Comments on: Configuring HTTPS with virtual hosts http://diymacserver.com Mon, 06 Feb 2012 16:07:33 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: billc108 http://diymacserver.com/installing-apache/configuring-https-with-virtual-hosts/comment-page-1/#comment-10281 billc108 Tue, 17 May 2011 05:17:48 +0000 http://diymacserver.com/installing-apache/configuring-https-with-virtual-hosts/#comment-10281 Hi Joe, Here's my entire httpd-ssl.conf file, scrubbed for publication, with most of the standard notes removed. Hope it helps. Email me through my site's contact page if you want to communicate directly. #replacing brackets with double parentheses (( # note: IP address for secure.domain1.com != IP for domain2.com Listen xxx.xxx.xxx.xxx:443 ## This is domain 1 - secure.domain1.com only Listen domain2.com:8443 ## This is domain 2 - no "secure." subdomain on this one. AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl SSLPassPhraseDialog builtin SSLSessionCache "shmcb:/opt/local/apache2/logs/ssl_scache(512000)" SSLSessionCacheTimeout 300 SSLMutex "file:/opt/local/apache2/logs/ssl_mutex" SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!kEDH ##################################### NameVirtualHost secure.domain1.com:443 ((VirtualHost secure.domain1.com:443)) DocumentRoot "/opt/local/apache2/htdocs/domain1/secure/" ServerName secure.domain1.com:443 ServerAdmin admin@domain1.com ErrorLog "/opt/local/apache2/logs/error_log" TransferLog "/opt/local/apache2/logs/access_log" SSLEngine on SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!kEDH SSLCertificateFile "/opt/local/apache2/conf/secure.domain1.com.crt" SSLCertificateKeyFile "/opt/local/apache2/conf/secure.domain1.key" SSLCACertificateFile "/opt/local/apache2/conf/secure.domain1.com_ca.crt" SSLVerifyClient optional_no_ca SSLProtocol -ALL +SSLv3 +TLSv1 ((FilesMatch "\.(cgi|shtml|phtml|php)$")) SSLOptions +StdEnvVars ((/FilesMatch)) ((Directory "/opt/local/apache2/cgi-bin")) SSLOptions +StdEnvVars ((/Directory)) BrowserMatch ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 CustomLog "/opt/local/apache2/logs/ssl_request_log" \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" ((/VirtualHost)) ##################################### NameVirtualHost domain2.com:8443 ((VirtualHost domain2.com:8443)) DocumentRoot "/opt/local/apache2/htdocs/domain2/DMX/" ServerName domain2.com ServerAdmin admin@domain1.com ErrorLog "/opt/local/apache2/logs/error_log" TransferLog "/opt/local/apache2/logs/access_log" SSLEngine on SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!kEDH SSLCertificateFile "/opt/local/apache2/conf/domain2.com.crt" SSLCertificateKeyFile "/opt/local/apache2/conf/domain2.key" SSLCACertificateFile "/opt/local/apache2/conf/domain2.com_ca.crt" SSLProtocol -ALL +SSLv3 +TLSv1 SSLVerifyClient optional_no_ca ((FilesMatch "\.(cgi|shtml|phtml|php)$")) SSLOptions +StdEnvVars ((/FilesMatch)) ((Directory "/opt/local/apache2/cgi-bin")) SSLOptions +StdEnvVars ((/Directory)) BrowserMatch ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 CustomLog "/opt/local/apache2/logs/ssl_request_log" \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" ((/VirtualHost)) Hi Joe,

Here’s my entire httpd-ssl.conf file, scrubbed for publication, with most of the standard notes removed. Hope it helps. Email me through my site’s contact page if you want to communicate directly.

#replacing brackets with double parentheses ((

# note: IP address for secure.domain1.com != IP for domain2.com

Listen xxx.xxx.xxx.xxx:443 ## This is domain 1 – secure.domain1.com only
Listen domain2.com:8443 ## This is domain 2 – no “secure.” subdomain on this one.

