SSL for a single subdomain
| GrahamWilsonCA@yahoo.ca 2006-07-14, 1:23 am |
| Hi all,

I've been trying to sort this out all day and I'm wondering if someone
can explain why this isn't working. I have a single debian
(sarge-stable) server with a single IP address and apache (2.2.2)
serving 2 domains via name-based virtual hosts.

The relevant bits of httpd-vhosts.conf include:

NameVirtualHost 192.168.2.5:80

<VirtualHost *:80>
ServerName example1.com
ServerAlias www.example1.com *.example1.com
DocumentRoot "/home/www/example1"
</VirtualHost>

<VirtualHost *:80>
ServerName example2.com
ServerAlias www.example2.com *.example2.com
DocumentRoot "/home/www/example2"
</VirtualHost>

I've set up a svn repository that I would like to associate with a
subdomain of one of the virtual hosts (i.e. svn.example1.com) and I'd
like ssl authentication/encryption. The relevant bits of
httpd-ssl.conf read:

<VirtualHost 192.168.2.5:443>
ServerName svn.example1.com:443
DocumentRoot "/home/subversion"
SSLEngine on
... more SSL things here ...
</VirtualHost>

The problem is that the above does not seem to honour the ServerName
directive correctly. Basically, any of the addresses below (which my
DNS server resolves to the server IP) currently point to my subversion
tree:
https://svn.example1.com/ProjectA
https://example1.com/ProjectA
https://mail.example1.com/ProjectA
https://www.example1.com/ProjectA
https://example2.com/ProjectA
https://www.example2.com/ProjectA
...

Is there any way to restrict access such that only
'https://svn.example1.com/ProjectA' is resolved?

Many thanks!
Graham
| |
| Davide Bianchi 2006-07-14, 1:21 pm |
| On 2006-07-14, GrahamWilsonCA@yahoo.ca <GrahamWilsonCA@yahoo.ca> wrote:
> subdomain of one of the virtual hosts (i.e. svn.example1.com) and I'd
> like ssl authentication/encryption. The relevant bits of
> The problem is that the above does not seem to honour the ServerName
> directive correctly. Basically, any of the addresses below (which my
> DNS server resolves to the server IP) currently point to my subversion
> tree:
> https://svn.example1.com/ProjectA
> https://example1.com/ProjectA
> https://mail.example1.com/ProjectA
> https://www.example1.com/ProjectA
> https://example2.com/ProjectA
> https://www.example2.com/ProjectA
> ...
>
> Is there any way to restrict access such that only
> 'https://svn.example1.com/ProjectA' is resolved?
Unfortunately no. The point is that all of the URLs you mentioned are
arriving at your machine, but your machine doesn't know which URL you
want 'cause the request is encrypted, and it needs to decrypt it before
doing anything. And the only way to decrypt it is to answer the request.

The only way to 'restrict' it would be to use a dedicated IP address to
respond to a dedicated URL for your https site.
Davide
--
Starting your usenet experience with this group is like starting your
drug experiences with 500 mikes of acid with an amphetamine chaser.
--Rebecca Ore
| |
| Randall Skelton 2006-07-14, 1:21 pm |
| Thanks for your reply Davide! I wondered how this could possibly work
but there are many online references to using 'ServerName' in the SSL
vhost.
Davide Bianchi wrote:
> On 2006-07-14, GrahamWilsonCA@yahoo.ca <GrahamWilsonCA@yahoo.ca> wrote:
>
> Unfortunately no. The point is that all of the URLs you mentioned are
> arriving at your machine, but your machine doesn't know which URL you
> want 'cause the request is encrypted, and it needs to decrypt it before
> doing anything. And the only way to decrypt it is to answer the request.
>
> The only way to 'restrict' it would be to use a dedicated IP address to
> respond to a dedicated URL for your https site.
>
> Davide
>
> --
> Starting your usenet experience with this group is like starting your
> drug experiences with 500 mikes of acid with an amphetamine chaser.
> --Rebecca Ore
| |
| Davide Bianchi 2006-07-14, 1:21 pm |
| On 2006-07-14, Randall Skelton <randall.skelton@gmail.com> wrote:
> Thanks for your reply Davide! I wondered how this could possibly work
> but there are many online references to using 'ServerName' in the SSL
> vhost.
Yes, the problem is the server name is only looked up *after* the request
has been answered.
Davide
--
Another name for a Windows tutorial is "crash course".
| |
| bobmct 2006-07-14, 1:21 pm |
| GrahamWilsonCA@yahoo.ca wrote:
> Hi all,
>
> I've been trying to sort this out all day and I'm wondering if someone
> can explain why this isn't working. I have a single debian
> (sarge-stable) server with a single IP address and apache (2.2.2)
> serving 2 domains via name-based virtual hosts.
>
> The relevant bits of httpd-vhosts.conf include:
>
> NameVirtualHost 192.168.2.5:80
>
> <VirtualHost *:80>
> ServerName example1.com
> ServerAlias www.example1.com *.example1.com
> DocumentRoot "/home/www/example1"
> </VirtualHost>
>
> <VirtualHost *:80>
> ServerName example2.com
> ServerAlias www.example2.com *.example2.com
> DocumentRoot "/home/www/example2"
> </VirtualHost>
>
> I've set up a svn repository that I would like to associate with a
> subdomain of one of the virtual hosts (i.e. svn.example1.com) and I'd
> like ssl authentication/encryption. The relevant bits of
> httpd-ssl.conf read:
>
> <VirtualHost 192.168.2.5:443>
> ServerName svn.example1.com:443
> DocumentRoot "/home/subversion"
> SSLEngine on
> ... more SSL things here ...
> </VirtualHost>
>
> The problem is that the above does not seem to honour the ServerName
> directive correctly. Basically, any of the addresses below (which my
> DNS server resolves to the server IP) currently point to my subversion
> tree:
> https://svn.example1.com/ProjectA
> https://example1.com/ProjectA
> https://mail.example1.com/ProjectA
> https://www.example1.com/ProjectA
> https://example2.com/ProjectA
> https://www.example2.com/ProjectA
> ...
>
> Is there any way to restrict access such that only
> 'https://svn.example1.com/ProjectA' is resolved?
>
> Many thanks!
> Graham
Graham;
As Davide stated, the SSL part takes place BEFORE the virtual server part.
I believe that's why there can be only ONE SSL site on a given IP.
As I am doing something very similar to you, I defined all my virtual
servers as *:80 with appropriate ServerNames but my SSL is defined as
*:443 which is the "default" SSL server and this seems to work. However, I
rely on other mechanisms to keep unauthorized out.
Good luck, please post your resolution?
Bob
| |
| GrahamWilsonCA@yahoo.ca 2006-07-14, 7:21 pm |
| It is nice to hear that I wasn't alone in this misconception. My
'solution' is to simply use rewrite rules to make sure that anyone
connecting on 443 is redirected to the subdomain where my self-signed
cert is correct.

RewriteEngine on
RewriteCond %{SERVER_PORT} ^443
RewriteCond %{HTTP_HOST} !^svn\.example1\.com$
RewriteRule (.*) https://svn.example1.com/$1 [R=permanent]

I'm really only using https to avoid sending plain-text passwords
around.
Graham
bobmct wrote:
> Graham;
>
> As Davide stated, the SSL part takes place BEFORE the virtual server part.
> I believe that's why there can be only ONE SSL site on a given IP.
>
> As I am doing something very similar to you, I defined all my virtual
> servers as *:80 with appropriate ServerNames but my SSL is defined as
> *:443 which is the "default" SSL server and this seems to work. However, I
> rely on other mechanisms to keep unauthorized out.
>
> Good luck, please post your resolution?
>
> Bob
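
The behaviour discussed in this thread, modelled as an added example (not code from any poster): the SSL vhost is chosen from IP and port alone, and the rewrite conditions from the last post then act on the Host header once the request has been decrypted. The sample Host headers are constructed, and the `per_dir` switch is an assumption about where the rules are placed.

```python
import re

# Values copied from the thread; the sample Host headers below are constructed.
SSL_VHOST_ADDR = ("192.168.2.5", 443)
CANONICAL = "svn.example1.com"
PORT_COND = re.compile(r"^443")                  # RewriteCond %{SERVER_PORT} ^443
HOST_COND = re.compile(r"^svn\.example1\.com$")  # RewriteCond %{HTTP_HOST} !^svn\.example1\.com$


def select_vhost(local_ip, local_port):
    """Pick the vhost from address and port alone, as happens before the
    handshake finishes: the Host header is still encrypted at this point."""
    return "svn-ssl" if (local_ip, local_port) == SSL_VHOST_ADDR else "default"


def rewrite(host_header, server_port, path, per_dir=False):
    """Return the redirect Location, or None if the request is served as-is.

    per_dir=False models rules placed in <VirtualHost>, where (.*) sees the
    leading slash; per_dir=True models .htaccess, where it is stripped.
    """
    if not PORT_COND.search(str(server_port)):
        return None
    if HOST_COND.search(host_header):  # case-sensitive: no [NC] flag in the post
        return None
    captured = path[1:] if per_dir and path.startswith("/") else path
    return "https://%s/%s" % (CANONICAL, captured)


SAMPLE_HOSTS = [  # constructed
    "svn.example1.com",
    "www.example2.com",
    "SVN.Example1.com",
    "svn.example1.com:443",
]


def audit(path="/ProjectA"):
    """Return (host, vhost, redirect) for each sample request on 192.168.2.5:443."""
    return [(h, select_vhost("192.168.2.5", 443), rewrite(h, 443, path))
            for h in SAMPLE_HOSTS]


if __name__ == "__main__":
    for host, vhost, location in audit():
        print("%-22s vhost=%-8s -> %s" % (host, vhost, location or "served"))
```

Every sample lands in the same SSL vhost, so the certificate is presented before any redirect is issued; the redirect tidies the URL and is not an access control. Hosts sent with different case or an explicit `:443` are also redirected, and in `<VirtualHost>` context the target carries a double slash.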