[LUNI] SSL virtual hosts on Apache

matt at abernackie.com
Mon Aug 12 15:53:02 CDT 2002


Hey, he's right, you can only run one SSL host per IP addy.

However, a way around this is to just set up some IP aliases:

/sbin/ifconfig eth0:0 192.168.1.11 netmask 255.255.255.0
/sbin/ifconfig eth0:1 192.168.1.10 netmask 255.255.255.0

Then change the IP in the second VHost entry to match one of the IP aliases
that you created above.  I believe that you have to be running a nameserver
on the same machine for this to work...

I.e.:

domainone.com resolves to 192.168.0.11
domaintwo.com resolves to 192.168.0.10

etc etc etc...

If you have a firewall/nameserver as a gateway, then the zone file would want
to reflect the correct IP address for the domain, and have firewall rules
redirect all traffic to the specified host based on the real (192.168.0.x)
device for the host.  DNS and Apache should handle sending and acknowledging
the request to the proper IP (alias) on the server.

If you have an external nameserver, then just make sure the iptables NAT
rules are set up properly, and ensure that 127.0.0.1 is the IP of the nameserver
in your /etc/resolv.conf file (or the IP of one of the aliases that you
created for running multiple nameservers on one box).

This is what allows you to host 500 domains, each with a unique IP, on one box!!
Of course this is a little easier with real routable IPs.


GL,





On Mon, Aug 12, 2002 at 09:14:55AM -0500, Keith T. Garner wrote:
> On Sat, Aug 10, 2002 at 12:13:56, Lance Spitzner said:
> > I've setup virtual hosts many times on Apache, however this
> > is my first crack at doing it with SSL.  SSL is working fine
> > on my system, but I can't get virtual SSL hosts to work.  Below
> > is the SSL Virtual host config file.  However, when I connect
> > to port 443, I get a 501 Error message, method not supported.
> > The client is attempting to make an SSL connection to port 443,
> > but it appears that when Apache responds, it does not realize the
> > connection is SSL, and is attempting a cleartext connection, thus
> > the 501 Not Supported error.
> > 
> > Words of wisdom?
> 
> Unfortunately, what you are trying to do won't work.  (I know, I've
> tried before I understood all that was going on.)  The other mail that
> said you had the SSLEngine was correct, but that's not the entire
> story.
> 
> To fully understand this, we need to look at how name-based virtual
> hosts work and how SSL works.
> 
> The name based virtual host part is easy, so I'll take care of that
> first.  Part of HTTP/1.1 allows you to pass a Host header as part of
> the header block.  Apache uses this header to "pass" the request on to
> the proper virtual host.
> 
> Example (stripped down but still valid) http request:
>      HEAD / HTTP/1.1
>      Host: www.kgarner.com
> 
> Now that we understand the http part, lets look at the SSL part.  SSL
> sits on top of TCP but (more or less) below the application layer of
> http.  So, when you make a connection to port 443, the SSL layer gets
> established, and then the HTTP layer after SSL is done.  By the time
> you could tell the server that you'd like to go to a certain virtual
> host it's too late.
> 
> Is there a way around this?  Other than running multiple servers on 443
> on multiple IPs, no.  However, you can do some creative work-arounds.
> For example, a friend of mine set up https://secure.hisdomain.com/ and
> when someone connects to http://www.otherdomain.com/ it redirects
> them to https://secure.hisdomain.com/otherdomain/
> 
> In the long run, I'd like to see something like a STARTTLS command
> similar to that which ESMTP and IMAP have.  With those, you connect as
> plain text and then ask to switch to SSL via the STARTTLS command.
> Ideally, what I'd like to see for name-based http would be you
> connect, specify which host you'd like to talk to and STARTTLS and
> then, once SSL is established, then the client sends its GET, HEAD or
> POST.
> 
> This was my first post of the day and it was while I was drinking my
> first coffee, so if I sound like a lunatic, I apologize.
> 
> Keith
> 
> -- 
>    Keith T. Garner                                        kgarner at kgarner.com
>    The whole problem with the world is that fools and fanatics are always so
>  certain of themselves, and wiser people so full of doubts.  --Bertrand Russell
> ______________________________________________________________________
> Linux Users Of Northern Illinois - Technical Discussion 
> luni at luni.org
> http://luni.org/mailman/listinfo/luni
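The two layers Keith describes, as an added example that is not code from the thread or from Apache: a parser for the HTTP/1.1 request line and Host header (what name-based virtual hosts dispatch on), next to the choice of SSL host for a fresh connection on port 443, which in the thread's setup can only be keyed by the socket address. It also goes one step beyond the page: TLS later gained the server_name (SNI) extension of RFC 6066, which puts the hostname inside the ClientHello before the handshake completes, much like the STARTTLS-style ordering Keith wished for, so the block includes a parser for that extension. The vhost tables, addresses, hostnames and the minimal ClientHello builder are constructed for illustration and are assumptions, not anything from the original posts.

```python
import struct

# Constructed vhost tables modelled on the thread (illustration only).
# Pre-SNI the SSL side can only be keyed by the socket address, which is the
# reason for the one-IP-alias-per-SSL-host workaround.
SSL_BY_ADDRESS = {("192.168.0.11", 443): "domainone.com",
                  ("192.168.0.10", 443): "domaintwo.com"}
# With SNI the ClientHello carries the name, so several hosts can share an IP.
SSL_BY_NAME = {"domainone.com", "domaintwo.com"}
# Plain port: name-based vhosts; the first entry is the default for that IP.
NAME_VHOSTS = {("192.168.0.11", 80): ["domainone.com", "domaintwo.com"]}


def parse_request(raw):
    """Parse the request line and headers of one HTTP/1.x request.

    Returns (method, target, version, headers) with lower-cased header names.
    Raises ValueError when the bytes are not an HTTP request line, which is
    what a plain-HTTP listener sees when a client starts a TLS handshake.
    """
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        raise ValueError("not an HTTP request line")
    if not (parts[0].isalpha() and parts[0].isupper()):
        raise ValueError("unknown method token")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return tuple(p.decode("ascii") for p in parts) + (headers,)


def route_plain(raw, local_ip, port=80):
    """Name-based dispatch on the plain port: returns (status, server_name).

    501 models Lance's symptom (a ClientHello read as an HTTP method);
    400 is an HTTP/1.1 request without a Host header; an unknown Host
    falls back to the first vhost bound to the address.
    """
    try:
        _method, _target, version, headers = parse_request(raw)
    except ValueError:
        return 501, None
    names = NAME_VHOSTS[(local_ip, port)]      # KeyError: nothing listens here
    host = headers.get("host", "").split(":")[0].lower()
    if version == "HTTP/1.1" and not host:
        return 400, None
    return 200, host if host in names else names[0]


def parse_sni(record):
    """Return host_name from the server_name extension of a TLS ClientHello
    record, or None if it is not a ClientHello or carries no SNI."""
    try:
        if record[0] != 0x16:                                  # handshake record
            return None
        body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if body[0] != 0x01:                                    # ClientHello
            return None
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                                           # version, random
        pos += 1 + hello[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hello[pos]                                  # compression
        if pos >= len(hello):
            return None                                        # no extensions
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if ext_type == 0:                                  # server_name
                entry = hello[pos + 2:pos + ext_len]           # skip list length
                if entry and entry[0] == 0:                    # host_name type
                    n = struct.unpack("!H", entry[1:3])[0]
                    return entry[3:3 + n].decode("ascii")
                return None
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def choose_ssl_vhost(client_hello, local_ip, port=443):
    """Pick the SSL vhost before any HTTP exists: by SNI when the client sent
    one, otherwise by socket address only (the thread's pre-SNI situation)."""
    name = parse_sni(client_hello)
    if name in SSL_BY_NAME:
        return name
    return SSL_BY_ADDRESS.get((local_ip, port))


def build_client_hello(server_name=None):
    """Constructed minimal TLS 1.2 ClientHello record (test input, not a capture)."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        sni = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0, len(sni)) + sni
    hello = (b"\x03\x03" + b"\x00" * 32      # client_version, random (zeroed)
             + b"\x00"                       # empty session_id
             + b"\x00\x02\xc0\x2f"           # one cipher suite
             + b"\x01\x00")                  # null compression only
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

Feeding `build_client_hello()` (no SNI) to `route_plain` returns 501, the symptom Lance reports, because the record has no request line for the HTTP parser to accept; feeding it to `choose_ssl_vhost` can only return whichever host is bound to the destination IP, which is why the thread needs one alias per SSL host. Only once the hello carries a server_name can two names share 192.168.0.11:443.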


