LinuxQuestions.org
Old 08-21-2013, 03:02 AM   #1
kikinovak
Senior Member
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: Slackware, Slackware64
Posts: 1,489

Apache + HTTPS problem


Hi,

I have a public server running Slackware64 14.0 with the following services:
  • Bind
  • Apache/PHP/MySQL
  • Postfix/Dovecot/Postgrey
  • VSFTPD
  • Icecast/MPD

The LAMP server is hosting multi-domain websites using Apache's Virtual Hosts functionality. Here's a part of /etc/httpd/extra/httpd-vhosts.conf, to have an idea:

Code:
# caviste-gard.fr
<VirtualHost *:80>
    ServerAdmin info@microlinux.fr
    DocumentRoot "/srv/httpd/vhosts/caviste-gard/htdocs"
    ServerName caviste-gard.fr
    ServerAlias www.caviste-gard.fr
    ErrorLog "/var/log/httpd/caviste-gard.fr-error_log"
    CustomLog "/var/log/httpd/caviste-gard.fr-access_log" common
</VirtualHost>

# fuckmicrosoft.fr --> I know, private joke :o)
<VirtualHost *:80>
    ServerAdmin info@microlinux.fr
    DocumentRoot "/srv/httpd/vhosts/fuckmicrosoft/htdocs"
    ServerName fuckmicrosoft.fr
    ServerAlias www.fuckmicrosoft.fr
    ErrorLog "/var/log/httpd/fuckmicrosoft.fr-error_log"
    CustomLog "/var/log/httpd/fuckmicrosoft.fr-access_log" common
</VirtualHost>

# osteo-montpellier.net
<VirtualHost *:80>
    ServerAdmin info@microlinux.fr
    DocumentRoot "/srv/httpd/vhosts/osteo-montpellier/htdocs"
    ServerName osteo-montpellier.net
    ServerAlias www.osteo-montpellier.net
    ErrorLog "/var/log/httpd/osteo-montpellier.net-error_log"
    CustomLog "/var/log/httpd/osteo-montpellier.net-access_log" common
</VirtualHost>

# osteo-sommieres.fr
<VirtualHost *:80>
    ServerAdmin info@microlinux.fr
    DocumentRoot "/srv/httpd/vhosts/osteo-sommieres/htdocs"
    ServerName osteo-sommieres.fr
    ServerAlias www.osteo-sommieres.fr
    ErrorLog "/var/log/httpd/osteo-sommieres.fr-error_log"
    CustomLog "/var/log/httpd/osteo-sommieres.fr-access_log" common
</VirtualHost>

# radionovak.com
<VirtualHost *:80>
    ServerAdmin info@microlinux.fr
    DocumentRoot "/srv/httpd/vhosts/radionovak/htdocs"
    ServerName radionovak.com
    ServerAlias www.radionovak.com
    ErrorLog "/var/log/httpd/radionovak.com-error_log"
    CustomLog "/var/log/httpd/radionovak.com-access_log" common
</VirtualHost>

# scholae.fr
<VirtualHost *:80>
    ServerAdmin info@microlinux.fr
    DocumentRoot "/srv/httpd/vhosts/scholae/htdocs"
    ServerName scholae.fr
    ServerAlias www.scholae.fr
    ErrorLog "/var/log/httpd/scholae.fr-error_log"
    CustomLog "/var/log/httpd/scholae.fr-access_log" common
</VirtualHost>

# sd-25854.dedibox.fr
<VirtualHost *:80>
    ServerAdmin info@microlinux.fr
    DocumentRoot "/srv/httpd/vhosts/default/htdocs"
    ServerName sd-25854.dedibox.fr
    ServerAlias sd-25854
    ErrorLog "/var/log/httpd/sd-25854.dedibox.fr-error_log"
    CustomLog "/var/log/httpd/sd-25854.dedibox.fr-access_log" common
</VirtualHost>
The server is also running Postfix and Dovecot, and the latter uses a self-signed certificate:

Code:
# openssl x509 -text -in /etc/ssl/certs/dovecot.pem 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: XXXXXXXXXXXX (XXXXXXXXXXXXXX)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=Gard, L=Montpezat, O=Microlinux, OU=Serveur IMAP, CN=sd-25854.dedibox.fr/emailAddress=info@microlinux.fr
        Validity
            Not Before: Jul  9 09:09:31 2013 GMT
            Not After : Jul  7 09:09:31 2023 GMT
Now here's the problem for which I have to find a solution. The server is hosting the local school's website at http://www.scholae.fr. Besides that, the school would like to host the school management software GEPI (http://gepi.mutualibre.org/fr/main). It's basically free software, written in PHP, to be hosted on a LAMP server.

I gave this software a spin on my local LAMP server (also running Slackware64 14.0), and it installs and runs fine. The only requirement it has is the HTTPS protocol for connecting. When you run it on a simple HTTP connection, there's a big fat red security warning on every page. So HTTPS it is.

I've never set up HTTPS before, so I spent a few hours reading a bit more about self-signing certificates, Apache and mod_ssl, and now I have a few questions I can't answer myself.

1. As far as I understand, I can't have HTTPS for multiple domains with Virtual Hosts (correct me if I'm wrong). So if I understand this correctly, I can still choose one "privileged" domain (scholae.fr in this case) and configure an HTTPS hosting for it. Right?

2. If the answer to the previous question is "yes", can I configure this HTTPS access in a Virtual Host in order to get the following result:

3. Now if all this is still possible in theory, how do I go about the self-signed certificate? Well, I know how to create one, but the question is: I already have one for Dovecot, so do I configure Apache to use this one (e.g. /etc/ssl/certs/dovecot.pem)? Or do I have to create a new one for Apache?

I'm grateful for any suggestions.

Cheers,

Niki
 
Old 08-21-2013, 03:58 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,374

If you're self signing certificates, then the cert name is likely to be irrelevant anyway, as it'll never pass the security tests on a standard user's browser on either count - failing for one reason looks identical to failing for two reasons. But you CAN have a certificate with multiple names (SANs - Subject Alternative Names). Also you could use newer SNI extensions http://en.wikipedia.org/wiki/Server_Name_Indication to allow multiple certs to operate exactly as you probably initially thought they would.

You wouldn't share the certificate with dovecot though, you'd really want to be going and buying a brand new one. If you're determined to self sign (which could make sense based on your overall solution I guess) then there are a myriad of docs out there on how to create one; "apache self signed ssl" will get you thousands of hits.
 
Old 08-21-2013, 04:54 AM   #3
kikinovak
Senior Member
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: Slackware, Slackware64
Posts: 1,489

Original Poster
Quote:
Originally posted by acid_kewpie:
You wouldn't share the certificate with dovecot though, you'd really want to be going and buying a brand new one. If you're determined to self sign (which could make sense based on your overall solution I guess) then there are a myriad of docs out there on how to create one; "apache self signed ssl" will get you thousands of hits.
You provided two answers to two questions I didn't ask. I never stated I wanted to buy a certificate. Neither did I want to learn how to create a self-signed certificate, since I already know how to do that (as I explicitly stated in my post).
 
Old 08-21-2013, 05:10 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,374

OK. I won't bother trying to help you again then.
 
Old 08-21-2013, 05:30 AM   #5
kikinovak
Senior Member
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: Slackware, Slackware64
Posts: 1,489

Original Poster
Quote:
Originally posted by acid_kewpie:
OK. I won't bother trying to help you again then.
I'm sorry if we got off on the wrong foot. It's really my fault, because I answered your second paragraph... then I was interrupted in my task, and sent the message without thanking you for the valuable information provided in the first paragraph.

My bad, sorry. And thank you.
 
Old 08-21-2013, 07:31 AM   #6
gezley
Member
 
Registered: Sep 2009
Location: Ireland
Distribution: Slackware64, NetBSD
Posts: 490

Quote:
Originally posted by kikinovak:
As far as I understand, I can't have HTTPS for multiple domains with Virtual Hosts (correct me if I'm wrong). So if I understand this correctly, I can still choose one "privileged" domain (scholae.fr in this case) and configure an HTTPS hosting for it. Right?
Have you considered the Hiawatha web server instead? It is fast, secure, and easy to configure. It also allows you to serve multiple SSL websites using one IP address (SNI). I don't think Apache allows you to do this.

http://www.hiawatha-webserver.org/howto/bindings

Edit - correction: I missed Acid Kewpie's post earlier where he suggests SNI is possible with Apache.

Last edited by gezley; 08-21-2013 at 11:34 AM.
 
Old 08-21-2013, 09:06 AM   #7
kikinovak
Senior Member
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: Slackware, Slackware64
Posts: 1,489

Original Poster
Quote:
Originally posted by gezley:
Have you considered the Hiawatha web server instead? It is fast, secure, and easy to configure. It also allows you to serve multiple SSL websites using one IP address. I don't think Apache allows you to do this.

http://www.hiawatha-webserver.org/howto/bindings
This looks interesting. Although I cringe at the thought of switching to another server software on a production machine just because of one configuration detail.
 
Old 08-21-2013, 11:13 AM   #8
Slax-Dude
Member
 
Registered: Mar 2006
Location: Valadares, Portugal
Distribution: Slackware
Posts: 232

As acid_kewpie suggested, this should work.

Last edited by Slax-Dude; 08-21-2013 at 11:15 AM.
 
Old 08-21-2013, 11:19 AM   #9
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux
Posts: 2,766
Blog Entries: 1

Quote:
Originally posted by kikinovak:
I'm sorry if we got off on the wrong foot. It's really my fault, because I answered your second paragraph... then I was interrupted in my task, and sent the message without thanking you for the valuable information provided in the first paragraph.

My bad, sorry. And thank you.
This is why you shouldn't take time out of your day to berate people. If you perceive that they are not helping you, then ignore them. If they ARE helping you, then a 'thank you' is in order.
 
Old 08-22-2013, 04:26 AM   #10
kikinovak
Senior Member
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: Slackware, Slackware64
Posts: 1,489

Original Poster
Thanks for all your suggestions. This is beginning to work quite well. One detail remains unclear though.

When creating the certificate, I'm not exactly sure about the "Common Name" field:

Code:
# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Gard
Locality Name (eg, city) []:Montpezat
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Microlinux
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:see below
Email Address []:info@microlinux.fr
The HTTPS site's address will be https://gestion.scholae.fr. The school's main site (with information pages) is http://www.scholae.fr.

Now some documentation states (as the dialog above) to merely fill in the server's FQDN in the "Common Name" field, which would be "sd-25854.dedibox.fr". Other docs (like two different print books about Linux I have here) state that the "Common Name" field should contain the secure site's exact URL, which would be "gestion.scholae.fr".

Which one is the "right" one?
 
Old 08-22-2013, 05:17 AM   #11
ponce
Senior Member
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 2,380

the secure site exact URL.
 
Old 08-22-2013, 05:30 AM   #12
kikinovak
Senior Member
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: Slackware, Slackware64
Posts: 1,489

Original Poster
Quote:
Originally posted by ponce:
the secure site exact URL.
Thanks !
 
Old 08-22-2013, 09:23 AM   #13
yenn
Member
 
Registered: Jan 2011
Location: Czech Republic
Distribution: Slackware, Gentoo
Posts: 152

Quote:
Originally posted by kikinovak:
The HTTPS site's address will be https://gestion.scholae.fr. The school's main site (with information pages) is http://www.scholae.fr.

Now some documentation states (as the dialog above) to merely fill in the server's FQDN in the "Common Name" field, which would be "sd-25854.dedibox.fr". Other docs (like two different print books about Linux I have here) state that the "Common Name" field should contain the secure site's exact URL, which would be "gestion.scholae.fr".

Which one is the "right" one?
In that particular case you could create a Common Name with the wildcard "*.scholae.fr". Since it's already self-signed, it won't make the certificate less secure from the browser's point of view. On one domain I take care of, I use one certificate for every subdomain we have there. Maybe even for postfix, although I'm not sure right now.

Note that this works with Lighttpd, I don't know how Apache handles virtual hosts and certificates, but it should work the same way.

Last edited by yenn; 08-22-2013 at 09:35 AM. Reason: typo
 
Old 08-22-2013, 09:36 AM   #14
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 5,184

Quote:
Originally posted by Slax-Dude:
As acid_kewpie suggested, this should work.
Indeed this will work. It is how I have configured my own secure apache server at home - I have only one IP address but multiple secure sites.

When I start my apache server, the first thing it tells me is this:
Code:
[Thu Aug 22 16:32:28 2013] [warn] RSA server certificate wildcard CommonName (CN) `*.alienbase.nl' does NOT match server name!?
[Thu Aug 22 16:32:28 2013] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu Aug 22 16:32:28 2013] [notice] Digest: generating secret for digest authentication ...
[Thu Aug 22 16:32:28 2013] [notice] Digest: done
[Thu Aug 22 16:32:29 2013] [warn] RSA server certificate wildcard CommonName (CN) `*.alienbase.nl' does NOT match server name!?
[Thu Aug 22 16:32:29 2013] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
In http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI you'll see that these messages are an indication that name-based vhosts with SSL using SNI are going to work for you.

Erio
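The setup that question 1 and the SNI answers above describe, as an added example (not configuration from the thread or from any poster): two name-based HTTPS vhosts on the single IP, selected by SNI, with the certificate name matched to ServerName as the Common Name discussion requires. Certificate paths under /etc/httpd/ssl/ and the gestion-scholae document root are assumptions.

```apache
# Added example, not configuration from the thread. Assumed: certificates
# issued for Apache (CN/SAN = the vhost's ServerName) live under
# /etc/httpd/ssl/, and GEPI is installed in /srv/httpd/vhosts/gestion-scholae.
Listen 443
# Apache 2.2 needs this for name-based vhosts; 2.4 ignores it with a warning.
NameVirtualHost *:443

SSLProtocol all -SSLv2 -SSLv3
# Reject clients that send no SNI name rather than silently handing them
# the first *:443 vhost below (which is otherwise the default).
SSLStrictSNIVHostCheck on

# gestion.scholae.fr: the GEPI instance, served over HTTPS only
<VirtualHost *:443>
    ServerAdmin info@microlinux.fr
    ServerName gestion.scholae.fr
    DocumentRoot "/srv/httpd/vhosts/gestion-scholae/htdocs"
    SSLEngine on
    # The certificate's CN (or a subjectAltName DNS entry) must equal
    # ServerName. A CN of sd-25854.dedibox.fr here would produce the
    # "does NOT match server name" warning quoted above and a browser
    # name-mismatch error; *.scholae.fr would match this host but not
    # the bare scholae.fr.
    SSLCertificateFile    "/etc/httpd/ssl/gestion.scholae.fr.crt"
    SSLCertificateKeyFile "/etc/httpd/ssl/gestion.scholae.fr.key"
    ErrorLog  "/var/log/httpd/gestion.scholae.fr-error_log"
    CustomLog "/var/log/httpd/gestion.scholae.fr-access_log" common
</VirtualHost>

# Plain-HTTP requests for the GEPI host are redirected to HTTPS, so the
# application never sees a cleartext session.
<VirtualHost *:80>
    ServerName gestion.scholae.fr
    Redirect permanent / https://gestion.scholae.fr/
</VirtualHost>

# A second HTTPS site on the same IP and port, with its own certificate:
# SNI lets mod_ssl pick this block from the name the client sends.
<VirtualHost *:443>
    ServerAdmin info@microlinux.fr
    ServerName www.radionovak.com
    DocumentRoot "/srv/httpd/vhosts/radionovak/htdocs"
    SSLEngine on
    SSLCertificateFile    "/etc/httpd/ssl/www.radionovak.com.crt"
    SSLCertificateKeyFile "/etc/httpd/ssl/www.radionovak.com.key"
    ErrorLog  "/var/log/httpd/radionovak.com-ssl-error_log"
    CustomLog "/var/log/httpd/radionovak.com-ssl-access_log" common
</VirtualHost>

# Check from a client which certificate each name receives:
#   openssl s_client -connect sd-25854.dedibox.fr:443 -servername gestion.scholae.fr </dev/null 2>/dev/null | openssl x509 -noout -subject
#   openssl s_client -connect sd-25854.dedibox.fr:443 -servername www.radionovak.com </dev/null 2>/dev/null | openssl x509 -noout -subject
```

The first *:443 block is what non-SNI clients would get, which is why SSLStrictSNIVHostCheck is turned on instead of relying on that fallback.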
 
Old 08-22-2013, 10:34 AM   #15
kikinovak
Senior Member
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: Slackware, Slackware64
Posts: 1,489

Original Poster
Thanks again everybody. After much more experimenting, I now have multiple HTTPS sites running on a single machine. Phew. I'll mark this thread as solved.
All times are GMT -5. The time now is 06:00 AM.