In Apache web server, when using name-based virtual hosting you can use either the IP or the actual domain name in the VirtualHost directive.
(Name-based virtual hosting on Debian is enabled via /etc/apache/ports.conf through NameVirtualHost <ip>:<port> statement, where <port> has to be the same one as in a Listen directive.)
So, then this:
<VirtualHost 10.0.0.1:80>
...
or this:
<VirtualHost sub.domain.tld:80>
...
will equally work.
What are the differences, and which approach should be preferred?
Using an IP address is preferred so that your config can be parsed even if DNS resolution fails.
You can use the ServerName directive to control which hostname the VirtualHost block applies to, without triggering a DNS resolution:
<VirtualHost 10.0.0.1:80>
ServerName sub.domain.tld
...
</VirtualHost>
http://httpd.apache.org/docs/current/dns-caveats.html has more examples of good and bad practice.
Related
I have two entries in my DNS: www.domain.tld and svn.domain.tld
Both point to my company's public IP address of 88.77.66.55.
I have two apache servers serving port 80 on my LAN behind that public IP. One hosts my website on 192.168.1.2 and the other hosts my SVN server at 192.168.1.3.
I would like to route the IPs to:
www.domain.tld -> 192.168.1.2
svn.domain.tld -> 192.168.1.3
Here's my current intended design, but I don't know if it's feasible so I'm looking for feedback. My router will forward all port 80 data to 192.168.1.2. Then, on that machine:
/etc/apache2/httpd.conf
---
NameVirtualHost 192.168.1.2:80
NameVirtualHost 192.168.1.3:80
<VirtualHost 192.168.1.2:80>
ServerName www.domain.tld
</VirtualHost>
<VirtualHost 192.168.1.3:80>
ServerName svn.domain.tld
</VirtualHost>
Am I using the correct mechanism to accomplish this? Can I use hostnames instead of IPs? I'd like to get some indication of issues before I start messing with configurations and cause downtime.
I think that will work. Nginx reverse proxy is another way to do this on a larger scale.
I've been trying to create 3 different domains linking to 3 different sites on the same machine, 2 which works but the third on the different port links to the first page.
My apache config looks like this:
Listen 81
NameVirtualHost *:81
<VirtualHost *:80>
ServerName www.example.com
DocumentRoot /var/www/www
</VirtualHost>
<VirtualHost *:80>
ServerName www2.example.com
DocumentRoot /var/www/www2
</VirtualHost>
<VirtualHost *:81>
ServerName controlpanel.example.com
DocumentRoot /var/www/controlpanel
</VirtualHost>
I've used Bind9 to set up the domains.
www IN A 123.123.123.123
www2 IN A 123.123.123.123
controlpanel IN A 123.123.123.123
www and www2 works fine and shows the correct site, however controlpanel.example.com also links to the first www site. When I enter the port manualy on the ip, xxx.xxx.xxx.xxx:81, i get linked correctly. The thing is that I don't really know where I'm doing it wrong, this is the first time I'm trying anything like this. You got any ideas?
Im also running this on an old ubuntu 12.04 server.
Regarding where you're going in the comments for the previous answer:
You could add a port 80 virtualhost for controlpanel.example.com and put a single statement inside,
Redirect / http://controlpanel.example.com:81
The purpose of the ServerName is not to inform the browser what port your webserver is using. It's used for name-based virtualhosts and as a last resort for self-referential links (out of the box, self-referential links are generated with whatever the client already thought it was accessing via the Host: header)
But there is definitely something quite bizarre about your requirement. Usually the motivation is to not use custom ports, and if they are, to address the server with a low port and have the por remapped by some intermediary (load balancer, proxy).
If you want your third virtualhost to be simulataneously the defautl on port 81 and a name-based option on port 80:
Change
<VirtualHost *:81>
to
<VirtualHost *:80 *:81>
Apache finds the set of virtual hosts with the best IP:PORT based match first, then if NameVirtualHost also matches, starts looking at the ServerNames from that set.
I am facing an issue with configuring domain name in my httpd.conf file. Entry in httpd.conf file.
Listen sample.com:443
<VirtualHost sample.com:443>
SSLEnable
ServerName MyIHSInstalledServerName
</VirtualHost>
KeyFile /serverPath/keyfile.kdb
SSLDisable
SSLTrace
Now I am confused on what should be the entry made in /etc/hosts
{IP} sample.com sample. Here what is the IP I should mention and is my entry in httpd.conf file correct? Please help.
Your /etc/hosts file is not really relevant to your Apache config.
For SSL virtual hosts, use either the actual ip address that you want your SSL httpd daemon to be bound to
eg
<VirtualHost 10.1.1.1:443>
or use:
<VirtualHost _default_:443>
which will bind the daemon to the first ip address not in use by any other SSL virtual host, which should work in the vast majority of cases
The name of the service is only relevant to the ServerName directive. If you include that, the httpd daemon will only respond to requests that include that name in the header.
I'm running Apache2 on Ubuntu 10, and I have my site configuration files laid out numerically and in order. My default server is psychedeli.ca, but I also run another site off the same box at mahoganytales.com. Currently, both of these domains point to the same site (the one for psychedeli.ca). The declaration NameVirtualHost *:80 is in my ports.conf file, so I'm pretty sure my global server config checks out. How can I fix this?
