Apache2 configuration - help me understand VirtualHost vs NameVirtualHost
Try as I might, figuring out when to use NameVirtualHost vs VirtualHost in Apache2 configuration file has me totally baffled. I am hoping someone can give me a quick primer on the proper way to use them.
My problem is that when I restart apache, I get tons of warnings:
Code:
[Thu Oct 14 10:44:03 2010] [warn] VirtualHost collider.physics.tamu.edu:443 overlaps with VirtualHost www.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:03 2010] [warn] VirtualHost www.physics.tamu.edu:443 overlaps with VirtualHost collider.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:03 2010] [warn] VirtualHost webmail.physics.tamu.edu:443 overlaps with VirtualHost webmail.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:03 2010] [warn] VirtualHost webmail.physics.tamu.edu:80 overlaps with VirtualHost webmail.physics.tamu.edu:80, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:03 2010] [warn] VirtualHost tasks.physics.tamu.edu:443 overlaps with VirtualHost tasks.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:03 2010] [warn] VirtualHost tasks.physics.tamu.edu:80 overlaps with VirtualHost tasks.physics.tamu.edu:80, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:03 2010] [warn] VirtualHost physics.tamu.edu:443 overlaps with VirtualHost physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:03 2010] [warn] VirtualHost collider.physics.tamu.edu:443 overlaps with VirtualHost www.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:03 2010] [warn] NameVirtualHost *:443 has no VirtualHosts
[Thu Oct 14 10:44:03 2010] [warn] NameVirtualHost *:443 has no VirtualHosts
[Thu Oct 14 10:44:03 2010] [warn] NameVirtualHost *:80 has no VirtualHosts
[Thu Oct 14 10:44:03 2010] [warn] NameVirtualHost *:80 has no VirtualHosts
... waiting [Thu Oct 14 10:44:05 2010] [warn] VirtualHost collider.physics.tamu.edu:443 overlaps with VirtualHost www.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:05 2010] [warn] VirtualHost www.physics.tamu.edu:443 overlaps with VirtualHost collider.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:05 2010] [warn] VirtualHost webmail.physics.tamu.edu:443 overlaps with VirtualHost webmail.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:05 2010] [warn] VirtualHost webmail.physics.tamu.edu:80 overlaps with VirtualHost webmail.physics.tamu.edu:80, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:05 2010] [warn] VirtualHost tasks.physics.tamu.edu:443 overlaps with VirtualHost tasks.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:05 2010] [warn] VirtualHost tasks.physics.tamu.edu:80 overlaps with VirtualHost tasks.physics.tamu.edu:80, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:05 2010] [warn] VirtualHost physics.tamu.edu:443 overlaps with VirtualHost physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:05 2010] [warn] VirtualHost collider.physics.tamu.edu:443 overlaps with VirtualHost www.physics.tamu.edu:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 14 10:44:05 2010] [warn] NameVirtualHost *:443 has no VirtualHosts
[Thu Oct 14 10:44:05 2010] [warn] NameVirtualHost *:443 has no VirtualHosts
[Thu Oct 14 10:44:05 2010] [warn] NameVirtualHost *:80 has no VirtualHosts
[Thu Oct 14 10:44:05 2010] [warn] NameVirtualHost *:80 has no VirtualHosts
Contents of 00-virtualhosts.conf:
Code:
NameVirtualHost *:80
NameVirtualHost *:443
# VirtualHost definitions are in a site-specific file.
If you use the same single IP for multiple websites, then it's name-based virtual hosting.
With name-based virtual hosts, one instance of Apache hosts several domains. You do not need to set up multiple IPs for a machine.
To activate name-based virtual hosts, specify a suitable directive: NameVirtualHost *. The * is sufficient to prompt Apache to accept all incoming requests. Subsequently, configure the individual hosts:
The IP-based virtual hosting alternative requires the setup of multiple IPs for a machine. In this case, one instance of Apache hosts several domains, each of which is assigned a different IP.
For Apache to host multiple IPs, the underlying machine must accept requests for multiple IPs. This is called multi-IP hosting. For this purpose, IP aliasing must be activated in the kernel.
Once the kernel has been configured for IP aliasing, the commands ifconfig and route can be used to set up additional IPs on the host. These commands must be executed as root. For the following example, it is assumed that the host already has its own IP, such as 192.168.1.10, which is assigned to the network device eth0.
Enter the command ifconfig to find out the IP of the host. Further IPs can be added with commands like the following:
Apache can support multiple virtual hosts. The virtual hosts can be on separate IP addresses or you can have one IP address with multiple named virtual hosts. For example, on address 1.2.3.4 you could have server1.domain and server2.domain and serve up different pages. This is achieved by part of the connection process where the desired server is identified by name.
SSL / secure web pages however (port 443 typically) technically don't support this. The reason is that the secure connection is established before the server name is known and the process uses only IP addresses. Consequently, when you try to have multiple named virtual hosts that are secure, you get warnings like you have seen. While it will 'work' inasmuch as you will get encrypted web sites, only the first declared host will have the 'valid' certificate. Depending on your application, this may or may not be a problem. For example, I run a server for a small e-commerce site and this site has the certificate and it is valid for that site. I also run a named domain on the same server and make it a secured site. It uses the 'wrong' certificate, but as it is my personal web mail, I don't care, but a customer to the e-commerce site would.
There continues to be growing interest in individuals wanting to run multiple secure hosts with one IP and to this end there have been proposals made to change the protocols. For example, the GNU TLS supports a technique called SNI (server name indication) where the requested server name is used as part of the establishment of the secure connection and can support this. Others have patched the SSL libraries to support this functionality too. I had read that future versions of Apache will support this feature, but I don't believe that the present ones do.
Also, when you want to use name virtual hosts (port 80) specify that you have named virtual hosts on port 80 and then declare the virtual hosts by name:80 like you did and then use the server name directive.
Hope this helps clarify what is happening for you.
Quote:
To activate name-based virtual hosts, specify a suitable directive. NameVirtualHost *.
Where do I put this directive (in the conf.d/00-virtualhosts file?)?
Quote:
The IP-based virtual hosting alternative requires the setup of multiple IPs for a machine. In this case, one instance of Apache hosts several domains, each of which is assigned a different IP.
Example:
Actually, MOST of these use the same IP number as the "main site", but there are a couple that use different IPs (which the server is already set up to answer).
Quote:
Apache can support multiple virtual hosts. The virtual hosts can be on separate IP addresses or you can have one IP address with multiple named virtual hosts. For example, on address 1.2.3.4 you could have server1.domain and server2.domain and serve up different pages. This is achieved by part of the connection process where the desired server is identified by name.
SSL / secure web pages however (port 443 typically) technically don't support this. The reason is that the secure connection is established before the server name is known and the process uses only IP addresses. Consequently, when you try to have multiple named virtual hosts that are secure, you get warnings like you have seen. While it will 'work' inasmuch as you will get encrypted web sites, only the first declared host will have the 'valid' certificate. Depending on your application, this may or may not be a problem. For example, I run a server for a small e-commerce site and this site has the certificate and it is valid for that site. I also run a named domain on the same server and make it a secured site. It uses the 'wrong' certificate, but as it is my personal web mail, I don't care, but a customer to the e-commerce site would.
There continues to be growing interest in individuals wanting to run multiple secure hosts with one IP and to this end there have been proposals made to change the protocols. For example, the GNU TLS supports a technique called SNI (server name indication) where the requested server name is used as part of the establishment of the secure connection and can support this. Others have patched the SSL libraries to support this functionality too. I had read that future versions of Apache will support this feature, but I don't believe that the present ones do.
Also, when you want to use name virtual hosts (port 80) specify that you have named virtual hosts on port 80 and then declare the virtual hosts by name:80 like you did and then use the server name directive.
Hope this helps clarify what is happening for you.
<A light bulb of understanding just went on above my head!>
Ok, I'm back. I read through this stuff and am somewhat more confused than ever. So I'm going to start over - asking a "how would the config file look for this?":
To be TECHNICALLY correct, no you don't use NameVirtualHost on 443 (secure servers). This goes back to my original post, that a secure page doesn't resolve based upon name per the SSL protocol. It will work, at least more or less, if you do, but one of the sites won't get the correct certificate and you will get apache warnings.
I think your syntax for followup question1 will work. You can also have <VirtualHost 192.0.0.10:80>. The primary reason you would want to have non secure pages where the encryption isn't required is that the secure pages take a lot more processing overhead, especially on the server. Initially the secure transaction is accomplished using a form of PKI (public key infrastructure) which allows a client to establish a one way encrypted connection and to also verify the authenticity of the host using a 3rd party verification server (such as VeriSign). This is a slow process which requires a good bit of math. After establishing the secure channel, the encryption is done with temporary synchronous ciphers which are a lot faster. If you get an appreciable amount of traffic, establishing all the connections can become an unnecessary burden on your system.
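An added example, not any poster's own configuration: in Apache 2.2 the address written in each `<VirtualHost>` has to match the `NameVirtualHost` argument exactly, otherwise the "has no VirtualHosts" and "overlaps" warnings from the first post appear. It also shows the IP-based layout for port 443 described in the last reply. Host names are taken from the log above; the 192.0.2.x addresses, DocumentRoot and certificate paths are placeholders.

```apache
# --- Form that produces the warnings in the first post ---------------------
# NameVirtualHost *:80
# <VirtualHost webmail.physics.tamu.edu:80>    (address is not "*:80")
#     ...
# </VirtualHost>
# Apache resolves the host name to an IP, finds no NameVirtualHost for that
# exact address, and reports "NameVirtualHost *:80 has no VirtualHosts" plus
# an "overlaps" warning for every pair of hosts sharing the IP and port.

# --- Name-based hosts on port 80: address matches NameVirtualHost ----------
NameVirtualHost *:80

<VirtualHost *:80>
    # First block listed is the default for unmatched Host headers.
    ServerName   www.physics.tamu.edu
    ServerAlias  physics.tamu.edu
    DocumentRoot /srv/www/placeholder-www
</VirtualHost>

<VirtualHost *:80>
    ServerName   webmail.physics.tamu.edu
    DocumentRoot /srv/www/placeholder-webmail
</VirtualHost>

# --- IP-based hosts on port 443: one address and one certificate per site --
# No NameVirtualHost line for 443; each secure site is selected by its IP,
# so every client is shown the certificate that belongs to that site.
<VirtualHost 192.0.2.10:443>
    ServerName   www.physics.tamu.edu
    DocumentRoot /srv/www/placeholder-www
    SSLEngine on
    SSLCertificateFile    /etc/ssl/placeholder/www.crt
    SSLCertificateKeyFile /etc/ssl/placeholder/www.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName   webmail.physics.tamu.edu
    DocumentRoot /srv/www/placeholder-webmail
    SSLEngine on
    SSLCertificateFile    /etc/ssl/placeholder/webmail.crt
    SSLCertificateKeyFile /etc/ssl/placeholder/webmail.key
</VirtualHost>
```

Running `apachectl -S` (or `httpd -S`) prints the virtual host table as Apache parsed it, which shows which block is the default for each address and port before the server is restarted.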