multiple ssl virtual hosts on apache - apache

I want to configure two virtual hosts with their own ssl certificates on apache (apache 2.2.22 and openssl 1.0.1, debian 7.6). I've found many articles about SNI, but still can't configure it properly. Here's my config:
ports.conf
NameVirtualHost *:80
NameVirtualHost *:443
Listen 80
<IfModule mod_ssl.c>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
test1-ssl
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName test1.com
DocumentRoot /var/www/test1
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/test1.crt
SSLCertificateKeyFile /etc/apache2/ssl/test1.key
</VirtualHost>
</IfModule>
test2-ssl
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName test2.test.pl
DocumentRoot /var/www/test2
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/test2.crt
SSLCertificateKeyFile /etc/apache2/ssl/test2.key
</VirtualHost>
</IfModule>
Domain https://test1.com works properly (with its own certificate).
Domain https://test2.test.pl displays content of domain test1.com and uses test1 ssl certificate instead of test2.crt (as it is defined in config file test2-ssl).
Any ideas,sugestions very appreciated.
Kind regards,
and thanks in advance!

After little more searching it turns out that it's possible (https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm). My only problem was two separate configuration files for domains... when I configure virtualhost for domains in one config file it worked.

In my use case, I had 2 certificates, one wildcard and one not.
I put on a single file both configs:
<VirtualHost *.wildcard.com:443>
....
<VirtualHost normal.com:443>
...
but didn't work. The solution was this:
<VirtualHost *:443>
....
<VirtualHost *:443>
...
for both domains, provided that on every virtualhost definition you add the desired ServerName and ServerAlias:
ServerName normal.com
ServerAlias www.normal.com
ServerAlias m.normal.com
etc

Related

Apache: Central Virtual Host configuration per domain

I'm having some problems configuring multiple domains in my apache instance.
I have 2 domains: a.com and b.com
I only want to configure the cert files once, so i have a configuration for a.com and b.com. But if i have something like this:
<VirtualHost *:443>
ServerName a.com
ServerAlias www.a.com *.a.com
SSLEngine On
SSLCertificateFile /path/fullchain-a.pem
SSLCertificateKeyFile /path/privkey-a.pem
</VirtualHost>
<VirtualHost *:443>
ServerName b.com
ServerAlias www.b.com *.b.com
SSLEngine On
SSLCertificateFile /path/fullchain-b.pem
SSLCertificateKeyFile /path/privkey-b.pem
</VirtualHost>
it wont allow me to define subdomains in seperate configuration files. Because of the whole wildcard stuff, it just doesn't care about the following vhosts.
Is there a way to configure the certificates centrally so all subdomain vhosts will automatically default to them, without having to specify the whole path in each and every subdomain config?
So i just need to do this:
<VirtualHost *:443>
ServerName subdomain.b.com
DocumentRoot /var/www/html-b
</VirtualHost>
<VirtualHost *:443>
ServerName subdomain.a.com
DocumentRoot /var/www/html-a
</VirtualHost>
<VirtualHost *:443>
ServerName test.a.com
ServerAlias test.b.com
DocumentRoot /var/www/shared-html
</VirtualHost>
or do i need to specify the certificate paths for each subdomain?
I tried using multiple default vhosts, but it would always default to the fist one.

Running SSL and non-SSL sites simultaneously with MAMP (4.0.6)

