On Thu Feb 07, 2002 at 03:01:42PM -0800, [EMAIL PROTECTED] wrote:

> I've got apache 1.3.22 running with mod_ssl and a few different virtual
> hosts separated as /www/htdocs/domains/{foo,bar}.org et al.
> 
> I have an application that I'd like to run over SSL and make available to
> only one of the domains (foo.org), but not the others (bar.org et al),
> but I'd like the others to be covered by the default SnakeOil cert
> provided.
> 
> To accomplish this, I added a VirtualHost for foo.org in the <IfModule
> mod_ssl.c> section underneath the pre-existing <VirtualHost _default_:443>
> VH whose SSLCertificateFile and SSLCertificateKeyFile paths point to the
> default keys for the SnakeOil cert and whose DocumentRoot is /www/htdocs/.
> 
> In the foo.org VirtualHost, I've got <VirtualHost [my_ip]:443> set with
> the DocumentRoot of /www/htdocs/domains/foo.org and the paths to the 
> cert info set to /www/htdocs/domains/foo.org/server.{crt,key}.
> 
> When apache starts, it prompts me for my passphrase for foo.org so
> I know it gets that far and it's reading those files.  The problem
> is that not only does https://foo.org/ssl_app work as it should, but
> https://bar.org/ssl_app works as well.  So it appears that the _default_
> VH isn't even getting read or that it is being overruled by the second
> VH, namely foo.org.  I thought it was the first VH that was more or less
> the catch all for any incoming requests that aren't for a domain that's
> got its own subsequent VH?
> 
> I've tried everything I can think of and I'm at my wit's end.  Can
> anyone see or know what I'm doing wrong?  I'd sure appreciate any info
> anyone might have.

AFAIK, due to the nature of HTTPS, you need to have it on its own IP
address if you want to differentiate between two different
domains.  I.e. foo.org would have to be 10.0.1.20 and bar.org
10.0.1.21, then you would set foo.org VirtualHost 10.0.1.20:443 and
likewise with bar.org.

The problem is that the SSL starts before any other info is
transmitted, so it cannot distinguish between hostnames prior to doing
the SSL encryption.  In other words, it tries to encrypt with the
server on the other end and the only way apache can tell one domain
from another is by the IP address associated with each.

It's really annoying and a real PITA, but you'll need separate IPs for
every *different* SSL-enabled site you want.

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
1024D/FE6F2AFD   88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD

Current Linux kernel 2.4.8-34.1mdk uptime: 15 days 21 hours 25 minutes.
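The layout the reply describes, as an added example that is not part of the thread: one IP-based SSL VirtualHost per site for Apache 1.3 with mod_ssl. The addresses 10.0.1.20 and 10.0.1.21 are the ones the reply suggests, the DocumentRoot paths follow the question's /www/htdocs layout, and the certificate and key paths outside the document roots are assumptions (the question kept them under DocumentRoot; the thread does not name the SnakeOil paths).

```apache
# Added example, not from the thread. Each SSL-enabled site gets its own
# IP address, because without a hostname in the handshake mod_ssl can only
# pick the certificate (and the VirtualHost) by the address the client hit.
Listen 10.0.1.20:443
Listen 10.0.1.21:443

<IfModule mod_ssl.c>
    # foo.org: own IP, own certificate, and the only place /ssl_app is mapped
    <VirtualHost 10.0.1.20:443>
        ServerName   foo.org
        DocumentRoot /www/htdocs/domains/foo.org
        SSLEngine on
        # Assumed paths: keep the private key outside any DocumentRoot so it
        # can never be served as a static file.
        SSLCertificateFile    /etc/httpd/ssl/foo.org/server.crt
        SSLCertificateKeyFile /etc/httpd/ssl/foo.org/server.key
        # Whatever maps /ssl_app (Alias, ScriptAlias, proxy) belongs here only;
        # a request for https://bar.org/ssl_app now lands in the other block.
    </VirtualHost>

    # bar.org: separate IP, default SnakeOil certificate, no /ssl_app mapping
    <VirtualHost 10.0.1.21:443>
        ServerName   bar.org
        DocumentRoot /www/htdocs/domains/bar.org
        SSLEngine on
        # Assumed paths for the distribution's default (SnakeOil) cert and key.
        SSLCertificateFile    /etc/httpd/ssl/snakeoil/server.crt
        SSLCertificateKeyFile /etc/httpd/ssl/snakeoil/server.key
    </VirtualHost>
</IfModule>
```

The original setup used `<VirtualHost _default_:443>` followed by `<VirtualHost [my_ip]:443>` on the same address, so both names resolved to the same socket and mod_ssl served the first matching block for every request, which is why https://bar.org/ssl_app kept working. Two caveats a practitioner would add: the question stored server.key under the site's DocumentRoot, where a misconfiguration could expose it over HTTP, so the example moves it out; and the one-IP-per-site rule is specific to servers of that era, since later Apache releases (2.2.12 onward, with an OpenSSL that supports the TLS SNI extension) can select the certificate by the hostname the client sends in its ClientHello.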
