Apache Name Virtual Host with SSL

Question

I am attempting to setup our servers to allow traffic over SSL   I am aware that SSL does not work with Name Virtual Host  but we have all of our apache servers on virtual machines with dedicated private IPs   We have a primary virtual machine that has mod proxy setup to route traffic to the appropriate vms   However  in order to route https traffic we need to have the certificate installed on the proxy as well as the vms   We have a wildcard certificate that can be used across all of our hosts   Everything appears to work properly  but I receive the following in the apache logs for the proxy    warn  Init  SSL server IP port conflict  host1 domain com 443   etc apache2 sites-enabled host1 1  vs  host2 domain com 443   etc apache2 sites-enabled host2 1   There is one of these error message for each host we have setup on the proxy   Our Virtual Host setup for the proxy is posted below    lt VirtualHost ipaddress 443 gt      ServerName host1 domain com     ProxyPreserveHost On     ProxyRequests Off     ProxyPass   https   privateip 443      ProxyPassReverse   https   privateip 443       SSLProxyEngine on     SSLEngine on     SSLCertificateFile  etc ssl certs server crt     SSLCertificateKeyFile  etc ssl private server key  lt  VirtualHost gt    Is there any way that I can get this to work

User · Answer

As far as I know  Apache supports SNI since Version 2 2 12 Sadly the documentation does not yet reflect that change   Go for http   wiki apache org httpd NameBasedSSLVHostsWithSNI until that is finished

User · Answer

First you need NameVirtualHost ip 443 in you config file  You probably have one with 80 at the end  but you will also need one with 443   Second you need a   domain certificate  wildcard   it is possible to make one   Third you can make only something domain webs in one ip  because of the certificate

User · Answer

You MUST add below part to enable NameVirtualHost functionality with given IP   NameVirtualHost IP Address 443

User · Answer

You may be able to replace the    VirtualHost ipaddress 443   with   VirtualHost   443   You probably need todo this on all of your virt hosts   It will probably clear up that message  Let the ServerName directive worry about routing the message request     Again  you may not be able to do this if you have multiple ip s aliases to the same machine

User · Answer

Apache doesn t support SSL on name-based virtual host  only on IP based Virtual Hosts   Source  Apache 2 2 SSL FAQ question Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts   Unlike SSL  the TLS specification allows for name-based hosts  SNI as mentioned by someone else   but Apache doesn t yet support this feature   It supposedly will in a future release when compiled against openssl 0 9 8   Also  mod gnutls claims to support SNI  but I ve never actually tried it

User · Answer

The VirtualHost would look like this   NameVirtualHost IP Address 443   lt VirtualHost IP Address 443 gt      SSLEngine on     SSLCertificateFile  etc pki tls certs ca crt      Where  ca  is the name of the Certificate     SSLCertificateKeyFile  etc pki tls private ca key     ServerAdmin webmaster domain name com     DocumentRoot  var www html     ServerName www domain name com     ErrorLog logs www domain name com-error log     CustomLog logs www domain name com-access log common  lt  VirtualHost gt

User · Answer

It sounds like Apache is warning you that you have multiple  lt VirtualHost gt  sections with the same IP address and port    as far as getting it to work without warnings  I think you would need to use something like Server Name Indication  SNI   a way of identifying the hostname requested as part of the SSL handshake  Basically it lets you do name-based virtual hosting over SSL  but I m not sure how well it s supported by browsers  Other than something like SNI  you re basically limited to one SSL-enabled domain name for each IP address you expose to the public internet   Of course  if you are able to access the websites properly  you ll probably be fine ignoring the warnings  These particular ones aren t very serious - they re mainly an indication of what to look at if you are experiencing problems

[apache] Apache Name Virtual Host with SSL

Examples related to apache

Examples related to ssl

Examples related to ssl-certificate