To enable SSL, I've uncommented this line in httpd.conf:
# Secure (SSL/TLS) connections
Include /Applications/MAMP/conf/apache/extra/httpd-ssl.conf
The httpd-ssl.conf file itself I've left untouched, and created .crt and .key files for a self-signed SSL certificate in the places it's expecting to see them by default:
SSLCertificateFile "/Applications/MAMP/conf/apache/server.crt"
SSLCertificateKeyFile "/Applications/MAMP/conf/apache/server.key"
Back in the main httpd.conf, I've created a VirtualHost for a site I want to use SSL, and configured like this to eventually get it working:
NameVirtualHost *
<VirtualHost *>
DocumentRoot "/Users/jonnott/Documents/sslsite1.dev"
ServerName sslsite1.dev:443
ServerAlias www.sslsite1.dev
SSLEngine on
SSLCertificateFile "/Applications/MAMP/conf/apache/server.crt"
SSLCertificateKeyFile "/Applications/MAMP/conf/apache/server.key"
</VirtualHost>
This SSL site now works fine.
However, the problem I have is that now whenever I try to visit any local non-SSL hosts, I get this error:
Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
These other non-SSL sites are configured in httpd.conf like this:
<VirtualHost *>
DocumentRoot "/Users/jonnott/Documents/site2.dev"
ServerName site2.dev
ServerAlias www.site2.dev
</VirtualHost>
What am I missing / doing wrong?
I think I've pretty much figured it out after reading this:
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts2
I needed BOTH of these in my httpd.conf before the start of my VirtualHost directives:
NameVirtualHost *:80
NameVirtualHost *:443
..and then each VirtualHost needed to be port-specific:
<VirtualHost *:80>
DocumentRoot "/Users/jonnott/Documents/Projects/site1"
ServerName site1.dev:80
</VirtualHost>
<VirtualHost *:443>
DocumentRoot "/Users/jonnott/Documents/Projects/site1"
ServerName site1.dev:443
SSLEngine on
SSLCertificateFile "/Applications/MAMP/conf/apache/server.crt"
SSLCertificateKeyFile "/Applications/MAMP/conf/apache/server.key"
</VirtualHost>

Redirect HTTP to HTTPS Apache2

im trying to redirect http to https.
I've found a lot answers, but nothing works for me.
I dont know why, maybe its a apache2 config error?
I tryin it also in the .htaccess and there also nothing happens.
Just this Error:
Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Here's my Virtual Host File.
#Redirect HTTP TO HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}/%$1 [R,L]
#VHOSTS
<VirtualHost *:443>
Servername www.latoya.eu
ServerAlias latoya.eu www.latoya.eu
Documentroot /var/www/latoya
ErrorLog /path/to/log/error.log
CustomLog /path/to/log/access.log combined
SSLEngine on
SSLCertificateFile /path/to/ssl/files/pem.crt
SSLCertificateKeyFile /path/to/ssl/files/private.key
SSLCertificateChainFile /path/to/ssl/files/pem.ca-bundle
</VirtualHost>
<VirtualHost *:443>
Servername board.latoya.eu
Documentroot /var/www/latoya
ErrorLog /path/to/log/error.log
CustomLog /path/to/log/access.log combined
SSLEngine on
SSLCertificateFile /path/to/ssl/files/pem.crt
SSLCertificateKeyFile /path/to/ssl/files/private.key
SSLCertificateChainFile /path/to/ssl/files/pem.ca-bundle
</VirtualHost>
<VirtualHost *:443 *:80>
Servername secure.latoya.eu
Documentroot /var/www/latoya
ErrorLog /path/to/log/error.log
CustomLog /path/to/log/access.log combined
SSLEngine on
SSLCertificateFile /path/to/ssl/files/pem.crt
SSLCertificateKeyFile /path/to/ssl/files/private.key
SSLCertificateChainFile /path/to/ssl/files/pem.ca-bundle
</VirtualHost>
<VirtualHost *:80 *:443>
Servername static.kritzelpixel.com
Documentroot /var/www/static.kritzelpixel.com
ErrorLog /path/to/log/error.log
CustomLog /path/to/log/access.log combined
SSLCertificateFile /path/to/ssl/files/pem.crt
SSLCertificateKeyFile /path/to/ssl/files/private.key
SSLCertificateChainFile /path/to/ssl/files/pem.ca-bundle
</VirtualHost>
Using "VirtualHost *:80 *:443" or the opposite in the same virtualhost tag is completely incorrect since one virtualhost can't be SSL and not be SSL at the same time.
The fact that Apache HTTPD is not screaming in pain about it is because you "can" use different ports in the same virtualhost but that was certainly not designed to have a SSL port and a non-SSL port together.
So my suggestion is you correct your configuration to look sane, that is, having specific virtualhost *:80 and virtualhost *:443 separately.
In the VirtualHost *:80 entries you can then Redirect / https://example.com/ with the specific hostnames for your case to redirect from 80 to 443 a single line and without the need to use mod_rewrite.
To redirect to SSL mod_rewrite is not needed and overkill.
Briefly:
<VirtualHost *:80>
ServerName example.com
Redirect / https://example.com/
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
SSLEngine on
#other directives here
</VirtualHost>
And the same with the rest of the names if they have different configurations.

