Sunday, March 4, 2012

Multiple vhosts with apache httpd

There are two main questions here:
1. Can an Apache site have multiple HTTPS virtual hosts?
2. Can an Apache site use different certificates for different virtual hosts?

Answers:
1. Yes, but without SNI (TLS Server Name Indication) all HTTPS vhosts on one IP address and port have to share a single certificate.
2. In general, no. With a single IP address and no SNI you can present only one SSL certificate, because the server has to pick the certificate before it knows which host name the client wants. In that setting certificates are per IP:port, not per vhost. The way out is SNI: the client sends the host name in the TLS ClientHello, and Apache httpd 2.2.12 or later built against OpenSSL 0.9.8f or later uses it to choose the vhost, and therefore the certificate. Old clients that do not send SNI still get the certificate of the default vhost for that IP:port.

Why?
HTTPS is plain HTTP carried inside an SSL/TLS session, and the TLS connection goes to an IP address and port, not to a domain name. The steps are:
1. The client opens a TCP connection to the server's IP address and port.
2. The TLS handshake starts; the server has to send its certificate at this point.
3. The TLS session is established using that certificate.
4. Only now can Apache (or any web server) decrypt the HTTP request and see the requested domain in the Host header.

How to live with it?
My site is miteff.com. I created a certificate for it and I use exactly this certificate for my subdomains, wiki.miteff.com, etc. The web browsers throw a warning about certificate errors; the visitors must accept it or use the http version of the site.

Conclusion
So step 4 cannot happen before step 2, and that is why, without SNI, there is a single SSL certificate per IP address and port. SNI moves the host name into step 2 (the ClientHello), which is exactly what makes per-vhost certificates possible.

Other thoughts
Yes, I know that this is stupid. It breaks some of my plans too. But it is a misplanning of the HTTPS protocol and we must obey it.

Apache httpd behavior
I have a Debian-based web server with about 20 domains and subdomains on it, minor ones. I tested a lot of combinations, and the one that works for me is:
- the default-ssl vhost has SSLCertificateFile and SSLCertificateKeyFile pointing at the certificate used for ALL hosted sites;
- all other domains/vhosts also have SSLCertificateFile and SSLCertificateKeyFile directives (with the same or with different data, it does not matter). Their values are totally ignored. If I remove them, Apache refuses to start with errors.
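The following configuration is an added example, not the configuration from the original post. It shows the two cases discussed above on one IP address and port: the first vhost for *:443 is the default whose certificate every client sees in step 2 when no host name is available, and the second vhost carries its own certificate, which is only handed out when the client names the host via SNI. Host names, IP address and file paths are assumptions for illustration; SNI selection requires Apache httpd 2.2.12 or later built against OpenSSL 0.9.8f or later.

```apache
# Added example, not the original post's configuration. Host names, file
# paths and the address are assumptions for illustration.
# Per-vhost certificates work only with SNI: Apache httpd 2.2.12+ built
# against OpenSSL 0.9.8f+. Apache 2.4 ignores NameVirtualHost; it is kept
# here because the post describes a 2.2-era Debian server.

Listen 443
NameVirtualHost *:443

# First (default) vhost for *:443. Its certificate is the one presented in
# the handshake to every client that sends no SNI host name, whatever host
# that client later asks for in the HTTP Host header.
<VirtualHost *:443>
    ServerName miteff.com
    ServerAlias www.miteff.com
    DocumentRoot /var/www/miteff.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/miteff.com.crt
    SSLCertificateKeyFile /etc/ssl/private/miteff.com.key
</VirtualHost>

# Second vhost on the same IP and port with its own certificate.
# An SNI-capable client asking for wiki.miteff.com receives this
# certificate. A client without SNI receives the default certificate above
# and gets a host-name mismatch warning, which is the behaviour the post
# describes.
<VirtualHost *:443>
    ServerName wiki.miteff.com
    DocumentRoot /var/www/wiki.miteff.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wiki.miteff.com.crt
    SSLCertificateKeyFile /etc/ssl/private/wiki.miteff.com.key

    # Refuse non-SNI clients that end up in this vhost instead of serving
    # them under the wrong certificate (mod_ssl directive, 2.2.12+).
    SSLStrictSNIVHostCheck on
</VirtualHost>
```

To see which case a given client hits, compare the certificate subject printed by `openssl s_client -connect <server-ip>:443 -servername wiki.miteff.com` (SNI sent, wiki certificate expected) with the one from `openssl s_client -connect <server-ip>:443` without `-servername` (no SNI, default miteff.com certificate expected). If both commands return the miteff.com certificate, the server is not doing SNI and the per-vhost SSLCertificateFile values are indeed being ignored, as observed in the post.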

Please leave a comment if this post helps you.
