Mailing List Archive: Apache: Dev

Why aren't name-based vhosts not working properly under SSL?

Index | Next | Previous | View Threaded

mi+thun at aldan

Apr 16, 2012, 8:34 AM

Post #1 of 13 (455 views)
Permalink

Why aren't name-based vhosts not working properly under SSL?

If the SSL-certificate is the same for all named vhosts configured for the given
IP-address/port-number combination, why can not the vhosts have different
DocumentRoots and other settings?

Thank you. Yours,

-mi

h.reindl at thelounge

Apr 16, 2012, 8:39 AM

Post #2 of 13 (442 views)
Permalink

Re: Why aren't name-based vhosts not working properly under SSL? [In reply to]

Am 16.04.2012 17:34, schrieb Mikhail T.:
> If the SSL-certificate is the same for all named vhosts configured for the given IP-address/port-number
> combination, why can not the vhosts have different DocumentRoots and other settings?

because SSL was misdesigned years ago and the Host-Header
is also sent encrypted, so the server can not know for
with hostname the ssl-handshake is and since he knows
the Hostname AFTER handshake it is too late

Attachments:

signature.asc (0.26 KB)

tevans.uk at googlemail

Apr 16, 2012, 8:40 AM

Post #3 of 13 (442 views)
Permalink

Re: Why aren't name-based vhosts not working properly under SSL? [In reply to]

On Mon, Apr 16, 2012 at 4:34 PM, Mikhail T. <mi+thun [at] aldan> wrote:
> If the SSL-certificate is the same for all named vhosts configured for the
> given IP-address/port-number combination, why can not the vhosts have
> different DocumentRoots and other settings?
>
> Thank you. Yours,
>
> -mi
>

They can. Excerpt from my httpd.conf:

NameVirtualHost *:443

<VirtualHost *:443>
ServerName rc.xxxxxx.com
SSLEngine on
SSLCertificateFile /etc/ssl/star.xxxxxx.com/apache.crt
</VirtualHost>

<VirtualHost *:443>
ServerName sab.xxxxxx.com
SSLEngine on
SSLCertificateFile /etc/ssl/star.xxxxxx.com/apache.crt
</VirtualHost>

<VirtualHost *:443>
ServerName svn.xxxxxx.com
SSLEngine on
SSLCertificateFile /etc/ssl/star.xxxxxx.com/apache.crt
</VirtualHost>

Cheers

Tom

mi+thun at aldan

Apr 16, 2012, 8:51 AM

Post #4 of 13 (442 views)
Permalink

Re: Why aren't name-based vhosts not working properly under SSL? [In reply to]

On 16.04.2012 11:40, Tom Evans wrote:
> They can. Excerpt from my httpd.conf:
Your excerpt does not show different DocumentRoots -- nor any other settings...
Could you show more contents? What is the Apache version you are using? In all
my attempts, Apache a) issues a pointless warning about multiple SSL vhosts on
the same IP/port; b) uses the settings (including DocumentRoot) from the first
vhost encountered for all of them.

On 16.04.2012 11:39, Reindl Harald wrote:
> because SSL was misdesigned years ago and the Host-Header is also sent
> encrypted, so the server can not know for with hostname the ssl-handshake is
> and since he knows the Hostname AFTER handshake it is too late
No, this does not answer my question. In my scenario the SSL-certificate is the
same for all vhosts concerned. So Apache could use that certificate to establish
the SSL connection, and then parse the Host:-header to determine, which group of
other (non-SSL) settings to apply to the request. But Apache does not do that --
not in 2.2.22.

Is this an omission, that can and should be fixed, or am I missing something
else? Thanks!

-mi

covener at gmail

Apr 16, 2012, 8:55 AM

Post #5 of 13 (443 views)
Permalink

Re: Why aren't name-based vhosts not working properly under SSL? [In reply to]

> No, this does not answer my question. In my scenario the SSL-certificate is
> the same for all vhosts concerned. So Apache could use that certificate to
> establish the SSL connection, and then parse the Host:-header to determine,
> which group of other (non-SSL) settings to apply to the request. But Apache
> does not do that -- not in 2.2.22.
>
> Is this an omission, that can and should be fixed, or am I missing something
> else? Thanks!

