 

Apache Name Virtual Host with SSL

I am attempting to set up our servers to allow traffic over SSL. I am aware that SSL does not work with Name Virtual Host, but we have all of our Apache servers on virtual machines with dedicated private IPs. We have a primary virtual machine that has mod_proxy set up to route traffic to the appropriate VMs.

However, in order to route HTTPS traffic we need to have the certificate installed on the proxy as well as the VMs. We have a wildcard certificate that can be used across all of our hosts. Everything appears to work properly, but I receive the following in the Apache logs for the proxy:

[warn] Init: SSL server IP/port conflict: host1.domain.com:443 (/etc/apache2/sites-enabled/host1:1) vs. host2.domain.com:443 (/etc/apache2/sites-enabled/host2:1)

There is one of these error messages for each host we have set up on the proxy. Our Virtual Host setup for the proxy is posted below:

    <VirtualHost ipaddress:443>
        ServerName host1.domain.com
        ProxyPreserveHost On
        ProxyRequests Off
        ProxyPass / https://privateip:443/
        ProxyPassReverse / https://privateip:443/

        SSLProxyEngine on
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/server.crt
        SSLCertificateKeyFile /etc/ssl/private/server.key
    </VirtualHost>

Is there any way that I can get this to work?

JamesArmes asked Feb 05 '09 18:02




1 Answer

It sounds like Apache is warning you that you have multiple <VirtualHost> sections with the same IP address and port... as far as getting it to work without warnings, I think you would need to use something like Server Name Indication (SNI), a way of identifying the hostname requested as part of the SSL handshake. Basically it lets you do name-based virtual hosting over SSL, but I'm not sure how well it's supported by browsers. Other than something like SNI, you're basically limited to one SSL-enabled domain name for each IP address you expose to the public internet.

Of course, if you are able to access the websites properly, you'll probably be fine ignoring the warnings. These particular ones aren't very serious - they're mainly an indication of what to look at if you are experiencing problems.

David Z answered Sep 29 '22 13:09
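
The SNI setup the answer refers to could look like the following on the proxy. This is an added example, not part of the original question or answer; it assumes Apache 2.2.12 or later built against an OpenSSL with TLS extension support, and `privateip1`/`privateip2` are placeholder backend addresses in the style of the question's `privateip`.

```apache
# Added example (not from the original post). "ipaddress", "privateip1" and
# "privateip2" are placeholders.

# Mark this address/port as name-based so the vhosts that share it are
# selected by name. Needed on Apache 2.2; Apache 2.4 does this implicitly
# and deprecates the directive.
NameVirtualHost ipaddress:443

# Optional hardening: reject clients that send no SNI instead of silently
# serving them the first vhost listed for this address/port.
# SSLStrictSNIVHostCheck on

<VirtualHost ipaddress:443>
    ServerName host1.domain.com

    # Same wildcard certificate on every vhost, as in the question.
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    SSLProxyEngine on
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / https://privateip1:443/
    ProxyPassReverse / https://privateip1:443/
</VirtualHost>

<VirtualHost ipaddress:443>
    ServerName host2.domain.com

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    SSLProxyEngine on
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / https://privateip2:443/
    ProxyPassReverse / https://privateip2:443/
</VirtualHost>
```

After reloading, `apachectl -S` shows which vhosts are bound to the address as name-based, and `openssl s_client -connect ipaddress:443 -servername host1.domain.com` shows the certificate returned for a given SNI name.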