I'm setting up a redirect server where users can input an alternate domain name, point DNS to my server, and configure it to redirect to their servers. My plan is to use the default virtual host in Apache to handle all the requests, route everything to a web application that looks up the place to redirect in a database.
I'd like to support HTTPS, but I can't figure a way to dynamically specify the certificate and key for each site. The only way that I know of configuring HTTPS is by putting directives for SSH certs and keys into a virtual host specific to that domain name. I'd like to store the certificates and keys in the database along with the domain name and have Apache call my web app during the SNI handshake.
Is it possible to have flexible, dynamic SNI under Apache?
Related
Is it possible to configure a vhost on httpd that accepts any domain received and proxies to the actual website? Like subdomain wildcard but for the domain.
I'm assuming that tools like Squid Proxy can do this just fine, I'm just curious if it can be done with apache.
Sure that is possible, but you don't even need a proxy for that. The apache http server offers the concept of a "default virtual host". Which is exactly what you want: that host is responsible to respond to incoming requests to http hosts that do not have a specific configuration.
The default typically simply is the first of all hosts defined inside an apache http server.
An alternative I personally use is to setup the virtual hosts by just a basic configuration (name, admin and the like), but to include the actual content configuration (DocumentRoot and rewriting stuff) from a separate file). That way you can easily share the same setup between many virtual hosts but still have individual configuration options per domain, subdomain, http host, however you want to call that (there is no difference for the http server anyway, it is all http hosts).
I have a HTTPS website hosted by IIS. In this site I embed another HTPPS website within a iframe. The content of this iframe is hosted by Apache. Both servers, IIS and Apache, are on the same server.
Do we need to have the same SSL certificates on both webservers?
The first listens on port 8443 and the second one on port 443. Do we need to separate public IPs? Is there another way to root internally?
How would be the proper setup having two different webservers (IIS, embeded Apache) and only one external IP?
Do we need to have the same SSL certificates on both webservers?
No, you could bind different SSL certifcate if you bind different domain for your IIS or apache server.
The first listens on port 8443 and the second one on port 443. Do we need to separate public IPs? Is there another way to root internally?
No, we access the site by using the same ip with different ports.
How would be the proper setup having two different webservers (IIS, embeded Apache) and only one external IP?
In my opinion, the only things is that you should make sure the port is free for each web server.
For example, if IIS use 80, the Apache couldn't use 80.
I have a site where i have ssl created by letsencrypt, but there is a problem with no sni ssl. Is it confugired ok?
https://www.ssllabs.com/ssltest/analyze.html?d=watcheds.com
Site looks good https://watcheds.com .
I
Your site is almost certainly hosted on a virtual host with many other sites on the same IP address. As such, HTTPS won't work without SNI because the server can't know which virtual host the client wants to connect to. The raw data in a TCP connection only has the IP address and port. The HTTP data is all in the packet content, which is encrypted in HTTPS.
SNI access works via HTTPS because the desired site is passed unencrypted and in the clear, allowing the server to properly route the incoming connection without access to your site's private SSL keys. Without SNI, the server would need to decrypt the incoming HTTPS request before knowing where to route it, and this would require the server to have access to your site's private keys.
And if the server were hosting many virtual hosts, without something like SNI it wouldn't know which set of private keys to use...
I have an application written in Symfony2 which basically is a website builder. There are many domains pointing to the server IP, the php app inspects the request and displays the contents associated to that domain.
Is there a way to install ssl certificates on Apache for every domain, every domain should have its own certificate, whithout having any Virtuahost?
Apache is configured to answer to every request on port 80 and 443
Apache permits only 1 certificate per configured host.
So to achieve your goals, you will either need to use a multidomain certificate and include all domain in that certificate. By default, most vendors limit you to 100 domains per certificate. Note that www.domain.com and domain.com count as 2 different domains for the purpose of multi-domain certificates.
https://wiki.apache.org/httpd/UnderstandingMultiUseSSLCertificates
Otherwise, you will need to configure Vhosts for each domain. Depending on your OS, you may be able to use SNI with Apache so you don't need unique IPs for each domain.
https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
I am trying to host 2 sites on a single IP address and they need to be accessed via SSL however the majority of my users use Internet Explorer on Windows XP meaning using multiple SSLs with SNI may prevent them getting access.
I was wondering if I could use a multiple virtual hosts but still use a single SSL certificate and avoid SNI ?
Alternatively how feasible is it for me to install two Apache webserver instances, each its own DocumentRoot and own SSL certificate and for me to simply use the first Apache webserver as an entry point to entertain some requests and to redirect others to the other SSLed Apache instance ?
Could I potentially use the Windows Host file (Windows 2008 Server) to redirect incoming requests to the intended Apache Server instead of using VirtualHosts ?
Apologies if I have confused concepts.
You can try to purchase an X.509 certificate with two domains in it. I don't know what particular CAs do this, but I also don't see why they would refuse. You need to ask their support, though.
Your idea to redirect some requests to another server residing on a different port sounds good as well, though you will have to use two different certificates for different domain names, of course.
Finally if your second domain can be something like additional.mydomain.com , you have greater chance to buy a certificate issued for mydomain.com + www.mydomain.com + additional.mydomain.com (this can be a wildcard certificate or a certificate with additional subdomain names).