LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 02-15-2011, 11:45 PM   #1
Rohit_4739
Member
 
Registered: Oct 2010
Distribution: Red Hat
Posts: 228

Rep: Reputation: 9
How to set up multiple SSL sites for multiple IP based and name based Virtual Hosts.


Hi,

I have set up a SSL site for my default Apache server. But i want to set up multiple SSL sites for multiple IP based as well as Name based Virtual hosts.

Is there a way where in I can include definitions for SSL certificates and keys within the Virtual Host directive in the httpd.conf, so that i can specify separate key and cert file for every Virtual Host.
 
Old 02-16-2011, 12:29 AM   #2
vishesh
Member
 
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 661

Rep: Reputation: 66
The problem is that in order to know from which virtual host to serve content a
webserver must inspect the "host" header. This is part of the http
request. However the SSL handshake takes place before any http request
is initiated. In order to complete the handshake the webserver needs
to know which SSL certificate to use. Since the websever can't yet
know which virtual host content is being requested from it uses the
certificate of the first host. It's really a limit of the protocol, not the server.

However the latest version of the HTTPS protocol includes SNI, which
permits a client to transmit to the host the name of the virtualhost
it wants to contact during the SSL handshake. So what you need to do
is make sure you have the very latest apache, compiled with the latest
openssl libraries, and use a recent webbrowser.

Thanks
 
Old 02-16-2011, 02:05 AM   #3
Rohit_4739
Member
 
Registered: Oct 2010
Distribution: Red Hat
Posts: 228

Original Poster
Rep: Reputation: 9
Quote:
Originally Posted by vishesh View Post
The problem is that in order to know from which virtual host to serve content a
webserver must inspect the "host" header. This is part of the http
request. However the SSL handshake takes place before any http request
is initiated. In order to complete the handshake the webserver needs
to know which SSL certificate to use. Since the websever can't yet
know which virtual host content is being requested from it uses the
certificate of the first host. It's really a limit of the protocol, not the server.

However the latest version of the HTTPS protocol includes SNI, which
permits a client to transmit to the host the name of the virtualhost
it wants to contact during the SSL handshake. So what you need to do
is make sure you have the very latest apache, compiled with the latest
openssl libraries, and use a recent webbrowser.

Thanks


I guess you didn't understood my exact query. Let me explain you again. Lets say i have my apache running on this IP 192.168.120.180 and i have generated a SSL cert and key file for the Server(lets say Server Name site1.myserve.mydomain) and self signed and it is running fine. Now i want to do the following things :

1. Now lets say i create a new IP based Vhost with IP 192.168.120.185 (Server Name site2.myserve.mydomain) and i want to generate SSL cert and key file for it and run it as a SSL site.

2. I create a new name based Vhost on the same default IP which is 192.168.120.180 with the Server Name site2.myserve.mydomain and I want to run it as a SSL site.

So how can i do the following.

TIA...
 
Old 02-16-2011, 11:02 AM   #4
vishesh
Member
 
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 661

Rep: Reputation: 66
Rohit i understood your problem completely. I elaborated limitation of https protocol. One thing you can do is start multiple instances of apache. Read my last post carefully and search google for "https SNI"

Thanks
 
Old 02-16-2011, 09:23 PM   #5
Rohit_4739
Member
 
Registered: Oct 2010
Distribution: Red Hat
Posts: 228

Original Poster
Rep: Reputation: 9
Quote:
Originally Posted by vishesh View Post
Rohit i understood your problem completely. I elaborated limitation of https protocol. One thing you can do is start multiple instances of apache. Read my last post carefully and search google for "https SNI"

Thanks
Hey Thanks a lot Vishesh. Now i understand what you were trying to say. Thanks for the info.
 
Old 02-17-2011, 12:15 AM   #6
Rohit_4739
Member
 
Registered: Oct 2010
Distribution: Red Hat
Posts: 228

Original Poster
Rep: Reputation: 9
Hey Vishesh,

I have one more issue, probably if you can help on that also it will be great. I have created multiple virtual hosts on a single IP address and however i have generated SSL certificate and key only for 1st named Vhost i.e. default Vhost.

It works perfectly fine when i'm opening the default named Vhost(site1.LinuxServ1.mydomain), the problem is it also keep on working for any other named Vhost also even if i haven't generated different key and cert file for it.

As to my knowledge it should work and shouldn't open via "Https", but it works and also serves the contents from the defualt server when opened via Https other shows its own index page when opened via Http.

