Fedora Linux Support Community & Resources Center
  #1  
Old 15th January 2010, 01:24 PM
tquang Offline
Registered User
 
Join Date: Jul 2009
Posts: 82
Ask: Multi domain (site) with SSL on APACHE

Hi everybody. Currently I have a problem with my Apache configuration: I set up 2 CAs for 2 domains using VirtualHost, but they do not match.

Apache 2.2.14
OpenSSL 0.9.8e-12.el5

Problem:
_https://site1.com: the browser shows the SSL info with the CA for site1.com
_https://site2.com: the browser does not match the SSL CA for site2.com; it only shows the CA of site1.com
=> The 2 sites have 2 CAs, one made for each domain.

Below is the content of my config file:

Quote:
Originally Posted by Site1.Com
<VirtualHost *:80>
ServerAdmin admin@admin.com
ServerName site1.com
ServerAlias www.site1.com
Redirect permanent / https://site1.com
</VirtualHost>
<VirtualHost *:443>
ServerAdmin admin@admin.com
DocumentRoot "/var/www/web/site1.com"
ServerName site1.com
ServerAlias www.site1.com
ErrorLog "/var/www/web/site1.com/logs/error"
CustomLog "/var/www/web/site1.com/logs/custom" common
<Directory "/var/www/web/site1.com/">
Options FollowSymLinks
AllowOverride None
Order deny,allow
Allow from all
</Directory>
SSLEngine on
SSLCertificateFile /var/www/ssl/site1.com.crt
SSLCertificateKeyFile /var/www/ssl/site1.com.key
</VirtualHost>
Quote:
Originally Posted by Site2.Com
<VirtualHost *:80>
ServerAdmin admin@admin.com
ServerName site2.com
ServerAlias www.site2.com
Redirect permanent / https://site2.com
</VirtualHost>
<VirtualHost *:443>
ServerAdmin admin@admin.com
DocumentRoot "/var/www/web/site2.com"
ServerName site2.com
ServerAlias www.site2.com
ErrorLog "/var/www/web/site2.com/logs/error"
CustomLog "/var/www/web/site2.com/logs/custom" common
<Directory "/var/www/web/site2.com/">
Options FollowSymLinks
AllowOverride None
Order deny,allow
Allow from all
</Directory>
SSLEngine on
SSLCertificateFile /var/www/ssl/site2.com.crt
SSLCertificateKeyFile /var/www/ssl/site2.com.key
</VirtualHost>
Thank you very much for reading and replying.

---------- Post added at 08:24 PM CST ---------- Previous post was at 06:05 PM CST ----------

Okay, I configured it to run on ports 443, 444, 445, ... and it works. But I need to run on 443 only for all domains.

So, does anybody have another idea?
Reply With Quote
  #2  
Old 15th January 2010, 03:44 PM
ibbo Offline
Registered User
 
Join Date: Jun 2005
Location: Leeds
Posts: 1,264
Well, it's a tricky one, as each domain would like its own SSL cert; otherwise, as you've found, you're going to get all that crud coming out.

You can do a few things.

The easiest would be to set up a wildcard certificate, something like below added to each of your vhost definitions.

Code:
<IfModule mod_ssl.c>
      SSLEngine on
      SSLProxyEngine On
      SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP:+eNULL
      SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
      SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

      BrowserMatch ".*MSIE.*" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
      BrowserMatch ^Mozilla/4\.0[678] no-gzip
    </IfModule>
Another idea is to set up an Apache accelerator (another instance of Apache that listens on port 80 but redirects requests via mod_proxy based on the domain name given).

This method could make the accelerator deal with SSL (only the host here listening on port 80 and 443). The data flow between the accelerator and, say, site1.com is in the clear, but the client and the accelerator deal in SSL (where SSL is requested).

Something like below would do (in conjunction with the SSL definition above)

Code:
    ProxyRequests Off
    RewriteEngine On

    RewriteRule ^/(.*) http://127.0.0.1:8080/$1 [P]
    ProxyPassReverse /  http://127.0.0.1:8080

    ProxyPreserveHost On
Of course it gets more complex, so try out the snakeoil file (you should have it if you have openssl installed, I think it's openssl).

Ibbo
__________________
A Hangover Lasts A Day, But Our Drunken Memories Last A Lifetime
--
Linux user #349545
(GNU/Linux)iD8DBQBAzWjX+MZAIjBWXGURAmflAKCntuBbuKCWenpm XoA7LNydllVQOwCfdjyzXscddzQvlhBedAcD7qfKmHo==zx0H
Reply With Quote
  #3  
Old 16th January 2010, 12:43 AM
tquang Offline
Registered User
 
Join Date: Jul 2009
Posts: 82
Good Morning and thank you, ibbo

Provisionally, I have returned to Redirect permanent (auto-forwarding the http port to a different https port).

I reconfigured my config file following your info, but it does not work. When site2.com is loaded, only the CA of site1 appears; site2 does not work.


Here is my content:
Code:
<VirtualHost *:443>
<IfModule mod_ssl.c>
SSLEngine on
SSLProxyEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP:+eNULL
SSLCertificateFile /var/www/ssl/site1.com.crt
SSLCertificateKeyFile /var/www/ssl/site1.com.key
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch ^Mozilla/4\.0[678] no-gzip
</IfModule>

ServerName site1.com
ServerAlias *.site1.com
ErrorLog "/var/www/web/site1.com/logs/error"
CustomLog "/var/www/web/site1.com/logs/custom" common

<Directory "/var/www/web/site1.com/">
Options All FollowSymLinks
AllowOverride All
Order deny,allow
Allow from all
</Directory>

</VirtualHost>
Reply With Quote
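
Serving a different certificate per host name on one address and port 443, as asked in the first post, is what TLS Server Name Indication (SNI) is for. The configuration below is an added example, not configuration from any poster in this thread, reusing the paths and host names from the first post. It assumes Apache 2.2.12 or later with mod_ssl built against an OpenSSL that supports SNI (upstream added it in 0.9.8f, so the 0.9.8e listed in the first post is assumed to be upgraded) and browsers that send SNI.

```apache
# Added example: name-based TLS virtual hosts on one IP:443 using SNI.
# Host names and file paths are taken from the first post.

# Only if ssl.conf does not already contain it.
Listen 443

# Apache 2.2: select *:443 vhosts by name. Without this (and without SNI)
# every request on 443 is answered by the first vhost with the first
# vhost's certificate, which is the symptom described in the thread.
NameVirtualHost *:443

# Reject clients that do not send SNI with 403 rather than handing
# them the first vhost's certificate for the wrong host name.
SSLStrictSNIVHostCheck on

<VirtualHost *:443>
    ServerName site1.com
    ServerAlias www.site1.com
    DocumentRoot "/var/www/web/site1.com"

    SSLEngine on
    SSLProtocol all -SSLv2
    # Excludes the export-grade and LOW ciphers that the cipher
    # string quoted in the thread leaves enabled.
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLCertificateFile    /var/www/ssl/site1.com.crt
    SSLCertificateKeyFile /var/www/ssl/site1.com.key
</VirtualHost>

<VirtualHost *:443>
    ServerName site2.com
    ServerAlias www.site2.com
    DocumentRoot "/var/www/web/site2.com"

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLCertificateFile    /var/www/ssl/site2.com.crt
    SSLCertificateKeyFile /var/www/ssl/site2.com.key
</VirtualHost>
```

After a reload, `openssl s_client -connect site2.com:443 -servername site2.com` shows which certificate is presented for that name.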