Tomcat and Apache Webserver using SSL on one machine - apache

I have tomcat installed and running on an ubuntu 12.04 LTS system utilizing port 443 for https requests (GeoTrust certificate installed).
On the same machine, apache2 responds to requests on port 80.
Now I was given the task of securing the webapps (php) running on apache2 with SSL as well, but with a different server certificate.
Is this possible at all? - My assumption would be "no", because I cannot have two servers listening on the same port, but I'm not too sure and haven't found any helpful information about this so far.
Any help would be highly appreciated.

These days, you'll still have difficulty serving more than one certificate on a single interface/port combination (e.g. 0.0.0.0:443). If you want to use two separate ports for HTTPS, it's no problem. If you want to bind to different interfaces (e.g. 1.2.3.4:443 and 4.3.2.1:443) it's no problem. If you want them both on the same interface/port, you'll have to rely on Server Name Indication which may or may not be supported by your web server version and/or client.
If you want different certificates, you probably want different hostnames, too, so maybe you can get a second interface configured on the machine. Note that you don't need to have multiple NICs on the machine just to enable a different interface: your OS should be able to create another interface with a different IP address and still share the NIC. Then you just set DNS to point each hostname to a different IP address and make sure you bind each SSL VirtualHost to the proper IP address (instead of using 0.0.0.0 or * for the hostname).
Honestly, SNI is the easiest thing to do: just use VirtualHosts with SSL enabled (with different certs) in each one the way you'd "expect" it to work and see if the server starts up without complaint. If so, you'll need to test your clients to see if it's going to work for your audience. For the SNI scenario, I am assuming that Apache httpd would handle all of the SSL traffic and that you'd use something like mod_proxy_* or mod_jk to proxy to Tomcat.
For the split-IP scenarios, you can do whatever you want: terminate SSL within Tomcat or use httpd for everything and proxy for dynamic content to Tomcat.
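The SNI scenario from the answer above, written out as an added example (this is not configuration from the original post or from the Apache project): httpd terminates TLS for both names on one IP:port pair, serves the PHP site itself and proxies the second name to Tomcat with mod_proxy_http. Assumed values: the hostnames app.example.com and tomcat.example.com, the certificate and key paths under /etc/ssl/, and that Tomcat has been moved off port 443 to a plain HTTP connector on 127.0.0.1:8080 so that httpd owns 443.

```apache
# Added example, not from the original answer. Apache httpd terminates TLS for two
# hostnames on the same IP:port; clients pick the vhost through SNI.
# Assumed: app.example.com (PHP served by httpd), tomcat.example.com (proxied to
# Tomcat's HTTP connector on 127.0.0.1:8080), certificate files under /etc/ssl/.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers
# (a2enmod ssl proxy proxy_http headers).
Listen 443
# Apache 2.2 (the version shipped with Ubuntu 12.04) additionally needs:
#   NameVirtualHost *:443
# Apache 2.4 does not.

# Refuse the TLS handshake for clients that send no SNI at all, instead of
# silently handing them the first vhost's certificate. Leave this off if you
# still have to support legacy non-SNI clients (e.g. IE on Windows XP).
SSLStrictSNIVHostCheck on

# The first <VirtualHost> for a given IP:port is also the default vhost: it is
# the one a non-SNI client ends up on, so list the most important site first.
<VirtualHost *:443>
    ServerName app.example.com
    DocumentRoot /var/www/app

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/app.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/app.example.com.key
    SSLCertificateChainFile /etc/ssl/certs/app-ca-chain.crt

    <Directory /var/www/app>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName tomcat.example.com

    SSLEngine on
    # The existing GeoTrust certificate, moved from Tomcat's keystore to PEM files.
    SSLCertificateFile      /etc/ssl/certs/tomcat.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/tomcat.example.com.key
    SSLCertificateChainFile /etc/ssl/certs/geotrust-chain.crt

    # httpd is the TLS endpoint; the hop to Tomcat is plain HTTP, so keep it on
    # the loopback interface only. Tell Tomcat the original scheme so that it
    # builds https:// redirects and marks session cookies as secure.
    ProxyPreserveHost On
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

To check which certificate a given name gets, connect once per name with `openssl s_client -connect <ip>:443 -servername app.example.com` and again with `-servername tomcat.example.com`, and compare the subject printed for each; a client that omits `-servername` shows what non-SNI browsers will see, i.e. the certificate of whichever vhost is listed first.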

Related

If two Apache HTTP servers are installed in RedHat, how to make them not disturb each other

I have already installed an Apache HTTP server in my RedHat system, now I need to install a Bitnami application package which contains another Apache. So I am wondering how to make them not disturb each other?
I guess I need to configure different ports for the two HTTP server. But what if one has 8080 and another has 9090, will we visit http://[ServerName]:8080/something.html and http://[ServerName]:9090/something.html? I think this way is quite inconvenient. Am I wrong or any better idea?
My advice would be to do something like this.
Have one Apache instance listen on port 80 and the other one on port 8080, for example. The Apache instance that listens on port 80 can act as a proxy to the other Apache (port 8080) using the ProxyPass and ProxyPassReverse directives.
https://httpd.apache.org/docs/2.4/mod/mod_proxy.html
You would need to define prefixes or virtual hosts and inside them add ProxyPass directives.
I don't know what kind of user those applications are targeted at, but the usual end-user is not used to entering ports when browsing the web.
If you like to use the ports, go for it, but I would recommend using Name-based Virtual Hosts so you could use different domains or subdomains for each application.
In addition to the example provided by the docs (where they just point to different folders), this DigitalOcean page documents how to make redirects to different URLs.
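The proxy layout suggested in the answer above, as an added example (not configuration from the original post): a front-end httpd on port 80 with two name-based virtual hosts, each forwarding to one of the back-end instances. Assumed values: the hostnames app1.example.com and app2.example.com, the first instance on port 8080 and the Bitnami instance on port 9090.

```apache
# Added example, not from the original answer. Front-end httpd on port 80 routes
# to two back-end httpd instances by hostname.
# Assumed: app1.example.com -> first instance on 8080,
#          app2.example.com -> Bitnami instance on 9090.
# Needs mod_proxy and mod_proxy_http.
Listen 80
# Apache 2.2 additionally needs: NameVirtualHost *:80

<VirtualHost *:80>
    ServerName app1.example.com
    ProxyPreserveHost On          # back end sees the real Host: header
    ProxyRequests Off             # never act as an open forward proxy
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

<VirtualHost *:80>
    ServerName app2.example.com
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass        / http://127.0.0.1:9090/
    ProxyPassReverse / http://127.0.0.1:9090/
</VirtualHost>

# In each back end's own httpd.conf, bind to the loopback address only, so the
# applications are reachable exclusively through the front end and nobody can
# bypass it by typing the port:
#   Listen 127.0.0.1:8080      (first instance)
#   Listen 127.0.0.1:9090      (Bitnami instance)
```

ProxyPassReverse rewrites Location headers in redirects coming back from the back end; without it a redirect issued by the 8080 instance would send the browser straight to port 8080, which the loopback binding above would then refuse.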
I completely agree with EndermanAPM that the usual end-user is not used to entering ports when browsing the web. Therefore, I would only allow port 80 to be accessed by the end-users.
Additional to the current solutions I see another one:
avoid messing up the settings of the Apache servers in order to not end up with some malfunctions of your websites
leave the Apache servers listening on their designated ports (8080 and 9090 respectively)
install a dedicated proxy in front of the Apache servers. The proxy would listen on port 80 and would define redirect rules that would parse the request and would redirect it to the proper Apache server. (see the attached picture)
I recommend HAProxy. It is a very fast and reliable HTTP and TCP proxy. I've been using it in production for years, in front of application servers, web servers and even database servers. Once you get used to its syntax, it is pretty easy to use.
I am aware that introducing a new component into the equation might add another source of potential issues. But I think that the architecture is cleaner. Besides, the two Apache servers will not be disturbing each other as you requested. You can shut down any one of the two and the other one would properly work further.

Apache - multiple sites on one IP, domain and port with SSL

Is it possible to run multiple apache sites on the same IP, domain and port (meaning the <VirtualHost> tags are exactly identical and no ServerName is given) while using SSL (not sure whether SSL makes a difference here)?
I would like to separate my web services into files in etc/apache2/sites-available to be able to activate or deactivate them on demand. Basically Apache should just take all files and string them together internally, but leave me the possibility to a2dissite certain parts.
Further clarification:
By "sites", I mean files in the etc/apache2/sites-available directory. "Web services" in this context are certain applications like phpMyAdmin or an Etherpad which run on Apache and whose configuration (e.g. Alias or ProxyPass) I want to write into its own configuration file ("site").
The short answer is no.
SSL operates at a level between TCP and HTTP. But the virtual host name is sent via HTTP. So how does SSL know which certificate to use for a virtual host?
There is a way to do it - basically start up the HTTP over TCP then switch to SSL after the virtual host name (in the Host header) is sent. However this is complex, error prone and generally considered a bad idea.
Best practice is to have one IP per SSL virtual host. One machine can have multiple IP addresses; even a single network port can have multiple IP addresses.
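The "one IP per SSL virtual host" layout the answer recommends, as an added example (not configuration from the original post): each SSL site is bound to its own address, so the server knows which certificate to present from the TCP destination alone and no SNI is involved. The per-application split the question asks about is handled inside the vhost with Include. Assumed values: the addresses 192.0.2.10 and 192.0.2.11 (the second can be an alias on the same NIC), the hostnames site-a.example.com and site-b.example.com, and an /etc/apache2/apps-enabled/ directory holding one fragment per application.

```apache
# Added example, not from the original answer. IP-based SSL virtual hosts:
# one Listen and one <VirtualHost> per address, each with its own certificate.
# Assumed: 192.0.2.10 -> site-a.example.com, 192.0.2.11 -> site-b.example.com,
# DNS pointing each name at its address.
Listen 192.0.2.10:443
Listen 192.0.2.11:443

<VirtualHost 192.0.2.10:443>
    ServerName site-a.example.com
    DocumentRoot /var/www/site-a
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/site-a.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/site-a.example.com.key

    # Per-application fragments (one file each, e.g. phpmyadmin.conf with an
    # Alias, etherpad.conf with a ProxyPass) live outside sites-available and
    # are pulled into this single vhost. Enable or disable an application by
    # adding or removing its file here instead of with a2ensite/a2dissite.
    IncludeOptional /etc/apache2/apps-enabled/*.conf
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName site-b.example.com
    DocumentRoot /var/www/site-b
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/site-b.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/site-b.example.com.key
</VirtualHost>
```

IncludeOptional (Apache 2.3+) tolerates an empty directory; on Apache 2.2 use Include, which fails at startup when the glob matches nothing, so keep at least one file in place there. Binding each vhost to an explicit address rather than `*:443` is what makes certificate selection independent of the client: a client that sends no SNI still reaches the right certificate because it connected to the right IP.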

Avoiding SNI for SSL on a single server hosting multiple vhost entries

I am trying to host 2 sites on a single IP address and they need to be accessed via SSL however the majority of my users use Internet Explorer on Windows XP meaning using multiple SSLs with SNI may prevent them getting access.
I was wondering if I could use multiple virtual hosts but still use a single SSL certificate and avoid SNI?
Alternatively, how feasible is it for me to install two Apache webserver instances, each with its own DocumentRoot and own SSL certificate, and for me to simply use the first Apache webserver as an entry point to entertain some requests and to redirect others to the other SSLed Apache instance?
Could I potentially use the Windows Host file (Windows 2008 Server) to redirect incoming requests to the intended Apache Server instead of using VirtualHosts ?
Apologies if I have confused concepts.
You can try to purchase an X.509 certificate with two domains in it. I don't know what particular CAs do this, but I also don't see why they would refuse. You need to ask their support, though.
Your idea to redirect some requests to another server residing on a different port sounds good as well, though you will have to use two different certificates for different domain names, of course.
Finally, if your second domain can be something like additional.mydomain.com, you have a greater chance to buy a certificate issued for mydomain.com + www.mydomain.com + additional.mydomain.com (this can be a wildcard certificate or a certificate with additional subdomain names).
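The single-certificate approach from the answer above, as an added example (not configuration from the original post): two name-based vhosts share one IP:443 and both present the same certificate, whose Subject Alternative Names list both hostnames. A client without SNI is always handed the certificate of the first vhost on that IP:port, and because that certificate is also valid for the second name the browser raises no mismatch; httpd then routes the request by the HTTP Host header as usual. Assumed values: the hostnames www.mydomain.com and additional.mydomain.com and the files /etc/ssl/certs/mydomain-san.crt and /etc/ssl/private/mydomain-san.key.

```apache
# Added example, not from the original answer. Two SSL sites on one IP:443
# without depending on SNI: both vhosts use the SAME certificate, which must
# carry both names in its Subject Alternative Name extension (a multi-domain
# or wildcard certificate). Assumed names and file paths as in the lead-in.
Listen 443
# Apache 2.2 additionally needs: NameVirtualHost *:443

# First vhost for *:443 = the default one; its certificate is what every
# non-SNI client (IE on Windows XP) receives, whichever site it asked for.
<VirtualHost *:443>
    ServerName www.mydomain.com
    DocumentRoot /var/www/main
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/mydomain-san.crt
    SSLCertificateKeyFile /etc/ssl/private/mydomain-san.key
</VirtualHost>

<VirtualHost *:443>
    ServerName additional.mydomain.com
    DocumentRoot /var/www/additional
    SSLEngine on
    # Deliberately the same certificate and key as above. Since the SAN list
    # covers additional.mydomain.com too, the certificate the non-SNI client
    # got during the handshake matches the name it typed; selection of this
    # vhost happens afterwards on the Host: header. Keep every other SSL*
    # setting identical between the two vhosts as well, otherwise mod_ssl
    # forces a renegotiation when the request lands here.
    SSLCertificateFile    /etc/ssl/certs/mydomain-san.crt
    SSLCertificateKeyFile /etc/ssl/private/mydomain-san.key
</VirtualHost>
```

Before deploying, confirm the certificate really lists both names: `openssl x509 -in /etc/ssl/certs/mydomain-san.crt -noout -text | grep -A1 "Subject Alternative Name"` must show DNS entries for both hostnames; a certificate with only a Common Name for www.mydomain.com will still trigger the mismatch warning on the second site. Note that with this layout the two sites are only as separate as their DocumentRoot and access rules make them: a compromise of the shared private key affects both.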

why to have Apache Web Server listening on more than one port

What's the use of having an Apache Web Server listening on more than one port?
Can anyone explain the use case to me?
You may want to use both IPv4 and IPv6, use HTTP and HTTPS, etc.
http://httpd.apache.org/docs/2.2/bind.html
You may have multiple network providers, and multiple IPs provided by each. Though listening on 0.0.0.0 will listen on all addresses, sometimes you may want to listen on selected addresses, not all of them.
Edit: Forgot: another important reason is when you have to serve multiple sites and multiple domains from one host (one IP). You will then use different ports for each different site. These are so-called name-based virtual hosts.
If you need it, here's a link on how to set up name-based virtual hosts from the Apache docs.
I can see at least two possible use cases for that:
Assume that your application is accessible to the public via port 80, but you wish to manage your database via phpMyAdmin (a PHP tool to manage MySQL servers). You could then configure the Apache web server so that it listens on some other "private" port for phpMyAdmin calls. This way, only you and your team can access it.
When you don't have registered domain names, you can create multiple sites running on your server and assign different ports to different sites. This way, you can test your site until your domain name gets registered.
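The "private port for phpMyAdmin" use case from the answer above, as an added example (not configuration from the original post): the public site stays on port 80 on every address, IPv6 included, while phpMyAdmin is published only on a separate port bound to a single address and restricted to an admin network. Assumed values: the public address 192.0.2.10, the IPv6 address 2001:db8::10, the admin port 8443, the admin network 198.51.100.0/24, phpMyAdmin installed under /usr/share/phpmyadmin and a certificate for www.example.com.

```apache
# Added example, not from the original answer. One httpd, several Listen
# directives: the public site on port 80 (IPv4 and IPv6), an admin-only vhost
# on a second port that is bound to one address and reachable from one network.
# Assumed addresses, port, network and paths as in the lead-in.
Listen 192.0.2.10:80
Listen [2001:db8::10]:80
Listen 192.0.2.10:8443        # admin port on one address only, not 0.0.0.0

<VirtualHost 192.0.2.10:80 [2001:db8::10]:80>
    ServerName www.example.com
    DocumentRoot /var/www/public
    # No Alias for phpMyAdmin here: it is simply not present on the public port.
</VirtualHost>

<VirtualHost 192.0.2.10:8443>
    ServerName www.example.com
    SSLEngine on                # credentials for phpMyAdmin must not travel in clear
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    Alias /phpmyadmin /usr/share/phpmyadmin

    # Everything on the admin port, not just /phpmyadmin, is limited to the
    # admin network. Apache 2.4 syntax; on 2.2 use
    #   Order deny,allow
    #   Deny from all
    #   Allow from 198.51.100.0/24
    <Location />
        Require ip 198.51.100.0/24
    </Location>
    <Directory /usr/share/phpmyadmin>
        Require ip 198.51.100.0/24
    </Directory>
</VirtualHost>
```

The port alone is not an access control: a scan will find 8443 in seconds, which is why the vhost pairs the separate port with an address-based rule and TLS. A host firewall rule allowing 8443 only from 198.51.100.0/24 is the natural second layer.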
Well... for HTTP the default port is 80 and the HTTPS default is 443,
and you can serve on another port for some reason.

SSL Certificate Mismatch in IE 7+, OK in Firefox 3.6+

We have a site www.name1.domain.com for which we successfully created and implemented an SSL cert. We then added another site, www.name2.domain.com, and are seeing some strange behaviour in IE7 and IE8 (surprise!).
Basically, IE7,8 reports a mismatch of host name when we go to https://www.name2.domain.com/ . When I add and view this cert in IE for this domain, the host name is incorrect, but belongs to the older host name, i.e., www.name1.domain.com.
Firefox doesn't have this issue, and picks up correct host name www.name2.domain.com for the second site without issue.
Any ideas why IE is misbehaving (apart for the sassy ones (-: ) ?
Your problem is that Internet Explorer on Windows XP (and probably other software as well) is not SNI capable.
I've just run into the same problem - basically Firefox and Chrome are ok and get the correct certificate, but Internet Explorer does not. Then I've looked it up a bit and saw this on Wikipedia, among other things:
Browsers with support for TLS server name indication: Internet Explorer 7 or later, on Windows Vista or higher. Does not work on Windows XP, even Internet Explorer 8.
So, your apache/openSSL combo is SNI capable and can do this, but Windows XP is not.
My solution is that I'm putting the primary subdomain first in the VirtualHost configuration, and the secondary one last. At least there is less explanation to clients on why this pops up.
I don't know if it would work for you though.
Firefox supports running SSL over the same port, 443 (using the same IP), to two virtual hosts (in Apache), but IE7 does not.
http://www.eggheadcafe.com/software/aspnet/36069240/sni-support.aspx
====
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts2
Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?
Name-Based Virtual Hosting is a very popular method of identifying different virtual hosts. It allows you to use the same IP address and the same port number for many different sites. When people move on to SSL, it seems natural to assume that the same method can be used to have lots of different SSL virtual hosts on the same server.
It comes as rather a shock to learn that it is impossible.
The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the SSL session is a separate transaction, that takes place before the HTTP session has begun. The server receives an SSL request on IP address X and port Y (usually 443). Since the SSL request does not contain any Host: field, the server has no way to decide which SSL virtual host to use. Usually, it will just use the first one it finds, which matches the port and IP address specified.
You can, of course, use Name-Based Virtual Hosting to identify many non-SSL virtual hosts (all on port 80, for example) and then have a single SSL virtual host (on port 443). But if you do this, you must make sure to put the non-SSL port number on the NameVirtualHost directive, e.g.
NameVirtualHost 192.168.1.1:80
Other workaround solutions include:
Using separate IP addresses for different SSL hosts.
Using different port numbers for different SSL hosts.