Infact as many named Vhost i create without generating key and certs files keeps opening on a secure channel and contents keep getting served from default server.

So could you kindly explain on this.

I am pretty new to Linux so please ignore if have said something wrong but do correct me at that.

Thanks in advance..
 
Old 02-17-2011, 06:31 AM   #7
vishesh
Member
 
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 661

Rep: Reputation: 66
Dear rohit,
When you use SSL , keep in mind that you doesn't access your vhost , but you access server securely. SSL certificate used for server can't for virtual host. One workaround could be specify port number for virtual hosts
<VirtualHost x.x.x.x:80>
Instead of
<VirtualHost x.x.x.x:*>

Thanks
 
Old 02-17-2011, 08:17 AM   #8
Rohit_4739
Member
 
Registered: Oct 2010
Distribution: Red Hat
Posts: 228

Original Poster
Rep: Reputation: 9
Quote:
Originally Posted by vishesh View Post
Dear rohit,
When you use SSL , keep in mind that you doesn't access your vhost , but you access server securely. SSL certificate used for server can't for virtual host. One workaround could be specify port number for virtual hosts
<VirtualHost x.x.x.x:80>
Instead of
<VirtualHost x.x.x.x:*>

Thanks
I am not using it, it is by default using the certificate of default vhost for all the virtual vhosts. It is really driving me nuts. And by the way i am using the latest Apache 2.2.3 so version isn't the issue. I will post the httpd.conf file along with some snap shots from browser about whats happening. See if you can help.

Thanks
 
Old 02-17-2011, 08:40 AM   #9
Rohit_4739
Member
 
Registered: Oct 2010
Distribution: Red Hat
Posts: 228

Original Poster
Rep: Reputation: 9
And one more thing then as you said, does that mean we can host multiple domains securely over one IP ??
 
Old 02-17-2011, 11:26 PM   #10
vishesh
Member
 
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 661

Rep: Reputation: 66
We can host multiple vhost over one ip , but all will use same SSL Certificate .
Thanks
 
Old 02-18-2011, 10:28 AM   #11
Rohit_4739
Member
 
Registered: Oct 2010
Distribution: Red Hat
Posts: 228

Original Poster
Rep: Reputation: 9
Quote:
Originally Posted by vishesh View Post
We can host multiple vhost over one ip , but all will use same SSL Certificate .
Thanks
Thats the main issue.. Isnt there any way to overcome it ? That means if v are hosting multiple domains per IP then all will use the certificate of the default vhost n once that site will be accessed securely it ll serve contents of default vhost which is wrong n hence we can never serve contents of other domains securely ?? AM i right ?
 
Old 02-28-2011, 09:28 AM   #12
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781Reputation: 781Reputation: 781Reputation: 781Reputation: 781Reputation: 781Reputation: 781
As Vishesh was trying to explain to you, SSL web pages are identified by IP address, not host name. The secure connection is established BEFORE the requested host name. Consequently, using the standard SSL protocols, there is no way to distinguish which host is being requested. There is an alternate protocol called SNI, which stands for Server Name Indication. As far as I know, this protocol is still not supported in the standard SSL or in Apache, though because of the large demand it is (or was) planned for inclusion at a future date. There are some alternate protocols, such as GNU-TLS which does support SNI. You can configure Apache to use it, but you must also patch and compile it. Here is a link on another forum where I reference the process I used to successfully accomplish this: link. The links in that thread should give you enough information to incorporate this feature, if you wish. In addition to supporting it on the server side, it has been my experience that browsers need to support it too. At the time when I worked on this, Firefox supported it just fine, but IE-7 did not.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
NameVirtualHost *:80 has no virtual hosts apache2 hosting multiple sites without DNS tkmsr Linux - Server 9 06-21-2010 11:27 AM
Multiple SSL Virtual Hosts with Apache/mod_ssl/SNI ddenton Linux - Server 3 12-03-2008 03:20 AM
Problem setting up multiple name based virtual hosts on SiSE 10 baldur2630 Linux - Server 0 10-26-2008 07:07 AM
redirecting to multiple hosts based on url wolfipa Linux - Server 4 08-11-2008 10:24 AM
LXer: SSL-enabled Name-based Apache Virtual Hosts with mod_gnutls LXer Syndicated Linux News 0 08-10-2007 06:46 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 06:00 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration