#1 Confused badger

Apache 2 + SSL + vhosts


    Hello all
    I hope that someone can help me with my configuration!
    I have been asked to enable HTTPS on our web-server (Apache 2.2) and so I did the obvious thing and asked Google.
    The guides I found seemed straightforward enough but seem to only show for when Apache is hosting a single website.

    Our server has about 10 or more sites on it, each site is saved in its own folder under the web root directory "/srv/wwwroot". For example

    /srv/wwwroot/site1.com
    /srv/wwwroot/site2.com
    /srv/wwwroot/site3.com
    /srv/wwwroot/site4.com
    /srv/wwwroot/site5.com

    All the virtual sites have their own entry in a basic vhost configuration, again, an example is:

    <VirtualHost *:80>
    ServerName www.site1.com
    ServerAlias site1.com *.site1.com
    DocumentRoot "/srv/wwwroot/site1.com"
    CustomLog /var/log/apache2/site1.com.log combined
    </VirtualHost>

    <VirtualHost *:80>
    ServerName www.site2.com
    ServerAlias site2.com *.site2.com
    DocumentRoot "/srv/wwwroot/site2.com"
    CustomLog /var/log/apache2/site2.com.log combined
    </VirtualHost>

    ....

    <VirtualHost *:80>
    ServerName www.site5.com
    ServerAlias site5.com *.site5.com
    DocumentRoot "/srv/wwwroot/site5.com"
    CustomLog /var/log/apache2/site5.com.log combined
    </VirtualHost>
    At the moment, only certain sites need HTTPS access (say for example site1, site2 and site3) but I really don't know where to even begin!
    We are going to use for now self-signed certificates and we appreciate that external visitors will be hit with a security warning (in time we will pay for 'official' certificates), for now, this is not a problem.

    I need to know/understand if we need to create several certificates, one for each domain/website or if Apache would use a single certificate for all sites?
    I am totally confused and sorry that I don't even know where to begin!!
    Please help!
    Thank you
    "For if leisure and security were enjoyed by all alike, the great mass of human beings who are normally stupefied by poverty would become literate and would learn to think for themselves; and when once they had done this, they would sooner or later realise that the privileged minority had no function and they would sweep it away"
    - George Orwell, 1984
#2 Transforming Moderator
    The problem with SSL is that the security stuff takes place before Apache is told which hostname the request is for. To address this there's SNI.

    Here is an Apache wiki page about doing it, but know that it requires a version of Apache which supports it, and more importantly a browser that supports SNI too (which recent versions do).

    Otherwise you're stuck with just one SSL site.
#3 Lost in code
    Otherwise you're stuck with just one SSL site.
    per IP address

    Or if all of your sites happen to be subdomains of the same domain you could use a wildcard cert, but that is still effectively using one cert for all sites.

    However, if you're already using a self-signed cert and are willing to live with the warnings it throws, then you'll probably be willing to live with the warnings that browsers throw if your certificate doesn't match the domain of the website too.

    Basically you just need to replicate what you already have for port 80 to port 443; a NameVirtualHost directive and a Listen directive.

    You also need
    Code:
    SSLEngine on
    SSLCertificateFile server.crt
    SSLCertificateKeyFile server.key
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
#4 Confused badger
    Hi there
    Thank you for the replies, most appreciated ... again, please forgive my lack of understanding here but I would just like to clarify one further point if I may ...

    Our configuration has multiple websites (domains) which all use the same IP address, so for example the A record of ...
    site 1 is 123.456.789.000
    site 2 is 123.456.789.000
    site 3 is 123.456.789.000

    So because we run this configuration, we can only have a single certificate? If we did a self-sign for Site1.com, when a user visits Site2.com, they will get a security warning saying the publisher could not be verified and also, if anyone actually reads those warnings, they'd see that it was signed to site1.com?

    The sites we host currently may not appreciate being attached to other sites like this, what other options do we have please? How would a hosting company do something like this (I will admit now that we're not a dedicated hosting company, we just happen to have spare bandwidth and hardware!)?
#5 Lost in code
    So because we run this configuration, we can only have a single certificate?
    Correct, unless you rely on SNI like requinix mentioned. Unfortunately there are still some significant gaps in support for SNI, such as all versions of IE and Safari on Windows XP, and the Android 2 browser.

    If we did a self-sign for Site1.com, when a user visits Site2.com, they will get a security warning saying the publisher could not be verified and also, if anyone actually reads those warnings, they'd see that it was signed to site1.com?
    Yes

    The sites we host currently may not appreciate being attached to other sites like this, what other options do we have please? How would a hosting company do something like this (I will admit now that we're not a dedicated hosting company, we just happen to have spare bandwidth and hardware!)?
    Shared hosting companies usually offer two options: most offer a shared SSL domain, like secure.hostingcompany.com/~yourusername, that can be used to access your site over SSL at no additional cost. They also usually offer a paid option that lets you use your own domain, which they do by giving your site a dedicated IP address.
#6 Confused badger
    E-Oreo, thanks as always for your kind help and your time!
    I have performed the following:

    1. On my webserver, issued the command:
    openssl req -new -x509 -days 365 -sha1 -newkey rsa:1024 -nodes -keyout server.key -out server.crt -subj '/O=MyCo/OU=IT/CN=www.maindomain.com'
    This generated two files in the current directory : "server.key" and "server.crt".
    I moved these files into the Apache configuration folder (on my setup - openSUSE 12.1 - it's /etc/apache2/ssl.key and /etc/apache2/ssl.crt) and then chmod'd server.crt to 644 and server.key to 400.

    My vhost.config file looks like this now :

    Listen 443

    NameVirtualHost *:80
    NameVirtualHost *:443

    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

    <VirtualHost *:80>
    ServerName www.maindomain.com
    DocumentRoot "/srv/wwwroot/defaultsite/"
    </VirtualHost>

    <VirtualHost *:80>
    DocumentRoot "/srv/wwwroot/site1.com"
    ServerName www.site1.com
    CustomLog /var/log/apache2/site1.com combined
    </VirtualHost>
    Note : If I add "SSLEngine on" to the vhosts, Apache refuses to start up so I suspect that it's in another configuration file already.

    I then restart Apache and it does so without error but when browsing to https://www.site1.com, I get an error:

    Secure Connection Failed

    An error occurred during a connection to www.site1.com.

    SSL received a record that exceeded the maximum permissible length.

    (Error code: ssl_error_rx_record_too_long)

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

    Have I missed something or just done it totally wrong?!
    Please help!! Thanks a million!!!
#7 Confused badger
    Originally Posted by badger_fruit
    Have I missed something or just done it totally wrong?!
    Please help!! Thanks a million!!!
    Sorry for the self-quote but I did miss something, I needed the following lines in my vhost configuration:

    <VirtualHost *:443>
    DocumentRoot "/srv/wwwroot/site1.com"
    ServerName www.site1.com
    CustomLog /var/log/apache2/site1.com combined
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLVerifyClient optional
    SSLVerifyDepth 10
    SSLCACertificateFile /path/to/crt/server.crt
    </VirtualHost>
    Adding those and restarting Apache now seems to have allowed my site1.com to use HTTPS!
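The fix the thread arrives at (a <VirtualHost *:443> block with SSLEngine on for every site that should answer HTTPS, with the certificate and key set either globally or in that block, and Listen 443 present) can be checked before restarting Apache. The checker below is an added example, not code from the thread or from the Apache project: it reads a vhost.conf-style text (a constructed sample in the thread's /etc/apache2/ssl.* layout is embedded), and for each hostname that should serve HTTPS reports what is missing, including the "Listen 443 but no SSL vhost" case behind the ssl_error_rx_record_too_long message in post #6. It inspects only the configuration text, not whether the certificate files exist or which names they cover.

```python
import re
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)  # one block per match
# Constructed sample in the thread's layout: site1 has a :443 block, site2 has only :80.
SAMPLE_CONF = """
Listen 443
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
<VirtualHost *:80>
ServerName www.site1.com
</VirtualHost>
<VirtualHost *:443>
ServerName www.site1.com
SSLEngine on
</VirtualHost>
<VirtualHost *:80>
ServerName www.site2.com
</VirtualHost>
"""

def parse_block(body):
    """(hostnames, {directive: [values]}) for one block of config lines; comments skipped."""
    names, conf = [], {}
    for line in body.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            key, val = parts[0].lower(), (parts[1].strip('"') if len(parts) > 1 else "")
            if key in ("servername", "serveralias"):
                names.extend(v.lower() for v in val.split())
            else:
                conf.setdefault(key, []).append(val)
    return names, conf

def check_https(text, wanted):
    """Map each hostname in `wanted` to its problems; an empty list means HTTPS is wired up."""
    _, glob = parse_block(VHOST_RE.sub("", text))  # directives outside any vhost
    ports = {v.split()[0].rsplit(":", 1)[-1] for v in glob.get("listen", []) if v}
    vhosts = [(m.group(1).strip(), *parse_block(m.group(2))) for m in VHOST_RE.finditer(text)]
    report = {}
    for name in wanted:
        problems = [] if "443" in ports else ["no 'Listen 443' directive"]
        conf = next((c for a, n, c in vhosts if a.endswith(":443") and name.lower() in n), None)
        if conf is None:  # port open but no SSL vhost: plain HTTP on 443, the thread's error
            problems.append("no <VirtualHost *:443> for this name (ssl_error_rx_record_too_long)")
        elif conf.get("sslengine", [""])[0].lower() != "on":
            problems.append("SSLEngine on missing in the :443 vhost")
        for key in ("sslcertificatefile", "sslcertificatekeyfile"):
            if conf is not None and key not in conf and key not in glob:
                problems.append(key + " set neither in the vhost nor globally")
        report[name] = problems
    return report
```

Run check_https(SAMPLE_CONF, ["www.site1.com", "www.site2.com"]) to see site1 pass and site2 flagged for its missing :443 block.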
