[expert] Any Apache gurus in the house?

2002-02-07 Thread mandrake

I've got apache 1.3.22 running with mod_ssl and a few different virtual
hosts separated as /www/htdocs/domains/{foo,bar}.org et al.

I have an application that I'd like to run over SSL and make available to
only one of the domains (foo.org), but not the others (bar.org et al),
but I'd like the others to be covered by the default SnakeOil cert
provided.

To accomplish this, I added a VirtualHost for foo.org in the  section underneath the pre-existing 
VH whose SSLCertificateFile and SSLCertificateKeyFile paths point to the
default keys for the SnakeOil cert and whose DocumentRoot is /www/htdocs/.

In the foo.org VirtualHost, I've got  set with
the DocumentRoot of /www/htdocs/domains/foo.org and the paths to the 
cert info set to /www/htdocs/domains/foo.org/server.{crt,key}.

When apache starts, it prompts me for my passphrase for foo.org so
I know it gets that far and it's reading those files.  The problem
is that not only does https://foo.org/ssl_app work as it should, but
https://bar.org/ssl_app works as well.  So it appears that the _default_
VH isn't even getting read or that it is being overruled by the second
VH, namely foo.org.  I thought it was the first VH that was more or less
the catch all for any incoming requests that aren't for a domain that's
got its own subsequent VH?

I've tried everything I can think of and I'm at my wit's end.  Can
anyone see or know what I'm doing wrong?  I'd sure appreciate any info
anyone might have.

Thanks in advance,

-Charlie
-- 
GPG Key fingerprint = 4F36 EC4F 2F2C 5F59 9690  09E5 4C0F 9DB0 8623 53CE
"I went to the museum where they had all the heads and arms from the
statues that are in all the other museums."
-- Steven Wright



Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com



Re: [expert] Any Apache gurus in the house?

2002-02-07 Thread Vincent Danen

On Thu Feb 07, 2002 at 03:01:42PM -0800, [EMAIL PROTECTED] wrote:

> I've got apache 1.3.22 running with mod_ssl and a few different virtual
> hosts separated as /www/htdocs/domains/{foo,bar}.org et al.
> 
> I have an application that I'd like to run over SSL and make available to
> only one of the domains (foo.org), but not the others (bar.org et al),
> but I'd like the others to be covered by the default SnakeOil cert
> provided.
> 
> To accomplish this, I added a VirtualHost for foo.org in the  mod_ssl.c> section underneath the pre-existing 
> VH whose SSLCertificateFile and SSLCertificateKeyFile paths point to the
> default keys for the SnakeOil cert and whose DocumentRoot is /www/htdocs/.
> 
> In the foo.org VirtualHost, I've got  set with
> the DocumentRoot of /www/htdocs/domains/foo.org and the paths to the 
> cert info set to /www/htdocs/domains/foo.org/server.{crt,key}.
> 
> When apache starts, it prompts me for my passphrase for foo.org so
> I know it gets that far and it's reading those files.  The problem
> is that not only does https://foo.org/ssl_app work as it should, but
> https://bar.org/ssl_app works as well.  So it appears that the _default_
> VH isn't even getting read or that it is being overruled by the second
> VH, namely foo.org.  I thought it was the first VH that was more or less
> the catch all for any incoming requests that aren't for a domain that's
> got its own subsequent VH?
> 
> I've tried everything I can think of and I'm at my wit's end.  Can
> anyone see or know what I'm doing wrong?  I'd sure appreciate any info
> anyone might have.

AFAIK, due to the nature of HTTPS, you need to have it on its own IP
address if you want to differentiate between two different
domains.  I.e. foo.org would have to be 10.0.1.20 and bar.org
10.0.1.21, then you would set foo.org VirtualHost 10.0.1.20:443 and
likewise with bar.org.

The problem is that the SSL starts before any other info is
transmitted, so it cannot distinguish between hostnames prior to doing
the SSL encryption.  In other words, it tries to encrypt with the
server on the other end and the only way apache can tell one domain
from another is by the IP address associated with each.

It's really annoying and a real PITA, but you'll need separate IPs for
every *different* SSL-enabled site you want.

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
1024D/FE6F2AFD   88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD

Current Linux kernel 2.4.8-34.1mdk uptime: 15 days 21 hours 25 minutes.



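To make Vincent's explanation concrete, here is a small Python model of how Apache 1.3 with mod_ssl has to choose a VirtualHost (and therefore a certificate) for an HTTPS connection. This is an added illustration, not code from the thread or from Apache; the IP addresses, DNS mapping and certificate paths are constructed to match the examples in the posts above.

```python
"""Model of VirtualHost selection for HTTPS in Apache 1.3 + mod_ssl (illustration only)."""
from dataclasses import dataclass

@dataclass
class VHost:
    addr: str     # address from <VirtualHost addr:port>; "_default_" is the catch-all
    port: int
    cert: str     # what SSLCertificateFile would point to (constructed paths)
    docroot: str

def select_vhost(vhosts, conn_ip, conn_port, host_header=None):
    """Pick the vhost serving a connection to conn_ip:conn_port.

    The TLS handshake (and the certificate choice) happens before the client
    sends any HTTP request, so the Host: header is not available yet.  The
    host_header argument is accepted only to make that explicit: it is ignored,
    exactly as in the pre-SNI stack discussed in the thread.
    """
    for vh in vhosts:                      # explicit IP-based vhosts first
        if vh.addr == conn_ip and vh.port == conn_port:
            return vh
    for vh in vhosts:                      # _default_ only catches unclaimed IPs
        if vh.addr == "_default_" and vh.port == conn_port:
            return vh
    return None

# Constructed DNS: both names on one box (Charlie's setup) vs. one IP each (Vincent's fix).
SHARED_DNS = {"foo.org": "10.0.1.20", "bar.org": "10.0.1.20"}
SEPARATE_DNS = {"foo.org": "10.0.1.20", "bar.org": "10.0.1.21"}

def shared_ip_config():
    """<VirtualHost _default_:443> with SnakeOil, then <VirtualHost foo.org:443>.
    Apache resolves 'foo.org' to its IP, so that vhost now claims the whole address."""
    return [VHost("_default_", 443, "snakeoil/server.crt", "/www/htdocs/"),
            VHost(SHARED_DNS["foo.org"], 443, "foo.org/server.crt", "/www/htdocs/domains/foo.org")]

def separate_ip_config():
    """One IP per SSL site: 10.0.1.20:443 for foo.org, 10.0.1.21:443 for the rest."""
    return [VHost(SEPARATE_DNS["foo.org"], 443, "foo.org/server.crt", "/www/htdocs/domains/foo.org"),
            VHost(SEPARATE_DNS["bar.org"], 443, "snakeoil/server.crt", "/www/htdocs/")]

def docroot_for(hostname, dns, vhosts):
    """Which DocumentRoot an https://hostname/ request actually lands in."""
    vh = select_vhost(vhosts, dns[hostname], 443, host_header=hostname)
    return vh.docroot if vh else None

if __name__ == "__main__":
    for label, dns, cfg in (("shared IP", SHARED_DNS, shared_ip_config()),
                            ("separate IPs", SEPARATE_DNS, separate_ip_config())):
        for name in ("foo.org", "bar.org"):
            print(f"{label:12} https://{name}/ -> {docroot_for(name, dns, cfg)}")
```

With the shared IP, both names land in the foo.org DocumentRoot (so bar.org gets the ssl_app too, as Charlie observed), while the `_default_` vhost is never selected because the foo.org vhost already claims that address; with one IP per site the two are kept apart. Later TLS added the SNI extension, which carries the hostname in the ClientHello, but the Apache 1.3 stack in this thread predates it.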


Re: [expert] Any Apache gurus in the house?

2002-02-07 Thread J.P. Pasnak

On Thursday 07 February 2002 17:01, [EMAIL PROTECTED] wrote:
> I've got apache 1.3.22 running with mod_ssl and a few different virtual
> hosts separated as /www/htdocs/domains/{foo,bar}.org et al.
>
> In the foo.org VirtualHost, I've got  set with
> the DocumentRoot of /www/htdocs/domains/foo.org and the paths to the
> cert info set to /www/htdocs/domains/foo.org/server.{crt,key}.
>
> I've tried everything I can think of and I'm at my wit's end.  Can
> anyone see or know what I'm doing wrong?  I'd sure appreciate any info
> anyone might have.

You might try putting the app in its own directory '/www/htdocs/app' and 
create an 'Alias /app/ /www/htdocs/app/' in the 'foo.org' VirtualHost 
directive, that way, it should only be accessible via https://foo.bar/app/.



-- 
Live fast, die young,
you're sucking up my bandwidth.
--
J.P. Pasnak, CD
[EMAIL PROTECTED]
http://www.warpedsystems.sk.ca

Kernel version: 2.4.17-13mdk
Current Linux uptime: 2 days 22 hours 14 minutes.






Re: [expert] Any Apache gurus in the house?

2002-02-07 Thread mandrake

On Thu, 07 Feb, at 18:18:07 -0600, J.P. Pasnak <[EMAIL PROTECTED]> done said:
> 
> You might try putting the app in its own directory '/www/htdocs/app' and 
> create an 'Alias /app/ /www/htdocs/app/' in the 'foo.org' VirtualHost 
> directive, that way, it should only be accessible via https://foo.bar/app/.

I gave that a go, but no love.  I think Vincent might be right -- there
might have to be a secondary IP.  I'll have to try that one out a little
later.

Thanks,

-Charlie
-- 
GPG Key fingerprint = 4F36 EC4F 2F2C 5F59 9690  09E5 4C0F 9DB0 8623 53CE
No man is an Iland, intire of it selfe; every man is a peece of the
Continent, a part of the maine; if a Clod bee washed away by the Sea,
Europe is the lesse, as well as if a Promontorie were, as well as if
a Mannor of thy friends or of thine owne were; any mans death diminishes
me, because I am involved in Mankinde; And therefore never send to know
for whom the bell tolls; It tolls for thee.
-- John Donne, "No Man is an Iland"


