Having a test subdomain and a wildcard domain on SSL - ssl

I have SSL installed on my server, and I am using subdomain wildcards in the VirtualHost part of my ssl.conf file. The SSL certificate is valid for all subdomains, this works great.
Now I want to set up a subdomain and use this as a test, i.e. test.mywebapp.com. This test subdomain should point to a different document root. I want to put that in my ssl.conf by adding a new VirtualHost entry.
Currently the only entry is _default_:443. How can I add a new entry without overlapping with the existing one? I tried test.mywebapp.com:443, but it keeps using the _default_ one.
Cheers,
Rick

Keep <VirtualHost _default_:443> (or *:443 or the.ip.address:443, but not the host name).
Use the ServerName directive within the virtual host to configure a different host.

Related

How to use different vhost config files for Apache with SNI & multiple SSL certificates?

Ran into an issue with one of our setups, not too sure if that's even possible.
We're running a simple Ubuntu 18.04 LTS server with PHP-FPM and Apache installed, that will host over a dozen different sites, with at least half of them having different SSL certificates. The server only has a single IP address/NIC.
To make everything easier to manage, I had initially created different vhost config files in /etc/apache2/sites-available, so every site would have their own; this was causing issues as one of the sites would be deemed "default" for SSL and its certificate would be handed out to all the other sites.
Going through StackOverflow and the internet, I've found a lot of posts that were saying to have a single vhost config file with all of our different site configurations...but now I have a thousand line config file, which is a mess to manage.
Is there a way to use SNI, with a single IP/NIC, with different vhost config files, or is our setup "uncommon" and we'll need to use a single vhost config file?
Thanks!
EDIT: Link to a copy of the vhost config we use, sanitized of course: https://pastebin.com/1tQYBSxR
This is how Apache works for SSL VirtualHosts by default:
<VirtualHost *:443>
ServerName site1.com
# Certs definitions for site1.com
</VirtualHost>
<VirtualHost *:443>
ServerName site2.com
# Certs definitions for site2.com
</VirtualHost>
<VirtualHost *:443>
ServerName site3.com
# Certs definitions for site3.com
</VirtualHost>
Now you would expect that when a client connects with one of the sites, Apache understands which site it wants and uses that certificate, right?
But that is not the case. Apache does not know which site is asked for until after SSL negotiation is done. It must therefore always use the first VirtualHost certificate.
NameVirtualHost (Apache 2.2 directive, always on in v2.4) does not work for SSL.
You can put the definitions of each domain in a separate file, as long as they are all Included in the global config file. But again, only the first defined VirtualHost will serve *:443 requests.
In fact I have managed Apache servers with ~50 VirtualHost definitions, and having them all in one file would have been a nightmare. Split them by domain. You can even name the file THE_DOMAIN.conf.
Now how to get rid of that problem:
have 1 IP per domain. Which means 1 IP per VirtualHost. That way Apache knows which site the user requested, right from the start. But that requires as many addresses as you have domains.
have 1 port per domain. Instead of using port 443, some sites could use a non-default port. But that is weird for clients who have to specify the port in the request. Ex. https://example.com:445/. In enterprise setups, you can get your firewall-nat-proxy to change the port back for the client, but this is out of scope of this answer. This might be blocked as they are not default ports.
use SNI. This is supported by modern browsers, where the identification of the desired domain is sent at the time of SSL negotiation.
Using SNI is detailed here (and other references on the web) https://cwiki.apache.org/confluence/display/httpd/NameBasedSSLVHostsWithSNI
Overview:
the first VirtualHost is still the default used for clients that do not support SNI (older browsers, for example).
A new directive was added: SSLStrictSNIVHostCheck
You must use a minimum version of OpenSSL on the host, and Apache must have been compiled with it. It must enable TLS extensions.
Have fun!
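As an added example (not part of the original answer), here is the SNI layout the answer describes, with one *:443 vhost per file under /etc/apache2/sites-available and a separate certificate per site on a single IP; host names, document roots and certificate file names are assumptions:

```apache
# Added example, not from the original answer: one *:443 vhost per file under
# /etc/apache2/sites-available, each with its own certificate, selected by SNI
# on a single IP. Host names and file paths are assumptions.
# Files are Included in alphabetical order, so the one that should be the
# default (used for non-SNI clients) must sort first: name it 000-site1.com.conf.

# ---- 000-site1.com.conf : the default vhost for *:443 ----
<VirtualHost *:443>
    ServerName   site1.com
    ServerAlias  www.site1.com
    DocumentRoot /var/www/site1.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/site1.com.fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/site1.com.key
    # Set in the default vhost, this makes Apache reject TLS clients that send
    # no SNI instead of silently serving them site1's certificate and content.
    # Trade-off: such legacy clients can no longer reach site1 either.
    SSLStrictSNIVHostCheck on
</VirtualHost>

# ---- site2.com.conf ----
<VirtualHost *:443>
    ServerName   site2.com
    ServerAlias  www.site2.com
    DocumentRoot /var/www/site2.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/site2.com.fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/site2.com.key
</VirtualHost>

# ---- site3.com.conf ----
<VirtualHost *:443>
    ServerName   site3.com
    ServerAlias  www.site3.com
    DocumentRoot /var/www/site3.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/site3.com.fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/site3.com.key
</VirtualHost>
```

Verify which certificate each name receives with `openssl s_client -connect <server-ip>:443 -servername site2.com </dev/null 2>/dev/null | openssl x509 -noout -subject`, and omit `-servername` to see what a non-SNI client gets.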

Multiple Domain Hybris Server configuration

I have a Hybris server installation hosting two sites hosted on two directories /site1 and /site2 pointing to two different domains such as www.site1.com and www.site2.com and both domains point to same ELB endpoint. In our current setup, we use the proxy web server (rewrite method) to add the /sitepath to the domain names. Eg: ELBcname/site1 and ELBcname/site2. We do this because both sites are deployed in the same instance.
As far as I know, Hybris installations use apache-tomcat as their application web server. Can I do Apache NameVirtualHost configuration to point the two domains to these with different document roots to avoid using the proxy server?
Eg:
<VirtualHost *:80>
DocumentRoot "/hybrisdocroot/site1/"
ServerName site1
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "/hybrisdocroot/site2/"
ServerName site2
</VirtualHost>
Or is there any provision to add the path to Cname of ELB or ALB?
I would drop the proxy entirely, terminate SSL at the ELB with ACM Certificates on each domain (i.e. SSL common name *.site1.com and *.site2.com) and eliminate the path completely. Let the site answer at the fully qualified domain name (FQDN) only, and ideally only on HTTPS - HTTP is really disfavored now IMHO.
The path construction you indicate may have been used to simplify SSL termination and eliminate the number of certs needed for the service. Since ACM certs are free, the goal should be to provision each site with its own proper SSL cert.
Or is there any provision to add the path to Cname of ELB or ALB?
No. And in any case not needed if you eliminate the path from the URI to reach each site. And of course you can use ELB CNAMEs/ALIAS for a FQDN.

SSL on subdomain and primary domain - ehost

I have an issue with my provider - ehost.
I have a wildcard certificate. I wanted to test it first before I go live. So I requested to install it on a subdomain first (uat.domain.com). I have tested the application and want to go live. The provider said that it is impossible to install the certificate on the primary domain (domain.com) because they have installed it first on the subdomain.
Of course they have offered me to buy a certificate from them.
I really don't understand the issue; can someone tell me if they are right or not? I thought that it is possible even to take the certificate from ehost and send it to another provider and install it. The certificate is now installed on an Apache server and the folders for the subdomain and primary domain are on the same server.
Without looking at the actual configuration it is hard to tell, but to answer your question, if they say it is impossible, that is because they are just using 1 VirtualHost in their server.
Generally shared hosting has these kinds of issues because they dedicate 1 single instance of Apache to many different clients and have 1 virtualhost per client, but this is just guessing; you need to check this is what is currently happening.
But I can also describe how Apache works so you understand what may be happening:
If the Apache configuration has different virtualhosts, you can have as many different certificates, wildcards and whatnot, as virtualhosts you have.
This is, 1 certificate per VirtualHost.
But that is not all: if you have several different domain or subdomain names, this is when you need to carefully plan how you must configure them.
For instance
If you have defined this virtualhost first:
<VirtualHost *:443>
ServerName example.com
ServerAlias *.example.com
</VirtualHost>
No other virtualhosts for whatever.example.com or example.com will apply or be used since this virtualhost will grab all the requests for those names.
But if you have:
<VirtualHost *:443>
ServerName domain.com
</VirtualHost>
And now you need to define a virtualhost with a new wildcard certificate for your subdomain; you can perfectly do so using the new wildcard certificate for *.example.com:
<VirtualHost *:443>
ServerName xxxxx.example.com
</VirtualHost>
and can now define more virtualhosts if you want/need with the same wildcard cert for *.example.com:
<VirtualHost *:443>
ServerName yyyyy.example.com
</VirtualHost>
Note these are stripped down virtualhost examples (obviously your virtualhosts will have more directives inside them, especially the ones loading the key and certificates, etc).
And briefly, things you need to consider:
Apache HTTPD looks at Host header to know to which virtualhost it must deliver the request.
If you overlap names or define too greedy serveraliases, further defined virtualhosts may never receive requests if the previous virtualhosts matches the host name requested. This is, first match in virtualhost list wins.
Apache lets you have 1 certificate per virtualhost, it does not matter if you use the same certificate in several virtualhosts though.
You just have to be careful of not overlapping names and wildcards if you use ServerAlias. Having two virtualhosts covering the same name will just make httpd ignore the second virtualhost for the same name.
If you have several different files for different virtualhosts, their files are read in alphabetical order, so if you have a-virtualhost.conf with servername 1.example.com and b-virtualhost.conf also with servername 1.example.com, b-virtualhost.conf will be ignored.
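As an added example (not from the original posts), here is a stripped-down ssl configuration that applies the rules above to this scenario and to the first question on this page (a test subdomain next to a _default_:443 wildcard host); host names, document roots, the admin IP range and the certificate file names are assumptions:

```apache
# Added example, not from the original posts; host names, paths and
# certificate file names are assumptions. Rules applied: every vhost in the
# group uses the same address spec (_default_ or *, never a host name);
# ServerName/ServerAlias select the vhost from the Host header (the SNI name
# for TLS); first match wins; an unmatched name falls back to the FIRST vhost.

# 1) Production, listed first, so it is the fallback for unmatched names and
#    for clients sending no SNI. No "ServerAlias *.domain.com" here: the
#    fallback already covers it, and a wildcard in the first vhost would also
#    swallow uat.domain.com below (first match wins).
<VirtualHost _default_:443>
    ServerName   domain.com
    ServerAlias  www.domain.com
    DocumentRoot /var/www/prod
    SSLEngine on
    # Wildcard certificate for *.domain.com. It covers the bare "domain.com"
    # only if that name is listed as a SAN; check with:
    #   openssl x509 -in <file> -noout -ext subjectAltName
    SSLCertificateFile    /etc/ssl/certs/wildcard.domain.com.fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/wildcard.domain.com.key
</VirtualHost>

# 2) Test/UAT subdomain with its own document root. One certificate per
#    vhost, but the same certificate may be reused in any number of vhosts.
<VirtualHost _default_:443>
    ServerName   uat.domain.com
    DocumentRoot /var/www/uat
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wildcard.domain.com.fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/wildcard.domain.com.key
    # A test site should not be open to the world (assumed admin range).
    <Location />
        Require ip 10.0.0.0/8
    </Location>
</VirtualHost>

# 3) Optional: a different root for all remaining subdomains. A wildcard alias
#    is safe here because it is listed after the specific names.
<VirtualHost _default_:443>
    ServerName   any.domain.com
    ServerAlias  *.domain.com
    DocumentRoot /var/www/subdomains
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wildcard.domain.com.fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/wildcard.domain.com.key
</VirtualHost>
```

Check the resulting vhost table with `apachectl -S` (`apache2ctl -S` on Debian/Ubuntu): the entry marked "default server" for port 443 is the fallback, and every name-based vhost is listed in match order.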

How to point subdomain to another document root in aws

I am using AWS for the first time. I have created an EC2 instance and installed Apache server, and made the domain mapping from GoDaddy.
Now I want to create subdomains and point the subdomains to other document roots.
Like this :
www.mydomain.com should have domain root html\mydomain
www.test.mydomain.com document root to html\testsubdomain directory.
www.*.mydomain.com document root to html\subdomain directory
(* any subdomain other than test)
I tried to edit vhost file but could not find vhost file in apache server.
Generally where and how to achieve this?
Do I need to use Route53 for this?
DNS simply maps a domain name like www.mydomain.com or test.mydomain.com to an IP address. You will use Route 53 to set up this initial mapping.
However, your webserver needs to be configured to respond to each host. This is done using virtual hosts in Apache. (Similar configurations are available for other web servers.)
To create subdomains you need to add an entry in the configuration file for each subdomain being created. You can either create new config files for each subdomain or keep adding in httpd.conf. I added in httpd.conf. The code should look like this.
<VirtualHost *:80>
ServerName sub1.domain.tld
DocumentRoot "/var/www/html/sub1"
</VirtualHost>
<VirtualHost *:80>
ServerName sub2.domain.tld
DocumentRoot "/var/www/html/sub2"
</VirtualHost>
This adds 2 sub domains sub1 and sub2. After this you need to create an A record in route 53 pointing to the IP of EC2 instance.
In the Name field, you can place * so that this A record would be valid for all the subdomains that will be created.
If you want the subdomain to be SSL certified and have requested a Wildcard Certificate from ACM and attached it to the EC2 instance through an Elastic Load Balancer, then choose "Yes" for Alias, else choose "No".
Value has to be IP Address of your EC2 instance if no Alias chosen and if Alias is chosen you can provide the ELB here in this field.
Hope this helps...

Why should we create A DNS record for subdomains when we can do it via httpd.conf?

I want to implement a blog in my site with usernames as subdomains like user1.domain.com.
I've read bunch of articles that was mentioned to create an A record like below in DNS:
*.domain.com A 127.0.0.1 ;OR your site IP address
Then use .htaccess to redirect requests from subdomains to a folder in your server.
But I find another approach that was said to just modify your httpd.conf as below:
<VirtualHost *:80>
DocumentRoot /abs/path/to/webroot
ServerName domainname.com
ServerAlias *.domainname.com
<Directory /abs/path/to/webroot>
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
Then retrieve subdomains via $_SERVER['HTTP_HOST'].
The question is why should someone use htaccess and put pressure on apache and create A DNS record when we can do a simple thing like ServerAlias *.domainname.com in httpd.conf?
I appreciate in advance for your views.
You need to set up both a wildcard DNS record and configure a server alias in httpd.conf to enable the hosting of arbitrary subdomains. They configure completely different things.
Adding the wildcard DNS record is what allows clients to determine the IP address of your subdomain. With the wildcard DNS record above, user1.domain.com will resolve to 127.0.0.1. If you do not have a DNS record, user1.domain.com will not be a valid name and it will not resolve to an IP address. The DNS record is to allow clients to connect to your server.
The httpd.conf configuration is local to your Apache server. It does not affect clients. The line ServerAlias *.domainname.com will configure Apache to tell it to process the arbitrary subdomains. Clients will not be directly affected by this setting.
You have added the ServerAlias, but for your computer to find that user1.domain.com and user2.domain.com should resolve to 127.0.0.1, you need to update your HOSTS file or DNS Table.
The configuration you have written is for Apache Server for handling the redirects when the user requests the domain. So, essentially, either you need a Dynamic HOSTS file or a service which resolves *.domain.com to your 127.0.0.1 server.
Hope this helps. :)