Old 09-15-2007, 07:34 AM   #1
cbonar
Member
 
Registered: Apr 2004
Location: Paris, FRANCE
Distribution: Ubuntu
Posts: 54

Rep: Reputation: 16
Best apache2 configuration to provide independent services


Hello,

I've read the apache docs, but I don't see any clear explanation on what's the best configuration to provide several independent services with the same web server.

I want for instance to provide some services through https and/or plain http, on the local network and/or the Internet. I want also for instance to be able to deactivate a service without affecting the others or to activate / deactivate a service on http and leave it accessible through https.


My idea was to have one config file in /etc/apache/sites-available for each combination like 'service1-http', 'service1-https', ... so I can enable/disable each one with the 'a2ensite' and 'a2dissite' commands.

But I'm not quite sure it's the best approach (it seems to complicate the configuration rather than simplifying it), or if there's any impact on performance and memory.


Also, I don't want to write the fully qualified name of the server in the config files in case it changes in the future.

What's the best approach for this when I want to provide both local and public/remote services ? Do I really need to use virtual hosts ?
 
Old 09-15-2007, 11:00 AM   #2
andyccn
Member
 
Registered: Aug 2006
Distribution: Fedora 7
Posts: 46

Rep: Reputation: 15
Virtual hosts allow you to use a different combination of IP and name-based virtual hosts. If your server only has 1 IP address, and you want to host different domains (e.g. www.site1.com and www.site2.com) then you need to use virtual hosts, otherwise Apache will simply serve the same site out.

One thing to remember with virtual hosts is that, when enabled, if Apache can't locate a site/virtual host, it will serve the first configured virtual host in its config.

What we do here, is define the default DocumentRoot and first virtual host to be a "default" site - look at www.mailnetwork.co.uk. That's a site that's not yet configured on one of our machines - so Apache serves the first virtual host - which is the page you see.

We then have a different configuration file for each domain - e.g. andyshellam.eu has its own config file, as does mailnetwork.co.uk. The virtual hosts needed for each site are then inside this config file, and they're Include'd into the main httpd.conf file.

As for logging we do the same thing, we have a directory called 'www' in /var/logs, and inside this we have one log file per domain, with the virtual host (%v) at the beginning of each host line (see LogFormat.)

So in /var/logs/www, we have "access.log", "error.log" (which are the default log files) and "access-andyshellam_eu.log", "access-mailnetwork_co_uk.log" and "error-andyshellam_eu.log" etc.

You can have different VirtualHost containers for different ports, although we don't use SSL yet. You could have one set of config files for port 80 virtual hosts, and one for port 443 hosts, and have them in separate folders (e.g. /usr/local/apache2/conf/sites/80, /443 etc.)
 
Old 09-15-2007, 11:58 AM   #3
cbonar
Member
 
Registered: Apr 2004
Location: Paris, FRANCE
Distribution: Ubuntu
Posts: 54

Original Poster
Rep: Reputation: 16
Thanks for taking time to reply, andyccn.

Do you have any idea on how to make the different services independent on an apache installation (that was the first part of my question) ?
 
Old 09-16-2007, 04:25 AM   #4
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,794

Rep: Reputation: 282
No answer to your question, but be aware that each independent secure website (https) needs its own ip address and that you need to use ip-based virtual hosting, not name-based.
 
Old 09-16-2007, 08:58 AM   #5
cbonar
Member
 
Registered: Apr 2004
Location: Paris, FRANCE
Distribution: Ubuntu
Posts: 54

Original Poster
Rep: Reputation: 16
Well, thanks for pointing that out Wim, but I'm a bit confused about it because I see a lot of <VirtualHost _default_:443> on the Internet, isn't it name based virtual hosting ?

In fact, I read somewhere that, because of the intrinsic nature of SSL (no clue about what, precisely), the virtual hosts should be distinguished using IP addresses, so I'm inclined to trust you, but I've no real explanation for that : do you know of an article/tutorial/... I can read about that ?
 
Old 09-16-2007, 10:25 AM   #6
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,794

Rep: Reputation: 282
I know that there is an article somewhere on the Apache website, but I always have problems finding it. The explanation:

https encrypts the (http) data part of the TCP/IP packets. This includes the name of the requested site. Hence apache does not have a way to determine which virtual host to use. However, the ip address of the server is not encrypted as it's not in the data part of the TCP/IP packets and therefore apache can distinguish different sites based on the ip address.
 
Old 09-17-2007, 12:54 PM   #7
andyccn
Member
 
Registered: Aug 2006
Distribution: Fedora 7
Posts: 46

Rep: Reputation: 15
I currently use a name-based virtual host for SSL, and we do in IIS at work - so, yes, you can use name-based virtual hosting for SSL sites too. I believe it's because the web-server does know how to decrypt the packets, because it was the service that encrypted them in the first place.
 
Old 09-17-2007, 01:49 PM   #8
cbonar
Member
 
Registered: Apr 2004
Location: Paris, FRANCE
Distribution: Ubuntu
Posts: 54

Original Poster
Rep: Reputation: 16
Yes, I've seen it myself working. But there seems to be something very specific with ssl anyway :

I'm using apache2 on debian, and I've installed the phpmyadmin package from the debian repositories. This package creates the file /etc/apache2/conf.d/phpmyadmin which holds the configuration for the phpmyadmin site (alias, etc.).

I've myself created /etc/apache2/sites-available/mysite and /etc/apache2/sites-available/mysite-https to run my own site both on plain http and https.

I've tried several configurations with and without virtual hosts, and it's only working fine when I put a single site in https (whether mysite-https or phpmyadmin by modifying its configuration).

I don't understand what's messing my configuration, because phpmyadmin and mysite are working well together when no ssl is used...

Maybe the problem comes from the order / precedence of the SSL directives ?

The following code is for SSL and is either in phpmyadmin or mysite-https, I even tried to put in both, and also inside / outside of the <VirtualHost> directive.

Code:
        <IfModule mod_ssl.c>
               SSLEngine On
               SSLCertificateFile    /etc/apache2/ssl/apache2.crt
               SSLCertificateKeyFile /etc/apache2/ssl/apache2.key
        </IfModule>
 
Old 09-17-2007, 04:52 PM   #9
andyccn
Member
 
Registered: Aug 2006
Distribution: Fedora 7
Posts: 46

Rep: Reputation: 15
Take a look at these sites I've set up to show how/that it can be done:

https://secure.mailnetwork.co.uk
https://dspam.mailnetwork.co.uk (this site will prompt for a user/pass - just cancel.)

They're both hosted on the same server, using SSL (D-spam uses the same certificate as secure.mailnetwork.co.uk.)

Here's the configuration:

In httpd.conf:

Code:
... blah blah ...

NameVirtualHost *:80
NameVirtualHost *:443

# Default virtual host - 'No website is configured at this address'
<VirtualHost *:80>
        DocumentRoot /usr/home/wwwserver/htdocs/_default
</VirtualHost>

# Default virtual host - 'No website is configured at this address'
<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /usr/local/openssl/data/certs/secure.mailnetwork.co.uk.crt
        SSLCertificateKeyFile /usr/local/openssl/data/certs/key.pem
        DocumentRoot /usr/home/wwwserver/htdocs/_default
</VirtualHost>

# Include site-specific config files
Include conf/vsites/mailnetwork.co.uk.conf

In conf/vsites/mailnetwork.co.uk.conf:

Code:
<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /usr/local/openssl/data/certs/secure.mailnetwork.co.uk.crt
        SSLCertificateKeyFile /usr/local/openssl/data/certs/key.pem

        ServerName secure.mailnetwork.co.uk
        DocumentRoot /path/to/secure
</VirtualHost>

<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /usr/local/openssl/data/certs/secure.mailnetwork.co.uk.crt
        SSLCertificateKeyFile /usr/local/openssl/data/certs/key.pem

        ServerName dspam.mailnetwork.co.uk
        DocumentRoot /path/to/dspam
</VirtualHost>

Hope this helps.

Andy
 
Old 09-17-2007, 04:54 PM   #10
andyccn
Member
 
Registered: Aug 2006
Distribution: Fedora 7
Posts: 46

Rep: Reputation: 15
Quick note:

I don't use many conditional IfModule statements as our standard build includes the modules we need anyway.

Try putting your SSL directives outside of the IfModule statement and see what you get.
Also try using <IfModule ssl_module> instead.
 
Old 09-29-2007, 05:07 AM   #11
cbonar
Member
 
Registered: Apr 2004
Location: Paris, FRANCE
Distribution: Ubuntu
Posts: 54

Original Poster
Rep: Reputation: 16

This configuration doesn't work for me, there must be some slight difference somewhere but I can't find it...

Anyway I've set up a temporary solution using one Include directive per service I want to provide.

There are only two virtual hosts : one http only and one with ssl, and in each one I include the configurations for the services I want, which are distinguished by their path (e.g. /service1, /service2).

Code:
<VirtualHost _default_:80>
...
    Include services/service1.conf
    Include services/service2.conf
...
</VirtualHost>

Code:
<VirtualHost _default_:443>
...
    Include services/service1.conf
    Include services/service3.conf
...
</VirtualHost>

One problem is that I cannot enable/disable a given service without editing the config of the server (by adding/removing the corresponding Include directive).
I tried to make the services as modules so I can use a2enmod/dismod, but then they're enabled/disabled for all hosts.

Another problem is that the services' access rules cannot be clearly detached from their config file.
I want to put all access rules in the virtual host's config because they can be different from one vh to another ; for instance : access is authorized in plain http only from local network or in ssl for everybody.
But if I do that, that means I've to have knowledge of the paths defined in the module, in order to give or deny access to them.
 
Old 09-29-2007, 12:49 PM   #12
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,794

Rep: Reputation: 282
You're using subdomains and (I assume) a wildcard certificate in which case you can use a single IP address. That will not work for different domains. The visitor will get warnings that the certificate does not belong to the site.
 
Old 09-30-2007, 05:01 AM   #13
andyccn
Member
 
Registered: Aug 2006
Distribution: Fedora 7
Posts: 46

Rep: Reputation: 15
Quote:
Originally Posted by Wim Sturkenboom View Post
You're using subdomains and (I assume) a wildcard certificate in which case you can use a single IP address. That will not work for different domains. The visitor will get warnings that the certificate does not belong to the site.

For the moment, we're using a self-signed certificate, when we get a verified certificate it will just be for the domain secure.mailnetwork.co.uk.

Saying that, I don't know why dspam.mailnetwork.co.uk is set up as a secure site, as there's a redirect on the insecure site dspam.mailnetwork.co.uk which redirects to https://secure.mailnetwork.co.uk/dspam.

I'll change that.
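
Added example, not code from any poster in this thread: a small Python check for the point debated in posts #2, #9 and #12, namely which `*:443` virtual host answers a given hostname (falling back to the first one) and whether that host's certificate actually covers the requested name. The config text is constructed from post #9, and `CERT_NAMES` is an assumption based on post #13 (a certificate issued only for secure.mailnetwork.co.uk); the function names are hypothetical, and it assumes the certificate presented is the one configured in the answering virtual host.

```python
import re

# Constructed sample: the *:443 virtual hosts from post #9, default host first.
CERT = "/usr/local/openssl/data/certs/secure.mailnetwork.co.uk.crt"
SAMPLE_CONF = f"""
<VirtualHost *:443>
    SSLCertificateFile {CERT}
    DocumentRoot /usr/home/wwwserver/htdocs/_default
</VirtualHost>
<VirtualHost *:443>
    SSLCertificateFile {CERT}
    ServerName secure.mailnetwork.co.uk
</VirtualHost>
<VirtualHost *:443>
    SSLCertificateFile {CERT}
    ServerName dspam.mailnetwork.co.uk
</VirtualHost>
"""
# Assumption: the names each certificate is issued for (read them from the
# real certificate's subjectAltName in practice).
CERT_NAMES = {CERT: ["secure.mailnetwork.co.uk"]}

def parse_vhosts(conf):
    """Return one dict per <VirtualHost> block, in file order."""
    vhosts = []
    for addr, body in re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.S | re.I):
        vh = {"addr": addr.strip(), "names": [], "cert": None}
        for parts in (line.split() for line in body.splitlines()):
            if len(parts) < 2 or parts[0].startswith("#"):
                continue
            if parts[0].lower() in ("servername", "serveralias"):
                vh["names"] += [n.lower() for n in parts[1:]]
            elif parts[0].lower() == "sslcertificatefile":
                vh["cert"] = parts[1]
        vhosts.append(vh)
    return vhosts

def cert_covers(cert_name, host):
    """Hostname match; '*' is accepted only as the entire left-most label."""
    c, h = cert_name.lower().split("."), host.lower().split(".")
    return len(c) == len(h) and c[1:] == h[1:] and c[0] in ("*", h[0])

def check_request(conf, cert_names, host, addr="*:443"):
    """Return (index of the vhost that answers host, whether its certificate covers host)."""
    vhosts = [v for v in parse_vhosts(conf) if v["addr"] == addr]
    # Name-based selection: a vhost naming the host wins, otherwise the first one on that address.
    idx = next((i for i, v in enumerate(vhosts) if host.lower() in v["names"]), 0)
    names = cert_names.get(vhosts[idx]["cert"], [])
    return idx, any(cert_covers(n, host) for n in names)
```

With the single-name certificate, dspam.mailnetwork.co.uk is routed to its own virtual host but fails the name check, which is the browser warning described in post #12; swapping in a `*.mailnetwork.co.uk` entry makes it pass while an unrelated domain still fails.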
 
  

