Apache 2.x NameVirtualHosts + SSL (Linux Web Servers forum, Web Server and Related Forums)
Apologies in advance if this has been covered. I checked archives etc and haven't really found this particular configuration.

Here is my current setup (all IPs and domains sanitized):

Web server behind firewall, server has two IPs on ethernet, 10.0.0.1 and 10.0.0.2. I am running virtualhosts (NameVirtualHost) on 10.0.0.1:80 and one virtualhost (IP) on 10.0.0.2:443. I have all Listens etc nailed down, each port is only listening on its respective IP.

On the outside of this webserver (other side of the firewall) is the IP 192.168.0.1. I have these DNS entries (on the outside world):

    www.domain.com     192.168.0.1
    www.other.com      192.168.0.1
    secure.domain.com  192.168.0.1

And these inside the firewall:

    www.domain.com     10.0.0.1
    www.other.com      10.0.0.1
    secure.domain.com  10.0.0.2

The firewall is port forwarding as such:

    192.168.0.1:80  -> 10.0.0.1:80
    192.168.0.1:443 -> 10.0.0.2:443

I can get to all the non-ssl sites just fine. I can get to https://secure.domain.com fine as well. My issue is that I can also get to:

    https://www.domain.com
    https://www.other.com

They happen to actually bring up the site (content) of secure.domain.com.

From reading the docs at http://httpd.apache.org/docs-2.0/vhosts/details.html it seems that this should NOT happen. Especially the section:

---
Observations

A name-based vhost can never interfere with an IP-based vhost and vice versa. IP-based vhosts can only be reached through an IP address of its own address set and never through any other address. The same applies to name-based vhosts, they can only be reached through an IP address of the corresponding address set which must be defined with a NameVirtualHost directive.
---

So I understand that from an outside/inside DNS + firewalling perspective that if I intentionally pull up https://www.domain.com in a browser, my request will eventually get to 10.0.0.2:443 (due to the same single IP on the outside and port forwarding). I guess the bottom line is I would have thought this would have errored out as the Host: header should be www.domain.com and not secure.domain.com.

Is this just one of the differences in SSL handling?

Here are the relevant (as far as I know) sections of my config:

```apache
############
# httpd.conf
############

Listen 10.0.0.1:80
NameVirtualHost 10.0.0.1:80

<VirtualHost www.domain.com:80>
    DocumentRoot /var/www/html/domain/htdocs
    ServerName www.domain.com
    ServerAlias domain.com
    ErrorLog /var/www/html/domain/logs/www.domain.com-error_log
    CustomLog /var/www/html/domain/logs/www.domain.com-access_log common
</VirtualHost>

<VirtualHost www.other.com:80>
    DocumentRoot /var/www/html/other/htdocs
    ServerName www.other.com
    ServerAlias other.com
    ErrorLog /var/www/html/domain/logs/www.other.com-error_log
    CustomLog /var/www/html/domain/logs/www.other.com-access_log common
</VirtualHost>

####################################
# ssl.conf is included in httpd.conf
####################################

Listen 10.0.0.2:443

<VirtualHost secure.domain.com:443>
    DocumentRoot "/var/www/html/ssl"
    ServerName secure.domain.com
    ServerAdmin root@localhost
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    # Bunch of SSL specific (ciphers etc.) omitted
</VirtualHost>
```

Thanks in advance for any info.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint: 7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
"SH1-0151. This is the serial number, of our orbital gun."
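The selection rule from the docs quoted above, worked through against the config in this post. This is an added example written for the thread, not the poster's code or anything from Apache; it is a simplified model of httpd's two-step lookup (address set first, then Host: header only for NameVirtualHost sets), using the sanitized IPs and names from the post.

```python
"""Model of Apache 2.x virtual-host selection (simplified; not httpd's code).
Step 1: the IP:port the connection arrived on picks the address set.
Step 2: only in a NameVirtualHost set is the Host: header consulted."""
from dataclasses import dataclass


@dataclass
class VHost:
    addr: str              # "ip:port" the <VirtualHost> resolves to
    server_name: str
    aliases: tuple = ()    # ServerAlias entries
    doc_root: str = ""


# Address sets declared with NameVirtualHost in the poster's httpd.conf.
NAME_BASED = {"10.0.0.1:80"}

# The three vhosts from the post, in file order (order matters for defaults).
VHOSTS = [
    VHost("10.0.0.1:80", "www.domain.com", ("domain.com",), "/var/www/html/domain/htdocs"),
    VHost("10.0.0.1:80", "www.other.com", ("other.com",), "/var/www/html/other/htdocs"),
    VHost("10.0.0.2:443", "secure.domain.com", (), "/var/www/html/ssl"),
]


def host_matches(vhost, host_header):
    """True when the Host: header names this vhost (port suffix ignored)."""
    host = host_header.split(":")[0].lower()
    return host == vhost.server_name or host in vhost.aliases


def select_vhost(local_addr, host_header, vhosts=VHOSTS, name_based=NAME_BASED):
    """Return the VHost served for a connection that hit local_addr (ip:port)
    carrying host_header, or None if no vhost binds that address set."""
    candidates = [v for v in vhosts if v.addr == local_addr]
    if not candidates:
        return None  # would fall through to the main server; not modelled here
    if local_addr not in name_based:
        # IP-based set: the single vhost answers regardless of Host:.
        return candidates[0]
    for v in candidates:
        if host_matches(v, host_header):
            return v
    return candidates[0]  # first vhost in the set is the default


if __name__ == "__main__":
    for addr, host in [("10.0.0.2:443", "www.domain.com"), ("10.0.0.1:80", "other.com")]:
        v = select_vhost(addr, host)
        print(f"{addr} Host:{host:<16} -> {v.server_name} (Host matches: {host_matches(v, host)})")
```

Because 10.0.0.2:443 has no NameVirtualHost directive, the lone vhost in that address set is served for every request that reaches it, so https://www.domain.com forwarded to that IP gets secure.domain.com's content; the only signal of the mismatch is the certificate-name warning in the browser, since the Host: header is never compared.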