Got a pointer to your configuration?

mi+thun at aldan

Apr 16, 2012, 9:07 AM

Post #6 of 13 (443 views)
Permalink

Re: Why aren't name-based vhosts not working properly under SSL? [In reply to]

On 16.04.2012 11:55, Eric Covener wrote:
> Got a pointer to your configuration?
Well, the real one I was designing now uses a work-around (single vhost with
mod_rewrite examining the Host-header and picking the proper subdirectore). Here
is a mock one, that I'd rather be using -- instead of messing with mod_rewrite:

Listen: 443

# Common settings for all:
SSLCertificateFile conf/ssl.crt/everywhere.cer
SSLCertificateKeyFile conf/ssl.key/everywhere.key
SSLCertificateChainFile conf/ssl.crt/Comodo-intermediate.cer

<VirtualHost *:443>

ServerName drupal6
ServerAlias project1.example.com
ServerAlias project2.example.net
DocumentRoot /www/drupal6

</VirtualHost>

<VirtualHost *:443>

ServerName drupal7
ServerAlias project3.example.com
ServerAlias project4.example.net
DocumentRoot /www/drupal7

</VirtualHost>

Older projects 1 and 2 use Drupal-6, while the new projects 3 and 4 -- Drupal-7.
Yours,

-mi

tevans.uk at googlemail

Apr 16, 2012, 9:21 AM

Post #7 of 13 (445 views)
Permalink

Re: Why aren't name-based vhosts not working properly under SSL? [In reply to]

On Mon, Apr 16, 2012 at 4:51 PM, Mikhail T. <mi+thun [at] aldan> wrote:
> On 16.04.2012 11:40, Tom Evans wrote:
>
> They can. Excerpt from my httpd.conf:
>
> Your excerpt does not show different DocumentRoots -- nor any other
> settings... Could you show more contents? What is the Apache version you are
> using? In all my attempts, Apache a) issues a pointless warning about
> multiple SSL vhosts on the same IP/port; b) uses the settings (including
> DocumentRoot) from the first vhost encountered for all of them.
>

Er, OK:

NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:443>
ServerName rc.xxxxxx.com

SSLEngine on
SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/ssl/xxxxxx/star.xxxxxx.com/apache.crt
SSLCertificateKeyFile /etc/ssl/xxxxxx/star.xxxxxx.com/apache.key
SSLCACertificateFile /etc/ssl/xxxxxx/ca.crt
ErrorDocument 403 /errors/certneeded.html
Alias /errors /usr/local/etc/apache22/xxxxxxerrors
SSLVerifyClient optional

<LocationMatch ^(?!/errors/)>
SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
SSLVerifyClient optional
</LocationMatch>

SSLVerifyDepth 1
SSLCARevocationFile /etc/ssl/xxxxxx/ca.crl
SSLOptions +StdEnvVars
SSLUserName SSL_CLIENT_S_DN_Email
RequestHeader set X-SSL-Enabled 1

DocumentRoot /usr/home/tom/projects/rc/htdocs

<Directory /usr/home/tom/projects/rc/htdocs>
Order allow,deny
Allow from all
</Directory>

#CustomLog /var/log/httpd-ssl-rc.log "%t %h %{SSL_PROTOCOL}x
%{SSL_CIPHER}x \"%r\" %b"

SetEnv proxy-nokeepalive 1

RewriteEngine on
RewriteCond %{REQUEST_URI} !^/favicon.ico
RewriteCond %{REQUEST_URI} !^/media
RewriteCond %{REQUEST_URI} !^/amedia
RewriteCond %{REQUEST_URI} !^/errors
RewriteRule ^/(.*)$ /rc.fcgi/$1 [QSA,L]

FastCGIExternalServer /usr/home/tom/projects/rc/htdocs/rc.fcgi
-socket /usr/home/tom/projects/rc/run/rc.socket
</VirtualHost>

<VirtualHost *:443>
ServerName sab.xxxxxx.com

SSLEngine on
SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/ssl/xxxxxx/star.xxxxxx.com/apache.crt
SSLCertificateKeyFile /etc/ssl/xxxxxx/star.xxxxxx.com/apache.key
SSLCACertificateFile /etc/ssl/xxxxxx/ca.crt
SSLVerifyClient optional

