This is a discussion on RE: SSL Client Auth with Virtual Hosts within the Modssl Users forums, part of the Web Server and Related Forums category.
A team member was able to find a working solution (issue: single IP, two domains, one domain requires client auth, the other domain plain SSL, both functional with same apache instance using virtual hosts):

    NameVirtualHost <ip-address>:443

    # Domain 1: client certificate required
    <Virtualhost <ip-address>:443>
        ServerAdmin adsfasfsa@asdfasfds.com
        DocumentRoot /var/www
        ServerName <domain 1>
        ErrorLog /var/log/httpd/error_log
        CustomLog /var/log/httpd/access_log common

        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

        <Location "/">
            SSLVerifyClient require
            SSLVerifyDepth 5
            SSLCACertificateFile /etc/httpd/conf/ssl.crt/server-calist.crt
            SSLOptions +StdEnvVars +ExportCertData +OptRenegotiate
        </Location>
    </VirtualHost>

    # Domain 2: plain SSL, no client certificate
    <Virtualhost <ip-address>:443>
        ServerAdmin adsfasfsa@asdfasfds.com
        DocumentRoot /var/www
        ServerName <domain 2>
        ErrorLog /var/log/httpd/error_log
        CustomLog /var/log/httpd/access_log common

        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    </VirtualHost>

-----Original Message-----
From: owner-modssl-users@modssl.org [mailto:owner-modssl-users@modssl.org] On Behalf Of Eckard Wille
Sent: Tuesday, June 14, 2005 3:06 AM
To: modssl-users@modssl.org
Subject: Re: SSL Client Auth with Virtual Hosts

Hoda Nadeem wrote:
> Eckard and All,
>
> Does anybody know if there is any work around to get the following
> scenario to work?
>
> 1 IP Address
> 2 domain names attached to the same server IP address
> 2 SSL virtual hosts: 1 with client authentication, 1 without client
> authentication
>
> I need to try to avoid using a second IP address for the same server.
> Some folks are insisting that there must be a way to get the scenario
> to work.

Hi,

maybe you should reach your goal with some mod_rewrite tricks. The points mentioned at http://www.modssl.org/docs/2.8/ssl_faq.html#vhosts are still valid, only one vhost per ip. You could give mod_rewrite a try to push clients to different directories which are configured for secure and public ssl access. Try something like this:

    ServerName www.vhost1.com
    ServerAlias www.vhost2.com
    SSLEngine on
    SSLVerifyClient none
    SSLCACertificateFile conf/ssl.crt/ca.crt
    <Location /ssl/securedir>
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Location>

    RewriteEngine on
    #RewriteLogLevel 7
    #RewriteLog logs/RewriteLog
    #RewriteCond %{SERVER_NAME}
    # Redirect requests for the site root to the directory for the requested host name
    RewriteCond %{HTTP_HOST} www.vhost1.com
    RewriteRule ^(/index\.htm|/|)$ /ssl/securedir [R,L]
    RewriteCond %{HTTP_HOST} www.vhost2.com
    RewriteRule ^(/index\.htm|/|)$ /ssl/public [R,L]

This would just be a starting switch, modify the regexp to push all desired content into the matching secure location (see http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6). I personally did not try this, but if this does not work maybe mod_setenvif can be used to distinguish the different names.

Greetings from Germany,
Eckard

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majordomo@modssl.org
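
To check which client-certificate policy a request actually gets under a layout like the one in the first message, the following added example (not part of the thread or of mod_ssl) resolves the effective SSLVerifyClient value for a given Host header and path. It is a simplified reader that only understands VirtualHost, Location, ServerName, ServerAlias and SSLVerifyClient; the hostnames, the IP address and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of the first post; hostnames and IP are placeholders.
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:443>
  ServerName secure.example.test
  <Location "/">
    SSLVerifyClient require
  </Location>
</VirtualHost>
<VirtualHost 192.0.2.10:443>
  ServerName public.example.test
</VirtualHost>
"""

def parse_vhosts(text):
    """Return one dict per <VirtualHost> block, in file order."""
    vhosts, vh, loc = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        low = line.lower()
        if low.startswith("<virtualhost"):
            vh = {"names": [], "rules": []}
            vhosts.append(vh)
        elif low.startswith("</virtualhost"):
            vh = None
        elif m := re.match(r'<Location\s+"?([^">]+)"?\s*>', line, re.I):
            loc = m[1]
        elif low.startswith("</location"):
            loc = None
        elif vh is not None and line and line[0] not in "#<":
            key, val = (line.split(None, 1) + [""])[:2]
            if key.lower() in ("servername", "serveralias"):
                vh["names"] += val.lower().split()
            elif key.lower() == "sslverifyclient":
                vh["rules"].append((loc, val.strip()))
    return vhosts

def effective_verify(vhosts, host, path):
    """SSLVerifyClient value in force for a request with this Host header and path."""
    # A Host header matching no ServerName/ServerAlias is served by the first vhost.
    vh = next((v for v in vhosts if host.lower() in v["names"]), vhosts[0])
    verify = "none"  # mod_ssl default when the directive is absent
    # Vhost-level setting (loc None) first, then <Location> sections in file order.
    for prefix, val in sorted(vh["rules"], key=lambda r: r[0] is not None):
        if prefix is None or path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            verify = val
    return verify
```

With the client-auth vhost listed first, a request carrying an unrecognised Host header resolves to `require`; swapping the two blocks would make the public vhost the default instead.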