
Securing a name based apache server

04 02 09 - 13:13

The Apache server is an extremely capable system, and I've been using it to serve up several web sites. I've been using the name based Virtual Hosting mechanism, which is quite simple and effective. But adding an https secure set of pages adds a whole new set of problems.

Apache can serve name based virtual hosts simply by setting up the configuration files (see name based virtual hosts). But one of the problems is that when the server responds to an https: interaction, there is no host visible in the header, because it's encrypted. From instantssl:

"When I access my secure site (https), a certificate for another site is displayed

This problem occurs if you assign the same IP address to each host in
your config file. SSL does not support name based virtual hosting (host
headers are encrypted in SSL), so only the first certificate listed in
your config file will be sent."

So, we either host a single site, or give up on the idea of secured socket access. Right?

There are some definitive answers for the Apache and SSL settings here. They are pretty specific:

"Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?

Name-Based Virtual Hosting is a very popular method of identifying
different virtual hosts. It allows you to use the same IP address and
the same port number for many different sites. When people move on to
SSL, it seems natural to assume that the same method can be used to have
lots of different SSL virtual hosts on the same server.



It comes as rather a shock to learn that it is impossible.



The reason is that the SSL protocol is a separate layer which
encapsulates the HTTP protocol. So the SSL session is a separate
transaction, that takes place before the HTTP session has begun.
The server receives an SSL request on IP address X and port Y
(usually 443). Since the SSL request does not contain any Host:
field, the server has no way to decide which SSL virtual host to use.
Usually, it will just use the first one it finds, which matches the
port and IP address specified.



You can, of course, use Name-Based Virtual Hosting to identify many
non-SSL virtual hosts (all on port 80, for example) and then
have a single SSL virtual host (on port 443). But if you do this,
you must make sure to put the non-SSL port number on the NameVirtualHost
directive, e.g.




NameVirtualHost 192.168.1.1:80



Other workaround solutions include:



Using separate IP addresses for different SSL hosts.
Using different port numbers for different SSL hosts."


Rats.
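The collision both quotes describe can be checked for before a certificate mismatch shows up in a browser. The following is an added example, not code from the original post or from the Apache project: it scans a configuration for SSL-enabled `<VirtualHost>` blocks that share one address:port and reports which host's certificate would be sent for the others. The hostnames and addresses in the sample are constructed, and address strings are compared literally (an assumption: `*:443` and a specific IP are not treated as overlapping).

```python
import re

# Constructed sample config: hostnames and addresses are made up for this example.
SAMPLE_CONF = """
NameVirtualHost 192.168.1.1:80
<VirtualHost 192.168.1.1:80>
    ServerName blog.example.com
</VirtualHost>
<VirtualHost 192.168.1.1:443>
    ServerName www.example.com
    SSLEngine on
</VirtualHost>
<VirtualHost 192.168.1.1:443>
    ServerName shop.example.com
    SSLEngine on
</VirtualHost>
<VirtualHost 192.168.1.2:443>
    ServerName mail.example.com
    SSLEngine on
</VirtualHost>
"""

def ssl_vhosts(conf):
    """Return {addr:port: [ServerName, ...]} for SSL-enabled vhosts, in file order."""
    groups, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"<VirtualHost\s+([^>\s]+)", line, re.I)
        if m:                                        # opening tag: start a new block
            current = {"addr": m.group(1), "name": "(no ServerName)", "ssl": False}
        elif current is None:                        # directive outside any vhost
            continue
        elif line.lower().startswith("</virtualhost"):
            if current["ssl"]:                       # only SSL hosts can collide this way
                groups.setdefault(current["addr"], []).append(current["name"])
            current = None
        elif re.match(r"ServerName\s+\S+", line, re.I):
            current["name"] = line.split()[1]
        elif re.match(r"SSLEngine\s+on\b", line, re.I):
            current["ssl"] = True
    return groups

def shadowed(conf):
    """Map each shared addr:port to (host whose certificate is sent, shadowed hosts)."""
    return {a: (n[0], n[1:]) for a, n in ssl_vhosts(conf).items() if len(n) > 1}

if __name__ == "__main__":
    for addr, (first, rest) in shadowed(SAMPLE_CONF).items():
        print(f"{addr}: certificate of {first} is also sent for {', '.join(rest)}")
```

Moving shop.example.com to its own IP address or port, the two workarounds listed in the quote, makes `shadowed()` return an empty result.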




Just so we don't forget how, you can find instructions for creating an SSL certificate here. This page describes both the 'self signed' certificate, as well as getting a cert from a root authority.

