27 March 2007

Apache HTTPD Virtual Hosts and SSL

How do I configure Apache2 to answer for all subdomains requested? As I want to be able to create subdomains on my server using my main domain name. - patty552 @ UbuntuForums

Various statements of misconception in this thread at UbuntuForums.

Apache HTTPD Virtual Hosts make the web go round. They allow a single server to host many web sites with different addresses. In the web hosting world, this allows for efficient, cheap web hosting. For your average person running Apache HTTPD, it means efficient, cheap home networking and web development testing environments.

Virtual hosts are easy to set up, just check the documentation at http://httpd.apache.org/docs/ . That said, there are two main ways to configure virtual hosting, which you have to keep in mind when starting out. One method involves matching the request host name, IP address, port, or any combination of them to a separate block of HTTPD configuration statements. The other method specifies a directory pattern to use for the document root and cgi-bin based on parts of the host name.

For the former method of configuring virtual hosts, all one needs to do is add a wildcard ServerAlias directive to the VirtualHost block for your domain name.

<VirtualHost 1.2.3.4>
ServerName domain.tld
ServerAlias *.domain.tld
DocumentRoot /var/www/
</VirtualHost>


For the latter, all one needs to do is match against only the domain name, or include subdomains in the pattern, making sure to create the appropriate directory structure.

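# Match on the domain name only (%-2 is the penultimate part of the host name):
VirtualDocumentRoot /var/www/%-2/
# Or include the subdomain as well (%-3 is the part before that):
VirtualDocumentRoot /var/www/%-2/%-3/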


Web hosts tend to use the larger VirtualHost method. Smaller shops, or generic mass hosts (departmental or employee hosting within an organization, for example) will find the latter very helpful, particularly when serving out of users' home directories.

All this is great, but what about SSL? You could start up a separate instance of Apache HTTPD to serve over an SSL connection, but you probably don't want to do that. There are some advantages, but that is beyond the scope of this piece. The easiest way is to use a VirtualHost block to match against connections on port 443, the default HTTPS port. Contrary to popular belief, you do not need a separate IP address to do this.

<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/httpd/ssl.pem
DocumentRoot /var/www/
</VirtualHost>


This works just fine if you are only serving one site over HTTPS. The problem comes in when you have multiple domain names being served from the same server which need SSL. Since the server has to present its SSL certificate during the handshake, before the web browser sends its HTTP request (and with it the Host header), the server has no way of picking a domain-specific SSL certificate to use. Name-based matching just won't work for SSL. This is why proprietors of shared web hosting services demand that you purchase a dedicated IP address if you want to use SSL. IP addresses are known before SSL certificates are used, so by matching based on IP address, we can use domain-specific SSL certificates.

<VirtualHost 1.2.3.4:443>
SSLEngine On
SSLCertificateFile /etc/httpd/dom1-ssl.pem
DocumentRoot /var/www/dom1/
</VirtualHost>

<VirtualHost 1.2.3.5:443>
SSLEngine On
SSLCertificateFile /etc/httpd/dom2-ssl.pem
DocumentRoot /var/www/dom2/
</VirtualHost>


So, to recap, you do not need a separate IP address to use HTTPS. You do need separate IP addresses to use HTTPS on servers with multiple domains using SSL.

4 comments:

Anonymous said...

This is about the only spot where I've found how to set up the virtual host under SSL. I'm confident that I'm almost there making this work in my hosting environment. I can hit the site I'm looking for now at http:127.0.0.2 - but when I attempt https:127.0.0.2 - I get a 403 Error.

Any further info?

new20220806 said...

SNI is Server Name Indication. The SNI feature in Apache provides the ability to host multiple SSL enabled VirtualHosts on a single IP address.

http://en.wikipedia.org/wiki/Server_Name_Indication

EV SSL Certificate said...

I just finished up reading your blog the first time so I thought I should comment to let you know your stuff is great.

EV SSL said...

Hi Christopher Ingram,

Your entire post has clear classification about Apache HTTPD Virtual Hosts and SSL certificate. Entire post includes step by step information about how we can secure all sub domains while Apache HTTPD Virtual Hosts with SSL certificates.

Thanks for sharing with us!