Re: [users@httpd] VirtualHost with ServerAlias and SSLCertificateFile no friends?

2024-07-08 Thread Michael Osipov
On 2024/07/04 13:57:06 Frank Gingras wrote:
> On Thu, Jul 4, 2024 at 8:44 AM Michael Osipov  wrote:
> 
> > Folks,
> >
> > please consider the following example:
> > > 
> > > ServerAdmin m...@example.com
> > > ServerName foo.example.com
> > > ServerAlias foo.sub.example.net
> > > DocumentRoot /usr/local/www/apache24/data
> > > ErrorLog "/var/log/apache/foo-ssl-errors.log"
> > > CustomLog "/var/log/apache/foo-ssl-access.log" common
> > >
> > > SSLEngine On
> > > SSLCertificateFile /etc/ssl/foo.example.com/cert.crt
> > > SSLCertificateKeyFile /etc/ssl/foo.example.com/key.crt
> > > SSLCertificateFile /etc/ssl/foo.sub.example.net/cert.crt
> > > SSLCertificateKeyFile /etc/ssl/foo.sub.example.net/key.crt
> > >
> > > Include "..."
> > > 
> >
> > I'd like to run a single vhost serving the same content under multiple
> > FQDNs to the users
> >
> > As far as I understand mod_ssl it does not seem to support to have SNI on
> > a single vhost with multiple hostnames. I get error messages in the log
> > file.
> > I am running "Apache/2.4.59 (FreeBSD) OpenSSL/1.1.1w-freebsd".
> > FWIW: the same concept is supported with Tomcat: One connector, one default
> > host, aliases and several SSLHostConfig elements.
> > Is the approach to run two vhosts here? I am sure that a SAN certificate
> > will do the trick, but for €€€ reasons I won't be able to order one.
> >
> > Michael
> >
> In that case, define separate :443 vhosts for each name, and redirect to
> the main one.

As sad as it sounds, and also looking into the source code, there is no 
alternative to duplicating it.
There is a long-standing issue open in Bugzilla: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=61081

At least the docs should tell that using ServerAlias requires a SAN certificate 
to function properly.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
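
The arrangement this reply settles on, one :443 vhost per certificate, written out as an added example; it is not configuration posted by anyone in the thread. The `*:443` address, the second vhost's log file names and the shared include path are assumptions; host names and certificate paths are the ones from the original message.

```apache
# Added example. Assumed values: *:443, the foo-sub-* log names and the
# hypothetical include path /usr/local/etc/apache24/foo-common.inc.

# mod_ssl selects the vhost, and with it the certificate, by matching the
# SNI name sent by the client against ServerName/ServerAlias.
# The first vhost defined for an address is also the default one, used when
# the client sends no SNI name or a name that matches no vhost.
<VirtualHost *:443>
    ServerName foo.example.com
    DocumentRoot /usr/local/www/apache24/data
    ErrorLog "/var/log/apache/foo-ssl-errors.log"
    CustomLog "/var/log/apache/foo-ssl-access.log" common

    SSLEngine On
    SSLCertificateFile /etc/ssl/foo.example.com/cert.crt
    SSLCertificateKeyFile /etc/ssl/foo.example.com/key.crt

    # Everything the two names have in common lives in one file,
    # so only the directives in this block are duplicated.
    Include "/usr/local/etc/apache24/foo-common.inc"
</VirtualHost>

# Second name, second certificate: no ServerAlias on the first vhost.
<VirtualHost *:443>
    ServerName foo.sub.example.net
    DocumentRoot /usr/local/www/apache24/data
    ErrorLog "/var/log/apache/foo-sub-ssl-errors.log"
    CustomLog "/var/log/apache/foo-sub-ssl-access.log" common

    SSLEngine On
    SSLCertificateFile /etc/ssl/foo.sub.example.net/cert.crt
    SSLCertificateKeyFile /etc/ssl/foo.sub.example.net/key.crt

    # Variant A: serve the same content under this name as well.
    Include "/usr/local/etc/apache24/foo-common.inc"

    # Variant B: redirect to the main name instead. Remove the Include
    # above and enable the following line.
    # Redirect permanent / https://foo.example.com/
</VirtualHost>
```

`apachectl -S` lists the resulting name-based vhosts and shows which one is the default for port 443.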



[users@httpd] VirtualHost with ServerAlias and SSLCertificateFile no friends?

2024-07-04 Thread Michael Osipov
Folks,

please consider the following example:
> 
> ServerAdmin m...@example.com
> ServerName foo.example.com
> ServerAlias foo.sub.example.net
> DocumentRoot /usr/local/www/apache24/data
> ErrorLog "/var/log/apache/foo-ssl-errors.log"
> CustomLog "/var/log/apache/foo-ssl-access.log" common
> 
> SSLEngine On
> SSLCertificateFile /etc/ssl/foo.example.com/cert.crt
> SSLCertificateKeyFile /etc/ssl/foo.example.com/key.crt
> SSLCertificateFile /etc/ssl/foo.sub.example.net/cert.crt
> SSLCertificateKeyFile /etc/ssl/foo.sub.example.net/key.crt
> 
> Include "..."
> 

I'd like to run a single vhost serving the same content under multiple FQDNs to 
the users

As far as I understand mod_ssl it does not seem to support to have SNI on a 
single vhost with multiple hostnames. I get error messages in the log file.
I am running "Apache/2.4.59 (FreeBSD) OpenSSL/1.1.1w-freebsd".
FWIW: the same concept is supported with Tomcat: One connector, one default host, 
aliases and several SSLHostConfig elements.
Is the approach to run two vhosts here? I am sure that a SAN certificate will 
do the trick, but for €€€ reasons I won't be able to order one.

Michael




[users@httpd] Custom authentication and ap_is_initial_req

2014-07-17 Thread Michael Osipov
Hi folks,

I use a custom auth module which performs connection-legged authentication.
I do see duplicate WWW-Authenticate headers in the response from the server.

[Thu Jul 17 10:40:19 2014] [error] [client IP] authenticating main request
[Thu Jul 17 10:40:19 2014] [error] [client IP] no Authorization header
[Thu Jul 17 10:40:20 2014] [error] [client IP] authenticating main request
[Thu Jul 17 10:40:20 2014] [error] [client IP] calling accept_sec_context
[Thu Jul 17 10:40:20 2014] [error] [client IP] Negotiate: done: 0/0
[Thu Jul 17 10:40:20 2014] [error] [client IP] Authenticating subrequest
[Thu Jul 17 10:40:20 2014] [error] [client IP] Negotiate: done: 0/0

The last two lines result in duplicate output.

The question is, what is the purpose of the subrequest in general and why
is a subrequest issued at all when my auth method is hooked with:
ap_hook_check_user_id()?

How should I take care of that to avoid duplicate output?

if (ap_is_initial_req(r))
  return DECLINED;

does not solve the problem.

Thanks,

Michael
