Hi Joel, all,

On Fri, Feb 21, 2014 at 12:14:28AM +1100, Joel Sing wrote:
> > I have an OpenBSD 5.4 machine, with httpd serving pages successfully
> > over both HTTP and HTTPS (with a CaCert-issued certificate).  I want to
> > serve multiple sites on both protocols (the certificate has AltNames for
> > the various sites).
> > (Almost) everything works fine, and I do indeed manage to successfully
> > access all sites over HTTPS as expected. However, the HTTPS environment
> > variable, which should be set to 'on' for HTTPS sessions, is missing for
> > all but the first VHost. This is problematic because multiple apps
> > (mostly php-5.3.27, but also some CGI and Rewrites) inspect this
> > variable and behave differently depending on whether it is set to 'on'
> > or anything else.
> >   NameVirtualHost *:80
> >   NameVirtualHost *:443
> >   <VirtualHost *:80 *:443>
> >           ServerName www.domain2.tld
> >           ServerAdmin webmas...@domain.tld
> >           DocumentRoot /var/www/sites/domain2.tld/www
> >   </VirtualHost>
> >   <Directory "/sites/domain2.tld/www">
> >           Options MultiViews SymLinksIfOwnerMatch Includes
> >           AllowOverride FileInfo
> >           Order allow,deny
> >           Allow from all
> >   </Directory>
> > This is a rather standard setup, and I've had this working on previous
> > machines (<=5.3). The HTTPD and SSL logs do not show any error nor
> > warning. I have been trying many combinations of NameVirtualHost,
> > VirtualHost and ServerName / ServerAlias.
> In this particular case the lack of HTTPS=on is due to the fact that you do
> not actually have SSL enabled in the /srv/www/conf/sites.d/ configuration
> snippet. Normally this would have (at minimum) SSLEngine, SSLCertificateFile
> and SSLCertificateKeyFile directives in the /srv/www/conf/sites.d/
> VirtualHost configuration files (as an aside, if your hosting/application
> requires SSL, you probably should consider setting up :80 as a redirect to
> https, rather than configuring both *:80 and *:443 on the same virtual
> host).

Ha! This got me in the right direction. Thanks for your help! I now have
a working setup which is roughly as follows.

   <VirtualHost *:80>
           ServerName www.domain.tld
           ServerAlias domain.tld other.domain.tld
           ServerAdmin webmas...@domain.tld
           DocumentRoot /var/www/sites/domain.tld/www
   </VirtualHost>
   <VirtualHost *:443>
           ServerName www.domain.tld
           ServerAlias domain.tld other.domain.tld
           ServerAdmin webmas...@domain.tld
           DocumentRoot /var/www/sites/domain.tld/www

           SSLEngine on
           SSLCertificateFile    /etc/ssl/server.crt
           SSLCertificateKeyFile /etc/ssl/private/server.key
   </VirtualHost>
   <Directory "/sites/domain.tld/www">
           Options MultiViews SymLinksIfOwnerMatch Includes
           AllowOverride FileInfo

           ErrorDocument 404 /404.xhtml

           Order allow,deny
           Allow from all

           # Redirect aliases to the main name, keeping the scheme the client used.
           # This httpd has no built-in request-scheme variable, so derive one
           # from mod_ssl's HTTPS variable (set only once SSLEngine is on in the
           # vhost, which is why the single *:80 *:443 vhost above lost it).
           RewriteEngine On
           RewriteCond %{HTTPS} on
           RewriteRule ^(.*)$ - [env=REQUEST_SCHEME:https]
           RewriteCond %{HTTPS} !^on
           RewriteRule ^(.*)$ - [env=REQUEST_SCHEME:http]
           # Dots are escaped so the pattern matches the literal host name only
           # (an unescaped "." also matches any character).
           RewriteCond %{HTTP_HOST}        !^www\.domain\.tld
           RewriteRule (.*) %{ENV:REQUEST_SCHEME}://www.domain.tld/$1 [R,L]
   </Directory>

Essentially, it creates two VHosts, one on each port, with the required
SSL machinery for port 443. Then, most of the configuration I initially
had in the VHost (not shown before) has been moved to the DocumentRoot
Directory entry. This avoids most of the configuration duplication
between clear/SSL VHosts, which is what I was trying to avoid by having
a single one.

As to why it worked in my previous configuration, you ask? Well I did
have exactly that. I just didn't see it when recreating the
configuration...

A note, though, is that using a single VHost for both non-SSL and SSL
ports does work, and the SSL connection is established properly
(provided at least one VHost, probably the first one, on port 443 is
properly configured for SSL with keys and certificates). The only
problem I could find was really in the missing mod_ssl environment
variables.

> Generally speaking, you will likely have fewer challenges if you configure
> each HTTPS virtual host using a dedicated IP address (or port). That way the
> virtual host selection is made prior to SSL negotiation occurring.

I only have a limited set of IPv4s (as in: 1), so I unfortunately cannot
do that.


Thanks again!

--
Olivier Mehani <sht...@ssji.net>
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655
Confidentiality cannot be guaranteed on emails sent or received unencrypted.

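As an added example (not part of the thread, and not OpenBSD's or Apache's own code), here is a small client-side check for a setup like the one worked out above. For each hostname it connects with SNI and verifies the certificate covers the name, then requests a path over both http and https without following redirects, and checks that the aliases are redirected to the canonical name on the same scheme while the canonical name is served directly. A redirect from an https:// alias to an http:// URL is exactly the symptom the missing HTTPS variable produced. The hostnames are the ones from the post; the CA file argument (needed because a CaCert-issued certificate is not in most trust stores) and the probe path are assumptions.

```python
"""Added example: client-side check of a name-based HTTP/HTTPS vhost setup.

For each hostname it (1) connects with SNI and verifies the certificate
covers the name, (2) requests a path over both http and https without
following redirects, and (3) checks that aliases are redirected to the
canonical name on the same scheme, while the canonical name is served
directly.  Names are taken from the post; the CA file is an assumption.
"""
import http.client
import ssl
import sys

CANONICAL = "www.domain.tld"                  # ServerName from the post
ALIASES = ("domain.tld", "other.domain.tld")  # ServerAlias entries from the post
PROBE_PATH = "/index.html?q=1"                # constructed sample path, with a query string


def expected_location(scheme, path):
    """Redirect target an alias must produce: same scheme, canonical host,
    same path.  mod_rewrite re-appends the original query string to an [R]
    target that has none, so path+query survive the redirect unchanged."""
    return f"{scheme}://{CANONICAL}{path}"


def verdict(scheme, host, path, status, location):
    """Classify one probe as (ok, message) from its status and Location header."""
    url = f"{scheme}://{host}{path}"
    if host == CANONICAL:
        if status == 200:
            return True, f"{url}: served directly"
        return False, f"{url}: expected 200, got {status} {location!r}"
    want = expected_location(scheme, path)
    if status not in (301, 302):
        return False, f"{url}: expected a redirect, got {status}"
    if location != want:
        # The failure from the thread: with HTTPS missing from the vhost's
        # environment, REQUEST_SCHEME falls back to http and https requests
        # are bounced to a plaintext URL.
        return False, f"{url}: redirects to {location!r}, want {want!r}"
    return True, f"{url}: -> {location}"


def probe(scheme, host, path, cafile=None, timeout=5):
    """One request, redirects not followed; returns (status, Location header or None).
    For https the hostname is sent as SNI and checked against the certificate;
    a name missing from the cert's subjectAltName raises SSLCertVerificationError."""
    if scheme == "https":
        ctx = ssl.create_default_context(cafile=cafile)  # cafile: issuing CA (assumption)
        conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=timeout)
    else:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def check_all(cafile=None):
    """Probe every name on both ports; returns a list of (ok, message)."""
    results = []
    for scheme in ("http", "https"):
        for host in (CANONICAL,) + ALIASES:
            try:
                status, location = probe(scheme, host, PROBE_PATH, cafile)
            except ssl.SSLCertVerificationError as err:
                results.append((False, f"https://{host}: certificate does not cover this name ({err})"))
            except OSError as err:
                results.append((False, f"{scheme}://{host}: {err}"))
            else:
                results.append(verdict(scheme, host, PROBE_PATH, status, location))
    return results


if __name__ == "__main__":
    cafile = sys.argv[1] if len(sys.argv) > 1 else None
    failed = False
    for ok, msg in check_all(cafile):
        print(("ok   " if ok else "FAIL ") + msg)
        failed = failed or not ok
    sys.exit(1 if failed else 0)
```

Run it as `python3 check_vhosts.py /path/to/cacert.pem` from a host that resolves the names to the server. Because the TLS context keeps hostname checking on, a name that is not in the certificate's subjectAltName shows up as its own failure line rather than as a confusing redirect error; the HEAD request is enough because the rewrite rules act on the request, not the response body.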