ErrorDocument 403 /errors/certneeded.html
Alias /errors /usr/local/etc/apache22/xxxxxxerrors

<LocationMatch ^(?!/errors/)>
SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
SSLVerifyClient optional
</LocationMatch>

SSLVerifyDepth 1
SSLCARevocationFile /etc/ssl/xxxxxx/ca.crl
SSLUserName SSL_CLIENT_S_DN_Email
SSLOptions +StdEnvVars
RequestHeader set X-SSL-Enabled 1

DocumentRoot /var/empty

<Directory /var/empty>
Order allow,deny
Allow from all
</Directory>

ProxyPass /errors !
ProxyPass / http://ethan.xxxxxx.com:8085/sabnzbd/ retry=0
ProxyPassReverse / http://ethan.xxxxxx.com:8085/sabnzbd/
SetEnv proxy-nokeepalive 1
</VirtualHost>

<VirtualHost *:443>
ServerName svn.xxxxxx.com

SSLEngine on
SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/ssl/xxxxxx/star.xxxxxx.com/apache.crt
SSLCertificateKeyFile /etc/ssl/xxxxxx/star.xxxxxx.com/apache.key
SSLCACertificateFile /etc/ssl/xxxxxx/ca.crt
SSLVerifyClient optional

ErrorDocument 403 /errors/certneeded.html
Alias /errors /usr/local/etc/apache22/xxxxxxerrors

<Location />
DAV svn
SVNPath /tank/svn/repos/devel
</Location>

<LocationMatch ^(?!/errors/)>
SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
SSLVerifyClient optional
</LocationMatch>

SSLVerifyDepth 1
SSLCARevocationFile /etc/ssl/xxxxxx/ca.crl
SSLUserName SSL_CLIENT_S_DN_Email
</VirtualHost>

This is httpd 2.2.21 btw

Cheers

Tom

ruediger.pluem at vodafone

Apr 16, 2012, 9:24 AM

Post #8 of 13 (444 views)
Permalink

RE: Why aren't name-based vhosts not working properly under SSL? [In reply to]

Without a NameVirtualHost directive this cannot work as you intend.
Add NameVirtualHost *:433

Regards

R�diger

From: Mikhail T. [mailto:mi+thun [at] aldan]
Sent: Montag, 16. April 2012 18:07
To: dev [at] httpd; covener [at] gmail
Subject: Re: Why aren't name-based vhosts not working properly under SSL?

On 16.04.2012 11:55, Eric Covener wrote:

Got a pointer to your configuration?
Well, the real one I was designing now uses a work-around (single vhost with mod_rewrite examining the Host-header and picking the proper subdirectore). Here is a mock one, that I'd rather be using -- instead of messing with mod_rewrite:
Listen: 443

# Common settings for all:
SSLCertificateFile conf/ssl.crt/everywhere.cer
SSLCertificateKeyFile conf/ssl.key/everywhere.key
SSLCertificateChainFile conf/ssl.crt/Comodo-intermediate.cer

<VirtualHost *:443>
ServerName drupal6
ServerAlias project1.example.com
ServerAlias project2.example.net
DocumentRoot /www/drupal6
</VirtualHost>

<VirtualHost *:443>
ServerName drupal7
ServerAlias project3.example.com
ServerAlias project4.example.net
DocumentRoot /www/drupal7
</VirtualHost>
Older projects 1 and 2 use Drupal-6, while the new projects 3 and 4 -- Drupal-7. Yours,
-mi

margol at beamartyr

Apr 16, 2012, 9:25 AM

Post #9 of 13 (445 views)
Permalink

Re: Why aren't name-based vhosts not working properly under SSL? [In reply to]

Are you sure that your client supports SNI?

