Joe Auty wrote:

> You mean the browser takes the domain name from the browser, does a DNS
> lookup, and equates this to the IP, and because the IPs are different in
> my example, the Servername is not necessary?

Yes - kind of... The browser always does a DNS lookup of the name you type in. That's how it knows which IP address to send the request to (TCP/IP only cares about IP addresses).

The distinction comes in the server. If you have two different VHs on different IPs then it is easy for the server to distinguish them. You can put ServerName into these VHs if you like, but, with the IP address, apache has enough to decide which VH to use. If you wanted to have more than one name-based VH on each IP address then you'd need the ServerNames again.

> What if I wanted to set up something like the following:
>
> <VirtualHost IP.114:443>
> pathtocert1
> Servername joe.com
> DocumentRoot /home/joe
> </VirtualHost>
>
> <VirtualHost IP.114:443>
> pathtocert1
> Servername auty.com
> DocumentRoot /home/auty
> </VirtualHost>
>
> Because the IP is now ambiguous, I'm assuming the Servername is required
> unless I used the NameVirtualHost * convention (which I haven't really
> gotten working with SSL in my brief attempts)?

You missed the point of a previous mail - you can't have name-based SSL VHs. It doesn't work. It's impossible.

> This (the above) seems to work as expected, although when I do an apachectl
> startssl I get an error message about the one taking precedence over the
> other... the error message doesn't seem to affect any usage, it seems to
> work fine. Am I right? If not, is there a way to get around the error?

It "seems to work" because you are using the same certificate for both VHs. What is happening is accidental behaviour - the server uses the certificate from the first VH to establish the SSL session. Since the session is now established, it can see the full HTTP header and so can use the "Host:" field to determine which VH to use. This setup "works" if you don't care what certificate your VHs use but since authentication is as important as encryption in SSL, it is not a general solution.

If you can spare the IP addresses, the correct way to proceed is with separate IP-based SSL VHs on each IP address. For non-SSL VHs, you can put as many as you like on each IP address so long as you put NameVirtualHost and define ServerName in each one. It breaks down like this:

SSL VHs
 - must be IP-based or Port-based (name-based doesn't work).
 - only one per IP/port.
 - if you use conventional port 443, only one per IP address.
 - ServerName is redundant (no harm if you use it - it is just ignored)
 - NameVirtualHost meaningless

non-SSL VHs
 - Can be IP, port or name-based
   If name-based:
   - Unlimited number of name-based VHs per IP
   - needs NameVirtualHost
   - needs ServerName in each VH

If you have many non-SSL VHs and one SSL VH on a particular IP, it is a good idea to define the port on the NameVirtualHost directive, e.g.

NameVirtualHost 192.168.1.1:80

This suppresses a warning about mixing SSL and non-SSL.

Rgds,

Owen Boyle.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List
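
The layout described in the reply above, written out as an added example (not configuration from the thread or from the mod_ssl project). The 192.0.2.x addresses and the certificate and key paths are constructed placeholders; the hostnames and document roots are the ones used in the question.

```apache
# Added example: addresses and certificate/key paths are assumed placeholders.

# Ambiguous layout from the question (shown commented out): two SSL VHs on
# one IP:443. The certificate of the first block is presented for BOTH names,
# because the SSL session is set up before the Host: header can be read.
#
#   <VirtualHost 192.0.2.114:443>  ... ServerName joe.com  ... </VirtualHost>
#   <VirtualHost 192.0.2.114:443>  ... ServerName auty.com ... </VirtualHost>

Listen 80
Listen 443

# Non-SSL: any number of name-based VHs may share one IP.
# Stating the port keeps the name-based matching away from the :443 VH.
NameVirtualHost 192.0.2.114:80

<VirtualHost 192.0.2.114:80>
    ServerName joe.com
    DocumentRoot /home/joe
</VirtualHost>

<VirtualHost 192.0.2.114:80>
    ServerName auty.com
    DocumentRoot /home/auty
</VirtualHost>

# SSL: exactly one VH per IP on port 443, each with its own certificate,
# so each site authenticates under its own name.
<VirtualHost 192.0.2.114:443>
    SSLEngine on
    SSLCertificateFile    /etc/apache/ssl/joe.com.crt
    SSLCertificateKeyFile /etc/apache/ssl/joe.com.key
    # ServerName is optional here: the IP address alone selects this VH
    ServerName joe.com
    DocumentRoot /home/joe
</VirtualHost>

<VirtualHost 192.0.2.115:443>
    SSLEngine on
    SSLCertificateFile    /etc/apache/ssl/auty.com.crt
    SSLCertificateKeyFile /etc/apache/ssl/auty.com.key
    ServerName auty.com
    DocumentRoot /home/auty
</VirtualHost>
```

This reflects servers and clients without TLS Server Name Indication (SNI); where both ends support SNI, the certificate can be selected by name during the handshake.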