SSL only machine
devon_banks@comcast.net 2006-11-28, 7:28 pm

I have 3 sub-domains which I need to make sure are only accessed via
SSL on one machine, I've never set up multiple SSL domains on one
machine or a strictly SSL machine.

Do I copy the Virtual Host settings in the ssl.conf and make changes
to the directory to which they point?

Can I use different certificates for the different virtual hosts? It's
not really that important for this setup since they are subdomains, but
I was under the impression that apache can only use one certificate
and curious whether this was just some bad information I had floating
in my head.

What changes do I make to http.conf to prevent connection to
port 80, or would I be better off just blocking port 80 with a
firewall (might as well now that I think about it).

Jim Hayter 2006-11-29, 1:19 pm

devon_banks@comcast.net wrote:
> I have 3 sub-domains which I need to make sure are only accessed via
> SSL on one machine, I've never set up multiple SSL domains on one
> machine or a strictly SSL machine.
>
> Do I copy the Virtual Host settings in the ssl.conf and make changes
> to the directory to which they point?
>
> Can I use different certificates for the different virtual hosts? It's
> not really that important for this setup since they are subdomains, but
> I was under the impression that apache can only use one certificate
> and curious whether this was just some bad information I had floating
> in my head.
>
Because SSL handshake takes place first, whatever certificate is
specified for the default virtual host at IP:port will be used. There
are ways to deal with this:
1) if all the virtual hosts are subdomains, you can use a wildcard
certificate.
2) put each virtual host on its own port for SSL traffic and route
traffic for each host to its port. I use multiple VIPs in my load
balancers to segregate the traffic for this purpose.
3) use multiple IP addresses and have each virtual host listen to its
own address on port 443.
There may be other options.
>
> What changes do I make to http.conf to prevent connection to
> port 80, or would I be better off just blocking port 80 with a
> firewall (might as well now that I think about it).
>
You could just have virtual hosts on port 80 that redirect all traffic
to the appropriate https://... URL for that host.
HTH,
Jim
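
An added example, not part of the thread: option 3 from the reply above (one IP address per virtual host, each with its own certificate) combined with the port-80 redirect, written as Apache configuration. The host names, IP addresses and file paths are assumptions chosen for illustration.

```apache
# Constructed example: host names, addresses (RFC 5737 documentation range)
# and paths are placeholders, not values from the thread.
# If ssl.conf already contains "Listen 443", do not repeat it here.
Listen 80
Listen 443

# --- one.example.com on 192.0.2.11 ---
<VirtualHost 192.0.2.11:80>
    ServerName one.example.com
    # Plain HTTP serves no content; every request is sent to the HTTPS site.
    Redirect permanent / https://one.example.com/
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName one.example.com
    DocumentRoot /var/www/one
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/one.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/one.example.com.key
</VirtualHost>

# --- two.example.com on 192.0.2.12 ---
<VirtualHost 192.0.2.12:80>
    ServerName two.example.com
    Redirect permanent / https://two.example.com/
</VirtualHost>
<VirtualHost 192.0.2.12:443>
    ServerName two.example.com
    DocumentRoot /var/www/two
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/two.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/two.example.com.key
</VirtualHost>

# --- three.example.com on 192.0.2.13 ---
<VirtualHost 192.0.2.13:80>
    ServerName three.example.com
    Redirect permanent / https://three.example.com/
</VirtualHost>
<VirtualHost 192.0.2.13:443>
    ServerName three.example.com
    DocumentRoot /var/www/three
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/three.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/three.example.com.key
</VirtualHost>
```

With the redirect in place the first request still arrives over plain HTTP, so its URL and any cookies the client sends with it cross the network unencrypted. Blocking port 80 at the firewall avoids that, at the cost of failed connections for clients that request the http:// address.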