[SATLUG] Apache with 1 IP, two SSL sites, different ports

Gabriel Doss gabriel.doss at gmail.com
Thu May 21 12:31:15 CDT 2009


On Thu, May 21, 2009 at 9:42 AM, Jeremy Mann <jeremymann at gmail.com> wrote:

> On Wed, May 20, 2009 at 3:59 PM, Gabriel Doss <gabriel.doss at gmail.com>
> wrote:
> > I am trying to get apache-2.2 to serve three sites, one http and two https
> > with separate self-signed certs. I know apache requires different ports for
> > all three since two are SSL and cannot share a same IP/same port
> > configuration like http traffic can.
>
> Gabriel, this is false. I run a webserver here at the HSC that serves
> up various domains and 4 HTTPS sites concurrently. 3 of the HTTPS
> sites are the same IP and 1 is on a dedicated IP.
>
> Here is how I have it (domains and IP are removed)
>
> CentOS5 (Apache 2.1)
> /etc/httpd/conf.d/ssl.conf
>
> NameVirtualHost x.x.x.x:443
>
> <VirtualHost x.x.x.x:443>
> DocumentRoot /home/www/xxxxxx
> Servername xxxxxxxxx.uthscsa.edu
> ServerAdmin jeremy at xxxxxx.uthscsa.edu
> SSLEngine On
> SSLCertificateFile /etc/httpd/xxxxx/xxxxx.crt
> SSLCertificateKeyFile /etc/httpd/xxxxxx/xxxxx.key
> </VirtualHost>
>
> Repeat for as many https domains you need and restart Apache
>

Jeremy,

You must be changing the port for each VirtualHost. I can get it working on
separate ports on the same IP, just not same port/same IP, such as
192.168.1.100:443 for both sites. The server has no way of knowing which
site to serve since the SSL encryption happens before the HTTP header check,
so name-based virtual hosting does not work for SSL on the same port/same
IP. Either the IP or the port has to be different.

By the way, your example is how my VirtualHost settings look in ssl.conf,
except with a different port for each one.

Brad,

You can have two certs on the same IP, just not same IP/same port. I have
both certs working when I go to each site (the second using the :4443
specifier in the URL). While researching this problem I came across many who
mentioned this, but it is working right now so I can confirm that is not the
case.

Henry,

What you suggested worked. I set up a RedirectCond in .htaccess on the site
at :443 to check {HTTP_HOST} and if it matched the host of the site on
:4443, then redirect to the second site. I was surprised SSL did not pick up
the certificate on the first site at :443 before passing the rewrite to the
second site. Or maybe it did but that step is invisible to the user. I'll
have to check the logs to see more.

The port number still shows in the URL on the second site, but at least
users can type in https://secure2.domain.com and be directed to
https://secure2.domain.com:4443 instead of https://secure1.domain.com.

Bruce,

The stombi site you linked to is word-for-word from the Apache docs, with the
exception of the last couple paragraphs. Those paragraphs helped me wrap my
brain around the issue better.

Thanks for the help everyone. Much appreciated.

Gabriel
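
An added example, not part of the original message: a sketch of the Apache 2.2 layout described above, with two SSL virtual hosts on one IP at different ports and the host check on :443 that redirects to :4443. The IP and hostnames are the ones used in the message; the certificate and DocumentRoot paths are placeholders, and placing the rewrite rules in the virtual host instead of .htaccess is an assumption.

```apache
# Added illustration; paths below are placeholders, not from the thread.
Listen 443
Listen 4443

# First SSL site: default HTTPS port.
<VirtualHost 192.168.1.100:443>
    ServerName secure1.domain.com
    DocumentRoot /var/www/secure1
    SSLEngine On
    SSLCertificateFile    /etc/httpd/certs/secure1.crt
    SSLCertificateKeyFile /etc/httpd/certs/secure1.key

    # The TLS handshake on :443 finishes before Apache reads the Host
    # header, so a client asking for secure2.domain.com on this port is
    # presented secure1's certificate first. The redirect below is sent
    # inside that already-established session.
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^secure2\.domain\.com(:443)?$ [NC]
    RewriteRule ^/?(.*)$ https://secure2.domain.com:4443/$1 [R=302,L]
</VirtualHost>

# Second SSL site: same IP, different port, its own certificate.
<VirtualHost 192.168.1.100:4443>
    ServerName secure2.domain.com
    DocumentRoot /var/www/secure2
    SSLEngine On
    SSLCertificateFile    /etc/httpd/certs/secure2.crt
    SSLCertificateKeyFile /etc/httpd/certs/secure2.key
</VirtualHost>
```

Running `openssl s_client -connect 192.168.1.100:443` and then the same against `:4443` shows which certificate each port presents, which is a quick way to confirm the mapping after a restart.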

