[olug] SSL for Multiple Apache Named VirtualHosts on a single IP?

Rob Townley rob.townley at gmail.com
Fri Mar 5 03:58:54 UTC 2010


On Thu, Mar 4, 2010 at 7:12 PM, Rob Townley <rob.townley at gmail.com> wrote:
> OS = CentOS 5.4
>
> Apache 2 by itself is not capable of supporting more than one SSL
> enabled name based virtual host on the same numeric IP address.  So
> each VirtualHost effectively needs its own IP.  Are Apache's
> limitations true even of wildcard SSL certificates?
> http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts
> http://askcolddrink.blogspot.com/2007/03/apache-httpd-virtual-hosts-and-ssl.html
>
> That is frustrating because the SSL Certificate itself is not tied to
> an IP address, but the SSL protocol seems to force the binding to a
> single IP name.  Security has got to be easier than this by now.
> I compiled and wrote OpenSSL windows services 10 years ago, so I am
> rusty.   But I do remember TLS promised something better, but the
> browsers didn't support it.   These are internal private only web
> servers, so I can add more numeric IP addresses, but I would much
> rather not have that overhead.
>
> I.]  There has got to be an easier ready-to-go framework running on
> top of Apache to facilitate a way to handle multiple name based SSL
> VirtualHosts on the same IP?  Hibernate? Spring? Joomla?  Drupal?
> Which one would work best for forcing https on the login pages for
> various sysadmin pages such as FreeGhost, drbl, ocsinventory-ng, rt,
> phpMyAdmin each with their own subdomain name?
>
> II.]  If all the VirtualHosts are in the same domain name and that
> domain name has a wildcard SSL certificate, is there some way around
> Apache's limitations?
>
>  A.) Self generated *.DomainName.com WildCard SSL certificate.
>  B.) VirtualHosts all within that same *.DomainName.com wildcard.
>  C.) ServerNameAlias  with all the different server names in a single
> VirtualHost entry.
>  D.) Perl / Python / PHP script that reads the client's host
> directive and then rewrites it to somewhere else maybe using
> VirtualDocumentRoot.
>
>
>
> III.] Something involving reverse proxy but that is overkill.
>

Well, investigating how I could have goofed up httpd.conf yet again to
have an unencrypted connection on port 443, I came across some new
features for 2.2, but they may only work with OpenSSL 0.9.8f or later,
and of course I have 0.9.8e on CentOS.  If you have SNI working on
CentOS 5.4, please let me know.  Gonna have to boost these results up
when searching because google is returning way too much old
information for such an important topic.

http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
http://www.linux-magazine.com/w3/issue/92/072-074_SNI.pdf
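As an added illustration of what the two linked SNI pages describe (this is example configuration written for this post, not from the original message, the Apache wiki, or the Linux Magazine article), here is an httpd.conf fragment for Apache 2.2 that puts two SSL-enabled name-based virtual hosts on one IP, each with its own certificate, and selects between them using the SNI hostname the client sends. It assumes mod_ssl built against OpenSSL 0.9.8f or later (the version requirement mentioned above; the 0.9.8e in CentOS 5.4 lacks the TLS extension support), an Apache 2.2 release that knows the SSLStrictSNIVHostCheck directive, and mod_vhost_alias for the commented-out alternative. All hostnames, document roots and certificate paths are placeholders.

```apache
# Added example, not from the original post or the pages it links.
# Assumes: Apache 2.2 with mod_ssl built against OpenSSL 0.9.8f or later,
# so that the server can read the SNI hostname from the TLS ClientHello.
# Hostnames, paths and certificate file names are placeholders.

Listen 443
NameVirtualHost *:443

# Clients that send no SNI hostname (old browsers, some scripts) cannot be
# matched to a vhost by name; with this on they are refused instead of being
# silently served the first vhost below (and its certificate).
SSLStrictSNIVHostCheck on

# The first vhost on *:443 is the default one: it is what a non-SNI client
# is matched to when SSLStrictSNIVHostCheck is off.
<VirtualHost *:443>
    ServerName            rt.internal.example.com
    DocumentRoot          /var/www/rt
    SSLEngine             on
    SSLCertificateFile    /etc/pki/tls/certs/rt.internal.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/rt.internal.example.com.key
</VirtualHost>

# Second name on the same IP and port, with a different certificate.
<VirtualHost *:443>
    ServerName            phpmyadmin.internal.example.com
    DocumentRoot          /var/www/phpmyadmin
    SSLEngine             on
    SSLCertificateFile    /etc/pki/tls/certs/phpmyadmin.internal.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/phpmyadmin.internal.example.com.key
</VirtualHost>

# Alternative that needs no SNI (question II in the post): one wildcard
# certificate covers every name, so a single vhost on port 443 is enough and
# the per-application split is done from the Host header by mod_vhost_alias
# (VirtualDocumentRoot, as in option D). Use this block instead of the two
# vhosts above, not alongside them.
#
# <VirtualHost *:443>
#     ServerName            www.internal.example.com
#     ServerAlias           *.internal.example.com
#     UseCanonicalName      Off
#     # %1 is the first dotted component of the Host name, so
#     # rt.internal.example.com is served from /var/www/rt
#     VirtualDocumentRoot   /var/www/%1
#     SSLEngine             on
#     SSLCertificateFile    /etc/pki/tls/certs/wildcard.internal.example.com.crt
#     SSLCertificateKeyFile /etc/pki/tls/private/wildcard.internal.example.com.key
# </VirtualHost>
```

To check which certificate the server actually hands out for a given name, connect once with and once without an SNI hostname and compare the certificate subject: `openssl s_client -connect 10.0.0.5:443 -servername phpmyadmin.internal.example.com` versus the same command without `-servername` (the address is a placeholder). If both show the first vhost's certificate, SNI is not being honoured, which is exactly the symptom of a mod_ssl built against an OpenSSL without TLS extension support. The strict check is the safer default on an internal box: a client that cannot send SNI would otherwise get a certificate for the wrong name and a browser warning that users learn to click through.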


