[vox-tech] Setting up VirtualHosts

Ricardo Anguiano vox-tech@lists.lugod.org
Thu, 15 May 2003 01:40:36 -0700


"Jay Strauss" <me@heyjay.com> writes:

> what I'm trying to do is impossible,
>
> http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts
>
> I'm using apache1 but I'm sure it applies

Hello Jay,

Comments below.

>> I'm googling all over, trying everything, and can't get this to
>> work.  My server works both ssl/clear text (from before I started
>> messing with this).
>>
>> I want my server to respond to:
>>     testwww.heyjay.com
>>     www.heyjay.com
>>     testssl.heyjay.com
>>     ssl.heyjay.com

Each of the ssl servers is going to need its own IP address.
apache+mod_ssl just doesn't work any other way (well ok, different
ports work too).  This is in the faq for apache+mod_ssl.

     "Why is it not possible to use Name-Based Virtual Hosting to
     identify different SSL virtual hosts?"

     http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts2

>>
>> NameVirtualHost *
^^^^^^^^^^^^^^^^^^^^ You need more of these. Let's start with ip
addresses.  I will use 10.0.0/8 addresses in this example.  You will
need something like this:

     DNS settings:
     testwww.heyjay.com   10.0.0.1
     www.heyjay.com       10.0.0.1
     testssl.heyjay.com   10.0.0.1
     ssl.heyjay.com       10.0.0.2

You can put the non-ssl servers all on the same ip, even one that
serves ssl traffic too.  One ssl server per ip address though, or at
least put each of them on a distinct weird non-standard port.  This
example puts each ssl server on a distinct ip address.

Get apache to listen on the right ip addresses and ports.

     listen 10.0.0.1:80
     listen 10.0.0.1:443
     listen 10.0.0.2:443

Set up the NameVirtualHost directives.  These should match your listen
statements.  Once you put ip/port combinations in NameVirtualHost
directives, you can't use wildcard NameVirtualHost directives (like
you have above), or wildcard VirtualHost directives.

     NameVirtualHost 10.0.0.1:80
     NameVirtualHost 10.0.0.1:443
     NameVirtualHost 10.0.0.2:443

Now the VirtualHost sections:

>> <VirtualHost testwww.heyjay.com:80>

Change the line above to:
<VirtualHost 10.0.0.1:80>

>>    ServerName  testwww.heyjay.com
>>    SSLEngine off
>>    DocumentRoot /var/www/heyjay/testwww
>> </VirtualHost>
>>
>> <VirtualHost www.heyjay.com:80>

Change the line above to:
<VirtualHost 10.0.0.1:80>

>>    ServerName  www.heyjay.com
>>    SSLEngine off
>>    DocumentRoot /var/www/heyjay/www
>> </VirtualHost>
>>
>> <VirtualHost testssl:443>

Change the line above to:
<VirtualHost 10.0.0.1:443>

>>    ServerName  testssl.heyjay.com
>>    DocumentRoot /var/www/heyjay/testssl
>>    SSLEngine on
>>    SSLCertificateFile server.crt
>>    SSLCertificateKeyFile server.key
>>    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
>> </VirtualHost>
>>
>> <VirtualHost ssl.heyjay.com:443>

Change the line above to:
<VirtualHost 10.0.0.2:443>

>>    ServerName  ssl.heyjay.com
>>    DocumentRoot /var/www/heyjay/ssl
>>    SSLEngine on
>>    SSLCertificateFile server.crt
>>    SSLCertificateKeyFile server.key
>>    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
>> </VirtualHost>

Both your ssl vhost sections above refer to the same cert.  Use one
certificate for each SSL server.  This way you can give users the
option of telling their browsers to remember your cert and not bug the
user next time they load the page.

I like to strip the passphrase from my certs because I don't like to
enter a passphrase each time I restart the server, reboot or
otherwise.  <disclaimer>I am aware of the risks of doing this.  You
should decide if you are ok with those risks before stripping the
passphrase from your certs. This setup works for me, make sure it
works for you.</disclaimer>

#apache on freenode is a good irc channel for this sort of thing on a
real time basis.

Hope that helps.  Good luck.

-- 
Ricardo Anguiano
http://www.codesourcery.com
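The following is an added example and not part of Ricardo's post or of Apache itself: a small Python checker for the rule the reply spells out (without SNI, one SSL virtual host per ip:port, each with its own certificate, every VirtualHost address covered by a Listen, and no wildcard NameVirtualHost mixed with explicit ones). It parses only the handful of directives the thread uses (Listen, NameVirtualHost, VirtualHost, ServerName, SSLEngine, SSLCertificateFile); the two sample configs are constructed here from the 10.0.0/8 layout in the reply, and the certificate file names testssl.crt and ssl.crt are assumed.

```python
"""Added example, not code from the original post: a checker for the
pre-SNI rule in the reply above.  It parses a minimal subset of Apache
1.3/2.0 configuration and reports the mistakes the post warns about.
The two configs at the bottom are constructed with the post's 10.0.0/8
addresses; the certificate file names are assumed."""
import re
from dataclasses import dataclass

@dataclass
class VHost:
    addr: str              # address exactly as written in the <VirtualHost> tag
    server_name: str = ""
    ssl: bool = False
    cert: str = ""

def parse_config(text):
    """Return (Listen addresses, NameVirtualHost addresses, list of VHost)."""
    listens, nvh, vhosts, current = set(), [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>\s]+)\s*>", line, re.I)
        if m:
            current = VHost(addr=m.group(1))
            continue
        if line.lower() == "</virtualhost>":
            vhosts.append(current)
            current = None
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if current is None:
            if directive == "listen":
                listens.add(arg)
            elif directive == "namevirtualhost":
                nvh.append(arg)
        elif directive == "servername":
            current.server_name = arg
        elif directive == "sslengine":
            current.ssl = arg.lower() == "on"
        elif directive == "sslcertificatefile":
            current.cert = arg
    return listens, nvh, vhosts

def split_addr(addr):
    """'10.0.0.1:443' -> ('10.0.0.1', '443'); a bare address gets port '*'."""
    if ":" in addr:
        ip, _, port = addr.rpartition(":")
        return ip, port
    return addr, "*"

def check(text):
    """Return a list of human-readable findings; an empty list means clean."""
    listens, nvh, vhosts = parse_config(text)
    findings = []

    def listened(addr):   # Listen takes ip:port or a bare port (every address)
        _, port = split_addr(addr)
        return addr in listens or port in listens or f"*:{port}" in listens

    if any(a.startswith("*") for a in nvh) and any(not a.startswith("*") for a in nvh):
        findings.append("wildcard NameVirtualHost mixed with explicit ip:port ones")
    for a in nvh:
        if not a.startswith("*") and not listened(a):
            findings.append(f"NameVirtualHost {a} has no matching Listen")

    ssl_by_addr, names_by_cert = {}, {}
    for v in vhosts:
        ip, _ = split_addr(v.addr)
        if not (ip in ("*", "_default_") or re.fullmatch(r"\d+(\.\d+){3}", ip)):
            findings.append(f"VirtualHost for {v.server_name} uses hostname {ip}; use its IP address")
        elif not listened(v.addr):
            findings.append(f"VirtualHost {v.addr} ({v.server_name}) has no matching Listen")
        if v.ssl:
            ssl_by_addr.setdefault(v.addr, []).append(v.server_name)
            if v.cert:
                names_by_cert.setdefault(v.cert, []).append(v.server_name)
    # Without SNI the certificate is picked before any Host header is seen,
    # so every SSL vhost on one ip:port is answered with the first one's cert.
    for addr, names in ssl_by_addr.items():
        if len(names) > 1:
            findings.append(f"{len(names)} SSL vhosts share {addr} ({', '.join(names)}); "
                            f"clients would always be shown {names[0]}'s certificate")
    for cert, names in names_by_cert.items():
        if len(names) > 1:
            findings.append(f"certificate {cert} reused by {', '.join(names)}; use one per SSL server")
    return findings

def vhost(addr, name, cert=None):
    """Build one <VirtualHost> block for the constructed sample configs."""
    ssl = f"SSLEngine on\n    SSLCertificateFile {cert}" if cert else "SSLEngine off"
    return f"<VirtualHost {addr}>\n    ServerName {name}\n    {ssl}\n</VirtualHost>\n"

# Constructed: everything on one IP, both SSL hosts sharing 10.0.0.1:443 and server.crt
NAIVE_CONFIG = ("Listen 10.0.0.1:80\nListen 10.0.0.1:443\n"
                "NameVirtualHost 10.0.0.1:80\nNameVirtualHost 10.0.0.1:443\n"
                + vhost("10.0.0.1:80", "testwww.heyjay.com")
                + vhost("10.0.0.1:80", "www.heyjay.com")
                + vhost("10.0.0.1:443", "testssl.heyjay.com", "server.crt")
                + vhost("10.0.0.1:443", "ssl.heyjay.com", "server.crt"))

# Constructed: the layout from the reply, one SSL host per IP, one cert each (assumed names)
FIXED_CONFIG = ("Listen 10.0.0.1:80\nListen 10.0.0.1:443\nListen 10.0.0.2:443\n"
                "NameVirtualHost 10.0.0.1:80\nNameVirtualHost 10.0.0.1:443\n"
                "NameVirtualHost 10.0.0.2:443\n"
                + vhost("10.0.0.1:80", "testwww.heyjay.com")
                + vhost("10.0.0.1:80", "www.heyjay.com")
                + vhost("10.0.0.1:443", "testssl.heyjay.com", "testssl.crt")
                + vhost("10.0.0.2:443", "ssl.heyjay.com", "ssl.crt"))

if __name__ == "__main__":
    for label, cfg in (("naive", NAIVE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check(cfg) or ["ok"])
```

Running it reports the shared ip:port and the reused certificate for the naive layout and nothing for the layout in the reply. The checker only sees what is written in the config: two SSL hosts given as different hostnames that resolve to the same address would slip past it, which is one more reason to write VirtualHost addresses as IPs, as the reply advises.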