setting up SSL on server containing virtualhosts
| What is the best way to implement an SSL site on a server already
containing HTTP virtualhosts? Do I need to run a separate Apache
instance?
Peter
| |
| MikeDawg 2006-10-17, 1:37 am |
| The best way: Have multiple IP addresses, and have each virtualhost on
a separate IP address.
Other possible ways: Have each virtual host on different ports.
Thanks
Mike
Peter wrote:
> What is the best way to implement an SSL site on a server already
> containing HTTP virtualhosts? Do I need to run a separate Apache
> instance?
>
> Peter
| |
| MikeDawg 2006-10-17, 1:37 am |
|
MikeDawg wrote:
> The best way: Have multiple IP addresses, and have each virtualhost on
> a separate IP address.
>
> Other possible ways: Have each virtual host on different ports.
>
> Thanks
>
> Mike
>
> Peter wrote:
Sorry for the top post on that one.
| |
| Davide Bianchi 2006-10-17, 1:37 am |
| On 2006-10-16, Peter <pmatulis@gmail.com> wrote:
> What is the best way to implement an SSL site on a server already
> containing HTTP virtualhosts?
Just add one VHost on port 443 and run SSL on that. You don't need
separate instances of Apache.
Davide
--
How dare the government intervene to stifle innovation in the computer
industry! That's Microsoft's job, dammit!
| |
|
|
MikeDawg wrote:
> The best way: Have multiple IP addresses, and have each virtualhost on
> a separate IP address.
>
> Other possible ways: Have each virtual host on different ports.
>
> Thanks
>
> Mike
>
> Peter wrote:
I thought you could not have a name-based SSL virtualhost? See here:
http://httpd.apache.org/docs/1.3/vhosts/name-based.html
| |
| Davide Bianchi 2006-10-17, 1:37 am |
| On 2006-10-16, Peter <pmatulis@gmail.com> wrote:
> I thought you could not have a name-based SSL virtualhost?
Sure you can have a name-based SSL vhost, you can even have more than one,
as long as you don't care about the fact that all of them will use the same
certificate.
Davide
--
I'm locked in a maze of little projects, all of which suck.
-- Chris "Saundo" Saunderson on alt.sysadmin.recovery
| |
|
|
Davide Bianchi wrote:
> On 2006-10-16, Peter <pmatulis@gmail.com> wrote:
>
> Sure you can have a name-based SSL vhost, you can even have more than one,
> as long as you don't care about the fact that all of them will use the same
> certificate.
I can have port 80 vhosts as well as port 443 vhosts?
| |
| Davide Bianchi 2006-10-17, 1:37 am |
| On 2006-10-16, Peter <pmatulis@gmail.com> wrote:
> I can have port 80 vhosts as well as port 443 vhosts?
Yup. The default configuration when you use SSL "out of the box" is to
have one VHost handling port 80 and one handling port 443. As a matter
of fact you can have as many VHosts as you want listening on whatever
port(s) you want.
The problem in having multiple vhosts on https is that Apache can
discern which vhost you want only *after* the request has been decrypted,
so *after* the certificate has been used, and this means that all the
ssl-enabled vhosts will use the same certificate.
Davide
--
Windows NT source code now available... download WIN2000.BAS now!
-- From a Slashdot.org post
| |
|
|
Davide Bianchi wrote:
> On 2006-10-16, Peter <pmatulis@gmail.com> wrote:
>
> Yup. The default configuration when you use SSL "out of the box" is to
> have one VHost handling port 80 and one handling port 443. As a matter
> of fact you can have as many VHosts as you want listening on whatever
> port(s) you want.
>
> The problem in having multiple vhosts on https is that Apache can
> discern which vhost you want only *after* the request has been decrypted,
> so *after* the certificate has been used, and this means that all the
> ssl-enabled vhosts will use the same certificate.
Why do the Apache docs say this:
Name-based virtual hosting cannot be used with SSL secure servers
because of the nature of the SSL protocol.
| |
| Davide Bianchi 2006-10-17, 1:27 pm |
| On 2006-10-17, Peter <pmatulis@gmail.com> wrote:
> Why do the Apache docs say this:
Because of what I said before, or better;
http://httpd.apache.org/docs/trunk/...faq.html#vhosts
To be precise, it is not 'impossible', it is very possible *as long as
you don't care about all the VHosts using the same certificate*
(aka: it works for encryption not really for authentication).
Davide
--
If Windows sucked it would be good for something.
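
The setup the replies describe, as an added example that is not part of the original thread: name-based vhosts on port 80, plus one SSL vhost per IP address so that each site presents its own certificate. Hostnames, addresses and file paths are assumptions; mod_ssl is assumed to be loaded, and the syntax is for Apache versions that still use NameVirtualHost.

```apache
# Constructed example. Hostnames, addresses (192.0.2.0/24 documentation
# range) and file paths are assumptions, not values from the thread.
Listen 80
Listen 443

# Plain HTTP: both sites share one address. Apache selects the vhost
# from the Host header, which it can read directly.
NameVirtualHost 192.0.2.10:80

<VirtualHost 192.0.2.10:80>
    ServerName www.example.com
    DocumentRoot /var/www/example.com
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName www.example.org
    DocumentRoot /var/www/example.org
</VirtualHost>

# HTTPS: one vhost per IP address. The certificate is chosen from the
# address the client connected to, before any Host header is decrypted,
# so each site can present a certificate that matches its own name.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    DocumentRoot /var/www/example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.example.com.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName www.example.org
    DocumentRoot /var/www/example.org
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/www.example.org.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.example.org.key
</VirtualHost>

# The name-based alternative from the thread would put both :443 vhosts
# on 192.0.2.10 behind "NameVirtualHost 192.0.2.10:443". Traffic is still
# encrypted, but both names are served with the same certificate, so
# clients of the second site see a certificate issued for the first.
```

After a change like this, `apachectl configtest` checks the syntax, and connecting to each address over HTTPS shows which certificate that vhost presents.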