Re: SSL Client Auth with Virtual Hosts

Hoda Nadeem schrieb:
> Eckard and All,
>
> Does anybody know if there is any work around to get the following
> scenario to work?
>
> 1 IP Address
> 2 domain names attached to the same server IP address
> 2 SSL virtual hosts: 1 with client authentication, 1 without client
> authentication
>
> I need to try to avoid using a second IP address for the same server.
> Some folks are insisting that there must be a way to get the scenario to
> work.

Hi,

maybe you should reach your goal with some mod_rewrite tricks. The
points mentioned at http://www.modssl.org/docs/2.8/ssl_faq.html#vhosts
are still valid, only one vhost per ip. You could give mod_rewrite a
try to push clients to different directories which are configured for
secure and public ssl access.

Try something like this:

ServerName www.vhost1.com
ServerAlias www.vhost2.com

SSLEngine on
SSLVerifyClient none
SSLCACertificateFile conf/ssl.crt/ca.crt

<Location /ssl/securedir>
SSLVerifyClient require
SSLVerifyDepth 1
</Location>

RewriteEngine on
#RewriteLogLevel 7
#RewriteLog logs/RewriteLog
#RewriteCond %{SERVER_NAME}
RewriteCond %{HTTP_HOST} www.vhost1.com
RewriteRule ^(/index.htm)|(/)|()$ /ssl/securedir [R,L]

RewriteCond %{HTTP_HOST} www.vhost2.com
RewriteRule ^(/index.htm)|(/)|()$ /ssl/public [R,L]

This would just be a starting switch, modify the regexp to push all
desired content into the matching secure location (see
http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6). I personally did
not try this, but if this does not work maybe mod_setenvif can be used
to distinguish the different names.

Greetings from Germany,
Eckard
__________________________________________________ ____________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org