On 16/04/2012 19:21, Tom Evans wrote:
> On Mon, Apr 16, 2012 at 4:51 PM, Mikhail T. <mi+thun [at] aldan> wrote:
>> On 16.04.2012 11:40, Tom Evans wrote:
>>
>> They can. Excerpt from my httpd.conf:
>>
>> Your excerpt does not show different DocumentRoots -- nor any other
>> settings... Could you show more contents? What is the Apache version you are
>> using? In all my attempts, Apache a) issues a pointless warning about
>> multiple SSL vhosts on the same IP/port; b) uses the settings (including
>> DocumentRoot) from the first vhost encountered for all of them.
>>
> Er, OK:
>
> NameVirtualHost *:80
> NameVirtualHost *:443
>
>
> <VirtualHost *:443>
> ServerName rc.xxxxxx.com
>
> SSLEngine on
> SSLCipherSuite
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateFile /etc/ssl/xxxxxx/star.xxxxxx.com/apache.crt
> SSLCertificateKeyFile /etc/ssl/xxxxxx/star.xxxxxx.com/apache.key
> SSLCACertificateFile /etc/ssl/xxxxxx/ca.crt
> ErrorDocument 403 /errors/certneeded.html
> Alias /errors /usr/local/etc/apache22/xxxxxxerrors
> SSLVerifyClient optional
>
> <LocationMatch ^(?!/errors/)>
> SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
> SSLVerifyClient optional
> </LocationMatch>
>
> SSLVerifyDepth 1
> SSLCARevocationFile /etc/ssl/xxxxxx/ca.crl
> SSLOptions +StdEnvVars
> SSLUserName SSL_CLIENT_S_DN_Email
> RequestHeader set X-SSL-Enabled 1
>
> DocumentRoot /usr/home/tom/projects/rc/htdocs
>
> <Directory /usr/home/tom/projects/rc/htdocs>
> Order allow,deny
> Allow from all
> </Directory>
>
> #CustomLog /var/log/httpd-ssl-rc.log "%t %h %{SSL_PROTOCOL}x
> %{SSL_CIPHER}x \"%r\" %b"
>
> SetEnv proxy-nokeepalive 1
>
> RewriteEngine on
> RewriteCond %{REQUEST_URI} !^/favicon.ico
> RewriteCond %{REQUEST_URI} !^/media
> RewriteCond %{REQUEST_URI} !^/amedia
> RewriteCond %{REQUEST_URI} !^/errors
> RewriteRule ^/(.*)$ /rc.fcgi/$1 [QSA,L]
>
> FastCGIExternalServer /usr/home/tom/projects/rc/htdocs/rc.fcgi
> -socket /usr/home/tom/projects/rc/run/rc.socket
> </VirtualHost>
>
>
> <VirtualHost *:443>
> ServerName sab.xxxxxx.com
>
> SSLEngine on
> SSLCipherSuite
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateFile /etc/ssl/xxxxxx/star.xxxxxx.com/apache.crt
> SSLCertificateKeyFile /etc/ssl/xxxxxx/star.xxxxxx.com/apache.key
> SSLCACertificateFile /etc/ssl/xxxxxx/ca.crt
> SSLVerifyClient optional
>
> ErrorDocument 403 /errors/certneeded.html
> Alias /errors /usr/local/etc/apache22/xxxxxxerrors
>
> <LocationMatch ^(?!/errors/)>
> SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
> SSLVerifyClient optional
> </LocationMatch>
>
> SSLVerifyDepth 1
> SSLCARevocationFile /etc/ssl/xxxxxx/ca.crl
> SSLUserName SSL_CLIENT_S_DN_Email
> SSLOptions +StdEnvVars
> RequestHeader set X-SSL-Enabled 1
>
> DocumentRoot /var/empty
>
> <Directory /var/empty>
> Order allow,deny
> Allow from all
> </Directory>
>
> ProxyPass /errors !
> ProxyPass / http://ethan.xxxxxx.com:8085/sabnzbd/ retry=0
> ProxyPassReverse / http://ethan.xxxxxx.com:8085/sabnzbd/
> SetEnv proxy-nokeepalive 1
> </VirtualHost>
>
> <VirtualHost *:443>
> ServerName svn.xxxxxx.com
>
> SSLEngine on
> SSLCipherSuite
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateFile /etc/ssl/xxxxxx/star.xxxxxx.com/apache.crt
> SSLCertificateKeyFile /etc/ssl/xxxxxx/star.xxxxxx.com/apache.key
> SSLCACertificateFile /etc/ssl/xxxxxx/ca.crt
> SSLVerifyClient optional
>
> ErrorDocument 403 /errors/certneeded.html
> Alias /errors /usr/local/etc/apache22/xxxxxxerrors
>
> <Location />
> DAV svn
> SVNPath /tank/svn/repos/devel
> </Location>
>
> <LocationMatch ^(?!/errors/)>
> SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
> SSLVerifyClient optional
> </LocationMatch>
>
> SSLVerifyDepth 1
> SSLCARevocationFile /etc/ssl/xxxxxx/ca.crl
> SSLUserName SSL_CLIENT_S_DN_Email
> </VirtualHost>
>
> This is httpd 2.2.21 btw
>
> Cheers
>
> Tom

