[vox-tech] Setting up VirtualHosts

Jay Strauss vox-tech@lists.lugod.org
Thu, 15 May 2003 15:42:29 -0500


Thanks Ricardo,

I'd basically come to the same configuration, except I'm still using
name-based vhosts as opposed to IP.
I've got 2 non-ssl and one ssl on the same box (I guess I'll make do).

Jay
----- Original Message ----- 
From: "Ricardo Anguiano" <anguiano@codesourcery.com>
To: <vox-tech@lists.lugod.org>
Sent: Thursday, May 15, 2003 3:40 AM
Subject: Re: [vox-tech] Setting up VirtualHosts


> "Jay Strauss" <me@heyjay.com> writes:
>
> > what I'm trying to do is impossible,
> >
> > http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts
> >
> > I'm using apache1 but I'm sure it applies
>
> Hello Jay,
>
> Comments below.
>
> >> I'm googling all over, trying everything, and can't get this to
> >> work.  My server works both ssl/clear text (from before I started
> >> messing with this).
> >>
> >> I want my server to respond to:
> >>     testwww.heyjay.com
> >>     www.heyjay.com
> >>     testssl.heyjay.com
> >>     ssl.heyjay.com
>
> Each of the ssl servers is going to need its own IP address.
> apache+mod_ssl just doesn't work any other way (well ok, different
> ports work too).  This is in the faq for apache+mod_ssl.
>
>      "Why is it not possible to use Name-Based Virtual Hosting to
>      identify different SSL virtual hosts?"
>
>      http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts2
>
> >>
> >> NameVirtualHost *
> ^^^^^^^^^^^^^^^^^^^^ You need more of these. Let's start with ip
> addresses.  I will use 10.0.0/8 addresses in this example.  You will
> need something like this:
>
>      DNS settings:
>      testwww.heyjay.com   10.0.0.1
>      www.heyjay.com       10.0.0.1
>      testssl.heyjay.com   10.0.0.1
>      ssl.heyjay.com       10.0.0.2
>
> You can put the non-ssl servers all on the same ip, even one that
> serves ssl traffic too.  One ssl server per ip address though, or at
> least put each of them on a distinct weird non-standard port.  This
> example puts each ssl server on a distinct ip address.
>
> Get apache to listen on the right ip addresses and ports.
>
>      listen 10.0.0.1:80
>      listen 10.0.0.1:443
>      listen 10.0.0.2:443
>
> Set up the NameVirtualHosts directives.  These should match your listen
> statements.  Once you put ip/port combinations in NameVirtualHost
> directives, you can't use wildcard NameVirtualHost directives (like
> you have above), or wildcard VirtualHost directives.
>
>      NameVirtualHost 10.0.0.1:80
>      NameVirtualHost 10.0.0.1:443
>      NameVirtualHost 10.0.0.2:443
>
> Now the VirtualHost sections:
>
> >> <VirtualHost testwww.heyjay.com:80>
>
> Change the line above to:
> <VirtualHost 10.0.0.1:80>
>
> >>    ServerName  testwww.heyjay.com
> >>    SSLEngine off
> >>    DocumentRoot /var/www/heyjay/testwww
> >> </VirtualHost>
> >>
> >> <VirtualHost www.heyjay.com:80>
>
> Change the line above to:
> <VirtualHost 10.0.0.1:80>
>
> >>    ServerName  www.heyjay.com
> >>    SSLEngine off
> >>    DocumentRoot /var/www/heyjay/www
> >> </VirtualHost>
> >>
> >> <VirtualHost testssl:443>
>
> Change the line above to:
> <VirtualHost 10.0.0.1:443>
>
> >>    ServerName  testssl.heyjay.com
> >>    DocumentRoot /var/www/heyjay/testssl
> >>    SSLEngine on
> >>    SSLCertificateFile server.crt
> >>    SSLCertificateKeyFile server.key
> >>    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
> >> </VirtualHost>
> >>
> >> <VirtualHost ssl.heyjay.com:443>
>
> Change the line above to:
> <VirtualHost 10.0.0.2:443>
>
> >>    ServerName  ssl.heyjay.com
> >>    DocumentRoot /var/www/heyjay/ssl
> >>    SSLEngine on
> >>    SSLCertificateFile server.crt
> >>    SSLCertificateKeyFile server.key
> >>    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
> >> </VirtualHost>
>
> Both your ssl vhost sections above refer to the same cert.  Use one
> certificate for each SSL server.  This way you can give users the
> option of telling their browsers to remember your cert and not bug the
> user next time they load the page.
>
> I like to strip the passphrase from my certs because I don't like to
> enter a passphrase each time I restart the server, reboot or
> otherwise.  <disclaimer>I am aware of the risks of doing this.  You
> should decide if you are ok with those risks before stripping the
> passphrase from your certs. This setup works for me, make sure it
> works for you.</disclaimer>
>
> #apache on freenode is a good irc channel for this sort of thing on a
> real time basis.
>
> Hope that helps.  Good luck.
>
> -- 
> Ricardo Anguiano
> http://www.codesourcery.com
>
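
Added example, not part of the original thread and not code from either poster: a small Python check that reads VirtualHost blocks and reports the two problems raised in the reply above, more than one SSL vhost on the same ip:port and more than one SSL vhost pointing at the same certificate file. The sample config is constructed from the hostnames in the thread, and the function names are made up for this example; it assumes SSLEngine is set inside each VirtualHost block.

```python
import re
from collections import defaultdict

# Constructed sample: both SSL hosts left on one address with one cert.
SAMPLE_CONF = """
<VirtualHost 10.0.0.1:80>
    ServerName www.heyjay.com
    SSLEngine off
</VirtualHost>
<VirtualHost 10.0.0.1:443>
    ServerName testssl.heyjay.com
    SSLEngine on
    SSLCertificateFile server.crt
</VirtualHost>
<VirtualHost 10.0.0.1:443>
    ServerName ssl.heyjay.com
    SSLEngine on
    SSLCertificateFile server.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    m = re.search(r"^\s*%s\s+(\S+)" % re.escape(name), body, re.M | re.I)
    return m.group(1) if m else None

def parse_vhosts(conf):
    conf = re.sub(r"(?m)^\s*#.*$", "", conf)  # drop comment lines
    return [{"addr": addr.strip(),
             "name": directive(body, "ServerName"),
             # Assumption: SSLEngine is set per vhost, not inherited.
             "ssl": (directive(body, "SSLEngine") or "off").lower() == "on",
             "cert": directive(body, "SSLCertificateFile")}
            for addr, body in VHOST_RE.findall(conf)]

def audit(conf):
    by_addr, by_cert = defaultdict(list), defaultdict(list)
    for h in parse_vhosts(conf):
        if h["ssl"]:  # only SSL vhosts matter for either check
            by_addr[h["addr"]].append(h["name"])
            by_cert[h["cert"]].append(h["name"])
    findings = [("shared-ssl-address", k, v) for k, v in by_addr.items() if len(v) > 1]
    findings += [("shared-certificate", k, v) for k, v in by_cert.items() if len(v) > 1]
    return findings

if __name__ == "__main__":
    for kind, key, names in audit(SAMPLE_CONF):
        print(f"{kind}: {key} used by {', '.join(names)}")
```

Non-SSL vhosts sharing 10.0.0.1:80 are not reported, since name-based hosting works there.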