Apache2 configuration - help me understand VirtualHost vs NameVirtualHost
Try as I might, figuring out when to use NameVirtualHost vs VirtualHost in an Apache2 configuration file has me totally baffled. I am hoping someone can give me a quick primer on the proper way to use them.
My setup: Debian 5 running Apache2 server. 1 server has roughly 50 different websites running on it. E.g. the main site is http://physics.tamu.edu. Going to www.physics should display the same page. Going to http://astronomy.physics.tamu.edu should show (and does) that site. Going to http://physicsfestival.tamu.edu should (and does) go to that site. My problem is that when I restart apache, I get tons of warnings:
Code:
[Thu Oct 14 10:44:03 2010] [warn] VirtualHost collider.physics.tamu.edu:443 overlaps with VirtualHost www.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
Code:
NameVirtualHost *:80
Code:
<VirtualHost *:80>
Code:
<VirtualHost *:80>
so - what am I doing wrong? |
If you use the same single IP for multiple websites then it's a name-based virtual host.
With name-based virtual hosts, one instance of Apache hosts several domains. You do not need to set up multiple IPs for a machine. To activate name-based virtual hosts, specify a suitable directive: NameVirtualHost *. The * is sufficient to prompt Apache to accept all incoming requests. Subsequently, configure the individual hosts: Example: Quote:
|
Apache can support multiple virtual hosts. The virtual hosts can be on separate IP addresses or you can have one IP address with multiple named virtual hosts. For example, on address 1.2.3.4 you could have server1.domain and server2.domain and serve up different pages. This is achieved by part of the connection process where the desired server is identified by name.
SSL / secure web pages, however (port 443 typically), technically don't support this. The reason is that the secure connection is established before the server name is known and the process uses only IP addresses. Consequently, when you try to have multiple named virtual hosts that are secure, you get warnings like you have seen. While it will 'work' in as much as you will get encrypted web sites, only the first declared host will have the 'valid' certificate.
Depending on your application, this may or may not be a problem. For example, I run a server for a small e-commerce site and this site has the certificate and it is valid for that site. I also run a named domain on the same server and make it a secured site. It uses the 'wrong' certificate, but as it is my personal web mail, I don't care, but a customer to the e-commerce site would.
There continues to be growing interest in individuals wanting to run multiple secure hosts with one IP and to this end there have been proposals made to change the protocols. For example, GNU TLS supports a technique called SNI (server name indication) where the requested server name is used as part of the establishment of the secure connection and can support this. Others have patched the SSL libraries to support this functionality too. I had read that future versions of Apache will support this feature, but I don't believe that the present ones do.
Also, when you want to use name virtual hosts (port 80), specify that you have named virtual hosts on port 80 and then declare the virtual hosts by name:80 like you did and then use the server name directive. Hope this helps clarify what is happening for you. |
Thank you for the VERY quick response!
|
<A light bulb of understanding just went on above my head!> |
Ok, I'm back. I read through this stuff and am somewhat more confused than ever. So I'm going to start over - asking a "how would the config file look for this?":
Let's say you have a linux server running apache2, that has 2 ip numbers for
* https://secure1.mydomain.com/ (tied to ip 192.0.0.10)
* https://secure2.mydomain.com/ (tied to ip 192.0.0.11)
In addition, you have 4 other virtual (non secure) sites:
* http://site1.mydomain.com/
* http://site2.mydomain.com/
* http://site3.mydomain.com/
* http://site4.mydomain.com/
What does the config file look like? |
Hi,
We have given and you have referred to so many sites. Please give it a try and when you get stuck somewhere we will help you. |
As a rough template you would have something like the following:
Code:
NameVirtualHost *:80 |
This is VERY useful. So if I have multiple secure pages (each with their own IP & certificate), I do NOT use
Code:
NameVirtualHost *:443
I have a followup question that I think I know the answer to. If secure1 & secure2 also have non-secure pages, I assume I also include
Code:
<VirtualHost *:80>
Followup question 2: If I have secure pages for secure1 & secure2, is there any reason to have NON-secure pages? |
To be TECHNICALLY correct, no you don't use NameVirtualHost on 443 (secure servers). This goes back to my original post, that a secure page doesn't resolve based upon name per the SSL protocol. It will work, at least more or less, if you do, but one of the sites won't get the correct certificate and you will get apache warnings.
I think your syntax for followup question1 will work. You can also have <VirtualHost 192.0.0.10:80>. The primary reason you would want to have non secure pages where the encryption isn't required is that the secure pages take a lot more processing overhead, especially on the server. Initially the secure transaction is accomplished using a form of PKI (public key infrastructure) which allows a client to establish a one way encrypted connection and to also verify the authenticity of the host using a 3rd party verification server (such as verisign). This is a slow process which requires a good bit of math. After establishing the secure channel, the encryption is done with temporary synchronous ciphers which are a lot faster. If you get an appreciable amount of traffic establishing all the connections can become an unnecessary burden on your system. |
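The layout asked about earlier in the thread (two SSL sites on their own IPs plus name-based sites on port 80), written out as an added example that is not part of any post in this thread. It uses Apache 2.2 syntax as shipped with Debian 5; the DocumentRoot and certificate paths are placeholders.

```apache
# Added example, not from the thread. All paths below are placeholders.
# On Debian the Listen lines normally live in /etc/apache2/ports.conf.
Listen 80
Listen 443

# Port 80: one name-based pool, the Host header selects the site.
# Needed on Apache 2.2; Apache 2.4 deprecates and ignores this directive.
NameVirtualHost *:80

# The first *:80 block also answers requests whose Host matches nothing.
<VirtualHost *:80>
    ServerName site1.mydomain.com
    DocumentRoot /var/www/site1
</VirtualHost>

<VirtualHost *:80>
    ServerName site2.mydomain.com
    DocumentRoot /var/www/site2
</VirtualHost>

# site3 and site4 repeat the same pattern.

# Non-secure pages of a secure site join the same name-based pool.
<VirtualHost *:80>
    ServerName secure1.mydomain.com
    DocumentRoot /var/www/secure1
</VirtualHost>

# Port 443: IP-based, no NameVirtualHost. Exactly one host and one
# certificate per address, so the two blocks never overlap.
<VirtualHost 192.0.0.10:443>
    ServerName secure1.mydomain.com
    DocumentRoot /var/www/secure1
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/secure1.placeholder.pem
    SSLCertificateKeyFile /etc/ssl/private/secure1.placeholder.key
</VirtualHost>

<VirtualHost 192.0.0.11:443>
    ServerName secure2.mydomain.com
    DocumentRoot /var/www/secure2
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/secure2.placeholder.pem
    SSLCertificateKeyFile /etc/ssl/private/secure2.placeholder.key
</VirtualHost>
```

Running `apache2ctl -S` prints the parsed virtual host map, which shows which address:port pairs are name-based and which host is the default for each before you restart.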