Difference between revisions of "Apache2 mod vhost alias ssl"
Line 1: | Line 1: | ||
[[Category:Engineering]] | [[Category:Engineering]] | ||
[[Category:SSL]] | [[Category:SSL]] | ||
+ | |||
+ | == It can be done == | ||
+ | |||
+ | Marcel Hellig sent me this information. I have not tested this. What I originally wrote in my article wasn't right, or wasn't 100% right. It's possible to have multiple ssl certs and to configure apache(2) to use them right. What you have to do is make VirtualHost directives. For example: | ||
+ | |||
+ | <pre> | ||
+ | <VirtualHost *:443> | ||
+ | ServerName www.cookiesoft.de | ||
+ | ServerAlias cookiesoft.de | ||
+ | ServerAdmin admin@cookiesoft.de | ||
+ | DocumentRoot /var/www/ | ||
+ | ErrorLog /var/log/apache2/ssl_error.log | ||
+ | TransferLog /var/log/apache2/ssl_access.log | ||
+ | SSLEngine on | ||
+ | SSLProtocol all -SSLv2 | ||
+ | SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM | ||
+ | SSLCertificateFile /etc/ssl/private/ssl_cookiesoft.crt | ||
+ | SSLCertificateKeyFile /etc/ssl/private/ssl_cookiesoft.key | ||
+ | SSLCertificateChainFile /etc/ssl/private/sub.class1.server.ca.pem | ||
+ | SSLCACertificateFile /etc/ssl/private/ca.pem | ||
+ | ServerSignature On | ||
+ | </VirtualHost> | ||
+ | |||
+ | <VirtualHost *:443> | ||
+ | ServerName www.punkkeks.de | ||
+ | ServerAlias punkkeks.de | ||
+ | ServerAdmin admin@punkkeks.de | ||
+ | DocumentRoot /var/www/ | ||
+ | ErrorLog /var/log/apache2/ssl_error.log | ||
+ | TransferLog /var/log/apache2/ssl_access.log | ||
+ | SSLEngine on | ||
+ | SSLProtocol all -SSLv2 | ||
+ | SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM | ||
+ | SSLCertificateFile /etc/ssl/private/ssl_punkkeks.crt | ||
+ | SSLCertificateKeyFile /etc/ssl/private/ssl_punkkeks.key | ||
+ | SSLCertificateChainFile /etc/ssl/private/sub.class1.server.ca.pem | ||
+ | SSLCACertificateFile /etc/ssl/private/ca.pem | ||
+ | ServerSignature On | ||
+ | </VirtualHost> | ||
+ | </pre> | ||
+ | |||
+ | == Old, Obsolete, or Incorrect == | ||
Technically an SSL certificate is <em>not</em> tied to an IP address (it is tied to a Fully Qualified Domain Name), but a design limitation makes it effectively impossible to do Name Based Virtual Hosting with SSL. In other words, an SSL cert may not be tied to a single IP address, but a server on a single IP address cannot support more than one SLL Cert. | Technically an SSL certificate is <em>not</em> tied to an IP address (it is tied to a Fully Qualified Domain Name), but a design limitation makes it effectively impossible to do Name Based Virtual Hosting with SSL. In other words, an SSL cert may not be tied to a single IP address, but a server on a single IP address cannot support more than one SLL Cert. |
Latest revision as of 13:38, 27 April 2011
It can be done
Marcel Hellig sent me this information. I have not tested this. What I originally wrote in my article wasn't right, or wasn't 100% right. It's possible to have multiple ssl certs and to configure apache(2) to use them right. What you have to do is make VirtualHost directives. For example:
<VirtualHost *:443> ServerName www.cookiesoft.de ServerAlias cookiesoft.de ServerAdmin admin@cookiesoft.de DocumentRoot /var/www/ ErrorLog /var/log/apache2/ssl_error.log TransferLog /var/log/apache2/ssl_access.log SSLEngine on SSLProtocol all -SSLv2 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM SSLCertificateFile /etc/ssl/private/ssl_cookiesoft.crt SSLCertificateKeyFile /etc/ssl/private/ssl_cookiesoft.key SSLCertificateChainFile /etc/ssl/private/sub.class1.server.ca.pem SSLCACertificateFile /etc/ssl/private/ca.pem ServerSignature On </VirtualHost> <VirtualHost *:443> ServerName www.punkkeks.de ServerAlias punkkeks.de ServerAdmin admin@punkkeks.de DocumentRoot /var/www/ ErrorLog /var/log/apache2/ssl_error.log TransferLog /var/log/apache2/ssl_access.log SSLEngine on SSLProtocol all -SSLv2 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM SSLCertificateFile /etc/ssl/private/ssl_punkkeks.crt SSLCertificateKeyFile /etc/ssl/private/ssl_punkkeks.key SSLCertificateChainFile /etc/ssl/private/sub.class1.server.ca.pem SSLCACertificateFile /etc/ssl/private/ca.pem ServerSignature On </VirtualHost>
Old, Obsolete, or Incorrect
Technically an SSL certificate is not tied to an IP address (it is tied to a Fully Qualified Domain Name), but a design limitation makes it effectively impossible to do Name Based Virtual Hosting with SSL. In other words, an SSL cert may not be tied to a single IP address, but a server on a single IP address cannot support more than one SLL Cert.
When a browser connects it negotiates the SSL before it makes an HTTP request. Apache can't know which virtual domain to serve until it gets the HTTP request, but it needs to know which virtual domain in order to select the correct SSL certificate to negotiate the SSL.
The solution is to use IP based virtual hosting. Sorry. So your single server will have to be configured with an additional IP address for each virtual host that needs SSL.