[WBEL-users] Apache SSL and virtualhost

John Hinton webmaster@ew3d.com
Wed, 08 Dec 2004 18:51:30 -0500


Kirby C. Bohling wrote:

>On Wed, Dec 08, 2004 at 04:46:24PM -0500, John Hinton wrote:
>  
>
>>Did I read on here somewhere that you must now have an individual IP for 
>>every SSL virtualhost? Seems I keep running in circles adding a second 
>>SSL domain. :(
>>
>>I checked the archives, but couldn't seem to find the post. Sure would be 
>>nice if those archives were searchable. Complain, complain, complain. LOL!
>>    
>>
>
>Yes you did remember that correctly.  The person who if I remember
>correctly explained it best was Johnny Hughes.  Essentially if I
>remember the problem correctly, it is a chicken and the egg problem.
>
>  
>
OK.. I searched and searched and never found a snippet about this 
through all my googling. Then again, a topic like SSL is hard to get a 
good return on.

But, I was successful.

My first SSL cert runs on the shared IP of the server.

I created another IP on the same eth0 interface using eth0:1 and ifconfig.

In my /etc/httpd/conf.d/ssl.conf I added the second NameVirtualHost so 
it now looks like

NameVirtualHost 64.555.555.5:443          (the IPs have been changed to 
protect the innocent)
NameVirtualHost 64.555.555.30:443

I then added the vhost entry which looks like

<VirtualHost 64.555.555.30:443>
DocumentRoot /var/www/somedirectory/public_html
ServerAdmin webmaster@yourdomain.com
ServerName www.yourdomain.com
ErrorLog /var/www/somedirectory/logs/secure_error_log
TransferLog /var/www/somedirectory/logs/secure_access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/httpd/conf/somedirectory/cert.pem
SSLCertificateKeyFile /etc/httpd/conf/somedirectory/key.pem
SSLCertificateChainFile /etc/httpd/conf/somedirectory/csr.pem
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog /var/www/somedirectory/logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Reset my bind records to look to this IP on this domain. I would suggest 
registering a secure site with something like secure.somedomain.com 
instead of www.somedomain.com, as I then had to go to the port 80 vhost 
section and add the NameVirtualHost as above, only on port 80, and edit 
the virtualhost container to show the new IP. I inherited this setup, so 
I followed what I had in this case.

Anyway, this worked, and I don't think I left anything out... other than 
all my round and rounds getting to this end.

Best,
John Hinton
(Johnny Hughes: feel free to grab this to create a howto if you like! 
edit as you see fit.)
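Added example (editor's code, not part of the original post or of any Apache project tooling): a small POSIX shell audit that reads an Apache 2.0-style httpd config and checks the constraint the thread is about. Before SNI (Apache 2.2.12 with an SNI-capable OpenSSL), the server has to choose a certificate during the handshake, before it has seen the Host header, so every SSLEngine-on <VirtualHost> needs its own IP:443; two SSL vhosts on one address means the second one silently gets the first one's certificate. The script also flags SSLCipherSuite strings that turn on SSLv2, LOW or export ciphers, since the suite in the post enables all three. The config below is a constructed sample modelled on the post (same bogus 64.555.555.x addresses); the hostnames firstdomain.com and thirddomain.com and the cert paths are invented for the sample.

```shell
#!/bin/sh
# Audit an Apache 2.0/2.2 httpd.conf / ssl.conf for pre-SNI SSL vhost layout.
# Editor's example; not from the original post. Requires only sh + awk.

# Constructed sample config (IPs are the post's deliberately bogus ones).
# The third vhost reuses 64.555.555.30:443, which is the mistake the post describes.
SAMPLE_CONF='
NameVirtualHost 64.555.555.5:443
NameVirtualHost 64.555.555.30:443

<VirtualHost 64.555.555.5:443>
ServerName www.firstdomain.com
SSLEngine on
SSLCertificateFile /etc/httpd/conf/first/cert.pem
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
</VirtualHost>

<VirtualHost 64.555.555.30:443>
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /etc/httpd/conf/somedirectory/cert.pem
SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>

<VirtualHost 64.555.555.30:443>
ServerName secure.thirddomain.com
SSLEngine on
SSLCertificateFile /etc/httpd/conf/third/cert.pem
</VirtualHost>
'

# Print one line per SSL-enabled vhost: "<ip:port> <ServerName> <SSLCertificateFile>".
# $1 is the config text.
ssl_vhosts() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*<VirtualHost[ \t]/      { addr=$2; sub(/>.*/, "", addr); name="-"; cert="-"; ssl=0; next }
        /^[ \t]*ServerName[ \t]/        { name=$2; next }
        /^[ \t]*SSLEngine[ \t]+[Oo][Nn]/ { ssl=1; next }
        /^[ \t]*SSLCertificateFile[ \t]/ { cert=$2; next }
        /^[ \t]*<\/VirtualHost>/        { if (ssl) print addr, name, cert }
    '
}

# Print every ip:port that carries more than one SSL vhost, followed by the
# ServerNames sharing it. Without SNI only the first vhost on that address
# can present the right certificate; the rest get a name mismatch.
shared_ssl_addrs() {
    ssl_vhosts "$1" | awk '
        { n[$1]++; names[$1] = names[$1] " " $2 }
        END { for (a in n) if (n[a] > 1) print a ":" names[a] }
    '
}

# Print "<ServerName> <weak tokens>" for vhosts whose SSLCipherSuite enables
# SSLv2, LOW or export-grade ciphers. A token counts as enabling only when it
# is bare or prefixed with "+"; "!EXPORT56" (a removal) is correctly ignored.
weak_cipher_vhosts() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*<VirtualHost[ \t]/ { name="-"; weak=""; next }
        /^[ \t]*ServerName[ \t]/   { name=$2; next }
        /^[ \t]*SSLCipherSuite[ \t]/ {
            n = split($2, tok, ":")
            for (i = 1; i <= n; i++)
                if (tok[i] ~ /^[+]?(SSLv2|LOW|EXP)$/)
                    weak = weak (weak == "" ? "" : ",") tok[i]
            next
        }
        /^[ \t]*<\/VirtualHost>/ { if (weak != "") print name, weak }
    '
}

echo "SSL vhosts (ip:port servername certfile):"
ssl_vhosts "$SAMPLE_CONF"
echo "Addresses shared by more than one SSL vhost (broken without SNI):"
shared_ssl_addrs "$SAMPLE_CONF"
echo "Vhosts enabling SSLv2/LOW/EXP ciphers:"
weak_cipher_vhosts "$SAMPLE_CONF"
```

To run it against a real server, replace SAMPLE_CONF with `$(cat /etc/httpd/conf.d/ssl.conf)` (or the concatenation of httpd.conf and conf.d/*.conf); every address reported by shared_ssl_addrs needs another eth0 alias and its own NameVirtualHost line, exactly as the post describes.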