02-15-2011, 11:45 PM
#1
Member
Registered: Oct 2010
Distribution: Red Hat
Posts: 228
How to set up multiple SSL sites for multiple IP based and name based Virtual Hosts.
Hi,
I have set up an SSL site for my default Apache server. But I want to set up multiple SSL sites for multiple IP-based as well as name-based virtual hosts.
Is there a way wherein I can include definitions for SSL certificates and keys within the VirtualHost directive in httpd.conf, so that I can specify a separate key and cert file for every virtual host?

02-16-2011, 12:29 AM
#2
Member
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 661
The problem is that in order to know from which virtual host to serve content, a webserver must inspect the "Host" header. This is part of the HTTP request. However, the SSL handshake takes place before any HTTP request is initiated. In order to complete the handshake the webserver needs to know which SSL certificate to use. Since the webserver can't yet know which virtual host content is being requested from, it uses the certificate of the first host. It's really a limit of the protocol, not the server.
However, the latest version of the HTTPS protocol includes SNI, which permits a client to transmit to the host the name of the virtual host it wants to contact during the SSL handshake. So what you need to do is make sure you have the very latest Apache, compiled with the latest OpenSSL libraries, and use a recent web browser.
Thanks

02-16-2011, 02:05 AM
#3
Member
Registered: Oct 2010
Distribution: Red Hat
Posts: 228
Original Poster
Quote:
Originally Posted by vishesh
The problem is that in order to know from which virtual host to serve content, a webserver must inspect the "Host" header. This is part of the HTTP request. However, the SSL handshake takes place before any HTTP request is initiated. In order to complete the handshake the webserver needs to know which SSL certificate to use. Since the webserver can't yet know which virtual host content is being requested from, it uses the certificate of the first host. It's really a limit of the protocol, not the server.
However, the latest version of the HTTPS protocol includes SNI, which permits a client to transmit to the host the name of the virtual host it wants to contact during the SSL handshake. So what you need to do is make sure you have the very latest Apache, compiled with the latest OpenSSL libraries, and use a recent web browser.
Thanks
|
I guess you didn't understand my exact query. Let me explain again. Let's say I have my Apache running on the IP 192.168.120.180, and I have generated an SSL cert and key file for the server (let's say ServerName site1.myserve.mydomain), self-signed it, and it is running fine. Now I want to do the following things:
1. Let's say I create a new IP-based vhost with IP 192.168.120.185 (ServerName site2.myserve.mydomain), and I want to generate an SSL cert and key file for it and run it as an SSL site.
2. I create a new name-based vhost on the same default IP, which is 192.168.120.180, with the ServerName site2.myserve.mydomain, and I want to run it as an SSL site.
So how can I do the following?
TIA...

02-16-2011, 11:02 AM
#4
Member
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 661
Rohit, I understood your problem completely. I elaborated on the limitation of the HTTPS protocol. One thing you can do is start multiple instances of Apache. Read my last post carefully and search Google for "https SNI".
Thanks

02-16-2011, 09:23 PM
#5
Member
Registered: Oct 2010
Distribution: Red Hat
Posts: 228
Original Poster
Quote:
Originally Posted by vishesh
Rohit, I understood your problem completely. I elaborated on the limitation of the HTTPS protocol. One thing you can do is start multiple instances of Apache. Read my last post carefully and search Google for "https SNI".
Thanks
|
Hey, thanks a lot, Vishesh. Now I understand what you were trying to say. Thanks for the info.

02-17-2011, 12:15 AM
#6
Member
Registered: Oct 2010
Distribution: Red Hat
Posts: 228
Original Poster
Hey Vishesh,
I have one more issue; if you can help with that also, it will be great. I have created multiple virtual hosts on a single IP address, however I have generated an SSL certificate and key only for the 1st named vhost, i.e. the default vhost.
It works perfectly fine when I'm opening the default named vhost (site1.LinuxServ1.mydomain); the problem is that it also keeps on working for any other named vhost, even if I haven't generated a different key and cert file for it.
To my knowledge it should work and shouldn't open via "HTTPS", but it works and also serves the contents from the default server when opened via HTTPS, otherwise it shows its own index page when opened via HTTP.
In fact, however many named vhosts I create without generating key and cert files, they keep opening on a secure channel and the contents keep getting served from the default server.
So could you kindly explain this?
I am pretty new to Linux, so please ignore it if I have said something wrong, but do correct me on that.
Thanks in advance..

02-17-2011, 06:31 AM
#7
Member
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 661
Dear rohit,
When you use SSL, keep in mind that you don't access your vhost, but you access the server securely. The SSL certificate used for the server can't be used for a virtual host. One workaround could be to specify the port number for virtual hosts:
<VirtualHost x.x.x.x:80>
Instead of
<VirtualHost x.x.x.x:*>
Thanks

02-17-2011, 08:17 AM
#8
Member
Registered: Oct 2010
Distribution: Red Hat
Posts: 228
Original Poster
Quote:
Originally Posted by vishesh
Dear rohit,
When you use SSL, keep in mind that you don't access your vhost, but you access the server securely. The SSL certificate used for the server can't be used for a virtual host. One workaround could be to specify the port number for virtual hosts:
<VirtualHost x.x.x.x:80>
Instead of
<VirtualHost x.x.x.x:*>
Thanks
|
I am not using it; it is by default using the certificate of the default vhost for all the virtual hosts. It is really driving me nuts. And by the way, I am using the latest Apache 2.2.3, so the version isn't the issue. I will post the httpd.conf file along with some snapshots from the browser of what's happening. See if you can help.
Thanks

02-17-2011, 08:40 AM
#9
Member
Registered: Oct 2010
Distribution: Red Hat
Posts: 228
Original Poster
And one more thing then: as you said, does that mean we can host multiple domains securely over one IP?

02-17-2011, 11:26 PM
#10
Member
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 661
We can host multiple vhosts over one IP, but all will use the same SSL certificate.
Thanks

02-18-2011, 10:28 AM
#11
Member
Registered: Oct 2010
Distribution: Red Hat
Posts: 228
Original Poster
Quote:
Originally Posted by vishesh
We can host multiple vhosts over one IP, but all will use the same SSL certificate.
Thanks
|
That's the main issue. Isn't there any way to overcome it? That means if we are hosting multiple domains per IP, then all will use the certificate of the default vhost, and once that site is accessed securely it'll serve the contents of the default vhost, which is wrong, and hence we can never serve contents of other domains securely? Am I right?

02-28-2011, 09:28 AM
#12
Senior Member
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125
As Vishesh was trying to explain to you, SSL web pages are identified by IP address, not host name. The secure connection is established BEFORE the requested host name. Consequently, using the standard SSL protocols, there is no way to distinguish which host is being requested. There is an alternate protocol called SNI, which stands for Server Name Indication. As far as I know, this protocol is still not supported in the standard SSL or in Apache, though because of the large demand it is (or was) planned for inclusion at a future date. There are some alternate protocols, such as GNU-TLS which does support SNI. You can configure Apache to use it, but you must also patch and compile it. Here is a link on another forum where I reference the process I used to successfully accomplish this: link. The links in that thread should give you enough information to incorporate this feature, if you wish. In addition to supporting it on the server side, it has been my experience that browsers need to support it too. At the time when I worked on this, Firefox supported it just fine, but IE-7 did not.
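
An httpd.conf layout for the two cases asked about in post #3, added here as an example and not posted by anyone in the thread. It assumes an httpd build with SNI support (2.2.12 or later, linked against OpenSSL 0.9.8f or later); the certificate and DocumentRoot paths and the name site3.myserve.mydomain are hypothetical.

```apache
# Added example, not from the thread. Paths and site3 are hypothetical.
Listen 443

# Apache 2.2 syntax: declare name-based vhosts on the shared IP for port 443.
NameVirtualHost 192.168.120.180:443

# The first vhost listed for an IP:port is the default. Its certificate is
# presented whenever the client sends no SNI name or an unknown one, which
# is why HTTPS requests for vhosts without their own :443 block land here.
<VirtualHost 192.168.120.180:443>
    ServerName site1.myserve.mydomain
    DocumentRoot /var/www/site1
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/site1.crt
    SSLCertificateKeyFile /etc/pki/tls/private/site1.key
    # Optional: refuse clients that do not send SNI instead of letting
    # them fall through to this vhost with a mismatched certificate.
    SSLStrictSNIVHostCheck on
</VirtualHost>

# Case 2: name-based vhost on the same IP, chosen from the SNI name
# sent in the TLS handshake; it carries its own certificate and key.
<VirtualHost 192.168.120.180:443>
    ServerName site2.myserve.mydomain
    DocumentRoot /var/www/site2
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/site2.crt
    SSLCertificateKeyFile /etc/pki/tls/private/site2.key
</VirtualHost>

# Case 1: IP-based vhost. The destination address alone selects the
# certificate, so this works even on builds and clients without SNI.
<VirtualHost 192.168.120.185:443>
    ServerName site3.myserve.mydomain
    DocumentRoot /var/www/site3
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/site3.crt
    SSLCertificateKeyFile /etc/pki/tls/private/site3.key
</VirtualHost>
```

Each certificate's subject name has to match the ServerName of its block, and plain-HTTP vhosts should be bound to port 80 explicitly so they are not matched for port 443 traffic.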

All times are GMT -5.