LinuxQuestions.org


vesperto 09-17-2009 11:10 AM

Juggling HTTP and HTTPS content for multiple virtual hosts.
 
(i couldn't find similar posts 'cos my browser kept on wanting to download the php file, hmm...)

I have multiple virtual hosts with their domains all under the same IP. Recently i decided to venture into SSL.

All the 4 vhosts are served through HTTP. For two of them, i want HTTPS. This poses an immediate chicken-n-egg problem as one can't have two SSL vhosts under the same ip/port. I won't bring SNI into the subject since that doesn't seem to be mature yet.

I guess i'll hav'em under different ports then, which poses another problem, easier to solve i think, although not elegant. I'd have to direct requests to https://domain.com:unusualPort

Could i have the firewall - i'm using shorewall, so by fw i mean the kernel's pf - to the de/cryption? In that case from the fw to the server the requests could be already in plain text. Just a wild thought.

I've found some links on how to be your own CA and that's what i'll use since these sites aren't (very) commercial. I won't mind about the popup as most users just ignore it anyway.

One issue i stumble upon is content organization. Should i have one single site with regular http content and some other content that's only available through https? It's fairly ok if i'm only filtering with scripting+db, but throwing https into the mix kinda makes things messy if i keep using the same pages for different access levels.

Or should i have the public site - login - the private site? Seems more clean.

What about the files themselves, on the server, should i keep the http site under /whatever/site/ and the https content under /whatever/site/ssl/ ? Or /whatever/site_ssl/ ?

How about the transition? There'll be a login form, of course (and its handling something i should look into better), but should it be served as http and have its action point to https or be served as https directly? Maybe the latter.

I'm mostly sure of the answers, as well as the work it'll imply after work already done. I'd like to hear some opinions though, especially from those who have experience.

I'm using X/HTML, CSS and PHP (5.2.10), maybe some XSLT (much) later. I'm running debian unstable with nginx 8.10 +FastCGI and MySQL 5.1.37. All in UTF-8. I'm not using a CMS but rather doing it almost from scratch (the login system i got elsewhere), since this is academic/hobby work and i want to learn.

Any rtfm links are more than welcome.

TIA,
Nuno

jhwilliams 09-18-2009 07:50 PM

Quote:

Originally Posted by vesperto (Post 3687162)
This poses an immediate chicken-n-egg problem as one can't have two SSL vhosts under the same ip/port.

But Sir, O, how you can!

Apache would kind of blow, if you couldn't. Here's what I do:

Code:

NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
  ServerName MyReallyFunHost.FunTLD
  # other stuff...
</VirtualHost>

<VirtualHost *:443>
  ServerName ReallyFunSecureHost.FunTLD
  # ... other important stuffz?
</VirtualHost>

<VirtualHost *:443>
  ServerName TotallyDifferentButAlsoReallyFunSecureHost.FunTLD
  # .. other important stuff ... ?
</VirtualHost>


vesperto 09-20-2009 08:02 AM

But... AFAIK SSL encrypts the http header, including the Host:, so you can't know which vhost it belongs to until you decrypt - and you need the vhost's key for that.. 'sides, i'm not using apache, but thanks.

jhwilliams 09-20-2009 06:52 PM

Quote:

Originally Posted by vesperto (Post 3690529)
But... AFAIK SSL encrypts the http header, including the Host:, so you can't know which vhost it belongs to until you decrypt - and you need the vhost's key for that..

Hm, that does sound like a reasonable explanation of why it shouldn't work. However, lo-and-behold, I run multiple secure vhosts on my box and it Just Works (tm)

Quote:

Originally Posted by vesperto (Post 3690529)
'sides, i'm not using apache, but thanks.

That's too damn bad.

What are you using though?

AlucardZero 09-20-2009 07:29 PM

Quote:

However, lo-and-behold, I run multiple secure vhosts on my box and it Just Works (tm)
How many SSL certs do you have? Do you have a wildcard?

jhwilliams 09-20-2009 08:45 PM

Quote:

Originally Posted by AlucardZero (Post 3691048)
How many SSL certs do you have? Do you have a wildcard?

It is true that they use the same certificate. And yes, I use the wildcard setup described above.

vesperto 09-21-2009 04:41 AM

Well if it's the same certificate it makes sense :)
I'm using nginx.

How do you separate public content (http) from private (https)? I.e. what's your login form like? Straight https, or the action="" is https?

jhwilliams 09-21-2009 06:49 AM

Quote:

Originally Posted by vesperto (Post 3691402)
Well if it's the same certificate it makes sense :)
I'm using nginx.

How do you separate public content (http) from private (https)? I.e. what's your login form like? Straight https, or the action="" is https?

I hadn't heard of nginx before -- do you prefer it? What do you like about it?

As for the http/https separation: for certain <Location>'s of my site, I have a redirect like this:

Code:

    RewriteCond %{HTTPS} !=on
    RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [QSA,L,R=permanent]

However, since my vhosts are necessarily bound to either :80 or :443, for "important" stuff (webmail) I simply don't set up a corresponding HTTP host (which would otherwise serve the same content, unencrypted).
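The same redirect, expressed as application logic instead of a mod_rewrite rule, as an added example that is not part of the thread. It reproduces the behaviour of the `RewriteCond %{HTTPS} !=on` / `RewriteRule ... [QSA,L,R=permanent]` pair above inside a WSGI middleware: a 301 to the `https://` twin of the request, query string preserved. It assumes the app is reached directly on the vhost (no reverse proxy in front), so `wsgi.url_scheme` is authoritative, and it deliberately builds the target from `SERVER_NAME` (the configured vhost name) rather than the client-supplied `Host` header, which is also what `%{SERVER_NAME}` does in the rule and what keeps a redirect from being steered to an attacker-chosen host.

```python
"""Force plain-HTTP requests onto HTTPS (added example, not the thread's own code).

Equivalent to the mod_rewrite pair quoted in the thread:
    RewriteCond %{HTTPS} !=on
    RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [QSA,L,R=permanent]
Assumption: the WSGI app is served directly on the vhost, so
environ['wsgi.url_scheme'] reflects the real transport.
"""
from urllib.parse import quote


def https_redirect_target(environ):
    """Return the https:// URL to send the client to, or None if already on HTTPS."""
    if environ.get("wsgi.url_scheme") == "https":
        return None
    # %{SERVER_NAME}: the name configured for this vhost, *not* the Host header,
    # so a forged Host cannot turn this into an open redirect.
    host = environ["SERVER_NAME"]
    # %{REQUEST_URI} minus the query string: script prefix plus path info.
    path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "/"))
    url = "https://%s%s" % (host, path)
    query = environ.get("QUERY_STRING", "")
    if query:
        url += "?" + query  # [QSA]: append the original query string
    return url


def force_https(app):
    """WSGI middleware: answer every plain-HTTP request with a permanent redirect."""
    def wrapper(environ, start_response):
        target = https_redirect_target(environ)
        if target is None:
            return app(environ, start_response)  # already HTTPS: pass through
        start_response("301 Moved Permanently",
                       [("Location", target), ("Content-Length", "0")])
        return [b""]
    return wrapper


if __name__ == "__main__":
    # Constructed sample request environment, as a plain-HTTP login page hit.
    sample_env = {
        "wsgi.url_scheme": "http",
        "SERVER_NAME": "mail.example.test",
        "SCRIPT_NAME": "",
        "PATH_INFO": "/login",
        "QUERY_STRING": "next=%2Finbox",
    }
    print(https_redirect_target(sample_env))
```

For the "important" hosts jhwilliams describes, the stronger choice is still the one he names: no HTTP vhost at all, so nothing unencrypted is ever served and there is nothing to redirect.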

vesperto 09-22-2009 04:28 AM

Quote:

Originally Posted by jhwilliams (Post 3691514)
I hadn't heard of nginx before -- do you prefer it? What do you like about it?

I haven't used apache extensively so i can't compare them both; however, i am a bit 'allergic' to apache's ubiquity. Not that it's the most widely used (i think that's great for the OS world), but that everyone in linux assumes you're using it. I also don't like huge applications and apache is pretty big. Silly rant, i know.

From what i've searched around, nginx is much faster and lighter than apache (although with the correct versions and modules apache can become almost as fast as nginx), and doesn't have the memory-leak problems lighty has/had. Like i said, this is all hearsay, i haven't personally benchmarked them both, but 99% of the reviews out there praise nginx when compared to apache, as well as with others.

A common approach for big sites is to have nginx as a front end load-balancer and an apache farm in the back end.

For me i like the syntax of the .conf files, the extra modules it has and the very active community.

For you... dunno, try it out :)

vesperto 10-12-2009 09:45 AM

Btw,

From what i've seen so far, you either use different ports for the same IP, or use SNI. The downside is that server and browser compatibility with SNI isn't all that great yet.
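The mechanism behind the SNI option, and behind the earlier back-and-forth about whether the server can know the vhost before it has the key: with SNI the client puts the hostname into the TLS ClientHello in the clear, before any key is involved, so a server can choose the certificate for that name on one IP:port. The parser below is an added example, not code from the thread or from nginx or Apache; it builds a constructed ClientHello (with a hypothetical vhost-to-certificate table) and pulls the `server_name` extension back out, with bounds checks so a truncated or malformed hello is rejected rather than misread. The same code makes the flip side visible: that hostname is readable by anyone on the path, so SNI solves certificate selection, not hostname confidentiality.

```python
"""Extract the SNI host_name from a raw TLS ClientHello (added example).

Not from the thread.  Shows why several TLS vhosts can share one IP:port:
the client names the host in the ClientHello before any key is used, so the
server can pick the certificate for that name.  The name is therefore also
visible to anyone watching the wire.
"""
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16     # record content type: handshake
CLIENT_HELLO = 0x01      # handshake message type
EXT_SERVER_NAME = 0x0000 # RFC 6066 server_name extension
SNI_HOST_NAME = 0x00     # the only defined NameType


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Constructed sample ClientHello (TLS 1.2 framing) for offline testing."""
    body = b"\x03\x03" + bytes(32)                     # client_version + 32-byte random (zeros: sample only)
    body += b"\x00"                                    # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
    body += b"\x01\x00"                                # one compression method: null
    # An unrelated extension first (renegotiation_info) so the parser has to skip correctly.
    exts = struct.pack("!HH", 0xFF01, 1) + b"\x00"
    if hostname is not None:
        name = hostname.encode("idna")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _u(buf: bytes, pos: int, width: int) -> int:
    """Read a big-endian unsigned int of `width` bytes, refusing to run past the buffer."""
    if pos + width > len(buf):
        raise ValueError("truncated ClientHello")
    return int.from_bytes(buf[pos:pos + width], "big")


def _skip_vector(buf: bytes, pos: int, width: int) -> int:
    """Skip a length-prefixed vector and return the position after it."""
    pos += width + _u(buf, pos, width)
    if pos > len(buf):
        raise ValueError("truncated ClientHello")
    return pos


def _parse_server_name(data: bytes) -> Optional[str]:
    """Walk the ServerNameList and return the first host_name entry."""
    end = 2 + _u(data, 0, 2)
    if end > len(data):
        raise ValueError("bad server_name extension")
    pos = 2
    while pos < end:
        name_type, name_len = _u(data, pos, 1), _u(data, pos + 1, 2)
        name = data[pos + 3:pos + 3 + name_len]
        if len(name) != name_len:
            raise ValueError("bad server_name entry")
        pos += 3 + name_len
        if name_type == SNI_HOST_NAME:
            return name.decode("ascii")  # RFC 6066: host_name is ASCII (IDNA-encoded)
    return None


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI hostname from a ClientHello record, None if absent, ValueError if malformed."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack_from("!H", record, 3)[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a complete ClientHello")
    body = hs[4:]
    if len(body) != int.from_bytes(hs[1:4], "big"):
        raise ValueError("handshake length mismatch")
    pos = 34                                  # client_version (2) + random (32)
    pos = _skip_vector(body, pos, 1)          # session_id
    pos = _skip_vector(body, pos, 2)          # cipher_suites
    pos = _skip_vector(body, pos, 1)          # compression_methods
    if pos == len(body):
        return None                           # no extensions block at all
    end = pos + 2 + _u(body, pos, 2)
    pos += 2
    if end > len(body):
        raise ValueError("bad extensions length")
    while pos < end:
        ext_type, ext_size = _u(body, pos, 2), _u(body, pos + 2, 2)
        data = body[pos + 4:pos + 4 + ext_size]
        if len(data) != ext_size:
            raise ValueError("truncated extension")
        pos += 4 + ext_size
        if ext_type == EXT_SERVER_NAME:
            return _parse_server_name(data)
    return None


def pick_vhost(record: bytes, vhosts: dict, default: str) -> str:
    """What an SNI-aware server does: choose the cert/vhost by name, fall back to a default."""
    name = extract_sni(record)
    return vhosts.get(name, default) if name else default


if __name__ == "__main__":
    # Hypothetical vhost table for two secure sites on one IP:port.
    table = {"foo.example.test": "cert-foo", "bar.example.test": "cert-bar"}
    print(pick_vhost(build_client_hello("bar.example.test"), table, "cert-default"))
```

The fallback in `pick_vhost` is the practical caveat of this thread: a client that sends no SNI (the older browsers vesperto is worried about) gets the default certificate, so whichever vhost is the default decides what those clients see.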

anomie 10-12-2009 10:34 AM

@vesperto: Not sure if you're still reading this thread (almost a month later), but here are some ideas anyway...

Quote:

Originally Posted by vesperto
I have multiple virtual hosts with their domains all under the same IP. Recently i decided to venture into SSL.

All the 4 vhosts are served through HTTP. For two of them, i want HTTPS. This poses an immediate chicken-n-egg problem as one can't have two SSL vhosts under the same ip/port. I won't bring SNI into the subject since that doesn't seem to be mature yet.

Since we're brainstorming, one option that comes to mind is adding two more http namevirtualhosts that redirect to your https content. i.e.: Requests to http/foo.your.host would be redirected to https/your.host/foo, and requests to http/bar.your.host would be redirected to https/your.host/bar.

I haven't tested this out. Just a thought.