Here are my vhost files:
001-psycho
<VirtualHost *:80>
DocumentRoot /var/apps/psycho/public
ServerName psychedeli.ca
</VirtualHost>
002-mahogany
<VirtualHost *:80>
DocumentRoot /var/apps/mahogany/public
ServerName mahoganytales.com
</VirtualHost>
try create new conf file at /etc/apache2/conf.d, e.g., vhosts.conf
with this content in it:
NameVirtualHost *
It looks like the default configuration is in effect rather than your host entries. Following is the procedure that works in Ubuntu Apache2.
First,
create a VirtualHost in /etc/apache2/sites-available/somesite,
then a2ensite somesite to make it live.
Finally, /etc/init.d/apache2 restart to restart apache.
If you think, you have followed the above steps, then can you please confirm, that you have your hosts files in /etc/apache2/sites-enabled/?
Each domain name needs to have it's own single unique ip address, that's how different sites are found.
By using the *:80 in the virtual host directive, you're instructing Apache to listen on all IP addresses, port 80 and send it to this directory. With your second vhost, you're doing the same thing (All IP's port 80, and send it there). Well, since you're giving it two conflicting statements, it takes the first match, and uses it.
If you want to serve multiple websites, each must answer to it's own unique IP address, ie:
site aaa.com - 145.25.82.110
site bbb.com - 145.25.82.111
From there, each vhost entry will listen on it's own ip address and port for each site. In the OP's case the vhost needs to change to (using the example IPs):
<VirtualHost 145.25.82.110:80>
DocumentRoot /var/apps/psycho/public
ServerName psychedeli.ca
</VirtualHost>
<VirtualHost 145.25.82.111:80>
DocumentRoot /var/apps/mahogany/public
ServerName mahoganytales.com
</VirtualHost>
This instructs the server to listen on static IP 1 port 80 (as defined in the named.conf and associtated bind config files, and send it to the first site base directory, and any calls on the second static IP port 80 and send it to the second site base directory.
As for configuring bind/named, that's beyond the scope of this question...
I am attempting to setup our servers to allow traffic over SSL. I am aware that SSL does not work with Name Virtual Host, but we have all of our Apache servers on virtual machines with dedicated private IPs. We have a primary virtual machine that has mod_proxy setup to route traffic to the appropriate VMs.
However, in order to route HTTPS traffic we need to have the certificate installed on the proxy as well as the VMs. We have a wildcard certificate that can be used across all of our hosts. Everything appears to work properly, but I receive the following in the Apache logs for the proxy:
[warn] Init: SSL server IP/port conflict: host1.example.com:443 (/etc/apache2/sites-enabled/host1:1) vs. host2.example.com:443 (/etc/apache2/sites-enabled/host2:1)
There is one of these error message for each host we have setup on the proxy. Our Virtual Host setup for the proxy is posted below:
<VirtualHost ipaddress:443>
ServerName host1.example.com
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / https://privateip:443/
ProxyPassReverse / https://privateip:443/
SSLProxyEngine on
SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>
Is there any way that I can get this to work?
It sounds like Apache is warning you that you have multiple <VirtualHost> sections with the same IP address and port... as far as getting it to work without warnings, I think you would need to use something like Server Name Indication (SNI), a way of identifying the hostname requested as part of the SSL handshake. Basically it lets you do name-based virtual hosting over SSL, but I'm not sure how well it's supported by browsers. Other than something like SNI, you're basically limited to one SSL-enabled domain name for each IP address you expose to the public internet.
Of course, if you are able to access the websites properly, you'll probably be fine ignoring the warnings. These particular ones aren't very serious - they're mainly an indication of what to look at if you are experiencing problems
As far as I know, Apache supports SNI since Version 2.2.12
Sadly the documentation does not yet reflect that change.
Go for http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI until that is finished
You may be able to replace the:
VirtualHost ipaddress:443
with
VirtualHost *:443
You probably need todo this on all of your virt hosts.
It will probably clear up that message. Let the ServerName directive worry about routing the message request.
Again, you may not be able to do this if you have multiple ip's aliases to the same machine.
The VirtualHost would look like this:
NameVirtualHost IP_Address:443
<VirtualHost IP_Address:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt # Where "ca" is the name of the Certificate
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
ServerAdmin webmaster#example.com
DocumentRoot /var/www/html
ServerName www.example.com
ErrorLog logs/www.example.com-error_log
CustomLog logs/www.example.com-access_log common
</VirtualHost>
First you need NameVirtualHost ip:443 in you config file!
You probably have one with 80 at the end, but you will also need one with 443.
Second you need a *.domain certificate (wildcard) (it is possible to make one)
Third you can make only something.domain webs in one ip (because of the certificate)
You MUST add below part to enable NameVirtualHost functionality with given IP.
NameVirtualHost IP_Address:443
Apache doesn't support SSL on name-based virtual host, only on IP based Virtual Hosts.
Source: Apache 2.2 SSL FAQ question Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?
Unlike SSL, the TLS specification allows for name-based hosts (SNI as mentioned by someone else), but Apache doesn't yet support this feature. It supposedly will in a future release when compiled against openssl 0.9.8.
Also, mod_gnutls claims to support SNI, but I've never actually tried it.