09.21.05
Apache2 + VirtualHosts + mod_ssl
I’m running Apache2 (on Debian), for several name-based virtual hosts. For a while now I’ve been wanting some of my admin pages to be using https so that I would be happy to allow myself to use them when I’m outside the protected home LAN. (They currently use basic authentication / sessions / passwords, and that’s really safe in the big wide world now isn’t it! :~)
I am already aware that you can only run one https server (on port 443) because the SSL layer doesn’t allow the reuse of IP/ports for different identities as HTTP 1.1 will. Fine. But I just spent ages getting one https server to run with my other existing virtual servers… it should be easy, right? Plenty of docs on the net, right?
Ian Miller has a nice Debian, Apache2 and SSL primer, but it “assumed” some things about “default” files that didn’t match up to my current config or woes.
The apache2-ssl-certificate script is a very nice thing for apache2 certificate setup.
Well, it is easy if you know how - and if I had had better error messages then… but that really was the problem. My incorrect configuration problems were *working* configurations - but not the way I wanted (no https!!!) My precious https:// connections were being handled by my default http virtual host - gurr!
See, there are several flexible variations of virtual host matching/setup - that was the problem. They didn’t match easily to what I wanted to do with a new port specific “virtual” host.
Resources that were some help… (perhaps I should have read more and hacked less to start with…)
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html
http://httpd.apache.org/docs/2.0/vhosts/name-based.html
http://httpd.apache.org/docs/2.0/vhosts/examples.html
So anyway, below is a quick config example that is similar to my final result, and would really have helped me. (It’s one of the apache2 doc examples modified for my virtual hosts + https case). It shows how I tell apache2 to listen to both port 80 and 443, and then two examples of virtual (name-based) hosting on port 80, and the all important single (~virtual) host on port 443 that uses mod_ssl. (I’m catching all IPs with * so that a) it’s easier and b) it works for internal and external requests… but that’s another story.)
Listen 80
Listen 443

NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
    ServerName www.example1.com
    DocumentRoot /var/www/example1-80
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example2.org
    DocumentRoot /var/www/example2-80
</VirtualHost>

<VirtualHost *:443>
    # there can be only one domainname certificate on this ip, so forget it.
    # ServerName www.example.org
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    DocumentRoot /www/otherdomain-443
    ...
</VirtualHost>
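A small checker for the failure described above, where https:// requests end up in a virtual host that has no SSL. This is an added example, not part of the original post: the sample configs and function names are constructed, and the matching is a simplification of Apache's (a VirtualHost address with no port is assumed to match every port; the post does not say which variant caused the problem).

```python
import re

# Constructed sample configs for this example (not the author's real files).
BROKEN = """\
Listen 80
Listen 443
<VirtualHost *>
    ServerName www.example1.com
</VirtualHost>
"""
FIXED = """\
Listen 80
Listen 443
NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>
    ServerName www.example1.com
</VirtualHost>
<VirtualHost *:443>
    SSLEngine On
</VirtualHost>
"""

def parse(conf):
    """Return (ports, vhosts); vhost = [port, ssl_on], port None = any (assumed)."""
    ports, vhosts, cur = set(), [], None
    for line in map(str.strip, conf.splitlines()):  # '#' lines match nothing
        if m := re.match(r"(?i)listen\s+(?:\S*:)?(\d+)", line):
            ports.add(int(m.group(1)))
        elif m := re.match(r"(?i)<virtualhost\s+([^\s>]+)", line):
            p = re.search(r":(\d+)$", m.group(1))
            vhosts.append(cur := [int(p.group(1)) if p else None, False])
        elif re.match(r"(?i)</virtualhost>", line):
            cur = None
        elif cur is not None and re.match(r"(?i)sslengine\s+on\b", line):
            cur[1] = True
    return ports, vhosts

def check(conf, tls_ports=(443,)):
    """Report TLS ports whose requests can reach a vhost without SSL."""
    ports, vhosts = parse(conf)
    out = []
    for port in sorted(ports & set(tls_ports)):
        hits = [ssl for p, ssl in vhosts if p in (port, None)]
        if True not in hits:
            out.append(f"port {port}: no VirtualHost with SSLEngine on")
        if False in hits:
            out.append(f"port {port}: a VirtualHost without SSL also matches")
    return out
```

Calling check() on the text of the enabled site files returns an empty list when every vhost that can answer on 443 has SSLEngine on.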
I’m really beginning to like the way that apache2 is set up on Debian (I don’t know what is Debian specific however). You create sites in /etc/apache2/sites-available/ and if you want to enable them, a2ensite myconfigfile creates a symlink into /etc/apache2/sites-enabled for you, and all the symlinks are read in by the main /etc/apache2/apache2.conf file. (I always forget ln syntax otherwise… :-). There is a matching a2dissite to remove sites from being active, and similar a2enmod/a2dismod to add and remove apache2 modules.
I also use the apache2ctl start:restart:stop script (rather than /etc/init.d/apache2 …)
Well, now that I’ve won that battle, I think I’ll probably move my admin status/tools pages to a different port (i.e. 447 etc.) so that I can leave the standard 443 port for typical *standard* visitors… seeing a strange port number in a url can really mess with less informed and cautious people I suspect.
I love sunrise… staying up with a … “challenge” … is my normal opportunity.