[ic] Interchange and https

Peter peter at pajamian.dhs.org
Thu May 13 21:34:51 EDT 2004


Mike Heins wrote:
> Quoting Mark Weaver (mark at americanmicroinc.com):
> 
>>Mike Heins wrote:
>>
>>>Quoting Mark Weaver (mark at americanmicroinc.com):
>>>
>>>
>>>>Is anyone else using interchange on a virtual host with SSL that is 
>>>>working? I've not been able to get this working for anything. Sure could 
>>>>use some help.

Yes, see my example below on how I configure it properly.

>>>It has nothing to do with Interchange, of course.
>>>
>>>SSL simply doesn't work with NameVirtualHost. You can only have one
>>>per IP address.
>>>
>>
>>Yes...I've been finding this out the hard way. Any ideas for a solution? 
>>I didn't think there was a problem with Interchange. "it" appears to be 
>>operating just as it should. Apache on the other hand is being a HUGE pita.
> 
> 
> It isn't an Apache problem, either. It is an inherent limitation of
> HTTPS. You can have but one host per IP address (or IP Address/port
> combination).

Also, technically speaking, you can use NameVirtualHost with SSL.  What 
will happen is that apache will use the certificate named in the first 
VirtualHost section for that IP address for all virtual hosts that use 
the same IP.  This means that for any domain except the one that the 
certificate was actually created for people will get a popup that 
informs them that the certificate is for the wrong domain, but if they 
click to accept the certificate they will be able to go on and browse 
the site with a secure connection.

I take advantage of this in that I want people to be able to browse to 
https://domain.com as well as https://www.domain.com and also to some 
variants that might be common misspellings of the domain name, but I 
don't want to take out a separate certificate or allocate a separate IP 
address for each of these domain name variants, so I create two 
VirtualHost containers, one is for www.domain.com and the other is for 
domain.com plus all the variants as domain aliases.  The latter uses a 
redirect to send people to the former and it all works fine on one IP. 
All that happens, then, is that if someone misspells the domain name or 
leaves out the www. part they get a popup from their browser warning 
that the certificate is funny, then they get redirected to the correct 
domain.

My setup actually looks something like this:

NameVirtualHost 0.0.0.0
<VirtualHost 0.0.0.0>
ServerName www.domain.com
DocumentRoot /var/www/html/www.domain.com/
ScriptAlias /cgi-bin/ "/var/www/html/www.domain.com/cgi-bin/"
</VirtualHost>

<VirtualHost 0.0.0.0>
ServerName domain.com
ServerAlias www.doomain.com doomain.com www.domaid.com domaid.com
RedirectPermanent / http://www.domain.com/
</VirtualHost>

NameVirtualHost 0.0.0.0:443
<VirtualHost 0.0.0.0:443>
ServerName www.domain.com
DocumentRoot /var/www/html/www.domain.com/
ScriptAlias /cgi-bin/ "/var/www/html/www.domain.com/cgi-bin/"
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /var/www/conf/ssl.crt/www.domain.com.crt
SSLCertificateKeyFile /var/www/conf/ssl.key/www.domain.com.key
SSLCACertificateFile /var/www/conf/ssl.crt/ca.txt
SetEnvIf User-Agent ".*MSIE.*" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0
</VirtualHost>

# If someone hits one of these their browser will warn them that
# the certificate is for the wrong domain but it will still work.
<VirtualHost 0.0.0.0:443>
ServerName domain.com
ServerAlias www.doomain.com doomain.com www.domaid.com domaid.com
RedirectPermanent / https://www.domain.com/
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /var/www/conf/ssl.crt/www.domain.com.crt
SSLCertificateKeyFile /var/www/conf/ssl.key/www.domain.com.key
SSLCACertificateFile /var/www/conf/ssl.crt/ca.txt
SetEnvIf User-Agent ".*MSIE.*" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0
</VirtualHost>


Peter
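The following is an added example, not code from the original post, from Interchange or from Apache. It models the behaviour Peter describes: without SNI the TLS handshake finishes before the Host: header is seen, so Apache hands every name on an IP:port the certificate from the first VirtualHost for that address, and the client then compares the name it asked for against the names in that certificate. The certificates are constructed dicts standing in for the .crt files, the VirtualHost list mirrors the two :443 containers above, and the name-matching rules follow the usual RFC 6125 conventions (SAN dNSNames take precedence over the subject CN, one wildcard only in the left-most label, case-insensitive).

```python
"""Model of name-based SSL virtual hosting without SNI (as described in the
post): one certificate per IP:port, client-side hostname check, then the
Host:-based redirect.  Everything here is constructed for illustration."""


# Constructed stand-in for /var/www/conf/ssl.crt/www.domain.com.crt
WWW_CERT = {"subject_cn": "www.domain.com", "san_dns": ["www.domain.com"]}

# The two :443 VirtualHost containers from the post, in configuration order.
SSL_VHOSTS = [
    {"names": ["www.domain.com"], "cert": WWW_CERT, "redirect": None},
    {"names": ["domain.com", "www.doomain.com", "doomain.com",
               "www.domaid.com", "domaid.com"],
     "cert": WWW_CERT,                      # same file in both containers
     "redirect": "https://www.domain.com/"},
]


def _name_matches(name, host):
    """Match one certificate name (already lower-cased) against a host."""
    if "*" not in name:
        return name == host
    name_labels = name.split(".")
    host_labels = host.split(".")
    # Wildcard must be the entire left-most label, must not cover the
    # public suffix alone, and matches exactly one label.
    if name_labels[0] != "*" or len(name_labels) < 3:
        return False
    if len(name_labels) != len(host_labels):
        return False
    return name_labels[1:] == host_labels[1:]


def hostname_matches(hostname, cert):
    """Client-side check that produces the 'wrong domain' warning when False.
    SAN dNSNames are authoritative when present; otherwise fall back to CN."""
    host = hostname.lower().rstrip(".")
    names = cert["san_dns"] or [cert["subject_cn"]]
    return any(_name_matches(n.lower(), host) for n in names)


def cert_served_for(vhosts):
    """Without SNI the server cannot know the requested name during the
    handshake, so the first VirtualHost's certificate is used for all."""
    return vhosts[0]["cert"]


def select_vhost(vhosts, host_header):
    """Apache picks the container whose ServerName/ServerAlias matches Host:,
    falling back to the first container for that address."""
    for vh in vhosts:
        if host_header.lower() in vh["names"]:
            return vh
    return vhosts[0]


def simulate_https_request(vhosts, hostname):
    """Return (certificate_warning, redirect_location) for an HTTPS request
    to `hostname` on the shared IP:port."""
    cert = cert_served_for(vhosts)
    warning = not hostname_matches(hostname, cert)
    vh = select_vhost(vhosts, hostname)
    return warning, vh["redirect"]


if __name__ == "__main__":
    for name in ["www.domain.com", "domain.com", "www.domaid.com"]:
        warn, loc = simulate_https_request(SSL_VHOSTS, name)
        print(f"{name:16s} warning={warn!s:5s} redirect={loc}")
```

Running it shows the trade-off in the post: only www.domain.com gets a clean handshake, while domain.com and the misspelling aliases produce the certificate warning first and the redirect to https://www.domain.com/ second. From a defender's point of view the warning is the client's only signal that the presented identity does not match the requested name, so a setup that relies on users clicking through it is worth revisiting once the server and clients support SNI, which lets each name on a shared IP present its own certificate.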


More information about the interchange-users mailing list