[WBEL-users] Apache SSL and virtualhost
John Hinton
webmaster@ew3d.com
Wed, 08 Dec 2004 18:51:30 -0500
Kirby C. Bohling wrote:
>On Wed, Dec 08, 2004 at 04:46:24PM -0500, John Hinton wrote:
>
>>Did I read on here somewhere that you must now have an individual IP for
>>every SSL virtualhost? Seems I keep running in circles adding a second
>>SSL domain. :(
>>
>>I checked the archives, but couldn't seem to find the post. Sure would be
>>nice if those archives were searchable. Complain, complain, complain. LOL!
>
>Yes you did remember that correctly. The person who if I remember
>correctly explained it best was Johnny Hughes. Essentially if I
>remember the problem correctly, it is a chicken and the egg problem.
>
OK.. I searched and searched and never found a snippet about this
through all my googling. Then again, a topic like SSL is hard to get a
good return on.
But, I was successful.
My first SSL cert runs on the shared IP of the server.
I created another IP on the same eth0 interface using eth0:1 and ifconfig.
In my /etc/httpd/conf.d/ssl.conf I added the second NameVirtualHost so
it now looks like
NameVirtualHost 64.555.555.5:443
NameVirtualHost 64.555.555.30:443
(the IPs have been changed to protect the innocent)
I then added the vhost entry which looks like
<VirtualHost 64.555.555.30:443>
DocumentRoot /var/www/somedirectory/public_html
ServerAdmin webmaster@yourdomain.com
ServerName www.yourdomain.com
ErrorLog /var/www/somedirectory/logs/secure_error_log
TransferLog /var/www/somedirectory/logs/secure_access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/httpd/conf/somedirectory/cert.pem
SSLCertificateKeyFile /etc/httpd/conf/somedirectory/key.pem
SSLCertificateChainFile /etc/httpd/conf/somedirectory/csr.pem
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /var/www/somedirectory/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
I reset my BIND records to point this domain at the new IP. I would suggest
registering a secure site with something like secure.somedomain.com
instead of www.somedomain.com, as I then had to go to the port 80 vhost
section and add the NameVirtualHost as above, only on port 80, and edit
the virtualhost container to show the new IP. I inherited this setup, so
I followed what I had in this case.
Anyway, this worked, and I don't think I left anything out... other than
all my round and rounds getting to this end.
Best,
John Hinton
(Johnny Hughes: feel free to grab this to create a howto if you like!
edit as you see fit.)
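As an added example (not from the post or from WBEL), here is a small check for the situation discussed in this thread: without a separate IP per SSL virtual host, Apache has to pick a certificate before it ever sees the Host header, so two SSL vhosts bound to the same IP:443 (or to a wildcard address) means only the first one's certificate is served. The sample ssl.conf below is constructed from the post's placeholder IPs, with a third hypothetical vhost added to show the failure case.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the post's ssl.conf. The third vhost is a
# hypothetical mistake: it shares 64.555.555.30:443 with www.yourdomain.com.
SAMPLE_CONF = """\
NameVirtualHost 64.555.555.5:443
NameVirtualHost 64.555.555.30:443
<VirtualHost 64.555.555.5:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/first/cert.pem
</VirtualHost>
<VirtualHost 64.555.555.30:443>
    ServerName www.yourdomain.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/somedirectory/cert.pem
</VirtualHost>
<VirtualHost 64.555.555.30:443>
    ServerName secure.otherdomain.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/otherdirectory/cert.pem
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return a list of (address, ServerName, ssl_enabled) per <VirtualHost>."""
    vhosts = []
    for m in VHOST_RE.finditer(conf):
        addr, body = m.group(1).strip(), m.group(2)
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M)
        ssl = re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I)
        vhosts.append((addr, name.group(1) if name else None, bool(ssl)))
    return vhosts

def check_ssl_vhosts(conf):
    """Flag SSL vhosts that cannot each get their own certificate: several on
    one IP:port, or any bound to a wildcard / _default_ address."""
    by_addr = defaultdict(list)
    for addr, name, ssl in parse_vhosts(conf):
        if ssl:
            by_addr[addr].append(name)
    problems = []
    for addr, names in by_addr.items():
        if "*" in addr or addr.lower().startswith("_default_"):
            problems.append(f"{addr}: SSL vhost needs its own IP, not a wildcard")
        if len(names) > 1:
            problems.append(f"{addr}: {len(names)} SSL vhosts share this IP:port; "
                            f"only {names[0]!r} will ever present its certificate")
    return problems
```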