> Has anyone looked into implementing this? We currently support
> thousands and thousands of virtual hosts and have (literally)
> megabytes of configruation files with complex IfDefine and
> Include directives that take Apache minutes to process, so moving
> to mod_virtualhost will be the biggest lifesaver for us, however,
> how would be the best way to support SSL? We don't want to have to
> use a old-style 1.3.6 VirtualHost entry for SSL enabled sites.
>
> mod_virtualhost documentation for Apache 1.3.7 is available at
> http://www.apache.org/docs/mod/mod_vhost_alias.html.
>
> Suggestions would be great! Thanks.
When the mass virtual hosting patch was first contributed to Apache, I started
a discussion of how to implement SSL mass virtual hosting on the
[EMAIL PROTECTED] list. This thread started with my message entitled "SSL
mass-vhosting" on 6/11/99 with message-id
<001d01beb408$6dbb92e0$0500a8c0@delf>. In that thread, I tossed out a few ideas
for how one might go about implementing mass virtual hosting for mod_ssl.
Ralf said that mod_ssl mast virtual hosting would not work in message-id
<[EMAIL PROTECTED]> with the reasoning for why SSL will not
work for name based virtual hosts. However, I honestly think it is still
possible and he didn't rely to my response to his concerns in message-id
<002f01beb44a$bd0bcf80$0500a8c0@delf>.
I think I'll append the three messages of interest so people don't have to go
mucking through the list archives
- David Harris
Principal Engineer, DRH Internet Services
-----Forwarded Message-----
<001d01beb408$6dbb92e0$0500a8c0@delf>
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
Of David Harris
Sent: Friday, June 11, 1999 8:47 AM
To: [EMAIL PROTECTED]
Subject: SSL mass-vhosting
On Friday, May 21, 1999 3:09 AM, Tony Finch wrote:
> BTW, something I have been thinking about but haven't investigated yet
> is mass SSL vhosting. Demon uses IP vhosting for historical reasons
> but other than that the main reason to do things that way is SSL. It
> would be cool to get mod_ssl to magically find a vhost's certificate
> on the fly in a similar manner to mod_vhost_alias and the document
> root. I haven't got my head round SSLeay yet so this idea probably
> won't happen until Demon decide they want to do SSL vhosting, unless
> anyone else wants to do it...
I think all the certificate and private key files are loaded in the server
init phase and then stored by mod_ssl. So, it seems that getting mass SSL
vhosting to work would be more of a trick than just dynamically creating the
crt/key path from each request... but more of making the crt/key cache
dynamic.
Ralf, can you offer any guidance?
- David Harris
Principal Engineer, DRH Internet Services
-----Forwarded Message-----
<[EMAIL PROTECTED]>
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
Of Ralf S. Engelschall
Sent: Friday, June 11, 1999 2:34 PM
To: [EMAIL PROTECTED]
Subject: Re: SSL mass-vhosting
In article <001d01beb408$6dbb92e0$0500a8c0@delf> you wrote:
[[snip]]
mod_ssl reads all cert/keys on init, correct. And it decides which one to use
on a per request, or more correct, on a per connection basis. But the point
you miss for "SSL mass virtual hosting" is this: EVERY DECISION you want to do
at the HTTP level for the "mass virtual hosting" WILL NOT WORK. Why? Because
you decide too late. The cert/key has to be already known _before_ any bytes
of HTTP request will be transferred over the network. That's a chicken and
egg problem and I'm 99.5% sure you cannot adapt the old "mass virtual hosting"
idea for HTTPS, at least not for solving the cert/key selection problem. I
would be happy when someone proofs me to be wrong, but I no chance here :-(
The only way this could be solves is when the SSL layer's Hello messages
already contain the virtual host:port information. But SSLv3/TLSv1 doesn't
support this.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
-----Forwarded Message-----
<002f01beb44a$bd0bcf80$0500a8c0@delf>
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
Of David Harris
Sent: Friday, June 11, 1999 4:41 PM
To: [EMAIL PROTECTED]
Subject: RE: SSL mass-vhosting
Ralf Engelschall wrote:
[[snip]]
I understand that the crt/key has to be picked _before_ any bytes of the
HTTP request are passed, an therefore we don't have the "Host:" header to
make the cert/key choice. That excludes making any virtual hosting choices
based on the host header - so host header based mass SSL hosting is out just
as SSL with host VirtualHosts is out. But we do have the ipaddr of the local
socket which we can get when the SSLv3/TLSv1 layer is being initialized - so
ipaddr SSL mass hosting is workable. (Just as ipaddr based SSL-VirtualHosts
work just fine.)
It seems to me the way to do this is two new directives analogous to
VirtualDocumentRootIP for mod_ssl: SSLCertificateFileIP and
SSLCertificateKeyFileIP. They would choose a crt/key based on the local
ipaddr of the incoming connection. Something like:
SSLCertificateFileIP /path/to/keydir/%0.crt
SSLCertificateKeyFileIP /path/to/keydir/%0.key
would be a workable mass-SSL-hosting configuration.
But this gets sticky fast: mod_ssl currently imports the crt/key files into
an internal store when the server starts. This way each connection does not
have to read the key/crt from disk, but it already exists in memory. Also,
if a passphrase is required to get the key from the keyfile, the user can be
prompted because this store is built before Apache disassociates from the
terminal.
So, to implement this ip-based crt/key file lookup some basic changes to the
way mod_ssl manages crt/keys internally are needed.
First, the crt/key store would have to be a shared memory cache of some sort
which is populated by the children processes as requests come in -- instead
of assembled by the parent on startup. This way the crt/key is read from
disk and parsed on the first incoming connection on that ipaddr and stored
in the cache. Every so often a stat (or every request, you choose) might be
required to check and see if the key file has been updated or been removed.
Also, all keys should be expired on a graceful restart.
Additionally, this dynamic crt/key import would not be able to ask for a
passphrase from the user, so the keys could not be passphrase-encoded. But
remember this is mass virtual hosting, so not being able to type a thousand
passphrases is not going to bother anyone, I don't think. :-)
Seems to me this is quite a bit harder than just expanding a template string
with the ipaddr and tossing it in a structure somewhere. Uh, non-trivial
might be the word.
Ralf, I'd just like to know if my thinking about this whole thing is correct
or way-off.
- David Harris
Principal Engineer, DRH Internet Services
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