Wildcard SSL with Multiple Domains

I have a CentOS/Apache+OpenSSL server. I host two domain names with wildcard sub domains (application logic surfaces the correct site), e.g.
https://*.testing1.com
https://*.testing2.com
It works great over HTTP:-
<VirtualHost *:80>
# Admin email, Server Name (domain name) and any aliases
ServerAdmin webmaster#testing1.com
ServerName testing1.com
ServerName testing2.com
ServerAlias *.testing1.com *.testing2.com
# Index file and Document Root (where the public files are located)
DirectoryIndex index.html index.php
DocumentRoot /home/app/public_html/public
</VirtualHost>
I've purchased two Wildcard SSL certificated for both testing1.com and testing2.com, but I'm unsure how to set it up in this structure:-
<VirtualHost *.testing1.com:443>
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/*.testing1.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/*.testing1.com.key
SSLCACertificateFile /etc/httpd/ssl/geotrust.cer
ServerAdmin john#testing1.com
ServerName testing1.com
ServerAlias *.testing1.com
DirectoryIndex index.html index.php
DocumentRoot /home/app/public_html/public
</VirtualHost>
<VirtualHost *.testing2.com:443>
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/*.testing2.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/*.testing2.com.key
SSLCACertificateFile /etc/httpd/ssl/geotrust.cer
ServerAdmin john#testing2.com
ServerName testing2.com
ServerAlias *.testing2.com
DirectoryIndex index.html index.php
DocumentRoot /home/app/public_html/public
</VirtualHost>
The above for the SSL doesn't work, with the *.testing1.com definition, nor with just testing1.com.
I will also need to repeat this for testing2.com
Name-based virtualhosts and SSL wil only work if all the virtualhosts are within the same domain and you have a wildcard SSL certificate for that domain.
But you have 2 different domains.
In this case it will only work if you give each SSL-enabled virtualhost it's own IPaddress.
So you should use IP-based virtualhosts, not Name-based.
Explanation:
The ServerName which is requested, is contained in the HTTP request headers, but before that the SSL encryption must be already setup. So the ServerName is only available after the encryption has been setup. Therefore Apache can never know which SSL certificate te serve up and wil just use the first one available on that particular IPaddress.
With the single dedicated IP we can configure domain-based wildcard SSL in centos + apache2.2 server.
Hope the configurations below will help you guys!!
NameVirtualHost IP:80
NameVirtualHost IP:443
Domain 1
<VirtualHost IP:80>
ServerName abc.domain1.com
DocumentRoot /var/www/html/domain1
</VirtualHost>
<VirtualHost IP:443>
ServerName *.domain1.com
DocumentRoot /var/www/html/domain1
SSLEngine On
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /var/www/html/domain1/cert/5465456.crt
SSLCertificateKeyFile /var/www/html/domain1/cert/domain1.com.key
SSLCertificateChainFile /var/www/html/domain1/cert/g2-g1.crt
</VirtualHost>
Domain 2
<VirtualHost IP:80>
ServerName abc.domain2.com
DocumentRoot /var/www/html/domain2
</VirtualHost>
<VirtualHost IP:443>
ServerName abc.domain2.com
DocumentRoot /var/www/html/domain2
SSLEngine On
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /var/www/html/domain2/cert/5465456.crt
SSLCertificateKeyFile /var/www/html/domain2/cert/domain1.com.key
SSLCertificateChainFile /var/www/html/domain2/cert/g2-g1.crt
</VirtualHost>

Same server, both SSL and non-SSL

Is it possible to have both SSL protocol and non-SSL protocol running on the same server in Apache 2.x?
So if I access http://example.com (non-SSL) and https://example.com (SSL) they would both be available.
If so, would I need to create a virtual host? How would this VirtualHost directive look like, could anyone give me an example? (Assuming I already have the certificates)
Yes, you simply add another VirtualHost for the same name on port 443 (HTTPS).
Set SSLProtocol to whichever protocols you wish to allow.
<VirtualHost *:80>
ServerName your-domain.com
DocumentRoot /var/www/your-domain-root
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/your-domain-root
ServerName your-domain.com
SSLEngine On
SSLOptions +StrictRequire
SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /path/to/server.key
SSLProtocol TLSv1
</VirtualHost>