Mailing List Archive: Apache: Dev

Why aren't name-based vhosts not working properly under SSL?

 

 



mi+thun at aldan

Apr 16, 2012, 8:34 AM

Post #1 of 13 (454 views)
Why aren't name-based vhosts not working properly under SSL?

If the SSL-certificate is the same for all named vhosts configured for the given
IP-address/port-number combination, why can not the vhosts have different
DocumentRoots and other settings?

Thank you. Yours,

-mi


h.reindl at thelounge

Apr 16, 2012, 8:39 AM

Post #2 of 13 (441 views)
Re: Why aren't name-based vhosts not working properly under SSL? [In reply to]

On 16.04.2012 17:34, Mikhail T. wrote:
> If the SSL-certificate is the same for all named vhosts configured for the given IP-address/port-number
> combination, why can not the vhosts have different DocumentRoots and other settings?

because SSL was misdesigned years ago and the Host header
is also sent encrypted, so the server can not know for
which hostname the SSL handshake is, and since it knows
the hostname AFTER the handshake it is too late


tevans.uk at googlemail

Apr 16, 2012, 8:40 AM

Post #3 of 13 (441 views)
Re: Why aren't name-based vhosts not working properly under SSL? [In reply to]

On Mon, Apr 16, 2012 at 4:34 PM, Mikhail T. <mi+thun [at] aldan> wrote:
> If the SSL-certificate is the same for all named vhosts configured for the
> given IP-address/port-number combination, why can not the vhosts have
> different DocumentRoots and other settings?
>
> Thank you. Yours,
>
>   -mi
>

They can. Excerpt from my httpd.conf:

NameVirtualHost *:443

<VirtualHost *:443>
ServerName rc.xxxxxx.com
SSLEngine on
SSLCertificateFile /etc/ssl/star.xxxxxx.com/apache.crt
</VirtualHost>

<VirtualHost *:443>
ServerName sab.xxxxxx.com
SSLEngine on
SSLCertificateFile /etc/ssl/star.xxxxxx.com/apache.crt
</VirtualHost>

<VirtualHost *:443>
ServerName svn.xxxxxx.com
SSLEngine on
SSLCertificateFile /etc/ssl/star.xxxxxx.com/apache.crt
</VirtualHost>

Cheers

Tom


mi+thun at aldan

Apr 16, 2012, 8:51 AM

Post #4 of 13 (441 views)
Re: Why aren't name-based vhosts not working properly under SSL? [In reply to]

On 16.04.2012 11:40, Tom Evans wrote:
> They can. Excerpt from my httpd.conf:
Your excerpt does not show different DocumentRoots -- nor any other settings...
Could you show more contents? What is the Apache version you are using? In all
my attempts, Apache a) issues a pointless warning about multiple SSL vhosts on
the same IP/port; b) uses the settings (including DocumentRoot) from the first
vhost encountered for all of them.

On 16.04.2012 11:39, Reindl Harald wrote:
> because SSL was misdesigned years ago and the Host-Header is also sent
> encrypted, so the server can not know for with hostname the ssl-handshake is
> and since he knows the Hostname AFTER handshake it is too late
No, this does not answer my question. In my scenario the SSL-certificate is the
same for all vhosts concerned. So Apache could use that certificate to establish
the SSL connection, and then parse the Host:-header to determine, which group of
other (non-SSL) settings to apply to the request. But Apache does not do that --
not in 2.2.22.

Is this an omission, that can and should be fixed, or am I missing something
else? Thanks!

-mi


covener at gmail

Apr 16, 2012, 8:55 AM

Post #5 of 13 (442 views)
Re: Why aren't name-based vhosts not working properly under SSL? [In reply to]

> No, this does not answer my question. In my scenario the SSL-certificate is
> the same for all vhosts concerned. So Apache could use that certificate to
> establish the SSL connection, and then parse the Host:-header to determine,
> which group of other (non-SSL) settings to apply to the request. But Apache
> does not do that -- not in 2.2.22.
>
> Is this an omission, that can and should be fixed, or am I missing something
> else? Thanks!

Got a pointer to your configuration?


mi+thun at aldan

Apr 16, 2012, 9:07 AM

Post #6 of 13 (442 views)
Re: Why aren't name-based vhosts not working properly under SSL? [In reply to]

On 16.04.2012 11:55, Eric Covener wrote:
> Got a pointer to your configuration?
Well, the real one I was designing now uses a work-around (single vhost with
mod_rewrite examining the Host header and picking the proper subdirectory). Here
is a mock one, that I'd rather be using -- instead of messing with mod_rewrite:

Listen 443

# Common settings for all:
SSLCertificateFile conf/ssl.crt/everywhere.cer
SSLCertificateKeyFile conf/ssl.key/everywhere.key
SSLCertificateChainFile conf/ssl.crt/Comodo-intermediate.cer

<VirtualHost *:443>
    ServerName drupal6
    ServerAlias project1.example.com
    ServerAlias project2.example.net
    DocumentRoot /www/drupal6
</VirtualHost>

<VirtualHost *:443>
    ServerName drupal7
    ServerAlias project3.example.com
    ServerAlias project4.example.net
    DocumentRoot /www/drupal7
</VirtualHost>

Older projects 1 and 2 use Drupal-6, while the new projects 3 and 4 -- Drupal-7.
Yours,

-mi


tevans.uk at googlemail

Apr 16, 2012, 9:21 AM

Post #7 of 13 (444 views)
Re: Why aren't name-based vhosts not working properly under SSL? [In reply to]

On Mon, Apr 16, 2012 at 4:51 PM, Mikhail T. <mi+thun [at] aldan> wrote:
> On 16.04.2012 11:40, Tom Evans wrote:
>
> They can. Excerpt from my httpd.conf:
>
> Your excerpt does not show different DocumentRoots -- nor any other
> settings... Could you show more contents? What is the Apache version you are
> using? In all my attempts, Apache a) issues a pointless warning about
> multiple SSL vhosts on the same IP/port; b) uses the settings (including
> DocumentRoot) from the first vhost encountered for all of them.
>

Er, OK:

NameVirtualHost *:80
NameVirtualHost *:443


<VirtualHost *:443>
    ServerName rc.xxxxxx.com

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/ssl/xxxxxx/star.xxxxxx.com/apache.crt
    SSLCertificateKeyFile /etc/ssl/xxxxxx/star.xxxxxx.com/apache.key
    SSLCACertificateFile /etc/ssl/xxxxxx/ca.crt
    ErrorDocument 403 /errors/certneeded.html
    Alias /errors /usr/local/etc/apache22/xxxxxxerrors
    SSLVerifyClient optional

    <LocationMatch ^(?!/errors/)>
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
        SSLVerifyClient optional
    </LocationMatch>

    SSLVerifyDepth 1
    SSLCARevocationFile /etc/ssl/xxxxxx/ca.crl
    SSLOptions +StdEnvVars
    SSLUserName SSL_CLIENT_S_DN_Email
    RequestHeader set X-SSL-Enabled 1

    DocumentRoot /usr/home/tom/projects/rc/htdocs

    <Directory /usr/home/tom/projects/rc/htdocs>
        Order allow,deny
        Allow from all
    </Directory>

    #CustomLog /var/log/httpd-ssl-rc.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    SetEnv proxy-nokeepalive 1

    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/favicon.ico
    RewriteCond %{REQUEST_URI} !^/media
    RewriteCond %{REQUEST_URI} !^/amedia
    RewriteCond %{REQUEST_URI} !^/errors
    RewriteRule ^/(.*)$ /rc.fcgi/$1 [QSA,L]

    FastCGIExternalServer /usr/home/tom/projects/rc/htdocs/rc.fcgi -socket /usr/home/tom/projects/rc/run/rc.socket
</VirtualHost>


<VirtualHost *:443>
    ServerName sab.xxxxxx.com

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/ssl/xxxxxx/star.xxxxxx.com/apache.crt
    SSLCertificateKeyFile /etc/ssl/xxxxxx/star.xxxxxx.com/apache.key
    SSLCACertificateFile /etc/ssl/xxxxxx/ca.crt
    SSLVerifyClient optional

    ErrorDocument 403 /errors/certneeded.html
    Alias /errors /usr/local/etc/apache22/xxxxxxerrors

    <LocationMatch ^(?!/errors/)>
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
        SSLVerifyClient optional
    </LocationMatch>

    SSLVerifyDepth 1
    SSLCARevocationFile /etc/ssl/xxxxxx/ca.crl
    SSLUserName SSL_CLIENT_S_DN_Email
    SSLOptions +StdEnvVars
    RequestHeader set X-SSL-Enabled 1

    DocumentRoot /var/empty

    <Directory /var/empty>
        Order allow,deny
        Allow from all
    </Directory>

    ProxyPass /errors !
    ProxyPass / http://ethan.xxxxxx.com:8085/sabnzbd/ retry=0
    ProxyPassReverse / http://ethan.xxxxxx.com:8085/sabnzbd/
    SetEnv proxy-nokeepalive 1
</VirtualHost>

<VirtualHost *:443>
    ServerName svn.xxxxxx.com

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/ssl/xxxxxx/star.xxxxxx.com/apache.crt
    SSLCertificateKeyFile /etc/ssl/xxxxxx/star.xxxxxx.com/apache.key
    SSLCACertificateFile /etc/ssl/xxxxxx/ca.crt
    SSLVerifyClient optional

    ErrorDocument 403 /errors/certneeded.html
    Alias /errors /usr/local/etc/apache22/xxxxxxerrors

    <Location />
        DAV svn
        SVNPath /tank/svn/repos/devel
    </Location>

    <LocationMatch ^(?!/errors/)>
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
        SSLVerifyClient optional
    </LocationMatch>

    SSLVerifyDepth 1
    SSLCARevocationFile /etc/ssl/xxxxxx/ca.crl
    SSLUserName SSL_CLIENT_S_DN_Email
</VirtualHost>

This is httpd 2.2.21 btw

Cheers

Tom


ruediger.pluem at vodafone

Apr 16, 2012, 9:24 AM

Post #8 of 13 (443 views)
RE: Why aren't name-based vhosts not working properly under SSL? [In reply to]

Without a NameVirtualHost directive this cannot work as you intend.
Add NameVirtualHost *:443

Regards

Rüdiger

From: Mikhail T. [mailto:mi+thun [at] aldan]
Sent: Monday, 16 April 2012 18:07
To: dev [at] httpd; covener [at] gmail
Subject: Re: Why aren't name-based vhosts not working properly under SSL?

On 16.04.2012 11:55, Eric Covener wrote:

Got a pointer to your configuration?
Well, the real one I was designing now uses a work-around (single vhost with mod_rewrite examining the Host-header and picking the proper subdirectore). Here is a mock one, that I'd rather be using -- instead of messing with mod_rewrite:
Listen: 443

# Common settings for all:
SSLCertificateFile conf/ssl.crt/everywhere.cer
SSLCertificateKeyFile conf/ssl.key/everywhere.key
SSLCertificateChainFile conf/ssl.crt/Comodo-intermediate.cer

<VirtualHost *:443>
ServerName drupal6
ServerAlias project1.example.com
ServerAlias project2.example.net
DocumentRoot /www/drupal6
</VirtualHost>

<VirtualHost *:443>
ServerName drupal7
ServerAlias project3.example.com
ServerAlias project4.example.net
DocumentRoot /www/drupal7
</VirtualHost>
Older projects 1 and 2 use Drupal-6, while the new projects 3 and 4 -- Drupal-7. Yours,
-mi


margol at beamartyr

Apr 16, 2012, 9:25 AM

Post #9 of 13 (444 views)
Re: Why aren't name-based vhosts not working properly under SSL? [In reply to]

Are you sure that your client supports SNI?

On 16/04/2012 19:21, Tom Evans wrote:
> On Mon, Apr 16, 2012 at 4:51 PM, Mikhail T. <mi+thun [at] aldan> wrote:
>> On 16.04.2012 11:40, Tom Evans wrote:
>>
>> They can. Excerpt from my httpd.conf:
>>
>> Your excerpt does not show different DocumentRoots -- nor any other
>> settings... Could you show more contents? What is the Apache version you are
>> using? In all my attempts, Apache a) issues a pointless warning about
>> multiple SSL vhosts on the same IP/port; b) uses the settings (including
>> DocumentRoot) from the first vhost encountered for all of them.
>>
> Er, OK:
>
> NameVirtualHost *:80
> NameVirtualHost *:443
>
>
> <VirtualHost *:443>
> ServerName rc.xxxxxx.com
>
> SSLEngine on
> SSLCipherSuite
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateFile /etc/ssl/xxxxxx/star.xxxxxx.com/apache.crt
> SSLCertificateKeyFile /etc/ssl/xxxxxx/star.xxxxxx.com/apache.key
> SSLCACertificateFile /etc/ssl/xxxxxx/ca.crt
> ErrorDocument 403 /errors/certneeded.html
> Alias /errors /usr/local/etc/apache22/xxxxxxerrors
> SSLVerifyClient optional
>
> <LocationMatch ^(?!/errors/)>
> SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
> SSLVerifyClient optional
> </LocationMatch>
>
> SSLVerifyDepth 1
> SSLCARevocationFile /etc/ssl/xxxxxx/ca.crl
> SSLOptions +StdEnvVars
> SSLUserName SSL_CLIENT_S_DN_Email
> RequestHeader set X-SSL-Enabled 1
>
> DocumentRoot /usr/home/tom/projects/rc/htdocs
>
> <Directory /usr/home/tom/projects/rc/htdocs>
> Order allow,deny
> Allow from all
> </Directory>
>
> #CustomLog /var/log/httpd-ssl-rc.log "%t %h %{SSL_PROTOCOL}x
> %{SSL_CIPHER}x \"%r\" %b"
>
> SetEnv proxy-nokeepalive 1
>
> RewriteEngine on
> RewriteCond %{REQUEST_URI} !^/favicon.ico
> RewriteCond %{REQUEST_URI} !^/media
> RewriteCond %{REQUEST_URI} !^/amedia
> RewriteCond %{REQUEST_URI} !^/errors
> RewriteRule ^/(.*)$ /rc.fcgi/$1 [QSA,L]
>
> FastCGIExternalServer /usr/home/tom/projects/rc/htdocs/rc.fcgi
> -socket /usr/home/tom/projects/rc/run/rc.socket
> </VirtualHost>
>
>
> <VirtualHost *:443>
> ServerName sab.xxxxxx.com
>
> SSLEngine on
> SSLCipherSuite
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateFile /etc/ssl/xxxxxx/star.xxxxxx.com/apache.crt
> SSLCertificateKeyFile /etc/ssl/xxxxxx/star.xxxxxx.com/apache.key
> SSLCACertificateFile /etc/ssl/xxxxxx/ca.crt
> SSLVerifyClient optional
>
> ErrorDocument 403 /errors/certneeded.html
> Alias /errors /usr/local/etc/apache22/xxxxxxerrors
>
> <LocationMatch ^(?!/errors/)>
> SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
> SSLVerifyClient optional
> </LocationMatch>
>
> SSLVerifyDepth 1
> SSLCARevocationFile /etc/ssl/xxxxxx/ca.crl
> SSLUserName SSL_CLIENT_S_DN_Email
> SSLOptions +StdEnvVars
> RequestHeader set X-SSL-Enabled 1
>
> DocumentRoot /var/empty
>
> <Directory /var/empty>
> Order allow,deny
> Allow from all
> </Directory>
>
> ProxyPass /errors !
> ProxyPass / http://ethan.xxxxxx.com:8085/sabnzbd/ retry=0
> ProxyPassReverse / http://ethan.xxxxxx.com:8085/sabnzbd/
> SetEnv proxy-nokeepalive 1
> </VirtualHost>
>
> <VirtualHost *:443>
> ServerName svn.xxxxxx.com
>
> SSLEngine on
> SSLCipherSuite
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateFile /etc/ssl/xxxxxx/star.xxxxxx.com/apache.crt
> SSLCertificateKeyFile /etc/ssl/xxxxxx/star.xxxxxx.com/apache.key
> SSLCACertificateFile /etc/ssl/xxxxxx/ca.crt
> SSLVerifyClient optional
>
> ErrorDocument 403 /errors/certneeded.html
> Alias /errors /usr/local/etc/apache22/xxxxxxerrors
>
> <Location />
> DAV svn
> SVNPath /tank/svn/repos/devel
> </Location>
>
> <LocationMatch ^(?!/errors/)>
> SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
> SSLVerifyClient optional
> </LocationMatch>
>
> SSLVerifyDepth 1
> SSLCARevocationFile /etc/ssl/xxxxxx/ca.crl
> SSLUserName SSL_CLIENT_S_DN_Email
> </VirtualHost>
>
> This is httpd 2.2.21 btw
>
> Cheers
>
> Tom


tevans.uk at googlemail

Apr 16, 2012, 9:27 AM

Post #10 of 13 (442 views)
Re: Why aren't name-based vhosts not working properly under SSL? [In reply to]

On Mon, Apr 16, 2012 at 5:25 PM, Issac Goldstand <margol [at] beamartyr> wrote:
> Are you sure that your client supports SNI?
>

This is not reliant on SNI.

Cheers

Tom


mi+thun at aldan

Apr 16, 2012, 9:34 AM

Post #11 of 13 (443 views)
Re: Why aren't name-based vhosts not working properly under SSL? [In reply to]

On 16.04.2012 12:24, Plüm, Rüdiger, Vodafone Group wrote:
>
> Without a NameVirtualHost directive this cannot work as you intend.
>
> Add NameVirtualHost *:443
>
I see... I thought, I'm already giving Apache all the information it needs,
though (with ServerAlias directives)... But if spelling-out the NameVirtualHost
is all I need to add, that works for me...

Thank you! Yours,

-mi
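To make the two-stage dispatch the thread circles around concrete, here is an added example (not code from the thread, and not httpd's own implementation): a small Python model of how httpd 2.2 chooses a <VirtualHost> for an HTTPS request. In stage 1, the TLS handshake, no HTTP bytes are readable yet, so the server can pick a vhost only by SNI (when the client sends it) or fall back to the first <VirtualHost> bound to that address:port; that vhost supplies the certificate. In stage 2, after decryption, httpd dispatches on the Host: header, but only when NameVirtualHost covers that address:port; without it every <VirtualHost *:443> is an IP-based vhost for the same address and the first one always wins, which is the symptom reported at the start of the thread. The embedded configs are constructed for this example: the thread's mock config with NameVirtualHost *:443 and SSLEngine on added, and the same text with NameVirtualHost removed. The model deliberately ignores SSLStrictSNIVHostCheck, _default_ vhosts and IP-literal matching; the 400 on an SNI/Host mismatch follows httpd 2.2.12+ behaviour.

```python
"""Added example: model of httpd 2.2's two-stage vhost selection for HTTPS.
Not the thread's code and not httpd's implementation; see lead-in."""
import fnmatch
import re
from dataclasses import dataclass, field


@dataclass
class VHost:
    address: str                 # the "*:443" in <VirtualHost *:443>
    server_name: str = ""
    aliases: list = field(default_factory=list)
    document_root: str = ""

    def matches(self, host):
        # httpd compares the Host: value (port already stripped) against
        # ServerName and every ServerAlias case-insensitively; aliases may
        # use the wildcards * and ?.
        host = host.lower()
        if host == self.server_name.lower():
            return True
        return any(fnmatch.fnmatchcase(host, a.lower()) for a in self.aliases)


def parse_config(text):
    """Parse only what this model needs: NameVirtualHost, <VirtualHost>,
    ServerName, ServerAlias and DocumentRoot. Everything else is ignored."""
    name_based, vhosts, cur = set(), [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"<VirtualHost\s+(\S+)>", line, re.I)
        if m:
            cur = VHost(address=m.group(1))
            vhosts.append(cur)
            continue
        if line.lower() == "</virtualhost>":
            cur = None
            continue
        directive, _, args = line.partition(" ")
        d, args = directive.lower(), args.strip()
        if d == "namevirtualhost":
            name_based.add(args)
        elif cur is not None and d == "servername":
            cur.server_name = args
        elif cur is not None and d == "serveralias":
            cur.aliases.extend(args.split())
        elif cur is not None and d == "documentroot":
            cur.document_root = args
    return name_based, vhosts


def overlapping_addresses(name_based, vhosts):
    """Addresses with several <VirtualHost> blocks but no NameVirtualHost:
    the misconfiguration that makes httpd 2.2 warn about the overlap at
    startup and serve only the first block."""
    counts = {}
    for v in vhosts:
        counts[v.address] = counts.get(v.address, 0) + 1
    return sorted(a for a, n in counts.items() if n > 1 and a not in name_based)


def select_vhost(name_based, vhosts, address, host_header, sni=None):
    """Return (vhost used for the handshake, vhost used for the request)."""
    candidates = [v for v in vhosts if v.address == address]
    if not candidates:
        raise LookupError("no <VirtualHost> bound to " + address)
    default = candidates[0]
    # Stage 1: the SNI name if the client sent one, else the default vhost.
    handshake = default
    if sni:
        handshake = next((v for v in candidates if v.matches(sni)), default)
    if address not in name_based:
        return handshake, default      # IP-based vhosts: Host: is ignored
    # Stage 2: strip a trailing :port, then match Host: like httpd does.
    host = re.sub(r":\d+$", "", host_header)
    # httpd 2.2.12+ refuses a request whose Host: differs from the SNI name
    # it already handshook under (HTTP 400), so a client cannot handshake as
    # one name and then ask for another.
    if sni and host.lower() != sni.lower():
        raise ValueError("400 Bad Request: SNI %r vs Host %r" % (sni, host))
    request = next((v for v in candidates if v.matches(host)), default)
    return handshake, request


def document_root_for(config_text, host_header, sni=None):
    name_based, vhosts = parse_config(config_text)
    return select_vhost(name_based, vhosts, "*:443", host_header, sni)[1].document_root


# Constructed: the thread's mock config with the missing directives added.
CONFIG_FIXED = """\
Listen 443
NameVirtualHost *:443

<VirtualHost *:443>
    ServerName drupal6
    ServerAlias project1.example.com project2.example.net
    SSLEngine on
    SSLCertificateFile conf/ssl.crt/everywhere.cer
    SSLCertificateKeyFile conf/ssl.key/everywhere.key
    DocumentRoot /www/drupal6
</VirtualHost>

<VirtualHost *:443>
    ServerName drupal7
    ServerAlias project3.example.com project4.example.net
    SSLEngine on
    SSLCertificateFile conf/ssl.crt/everywhere.cer
    SSLCertificateKeyFile conf/ssl.key/everywhere.key
    DocumentRoot /www/drupal7
</VirtualHost>
"""
# Constructed: the same config as originally posted, without NameVirtualHost.
CONFIG_BROKEN = CONFIG_FIXED.replace("NameVirtualHost *:443\n", "")

if __name__ == "__main__":
    for label, cfg in (("broken", CONFIG_BROKEN), ("fixed", CONFIG_FIXED)):
        nb, vh = parse_config(cfg)
        print(label, "overlap without NameVirtualHost:", overlapping_addresses(nb, vh))
        for name in ("project1.example.com", "project3.example.com", "other.example.org"):
            print("  Host: %-22s -> %s" % (name, document_root_for(cfg, name)))
```

Two things the model makes visible that the thread only implies. First, with the shared certificate the handshake never needs SNI, so a non-SNI client still lands on the right DocumentRoot once NameVirtualHost is present, which is why the config Tom posted works. Second, the Host: header is attacker-controlled and any value that matches nothing falls through to the first <VirtualHost> for that address:port; on a server like Tom's, where the first block front-ends an application, it is worth making the first block a deliberate catch-all rather than leaving that choice to config order.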


i.galic at brainsware

Apr 17, 2012, 8:17 AM

Post #12 of 13 (412 views)
Re: Why aren't name-based vhosts not working properly under SSL? [In reply to]

----- Original Message -----
> On Mon, Apr 16, 2012 at 4:51 PM, Mikhail T.
> <mi+thun [at] aldan> wrote:
> > On 16.04.2012 11:40, Tom Evans wrote:
> >
> > They can. Excerpt from my httpd.conf:
> >
> > Your excerpt does not show different DocumentRoots -- nor any other
> > settings... Could you show more contents? What is the Apache
> > version you are
> > using? In all my attempts, Apache a) issues a pointless warning
> > about
> > multiple SSL vhosts on the same IP/port; b) uses the settings
> > (including
> > DocumentRoot) from the first vhost encountered for all of them.
> >
>
> Er, OK:

Hi Tom,

some constructive criticism, if you so allow:

I can see a lot of repetition here, you might
profit a lot from mod_macro

[snip]
> <LocationMatch ^(?!/errors/)>
> SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
> SSLVerifyClient optional
> </LocationMatch>

It seems sensible to set this in server context, so you
don't have to repeat it over and over again.

[snip]

> This is httpd 2.2.21 btw
>
> Cheers
>
> Tom

i


--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic [at] brainsware
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE


tevans.uk at googlemail

Apr 17, 2012, 8:27 AM

Post #13 of 13 (412 views)
Re: Why aren't name-based vhosts not working properly under SSL? [In reply to]

2012/4/17 Igor Galić <i.galic [at] brainsware>:
> Hi Tom,
>
> some constructive criticism, if you so allow:

Thanks, I don't actually have a problem with my config. The OP
questioned whether my cut-down version of the config actually did use
different ServerRoot, etc, so I posted a more complete example.

>
> I can see a lot of repetition here, you might
> profit a lot from mod_macro

No thanks! I prefer a little repetition over magic and indirection.

>
> [snip]
>>     <LocationMatch ^(?!/errors/)>
>>         SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
>>         SSLVerifyClient optional
>>     </LocationMatch>
>
> It seems sensible to set this in server context, so you
> don't have to repeat it over and over again.

Those three are not the only vhosts, and the alias is not relevant
outside those three vhosts.

Cheers

Tom
