Mike,

On Fri, Dec 17, 2004 at 02:04:43PM -0800, Mike Kennedy wrote:
> I can't find anything specific to my question in the FAQs but I'm trying
> to set up a tomcat server with virtual hosts using https. I have two ips,
> each with its own SSL cert as I understand is necessary for https.
>
> What I want is to have each ip use port 443 with its own document tree
> (virtual host) but I cannot seem to get this to work. When I set up an
> additional ip to use port 443 I get an error 400 (bad request).

I'm not sure what you mean by "virtual host". AFAIK there are generally two uses of the phrase.

The first is to refer to a single web server answering to more than one domain name _without_ using one IP address per domain name.

The second is to offer a customer seemingly full access to a server to run their website, without having one separate physical box per customer. Some solutions go all the way and try to make the customer feel like they have root on the box. Some solutions just provide the customer a greater-than-end-user level of access to tweaking the configuration of their webserver, cgi scripts and database.

If you're asking the first, I don't know if my recent learning experience with Apache Virtual hosting will be relevant, but it may give you some insight into what you're doing. It may only go for tomcat used in an apache/modjk/tomcat setup. Or it may not be at all relevant to tomcat, whether stand-alone or with apache.

I recently re-installed my apache server, and in the process set up apache virtual hosting. I learned that it's almost impossible to set up SSL with virtual hosts with apache; you need to use IP-based hosting if you want to serve multiple domains from one apache installation via SSL, without any hitches.

That said, if all you really care about is encrypting the connection, non-IP based (i.e. virtual) multiple domain hosting is still tolerable. Basically the SSL cert that's served by the server will match the default virtual host (the first one defined in the configuration). Requests to the other domains on the SSL port will hit the same SSL server and get served the SSL cert for the default domain. The browser will squawk because the Cert doesn't match the domain.

If you're *really* security-conscious, this is a problem, since there's an opportunity for a man-in-the-middle attack. Somebody could slip the browser a bogus Cert and proxy requests to your server, eavesdropping on them all the while.

But if you're just providing some encrypted web-access to an application, you may not mind. Security is all about trade-offs.

-- 
Steven J. Owens
[EMAIL PROTECTED]

"I'm going to make broad, sweeping generalizations and strong,
 declarative statements, because otherwise I'll be here all night and
 this document will be four times longer and much less fun to read.
 Take it all with a grain of salt." - http://darksleep.com/notablog
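
The IP-based arrangement described in the reply above, sketched as an Apache httpd configuration with mod_ssl. This is an added example, not part of the original thread; the addresses (documentation range), host names and file paths are assumed placeholders, and it covers Apache only, not a stand-alone Tomcat connector.

```apache
# Added example: IP-based SSL hosting, one certificate per address.
# All addresses, names and paths below are constructed placeholders.

# Bind each address explicitly so each one gets its own SSL server.
Listen 192.0.2.10:443 https
Listen 192.0.2.11:443 https

# First site: the certificate is selected by the address the client
# connected to, so it always matches this site's domain name.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    DocumentRoot "/var/www/example-com"

    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/www.example.com.crt"
    SSLCertificateKeyFile "/etc/ssl/private/www.example.com.key"
</VirtualHost>

# Second site: separate address, separate certificate, separate
# document tree.
<VirtualHost 192.0.2.11:443>
    ServerName www.example.org
    DocumentRoot "/var/www/example-org"

    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/www.example.org.crt"
    SSLCertificateKeyFile "/etc/ssl/private/www.example.org.key"
</VirtualHost>

# Checks after reloading:
#   apachectl -t
#   openssl s_client -connect 192.0.2.10:443 </dev/null | openssl x509 -noout -subject
#   openssl s_client -connect 192.0.2.11:443 </dev/null | openssl x509 -noout -subject
# Each address should present the certificate for its own domain; if both
# show the same subject, requests are falling through to the default
# virtual host and browsers will report the mismatch described above.
```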