    • CommentAuthorjoelmca
    • CommentTimeDec 5th 2008
    Hello,

    I am pulling my hair out and was hoping you might be able to give me some guidance.

    I have set up Apache 2.2 on Ubuntu Hardy per the direction of the Slicehost tutorials. Here is a detailed summary:

    Apache2.conf had the following added to it by me:
    -------------------------------------------

    ServerName MyServerName

    NameVirtualHost *:80

    <IfModule mod_ssl.c>
    NameVirtualHost *:443
    </IfModule>

    Ports.conf is the default:
    -----------------------------

    Listen 80

    <IfModule mod_ssl.c>
    Listen 443
    </IfModule>



    Now, I have 3 sites running on my 1 IP address. They are, as listed in /etc/apache2/sites-available, called: 111-default, siteA.com, siteB.com.

    111-default is just the default page that gets installed with Apache where they browse directly to the IP address -- and I basically just changed it to say "Go away from here" :-). There is no <VirtualHost *:443> tag in the 111-default config file right now; only <VirtualHost *:80>.

    siteA.com is a site that also uses SSL, so both 80 and 443 are live and active. There are both <VirtualHost *:80> and <VirtualHost *:443> tags in siteA.com config.

    siteB.com is a site that is just static HTML on port 80. There is no <VirtualHost *:443> tag in the siteB.com config file right now; only <VirtualHost *:80>.


    OK. If someone goes to https://siteA.com -- fine. It all works. But, if someone goes to https://1.1.1.1 (my ip address) or https://siteB.com -- they get redirected to https://siteA.com (I am using a self-signed certificate, so the certificate warning comes up first before the redirection). I understand that with vhosts in Apache they are followed in alphabetical order and in addition to where the first port is found. So I can see why this is happening because I only have one <VirtualHost *:443> tag in the siteB.com config file in /etc/apache2/sites-available.

    I don't want this to happen. What I want is if they go to https://1.1.1.1 or https://siteB.com -- I want an error page to be thrown up or at least redirected to the http:// versions of those sites. I have been trying to follow this article (http://fob.po8.org/node/289) which seems like my best bet so far, but I am having trouble mapping the instructions to the files available to me in Apache.

    I tried following the instructions in that link above, but have been unable to map the instructions to the files in Apache that I am supposed to edit.

    I would appreciate any help. Thank you in advance.
    • CommentAuthorjtdarlington
    http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2

    One error in the article you linked to is that its author assumes the Apache folks made an arbitrary decision not to accept multiple SSL setups per IP. As the linked-to FAQ explains, this takes place before the request gets to Apache, so there's nothing Apache can do about it. Apache only allows one virtual host per IP to serve SSL traffic because it's a limit of the SSL libraries and really out of Apache's hands.

    In general, the site you want to make available via SSL should be the first virtual host, which Apache will treat as the default. I'd offer specific suggestions on how to move things around but the path "/etc/apache2/sites-available" suggests you're using a different distro than I am (I'm on Fedora), so I don't know where to suggest making your changes.

    My generic suggestion: Get rid of your "111-default" virtual host. Is there any reason you really need it? I can only think of one—the Apache manual—and that's easy enough to get to online at Apache's site. You could also download the manual directory to your desktop machine and browse it locally if you want. But there's no real reason to keep it cluttering up your config file and disk space. Then make sure your "siteA.com" configuration is first in line of the virtual hosts. In my setup, I have separate config files for HTTP and HTTPS, so all the SSL-specific stuff is in one place. I usually extrapolate my site-specific stuff into separate files and use the Include directive to include those configurations wherever they need to go (for example, into both the HTTP and HTTPS configurations where appropriate).

    As for the error messages on the IP and "siteB.com"... I don't think that's possible. On my sites, if I try to use HTTPS to access one of my HTTP-only domains, I get a "bad certificate for this domain" error because the certificate is tied to the HTTPS-enabled domain. Since the SSL negotiation takes place before the request reaches Apache, there's no way to intercept it to throw the error page.

    Hope this helps (and that someone can correct me if I'm wrong)...
    • CommentAuthordiazona
    • CommentTimeDec 5th 2008
    I was always under the impression that, as jtdarlington said, it's not possible to do name-based virtual hosting with multiple domains on a single port with SSL. This is what the Apache docs say, and it makes sense, based on the way SSL works, that Apache shouldn't be able to do it - the server needs to use a certificate to create the SSL connection, but at the time of the SSL handshake, it doesn't know which virtual host is going to be requested, and therefore it doesn't know which vhost to take the certificate from.

    But I just did a test with Apache 2.2 on my laptop, and believe it or not, it actually does work . . . Apache will display different pages depending on whether I access https://localhost vs. https://www.ellipsix.localhost. Apparently, in practice, the server will just use the certificate out of the first virtual host it finds in its configuration (by the way, Apache checks vhosts in the order they're defined in its configuration, not in alphabetical order), but it is smart enough to switch to another vhost if necessary to handle the actual HTTP request. So in principle, the article you've been looking at is correct in that you can set up multiple SSL virtual hosts on a single IP address and port, but Apache will only ever use the certificate from the first of these vhosts, so visitors to your site for any vhost except the first will get warnings about the certificate having been issued for a different site.

    Now, I have found a web page that gives instructions for adding multiple hostnames to a single certificate using the subjectAltName field. If this works, it will be possible to make one certificate that you can use for all the virtual hosts you have on port 443, so in that case the users' browsers would not display the certificate warning (assuming that the browsers also recognize the subjectAltName field of the certificate). I have not tried it, nor have I ever heard of it working, but I will definitely do a test sometime soon. (Or if you decide to go that route, I would love to hear how it works out)

    If the subjectAltName approach doesn't work or you don't want to use it, there is an experimental bit of technology in the works called SNI (server name identification), that would allow a browser to send the hostname as part of the SSL handshake, so Apache would then know which virtual host to take the certificate from. This would be the "proper" way to do what you're trying to do, namely get rid of the certificate warnings for users who access your IP address or siteB.com. From what I've heard, it is implemented by an Apache module called mod_gnutls, and it is also being incorporated into Apache's own mod_ssl. Again, I would be interested to hear if you get this working.

    :) David
    • CommentAuthorjoelmca
    • CommentTimeDec 5th 2008
    JT, David,

    Thank you so much for your extensive replies. I need to take some time to fully understand them, but I did want to say one thing that I may have forgotten to mention.

    The certificate I am using is just a local, self-signed certificate. In reality, the only one who should be accessing the SSL site on siteB.com is me, but I wanted it to be a secure interaction.

    I am not sure if the certificate being local to the host and self-signed makes any difference in your responses above; I just wanted to throw that out there.

    Thanks again!
    • CommentAuthordiazona
    • CommentTimeDec 5th 2008
    Hmm . . . so I think you have me a little confused now (sorry :-P) How exactly do you want these sites to be set up, in terms of what happens when you go to 1.1.1.1, siteA, and siteB with and without HTTPS?

    The only difference with self-signed certificates that I would point out is that browsers will already throw up a warning just because the certificate is self-signed. So in practice you wouldn't care that much about the certificates having the proper hostname, since that notice just gets added to the existing dialog box.

    :) David
    • CommentAuthorpgson
    • CommentTimeDec 5th 2008
    We have a wildcard cert for our domain, and we are able to use it with a single port/ip address and different subdomains. Apache is not happy about it and tells us all the time in the error logs:

    [warn] Init: SSL server IP/port conflict: x.y.com:443 (/etc/httpd/x.conf:8) vs. z.y.com:443 (/etc/httpd/z.conf:8)
    [warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!

    This is what our .conf looks like:
    Listen 0.0.0.0:80
    Listen 0.0.0.0:443
    NameVirtualHost IP:80
    NameVirtualHost IP:443
    <VirtualHost IP:80>
    ServerAlias x.y.com
    </VirtualHost>
    <VirtualHost IP:443>
    UseCanonicalName off
    ServerAlias x.y.com
    </VirtualHost>
    <VirtualHost IP:80>
    ServerAlias z.y.com
    </VirtualHost>
    <VirtualHost IP:443>
    UseCanonicalName off
    ServerAlias z.y.com
    </VirtualHost>

    I don't know much about the implementations of other modules that truly allow this for separate domains, but this is how we use it.

    The self-signed cert shouldn't make any difference; they will work just fine except for blowing up with security warnings in modern browsers.

    I don't know if this helps since it involves the same TLD but maybe it will help.
    • CommentAuthorjoelmca
    • CommentTimeDec 5th 2008 edited
    Hi David,

    Yeah -- sorry to be confusing.

    The scenario ideally that I want is:

    1.1.1.1 (111-default) - http works fine, https error (or redirect back to http)
    siteA.com - http works fine, https works fine
    siteB.com - http works fine, https error (or redirect back to http)

    I have one self-signed certificate that I am seeing as shared amongst all these, even though I only need it for one site.

    But as JT said above, I can probably do without the default site if that helps any.
    • CommentAuthordiazona
    • CommentTimeDec 5th 2008
    Well, I would also suggest getting rid of the default site, since there's really no point in having a page that just says "don't go here" ;-) If you're not worried about certificate warnings in people's browsers, I think this is one way to do it:
    NameVirtualHost *:80
    NameVirtualHost *:443
    <VirtualHost *:80>
    ServerName siteA.com
    # your http://siteA.com configuration
    </VirtualHost>
    <VirtualHost *:443>
    ServerName siteA.com
    # your https://siteA.com configuration
    </VirtualHost>
    <VirtualHost *:80>
    ServerName siteB.com
    # your http://siteB.com configuration
    </VirtualHost>
    <VirtualHost *:443>
    ServerName siteB.com
    ServerAlias 1.1.1.1
    # mod_rewrite must be enabled (a2enmod rewrite); give this vhost the same
    # SSLEngine/SSLCertificate* directives as the siteA.com https block so it
    # can answer the TLS connection before issuing the redirect
    RewriteEngine on
    # ^/(.*) strips the leading slash so the target is not http://host//path
    RewriteRule ^/(.*) http://%{HTTP_HOST}/$1 [L,R=permanent]
    </VirtualHost>

    This would do what you want, except that people accessing your server by IP (http://1.1.1.1) would be sent to siteA.com - since that's the site you want the public to use, I would presume it's a reasonable default. If you really want to put up an error page or something for that sort of access, just add another <VirtualHost *:80> section with ServerName 1.1.1.1 and put the desired configuration in there.

    By the way, you can split that up into separate files if you like, just make sure they get put together in the right order. I think you can check your vhost config by running
    apache2 -S

    :) David
    Thankful People: joelmca
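    The selection rules David describes (vhosts tried in configuration order, the first :443 vhost's certificate presented to everyone, and a :443 vhost for siteB.com/1.1.1.1 that bounces back to http), as an added Python model that is not part of this thread; the two layouts and the host names are constructed from the posts above, and the self-signed warning every client gets anyway is left out.

```python
# Added example (not from the thread): a small model of how Apache 2.2 without
# SNI picks a vhost and a certificate, using the host names from this thread.
from dataclasses import dataclass, field

@dataclass
class VHost:
    port: int
    server_name: str
    aliases: list = field(default_factory=list)
    cert_cn: str = None             # CN of the certificate configured in this vhost
    redirect_to_http: bool = False  # stands in for the RewriteRule vhost above

    def matches(self, host):
        return host.lower() in [n.lower() for n in [self.server_name] + self.aliases]

def select_vhost(vhosts, port, host):
    """Name-based selection: vhosts are tried in configuration order (not
    alphabetically); if no ServerName/ServerAlias matches the Host header,
    the first vhost defined on that port is the default."""
    on_port = [v for v in vhosts if v.port == port]
    if not on_port:
        return None
    return next((v for v in on_port if v.matches(host)), on_port[0])

def handshake_cert(vhosts, port=443):
    """Without SNI the hostname is unknown during the TLS handshake, so the
    certificate of the first vhost on that port is shown to every client."""
    return next((v.cert_cn for v in vhosts if v.port == port), None)

def simulate(vhosts, url):
    """Return which vhost answers, which cert the client saw, whether the cert
    name matches the requested host, and any redirect the vhost issues."""
    scheme, host = url.split("://", 1)
    port = 443 if scheme == "https" else 80
    cert = handshake_cert(vhosts) if port == 443 else None
    v = select_vhost(vhosts, port, host)
    return {"served_by": v.server_name if v else None, "cert_cn": cert,
            "name_mismatch": cert is not None and cert.lower() != host.lower(),
            "redirect": f"http://{host}/" if v and v.redirect_to_http else None}

# Constructed layouts: joelmca's original (only siteA.com has a :443 vhost) ...
ORIGINAL = [VHost(80, "1.1.1.1"), VHost(80, "siteA.com"),
            VHost(443, "siteA.com", cert_cn="siteA.com"), VHost(80, "siteB.com")]
# ... and the proposed one, where a :443 vhost for siteB.com/1.1.1.1 redirects to http
PROPOSED = [VHost(80, "siteA.com"), VHost(443, "siteA.com", cert_cn="siteA.com"),
            VHost(80, "siteB.com"),
            VHost(443, "siteB.com", aliases=["1.1.1.1"], redirect_to_http=True)]
```

    With ORIGINAL, https://siteB.com lands on siteA.com's vhost (the only :443 default), which is the "redirect" described in the first post; with PROPOSED it lands on the siteB.com :443 vhost and is sent to http://siteB.com/, still with siteA.com's certificate shown first.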
    • CommentAuthorjoelmca
    • CommentTimeDec 5th 2008
    David,

    Thanks a lot. I will give that a try and let you know what happens. It looks promising! :-)

    And, the command, I think is

    sudo apache2ctl -S
    • CommentAuthorjoelmca
    • CommentTimeDec 5th 2008
    David,

    I think you have solved it for me. Thank you SO much!

    The certificate warnings are just fine with me because people shouldn't be going to those sites anyway.

    This is wonderful. A little more testing, but things are looking good!
    • CommentAuthordiazona
    • CommentTimeDec 5th 2008
    Cool, glad I could help ;-) I'm trying to set up something similar for my own website(s) so the research I did answering your question is going to come in handy for me too . . .

    :) David