[ic] Interchange and https
Peter
peter at pajamian.dhs.org
Thu May 13 21:34:51 EDT 2004
Mike Heins wrote:
> Quoting Mark Weaver (mark at americanmicroinc.com):
>
>>Mike Heins wrote:
>>
>>>Quoting Mark Weaver (mark at americanmicroinc.com):
>>>
>>>
>>>>Is anyone else using interchange on a virtual host with SSL that is
>>>>working? I've not been able to get this working for anything. Sure could
>>>>use some help.

Yes, see my example below on how I configure it properly.

>>>It has nothing to do with Interchange, of course.
>>>
>>>SSL simply doesn't work with NameVirtualHost. You can only have one
>>>per IP address.
>>>
>>
>>Yes...I've been finding this out the hard way. Any ideas for a solution?
>>I didn't think there was a problem with Interchange. "it" appears to be
>>operating just as it should. Apache on the other hand is being a HUGE pita.
>
>
> It isn't an Apache problem, either. It is an inherent limitation of
> HTTPS. You can have but one host per IP address (or IP Address/port
> combination).

Also technically speaking you can use NameVirtualHost with ssl. What
will happen is that apache will use the certificate named in the first
VirtualHost section for that IP address for all virtual hosts that use
the same IP. This means that for any domain except the one that the
certificate was actually created for people will get a popup that
informs them that the certificate is for the wrong domain, but if they
click to accept the certificate they will be able to go on and browse
the site with a secure connection.

I take advantage of this in that I want people to be able to browse to
https://domain.com as well as https://www.domain.com and also to some
variants that might be common misspellings of the domain name, but I
don't want to take out a separate certificate or allocate a separate IP
address for each of these domain name variants, so I create two
VirtualHost containers, one is for www.domain.com and the other is for
domain.com plus all the variants as domain aliases. The latter uses a
redirect to send people to the former and it all works fine on one IP.
All that happens, then, is that if someone misspells the domain name or
leaves out the www. part they get a popup from their browser warning
that the certificate is funny, then they get redirected to the correct
domain.

My setup actually looks something like this:

NameVirtualHost 0.0.0.0

<VirtualHost 0.0.0.0>
    ServerName www.domain.com
    DocumentRoot /var/www/html/www.domain.com/
    ScriptAlias /cgi-bin/ "/var/www/html/www.domain.com/cgi-bin/"
</VirtualHost>

<VirtualHost 0.0.0.0>
    ServerName domain.com
    ServerAlias www.doomain.com doomain.com www.domaid.com domaid.com
    RedirectPermanent / http://www.domain.com/
</VirtualHost>

NameVirtualHost 0.0.0.0:443

<VirtualHost 0.0.0.0:443>
    ServerName www.domain.com
    DocumentRoot /var/www/html/www.domain.com/
    ScriptAlias /cgi-bin/ "/var/www/html/www.domain.com/cgi-bin/"
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /var/www/conf/ssl.crt/www.domain.com.crt
    SSLCertificateKeyFile /var/www/conf/ssl.key/www.domain.com.key
    SSLCACertificateFile /var/www/conf/ssl.crt/ca.txt
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>

# If someone hits one of these their browser will warn them that
# the certificate is for the wrong domain but it will still work.
<VirtualHost 0.0.0.0:443>
    ServerName domain.com
    ServerAlias www.doomain.com doomain.com www.domaid.com domaid.com
    RedirectPermanent / https://www.domain.com/
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /var/www/conf/ssl.crt/www.domain.com.crt
    SSLCertificateKeyFile /var/www/conf/ssl.key/www.domain.com.key
    SSLCACertificateFile /var/www/conf/ssl.crt/ca.txt
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>

Peter
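
One way to audit a configuration like the one above for names that will trigger the certificate warning, as an added example that is not part of the original message. It assumes, as the message describes, that the first SSL VirtualHost on an address supplies the certificate for every vhost on that address; the sample config is constructed from the layout above, and the names each certificate file is valid for are passed in by the caller (hypothetical `cert_names_by_file` argument) rather than read from the file.

```python
import re
from collections import defaultdict
SAMPLE_CONF = """
<VirtualHost 0.0.0.0:443>
    ServerName www.domain.com
    SSLEngine on
    SSLCertificateFile /var/www/conf/ssl.crt/www.domain.com.crt
</VirtualHost>
<VirtualHost 0.0.0.0:443>
    ServerName domain.com
    ServerAlias www.doomain.com doomain.com
    SSLEngine on
    SSLCertificateFile /var/www/conf/ssl.crt/www.domain.com.crt
</VirtualHost>
"""  # constructed sample, trimmed from the layout in the message above

def parse_ssl_vhosts(conf):
    """Return {address: [vhost, ...]} for SSL-enabled vhosts, in file order."""
    groups = defaultdict(list)
    for addr, body in re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.S | re.I):
        vhost = {"names": [], "cert": None, "ssl": False}
        for line in body.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            key, args = parts[0].lower(), parts[1:]
            if key in ("servername", "serveralias"):
                vhost["names"] += [a.lower() for a in args]
            elif key == "sslcertificatefile" and args:
                vhost["cert"] = args[0]
            elif key == "sslengine" and args:
                vhost["ssl"] = args[0].lower() == "on"
        if vhost["ssl"]:
            groups[addr.strip()].append(vhost)
    return groups

def cert_covers(host, cert_names):
    """Exact match, or a '*.' name matching exactly one left-most label."""
    return any(host == p or (p.startswith("*.") and host.partition(".")[2] == p[2:])
               for p in cert_names)

def mismatched_names(conf, cert_names_by_file):
    """Per address: names served the first vhost's certificate but not listed in it."""
    report = {}
    for addr, vhosts in parse_ssl_vhosts(conf).items():
        # Assumption from the message: the first vhost's certificate is used for all.
        served = cert_names_by_file.get(vhosts[0]["cert"], [])
        report[addr] = sorted({n for v in vhosts for n in v["names"] if not cert_covers(n, served)})
    return report
```

Every name in the returned list is one where a visitor sees the wrong-domain warning before the redirect is delivered.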