd.conf.
If you have an alias and set it up correctly it should go to the right site but you will get an error similar to this image. I'll leave that image on my server for a couple of days only.
I'm not entirely sure what the line in 4 does, alls I know it is required for internet explorer, its due to a bug or incompatability with Microsoft's browser, I'm not sure which
And to reiterate, since you asked again, the ssl options only go in one of the config files, and only httpd.conf if and only if ssl.conf doesn't exist
Hi saw the image.. meaning to say.. i can't have the ssl cert work for both the actual domain and the alias name? or is there a way around it?
ok, i am using apache2...
hmm so saying that.. the DocumentRoot in ssl.conf will supercede the DocumentRoot in httpd.conf for the name-based virtual host that is ssl-enabled?
Meaning to say, whatever I do in httpd.conf for this virtual host (DocumentRoot, SSLCertificateFile, SSLCertificateKeyFile), as long as I specify it in ssl.conf it will take effect from there?
I certificate is only good for one domain, if you set an alias then try and connect with that alias you will get the message in the link, it doesn't mean that the actual connection is any less secure though, it means that you are connecting to one host but the certificate is for another host. There is no way around this. For every hostname/domain you need a separate cert and and a IP dedicated to that domain.
ssl.conf is included in httpd.conf, see the end of section2 of httpd.conf. You don't want to be setting one host in ssl.conf and the same host in httpd.conf, that will just lead to unpredictable results, well maybe not unpredictable but I don't know which one apache will use, the first settings or the last.
In the earlier 1.3 series of apache there wasn't an ssl.conf, it was all appended to httpd.conf.
Keep all the ssl stuff in ssl.conf and keep the global configuration and virtual hosts (name or IP based) for normal connections (port 80) in httpd.conf
Originally posted by phil.d.g I certificate is only good for one domain, if you set an alias then try and connect with that alias you will get the message in the link, it doesn't mean that the actual connection is any less secure though, it means that you are connecting to one host but the certificate is for another host. There is no way around this. For every hostname/domain you need a separate cert and and a IP dedicated to that domain.
ssl.conf is included in httpd.conf, see the end of section2 of httpd.conf. You don't want to be setting one host in ssl.conf and the same host in httpd.conf, that will just lead to unpredictable results, well maybe not unpredictable but I don't know which one apache will use, the first settings or the last.
In the earlier 1.3 series of apache there wasn't an ssl.conf, it was all appended to httpd.conf.
Keep all the ssl stuff in ssl.conf and keep the global configuration and virtual hosts (name or IP based) for normal connections (port 80) in httpd.conf
Because I was following a document to specify <IfDefine_HAVESSL> in httpd where i set the virtual host... so your recommendation is that I ignore it totally, and just leave everything (virtual host settings) as it is, and not put
- SSLEngine On
- SSLCertificateFile
- SSLCertificateKeyFile
- SetEnvIf User-Agent
if i just have the standard <VirtualHost></VirtualHost> without defining SSL, will the https connection to the particular domain still work?
For the last one, without it in the virtual host area, site won't work in IE...
the SSLEngine... doesn't make any difference...
SSLCertificateFile and SSLCertificateKeyFile
there?
Or I still need it to be there?
For document root, i think i will leave it at the virtual host settings as you mentioned.
Follow the guide you have but instead of editing httpd.conf, edit ssl.conf - you will find all the defaults have been set in there and you can change them to suit your particular environment. It seems with the newest versions of apache they want to separate the ssl config from the rest of the configuration
Originally posted by phil.d.g Follow the guide you have but instead of editing httpd.conf, edit ssl.conf - you will find all the defaults have been set in there and you can change them to suit your particular environment. It seems with the newest versions of apache they want to separate the ssl config from the rest of the configuration
What about SSLEngine On/Off?
And do I still need to define another similiar set of virtual host settings with addiditonal <IfDefine_HAVESSL></IfDefine> tags?
been doing some testing (as I am trying to get the ssl site to work via a load balancer - headache... but fun at the same time)
just did some test and have some thoughts. am i right to say.. if i already have a <Virtualhost> setting for a particular domain, and I want it to have SSL connectivity, i can ignore adding another <VirtualHost> settings with the <IfDefine_HAVESSL> settings? As long as in ssl.conf i point:
correctly, it will automatically allow the SSL connection? No need to create an extra virtual host tage just for port 443 and ssl blah blah?
And if say, I want to allow multiple named based virtual host to have SSL (but only 1 IP - yeah shitty huh), I can spoof it by creating another <virtualhost> in ssl.conf but use another port.. say.. port 444... will it work? if the links are given such as https://domainwithssl.com:444
<If Define SSL> bit tells apache to only use these options if you have issued a `httpd startssl` rather than just `httpd start`, you still need the virtual host bit.
Yes you can have different secure sites on different ports with the same IP, but only 1 secure site per port.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.