tevans.uk at googlemail

Apr 16, 2012, 9:27 AM

Post #10 of 13 (443 views)
Permalink

Re: Why aren't name-based vhosts not working properly under SSL? [In reply to]

On Mon, Apr 16, 2012 at 5:25 PM, Issac Goldstand <margol [at] beamartyr> wrote:
> Are you sure that your client supports SNI?
>

This is not reliant on SNI.

Cheers

Tom

mi+thun at aldan

Apr 16, 2012, 9:34 AM

Post #11 of 13 (444 views)
Permalink

Re: Why aren't name-based vhosts not working properly under SSL? [In reply to]

On 16.04.2012 12:24, Pl�m, R�diger, Vodafone Group wrote:
>
> Without a NameVirtualHost directive this cannot work as you intend.
>
> Add NameVirtualHost *:433
>
I see... I thought, I'm already giving Apache all the information it needs,
though (with ServerAlias directives)... But if spelling-out the NameVirtualHost
is all I need to add, that works for me...

Thank you! Yours,

-mi

i.galic at brainsware

Apr 17, 2012, 8:17 AM

Post #12 of 13 (413 views)
Permalink

Re: Why aren't name-based vhosts not working properly under SSL? [In reply to]

----- Original Message -----
> On Mon, Apr 16, 2012 at 4:51 PM, Mikhail T.
> <mi+thun [at] aldan> wrote:
> > On 16.04.2012 11:40, Tom Evans wrote:
> >
> > They can. Excerpt from my httpd.conf:
> >
> > Your excerpt does not show different DocumentRoots -- nor any other
> > settings... Could you show more contents? What is the Apache
> > version you are
> > using? In all my attempts, Apache a) issues a pointless warning
> > about
> > multiple SSL vhosts on the same IP/port; b) uses the settings
> > (including
> > DocumentRoot) from the first vhost encountered for all of them.
> >
>
> Er, OK:

Hi Tom,

some constructive criticism, if you so allow:

I can see a lot of repetition here, you might
profit a lot from mod_macro

[snip]
> <LocationMatch ^(?!/errors/)>
> SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
> SSLVerifyClient optional
> </LocationMatch>

It seems sensible to set this in server context, so you
don't have to repeat it over and over again.

[snip]

> This is httpd 2.2.21 btw
>
> Cheers
>
> Tom

i

--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic [at] brainsware
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE

tevans.uk at googlemail

Apr 17, 2012, 8:27 AM

Post #13 of 13 (413 views)
Permalink

Re: Why aren't name-based vhosts not working properly under SSL? [In reply to]

2012/4/17 Igor Galić <i.galic [at] brainsware>:
> Hi Tom,
>
> some constructive criticism, if you so allow:

Thanks, I don't actually have a problem with my config. The OP
questioned whether my cut-down version of the config actually did use
different ServerRoot, etc, so I posted a more complete example.

>
> I can see a lot of repetition here, you might
> profit a lot from mod_macro

No thanks! I prefer a little repetition over magic and indirection.

>
> [snip]
>> <LocationMatch ^(?!/errors/)>
>> SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
>> SSLVerifyClient optional
>> </LocationMatch>
>
> It seems sensible to set this in server context, so you
> don't have to repeat it over and over again.

Those three are not the only vhosts, and the alias is not relevant
outside those three vhosts.

Cheers

Tom

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads