#1
Hello!
I have a problem! I have installed the new apache1.3.19 from the RH 7.1 installation CD. With this option I also installed openssl. So I would like to have 2 virtual hosts on my server:

1.) http://www.domain.com
2.) https://www.secure-domain.com

I have generated a certificate on my local server and I have tried to configure the httpd.conf with two virtual hosts, one on port 80 and the other on port 443. It works if I enter http://www.domain.com and https://www.secure-domain.com. But if I enter https://www.domain.com or http://www.secure-domain.com (the other combinations), my web server returns the secure document root files for the insecure domain and vice versa. I have tried every possible combination, but always the same result! Can anybody help?

Thanx
Luky

Wish you a great day!
__________________
(c) 2001 pwl
#2
Well, I think this is what you're after.
In your httpd.conf make sure your virtuals are set up like this:

    # change all 10.0.0.1 to the IP of your server
    NameVirtualHost 10.0.0.1

    <VirtualHost 10.0.0.1:80>
        ServerAdmin webmaster@www.domain.com
        DocumentRoot /www/docs/www.domain.com
        ServerName www.domain.com
        ErrorLog logs/www.domain.com-error_log
        CustomLog logs/www.domain.com-access_log common
    </VirtualHost>

    <VirtualHost 10.0.0.1:443>
        ServerAdmin webmaster@www.secure-domain.com
        DocumentRoot /www/docs/www.secure-domain.com
        ServerName www.secure-domain.com
        ErrorLog logs/www.secure-domain.com-error_log
        CustomLog logs/www.secure-domain.com-access_log common
    </VirtualHost>

Also, make sure that the DocumentRoot directive in the main configuration area of httpd.conf does not point to your secure docs area or it will accept hits on port 80 (non-secure).

Another way to do it if you're using mod_ssl is like this (refer to mod_ssl docs for more info on this):

    <Location >
    SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
                and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
                and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
                and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
                and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
               or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    </Location>

This way you can set certain criteria on directories. I have never done it this way; however, I would imagine that doing it this way would force the browser into https mode, don't quote me on that though.

Good Luck!
#3
>> I have tried any possible combination, but always the same result!

secure-domain.com and www.domain.com are not the same. Go to the OpenSSL website and find out what cn (common name) is. The cn must match your default hostname. So www.domain.com would match and subdomain.domain.com wouldn't match. Not to mention secure-domain.com.
#4
If the secure site and the non-secure site are both running on the same ip, apache will automatically default to the first virtual host if you try and go to the ip and/or any address that resolves to that ip, but doesn't have a virtual host set up.

Sooo, the only real way around this is to create an insecure virtual host for the secure site that redirects everything to the secure version. I.e.:

    <VirtualHost <ipaddress>>
        ServerAdmin webmaster@www.domain.com
        DocumentRoot /www/docs/www.domain.com
        ServerName www.secure-domain.com
        RedirectPermanent / https://secure-domain.com/
    </VirtualHost>

and make sure to put in the NameVirtualHost <ipaddress> directive, as you will have more than one virtual host on the same ip/port.

Then when somebody goes to http://secure-domain.com, this will get redirected to https://secure-domain.com and you can do it the other way around for the other domain (but I imagine the secure one was the real problem).

Mike
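The default-vhost behaviour described in the post above, modelled as an added example (not code from the thread or from Apache): a simplified Python model of name-based virtual host selection, run against the thread's host names and document roots before and after adding the redirect vhost. The function names and the dictionary layout are assumptions made for illustration.

```python
# Added example: simplified model of Apache name-based virtual host selection.
# Host names and paths come from the thread; function names are hypothetical.

def select_vhost(vhosts, port, host):
    """Pick the vhost for a connection on `port` carrying Host header `host`."""
    candidates = [v for v in vhosts if v["port"] == port]
    if not candidates:
        return None  # no vhost on this port: the main server config answers
    for v in candidates:
        if v["server_name"].lower() == host.lower():
            return v
    # No ServerName matched: the first vhost listed for this port is the default
    return candidates[0]


def respond(vhosts, scheme, host, path="/"):
    """Return the docroot served, or the redirect issued, for a request."""
    port = 443 if scheme == "https" else 80
    v = select_vhost(vhosts, port, host)
    if v is None:
        return "main server"
    if "redirect" in v:
        # RedirectPermanent / <target>: the rest of the path is appended
        return "301 -> " + v["redirect"] + path.lstrip("/")
    return v["docroot"]


# Configuration as posted in the thread: one vhost per port.
ORIGINAL = [
    {"port": 80, "server_name": "www.domain.com",
     "docroot": "/var/www/www.domain.com"},
    {"port": 443, "server_name": "www.secure-domain.com",
     "docroot": "/var/www/www.secure-domain.com"},
]

# Same, plus a port-80 vhost for the secure name that only redirects to HTTPS.
FIXED = ORIGINAL + [
    {"port": 80, "server_name": "www.secure-domain.com",
     "redirect": "https://www.secure-domain.com/"},
]


def report(vhosts):
    """Resolve the four scheme/host combinations from the first post."""
    hosts = ("www.domain.com", "www.secure-domain.com")
    return {f"{s}://{h}": respond(vhosts, s, h)
            for s in ("http", "https") for h in hosts}


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label)
        for url, result in report(cfg).items():
            print(f"  {url:<36}{result}")
```

In the fixed configuration https://www.domain.com still lands on the only port-443 vhost; the redirect vhost addresses the plaintext request for the secure name.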
#5
>> Then when somebody goes to http://secure-domain.com, this will get redirected to https://secure-domain.com

You can do that with mod_rewrite:

    RewriteEngine on
    # continue only if http_host is www.secure-domain.com
    RewriteCond %{HTTP_HOST} ^www\.secure-domain\.com$ [NC]
    # if server_port is 80, do the redirection
    RewriteCond %{SERVER_PORT} ^80$ [NC]
    RewriteRule ^/(.*)$ https://www.secure-domain.com/$1 [R,L]

>> I have generated a certificate on my local Server and i have tried to configure the httpd.conf with two virtualhost

As I said, read up on the OpenSSL docs. You can't use a single cert for multiple hostnames. Each hostname must have its unique cert. There is no rule saying you can't generate 2 certs on the same server. The rule is, your www.secure-domain.com can't be a CNAME of www.domain.com. Instead, it must have an A record that points to the same IP as www.domain.com.
#6
I have tried to use the Rewrite module but it seems that it will not work! So I would like to send you my httpd.conf file. Can you take a look at it?

Thanx
luky

-------------------------------

    ##
    ## httpd.conf -- Apache HTTP server configuration file
    ##

    ### Section 1: Global Environment
    #
    # The directives in this section affect the overall operation of Apache,
    # such as the number of concurrent requests it can handle or where it
    # can find its configuration files.
    #
    ServerType standalone
    ServerRoot "/etc/httpd"
    LockFile /var/lock/httpd.lock
    PidFile /var/run/httpd.pid
    ScoreBoardFile /var/run/httpd.scoreboard
    #ResourceConfig conf/srm.conf
    #AccessConfig conf/access.conf
    Timeout 300
    KeepAlive On
    MaxKeepAliveRequests 100
    KeepAliveTimeout 15
    MinSpareServers 5
    MaxSpareServers 20
    StartServers 8
    MaxClients 150
    MaxRequestsPerChild 100
    Listen 80
    #BindAddress 123.123.123.123:80
    #ExtendedStatus On

    ### Section 2: 'Main' server configuration
    #
    # The directives in this section set up the values used by the 'main'
    # server, which responds to any requests that aren't handled by a
    # <VirtualHost> definition. These values also provide defaults for
    # any <VirtualHost> containers you may define later in the file.
    #
    # All of these directives may appear inside <VirtualHost> containers,
    # in which case these default settings will be overridden for the
    # virtual host being defined.
    #
    #Port 443
    User apache
    Group apache
    ServerAdmin root@localhost
    ServerName 123.123.123.123
    DocumentRoot "/var/www/html"
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory "/var/www/imperia.raiffeisen.it/html">
        Options Indexes Includes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    UserDir public_html
    #<Directory /home/*/public_html>
    # AllowOverride FileInfo AuthConfig Limit
    # Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    # <Limit GET POST OPTIONS PROPFIND>
    # Order allow,deny
    # Allow from all
    # </Limit>
    # <Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
    # Order deny,allow
    # Deny from all
    # </Limit>
    #</Directory>
    DirectoryIndex index.html index.htm index.shtml index.php index.php4 index.php3 index.cgi
    AccessFileName .htaccess
    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
    </Files>
    #CacheNegotiatedDocs
    UseCanonicalName On
    TypesConfig /etc/mime.types
    DefaultType text/plain
    <IfModule mod_mime_magic.c>
        MIMEMagicFile conf/magic
    </IfModule>
    HostnameLookups Off
    LogLevel warn
    #CustomLog /var/log/httpd/referer_log referer
    #CustomLog /var/log/httpd/agent_log agent
    #CustomLog /var/log/httpd/access_log combined
    ServerSignature On
    Alias /icons/ "/var/www/icons/"
    <Directory "/var/www/icons">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
    <Directory "/var/www/cgi-bin">
        AllowOverride None
        Options ExecCGI
        Order allow,deny
        Allow from all
    </Directory>
    IndexOptions FancyIndexing
    IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
    AddEncoding x-compress Z
    AddEncoding x-gzip gz tgz
    AddType application/x-tar .tgz
    AddHandler cgi-script .cgi
    AddType text/html .shtml
    AddHandler server-parsed .shtml
    #AddHandler send-as-is asis
    AddHandler imap-file map
    #AddHandler type-map var
    #MetaDir .web
    #MetaSuffix .meta
    BrowserMatch "Mozilla/2" nokeepalive
    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
    BrowserMatch "RealPlayer 4\.0" force-response-1.0
    BrowserMatch "Java/1\.0" force-response-1.0
    BrowserMatch "JDK/1\.0" force-response-1.0
    <IfModule mod_perl.c>
        Alias /perl/ /var/www/perl/
        <Location /perl>
            SetHandler perl-script
            PerlHandler Apache::Registry
            Options +ExecCGI
        </Location>
    </IfModule>
    Alias /doc/ /usr/share/doc/
    <Location /doc>
        order deny,allow
        deny from all
        allow from localhost .localdomain
        Options Indexes FollowSymLinks
    </Location>

    ### Section 3: Virtual Hosts
    #
    # VirtualHost: If you want to maintain multiple domains/hostnames on your
    # machine you can setup VirtualHost containers for them.
    # Please see the documentation at <URL:http://www.apache.org/docs/vhosts/>
    # for further details before you try to setup virtual hosts.
    # You may use the command line option '-S' to verify your virtual host
    # configuration.
    NameVirtualHost 123.123.123.123:80
    NameVirtualHost 123.123.123.123:443
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^www\.domain\.com$
    RewriteRule ^/(.*)$ http://www.domain.com:80/$1
    RewriteCond %{HTTP_HOST} ^www\.secure-domain\.com$
    RewriteRule ^/(.*)$ https://www.secure-domain.com:443/$1
    <VirtualHost 123.123.123.123:80>
        SSLDisable
        Port 80
        DocumentRoot /var/www/www.domain.com
        ServerName www.domain.com
    </VirtualHost>
    <IfDefine HAVE_SSL>
    Listen 443
    #SSLSessionCache shm:/var/cache/ssl_gcache_data(524288)
    <VirtualHost 123.123.123.123:443>
        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/ssl.crt/secure-domain.com.cert.cert
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/secure-domain.com.cert.key
        DocumentRoot /var/www/www.secure-domain.com
        ServerName www.secure-domain.com
        <Files ~ "\.(cgi|shtml)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory "/var/www/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
        CustomLog /var/log/httpd/ssl_request_log \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>
    SSLVerifyClient 0
    SSLVerifyDepth 10
    </IfDefine>

Last edited by pwluky : May 21st, 2001 at 02:35 AM.
#7
>> I have tried to use the Rewrite module but it seems that it will not work!

That's not what we wanted to know. Instead, tell us how you can tell, with supported reasons (i.e. apachectl graceful generated error). Before configuring Apache, make sure you have done the DNS part like I mentioned previously and follow these steps in order:

1) Make sure www.secure-domain.com has an A record (not CNAME) pointing to the same IP as www.domain.com.
2) Verify it by nslookup (if no Alias is shown by looking up www.secure-domain.com)
3) Test if mod_rewrite is compiled in by running apachectl graceful with your current rewrite codes intact. If failed, recompile Apache and enable mod_rewrite.
4) Regenerate a new cert, make sure cn matches.
5) Alter your httpd.conf:
   - Remove or uncomment ServerName 123.123.123.123 from the global line (outside of any <VirtualHost>) # you don't need this as it's defined in <VirtualHost>
   - UseCanonicalName On: set it to Off
   - Use my rewrite codes, not yours # if you still want people to reach your secure-domain.com on port 80
   - Your <IfDefine HAVE_SSL>, change to:

         <IfDefine SSL>
         Listen 80
         Listen 443
         # and close it like so
         </IfDefine>

I know it is useless to provide just a portion of your httpd.conf, but next time you post your httpd.conf, please remove all the lines that begin with # so that it doesn't waste too much of Devshed's resources.
#8
>You can do that with mod_rewrite:

Well, yeah, you can do it with mod_rewrite, but that's a LOT more confusing to somebody that doesn't know how to use them (regular expressions can be a hard thing to understand)... Plus, if you use RedirectPermanent, it will actually update the user's cache, as well as Favorites (if they have it bookmarked) to the *correct URL.
#9
Hi Panic! Have you another solution for his problem? Because I have tried to use the rewrite function but it doesn't work!?
I don't know why!

Thanx
Luky
#10
Either way, you need to follow the 5 steps as I mentioned previously.

>> Because i have tried to use the rewrite function but it doesn't work!? I don't know why!

You came back to this thread with an unsupported statement: not working, dunno why? How in the world do I have a clue what didn't work? If you still need help, please reply to all the questions I have asked.

>> but that's a LOT more confusing to somebody that doesn't know to use them

Why confusing? I can post the exact rules so all he needs to do is copy+paste. What's more? Do I have to teach him how to copy+paste? Further, if he posted real data (not an example like: ServerName 123.123.123.123), I can even solve his problem a whole lot faster. That's what I am here for.

>> Well, yeah, you can do it with mod_rewrite

Not just can, you should have said should. mod_rewrite is extremely powerful. It's fully integrated into Apache like a scripting language. It requires less resources and you can do things more efficiently and reliably. Yes, you can do it in PHP or Perl or any others, but that requires calling an external process and requires a lot more resources. Why waste your limited resources if you can do it otherwise more efficiently?

Since he still hasn't replied to my questions, his problem might not have anything to do with mod_rewrite or whatever way of redirection.
#11
>Why confusing? I can post the exact rules so all he needs to do is copy+paste.

What good is copying and pasting something that you don't understand? It's not, it's useless.

>Do I have to teach him how to copy+paste?

What is that all about?

>That's what I am here for.

Is that what you are here for? I'm here to try and help other people with their problems. I don't know what you are doing here. If I got replies back like yours, to questions I asked, I would stop asking. It doesn't help the other people to hear you going off like a jerk to them.

>Not just can, you should have said should.

Anybody that thinks there is only one way to do something is a fool.

>It requires less resource and you can do things more efficiently and reliable

Can it? Does it? For the rewrite rules you need mod_rewrite, and mod_alias for RedirectPermanent. Which is more resource intensive? I know that mod_rewrite is a heck of a lot bigger. It can do a lot of cool things, and I use it all the time... but to say it's the only way to do it is just closed minded.

>Yes, you can do it in PHP or Perl

Who ever said anything about PHP or Perl? I'm talking about Apache directives here too.

Moral of the story is -> Use whatever method is easiest, and most efficient, as long as you come to the same conclusion. mod_rewrite is definitely not the easiest, and probably not the most efficient (as far as resources go).
#12
pwluky,
in your httpd.conf file, take out the two lines

    NameVirtualHost 123.123.123.123:80
    NameVirtualHost 123.123.123.123:443

and replace them with

    NameVirtualHost 123.123.123.123

Then after your

    <VirtualHost 123.123.123.123:80>
        SSLDisable
        Port 80
        DocumentRoot /var/www/www.domain.com
        ServerName www.domain.com
    </VirtualHost>

create a non-secure virtual host for www.secure-domain.com, and add a RedirectPermanent directive, i.e.

    <VirtualHost 123.123.123.123:80>
        SSLDisable
        Port 80
        DocumentRoot /var/www/www.domain.com
        ServerName www.secure-domain.com
        RedirectPermanent / https://www.secure-domain.com/
    </VirtualHost>

With this in there, if somebody goes to http://www.secure-domain.com (or any pages under this domain), it gets redirected to https://secure-domain.com

Also, take out all that Rewrite stuff.

Let me know how that goes.
#13
>> What good is copying and pasting something that you don't understand? It's not, it's useless.

Because he just wanted to get it working, plus more efficiently. Right, mod_rewrite is not easy for a newbie and it takes time to learn. He can always learn it later on. I was just trying to post the exact code so he can get his site up and running. Say he needs a guestbook script, he can download a free one written by someone. Without any understanding of how the code really works, he can get his page up and running. Of course, if he chooses to write his own, he always can.

>> If I got replies back like yours, to questions I asked, I would stop asking.

I already asked him the same question 3 times but without a helpful reply (not working, dunno why?). I wanted to help, but he showed he doesn't need further help from me with such an unhelpful reply.

>> Anybody that thinks there is only one way to do something is a fool

How did you come up with that?

can do it - more than one way
should do it - more than one way but more appropriate way than others
must do it - one way, no others

Get it?

>> and I use it all the time... but to say it's the only way to do it, is just closed minded

You really use mod_rewrite all the time? We'll see, time will tell so I am not going to test you whether or not you really know anything about mod_rewrite.

>> mod_rewrite is definitely not the easiest, and probably not the most efficient (as far as resources go)

That's just because you don't know much about mod_rewrite. Yes, it works with RedirectPermanent too but this directive is not supported across browsers. Some old browsers don't handle this redirection properly. Whichever way he uses doesn't matter, it's all up to him. Anyhow, he still needs to get the 5 steps taken care of before configuring the url redirection. He can't use a single cert for multiple domains in the first place. That is why web hosts out there use the shared cert approach:

http://www.hisdomain.com - login name: blahblah
https://www.webhostdomain.com/blahblah/
#14
Hello freebsd!
I have written a private message to you. Have you seen it?

Luky