Direct from Apache.org SSL FAQ

Why is it not possible to use Name-Based Virtual Hosting to identify different 
SSL virtual hosts? 

Name-Based Virtual Hosting is a very popular method of identifying different 
virtual hosts. It allows you to use the same IP address and the same port 
number for many different sites. When people move on to SSL, it seems natural 
to assume that the same method can be used to have lots of different SSL 
virtual hosts on the same server. 

It comes as rather a shock to learn that it is impossible. 

The reason is that the SSL protocol is a separate layer which encapsulates the 
HTTP protocol. So the SSL session is a separate transaction, that takes place 
before the HTTP session has begun. The server receives an SSL request on IP 
address X and port Y (usually 443). Since the SSL request does not contain any 
Host: field, the server has no way to decide which SSL virtual host to use. 
Usually, it will just use the first one it finds, which matches the port and IP 
address specified. 

You can, of course, use Name-Based Virtual Hosting to identify many non-SSL 
virtual hosts (all on port 80, for example) and then have a single SSL virtual 
host (on port 443). But if you do this, you must make sure to put the non-SSL 
port number on the NameVirtualHost directive, e.g. 

 NameVirtualHost 192.168.1.1:80   

Other workaround solutions include:  

  Using separate IP addresses for different SSL hosts.
  Using different port numbers for different SSL hosts.

Randy Rowe
 Lincoln City Libraries I.T.

 -----Original Message-----
 From: "Martin Renvoize" <martin.renvo...@ptfs-europe.com>
 Sent 5/13/2011 3:33:09 AM
 To: "Mizst Audens" <mizs...@gmail.com>
 Cc: koha@lists.katipo.co.nz
 Subject: Re: [Koha] Enabling SSL for Koha staff view

 You could, however, use name-based VirtualHosts (like kohaopac.yourlibrary.com and 
kohastaff.yourlibrary.com) and run both on port 443 for secure access. To do this 
you'll either need two certificates (one for each domain) or a SAN shared 
certificate with both domain names in it. 

An example httpd.conf might look like this (assuming the two-certificate approach): 

## OPAC Default Access 
<VirtualHost 127.0.1.1:80> 
   DocumentRoot /home/koha/kohaclone/koha-tmpl 
   ServerName kohalibrary.halton.gov.uk  
   . . .  
</VirtualHost> 

## OPAC Secure 
<VirtualHost 127.0.1.1:443> 
   DocumentRoot /home/koha/kohaclone/koha-tmpl 
   ServerName kohalibrary.halton.gov.uk  
   . . . 
   # SSL Setup 
   # CA Root and Intermediate Certificates 
   SSLEngine On 
   SSLCACertificatePath /etc/apache2/ssl/certs/ 
   SSLCACertificateFile /etc/apache2/ssl/certs/gs_combined_ca.crt 
   SSLCertificateFile /etc/apache2/ssl/certs/kohalibrary.crt 
   SSLCertificateKeyFile /etc/apache2/ssl/certs/kohalibrary.key 
</VirtualHost>  

## Intranet Secure 
<VirtualHost 109.75.173.120:443> 
   DocumentRoot /home/koha/kohaclone/koha-tmpl 
   ServerName kohastaff.halton.gov.uk  
   . . .  
   # SSL Setup 
   # CA Root and Intermediate Certificates 
   SSLEngine On 
   SSLCACertificatePath /etc/apache2/ssl/certs/ 
   SSLCACertificateFile /etc/apache2/ssl/certs/gs_combined_ca.crt 
   SSLCertificateFile /etc/apache2/ssl/certs/kohastaff.crt 
   SSLCertificateKeyFile /etc/apache2/ssl/certs/kohastaff.key 
</VirtualHost>  

2011/5/8 Mizst Audens <mizs...@gmail.com>

No, it's not possible due to the limitation of the architecture. A port can 
serve only http or https, but not both at the same time. 

The transparency of http/https in normal websites is due to the standardization 
of ports 80 and 443 (port 80 runs http and port 443 runs https, so each port 
only runs one type of connection). When you don't use these standard ports, you 
will need to specify the correct combination of protocol and port in order to 
reach a service. 

--Mizst  

On Sun, May 8, 2011 at 12:33 PM, Altaf Mahmud <altaf.mah...@gmail.com> wrote:
  Is it possible to use port 8080 for both purposes (HTTP and HTTPS)? Actually, 
I just wanted to secure port 8080; can I do that?

 Thanks a lot! 

On Sat, May 7, 2011 at 8:34 PM, Mizst Audens <mizs...@gmail.com> wrote:
 You must create another virtual host at another port (for example, 8081) for 
the staff area and enable SSL for that virtual host, and it will require 
another SSL certificate. Your staff will need to use (example) 
https://127.0.1.1:8081 if they want to use SSL, and http://127.0.1.1:8080 if 
they don't want to use SSL. 

Note that https://127.0.1.1 is in fact an alias for https://127.0.1.1:443. You 
already used 443 for the OPAC, so you'll need another port for the staff.

--Mizst

2011/5/7 Altaf Mahmud <altaf.mah...@gmail.com>

 Hello,

 I'm trying to implement SSL in my Koha server running on Debian 6.0 (squeeze). 
I've implemented it for my OPAC view: I've created another file 'koha-ssl' in 
the ../apache2/sites-available/ directory and enabled it. I've edited 
../apache2/sites-available/koha like the following:

 NameVirtualHost *:80
 <VirtualHost 127.0.1.1:80>
     .....
     .....
 </VirtualHost>

 And ../apache2/sites-available/koha-ssl like the following:

 NameVirtualHost *:443
 <VirtualHost 127.0.1.1:443>
     .....
     SSLEngine On
     SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
     SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
     .....
 </VirtualHost>

 Now https://127.0.1.1/ is showing the OPAC. But I can't figure out how to 
implement it for the staff view, <VirtualHost 127.0.1.1:8080>. 
 Requests for port 80 are redirected to port 443; how can I do that for port 
8080? In fact, I don't have any prior idea on doing this; a descriptive 
suggestion is appropriate for me.

 Thanks.

 -- 
 Altaf Mahmud
 System Programmer
 Ayesha Abed Library
 BRAC University
 Bangladesh.

   _______________________________________________
 Koha mailing list  http://koha-community.org
 Koha@lists.katipo.co.nz
 http://lists.katipo.co.nz/mailman/listinfo/koha


 -- 
 Martin Renvoize 
 Software Developer, PTFS Europe Ltd 
 Content Management and Library Solutions 
 martin.renvo...@ptfs-europe.com 
 skype: Martin Renvoize 
 http://www.ptfs-europe.com 

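The thread above touches four configuration mistakes that are easy to make when splitting a Koha OPAC and staff interface across HTTP and HTTPS: a NameVirtualHost directive that names the SSL port (the Apache FAQ point), several SSL virtual hosts sharing one IP:port so that only the first is ever served, one port carrying both an SSL and a non-SSL vhost (Mizst's point about 8080), and an SSL vhost declared without both its certificate and key. The script below is an added example, not code from the thread, the Apache project or Koha; it is a small audit over a constructed sample config (hostnames, addresses and certificate paths are made up) that reports each of those conditions, so the same check can be run over a real sites-available file before reloading Apache.

```python
"""Audit an Apache virtual-host layout for the SSL pitfalls discussed in the
thread: NameVirtualHost on the SSL port, several SSL vhosts on one IP:port
(without SNI, Apache serves the first one for every name), one port mixing
HTTP and HTTPS vhosts, and an SSL vhost lacking its certificate or key.
Constructed example; hostnames, addresses and paths are made up."""
import re
from collections import defaultdict

# Constructed sample (not the thread's own config), loosely modelled on its
# OPAC-on-80/443, staff-on-8080 layout, with the mistakes deliberately present.
SAMPLE_CONF = """
NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost 127.0.1.1:80>
    ServerName kohaopac.example.org
    Redirect permanent / https://kohaopac.example.org/
</VirtualHost>
<VirtualHost 127.0.1.1:443>
    ServerName kohaopac.example.org
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/certs/opac.crt
    SSLCertificateKeyFile /etc/apache2/ssl/certs/opac.key
</VirtualHost>
<VirtualHost 127.0.1.1:443>
    ServerName kohastaff.example.org
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/certs/staff.crt
</VirtualHost>
<VirtualHost 127.0.1.1:8080>
    ServerName kohastaff.example.org
</VirtualHost>
<VirtualHost 127.0.1.1:8080>
    ServerName kohastaff.example.org
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/certs/staff.crt
    SSLCertificateKeyFile /etc/apache2/ssl/certs/staff.key
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
NVH_RE = re.compile(r"^\s*NameVirtualHost\s+(\S+)", re.M | re.I)


def parse_vhosts(conf):
    """Return [(address, directives)]; directive names are lower-cased and only
    the first value of each is kept. Minimal on purpose: enough for the
    directives audited here, not a full Apache configuration grammar."""
    vhosts = []
    for match in VHOST_RE.finditer(conf):
        directives = {}
        for line in match.group(2).splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            directives.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
        vhosts.append((match.group(1).strip(), directives))
    return vhosts


def port_of(address):
    """'127.0.1.1:443' -> '443', '*:80' -> '80'; an address with no port -> None."""
    return address.rsplit(":", 1)[1] if ":" in address else None


def is_ssl(directives):
    return directives.get("sslengine", "").lower() == "on"


def audit(conf):
    """Return a list of (finding_code, detail) tuples; empty when the layout is clean."""
    findings = []
    vhosts = parse_vhosts(conf)
    ssl_ports = {port_of(addr) for addr, d in vhosts if is_ssl(d)}

    # 1. Apache FAQ: NameVirtualHost must carry the non-SSL port.
    for nvh in NVH_RE.findall(conf):
        if port_of(nvh) in ssl_ports:
            findings.append(("namevirtualhost-on-ssl-port", nvh))

    # 2. SSLEngine On without both a certificate and its private key.
    for addr, d in vhosts:
        if is_ssl(d) and not (d.get("sslcertificatefile") and d.get("sslcertificatekeyfile")):
            findings.append(("ssl-vhost-missing-cert-or-key", f"{addr} {d.get('servername', '?')}"))

    # 3. Several SSL vhosts on one IP:port: without SNI the first one is served for all names.
    by_address = defaultdict(list)
    for addr, d in vhosts:
        by_address[addr].append(d)
    for addr, ds in by_address.items():
        names = [d.get("servername", "?") for d in ds if is_ssl(d)]
        if len(names) > 1:
            findings.append(("multiple-ssl-vhosts-share-address",
                             f"{addr}: serves {names[0]}; shadowed: {', '.join(names[1:])}"))

    # 4. One port declared both with and without SSLEngine (the 8080 question).
    by_port = defaultdict(set)
    for addr, d in vhosts:
        by_port[port_of(addr)].add(is_ssl(d))
    for port, modes in by_port.items():
        if modes == {True, False}:
            findings.append(("port-mixes-http-and-https", port))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONF):
        print(f"{code}: {detail}")
```

Run against the sample, the audit reports all four conditions; moving the staff SSL vhost to its own port (8081, as suggested in the thread), adding its key file and dropping the NameVirtualHost *:443 line brings the report down to nothing.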