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin

SSLSessionCache “shmcb:/opt/local/apache2/logs/ssl_scache(512000)”
SSLSessionCacheTimeout 300

SSLMutex “file:/opt/local/apache2/logs/ssl_mutex”

SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!kEDH

#####################################

NameVirtualHost secure.domain1.com:443

((VirtualHost secure.domain1.com:443))
DocumentRoot “/opt/local/apache2/htdocs/domain1/secure/”
ServerName secure.domain1.com:443
ServerAdmin admin@domain1.com
ErrorLog “/opt/local/apache2/logs/error_log”
TransferLog “/opt/local/apache2/logs/access_log”
SSLEngine on
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!kEDH
SSLCertificateFile “/opt/local/apache2/conf/secure.domain1.com.crt”

SSLCertificateKeyFile “/opt/local/apache2/conf/secure.domain1.key”

SSLCACertificateFile “/opt/local/apache2/conf/secure.domain1.com_ca.crt”

SSLVerifyClient optional_no_ca

SSLProtocol -ALL +SSLv3 +TLSv1

((FilesMatch “\.(cgi|shtml|phtml|php)$”))
SSLOptions +StdEnvVars
((/FilesMatch))
((Directory “/opt/local/apache2/cgi-bin”))
SSLOptions +StdEnvVars
((/Directory))
BrowserMatch “.*MSIE.*” \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog “/opt/local/apache2/logs/ssl_request_log” \
“%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \”%r\” %b”
((/VirtualHost))

#####################################

NameVirtualHost domain2.com:8443

((VirtualHost domain2.com:8443))
DocumentRoot “/opt/local/apache2/htdocs/domain2/DMX/”
ServerName domain2.com
ServerAdmin admin@domain1.com
ErrorLog “/opt/local/apache2/logs/error_log”
TransferLog “/opt/local/apache2/logs/access_log”
SSLEngine on
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!kEDH

SSLCertificateFile “/opt/local/apache2/conf/domain2.com.crt”
SSLCertificateKeyFile “/opt/local/apache2/conf/domain2.key”
SSLCACertificateFile “/opt/local/apache2/conf/domain2.com_ca.crt”

SSLProtocol -ALL +SSLv3 +TLSv1

SSLVerifyClient optional_no_ca

((FilesMatch “\.(cgi|shtml|phtml|php)$”))
SSLOptions +StdEnvVars
((/FilesMatch))
((Directory “/opt/local/apache2/cgi-bin”))
SSLOptions +StdEnvVars
((/Directory))
BrowserMatch “.*MSIE.*” \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog “/opt/local/apache2/logs/ssl_request_log” \
“%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \”%r\” %b”
((/VirtualHost))

]]> By: Joe http://diymacserver.com/installing-apache/configuring-https-with-virtual-hosts/comment-page-1/#comment-10280 Joe Tue, 17 May 2011 02:02:16 +0000 http://diymacserver.com/installing-apache/configuring-https-with-virtual-hosts/#comment-10280 Hi billc108, Can you elaborate on your the solution? I'm trying to make it work however had no success so far. An example of the file structure would be good. Thanks! Hi billc108,

Can you elaborate on your the solution? I’m trying to make it work however had no success so far. An example of the file structure would be good. Thanks!

]]> By: billc108 http://diymacserver.com/installing-apache/configuring-https-with-virtual-hosts/comment-page-1/#comment-7673 billc108 Tue, 14 Sep 2010 23:34:33 +0000 http://diymacserver.com/installing-apache/configuring-https-with-virtual-hosts/#comment-7673 Jeff wrote: "One important note to this: You can only use one certificate for your entire apache server – you cannot, for example set up https://www.example1.com and https://www.example2.com and have different certificates for them. Apache (any version) will ignore all but the first SSLCertificateFile and SSLCertificateKeyFile directives it encounters." This is not entirely true. It is possible to set up an apache server - or at least, some of them - with more than one SSL cert on different IPs and ports. replacing brackets with double parentheses (( Listen example1.com:443 Listen example2.com:8443 #the server on port 443 follows the usual setup. NameVirtualHost example2.com:8443 ((VirtualHost example2.com:8443)) ServerName example2.com #etc.... I suspect that there are other, cleaner ways to do it as well. I just haven't dug them up yet. Jeff wrote:
“One important note to this: You can only use one certificate for your entire apache server – you cannot, for example set up https://www.example1.com and https://www.example2.com and have different certificates for them. Apache (any version) will ignore all but the first SSLCertificateFile and SSLCertificateKeyFile directives it encounters.”

This is not entirely true. It is possible to set up an apache server – or at least, some of them – with more than one SSL cert on different IPs and ports.

replacing brackets with double parentheses ((

Listen example1.com:443
Listen example2.com:8443

#the server on port 443 follows the usual setup.

NameVirtualHost example2.com:8443

((VirtualHost example2.com:8443))
ServerName example2.com

#etc….

I suspect that there are other, cleaner ways to do it as well. I just haven’t dug them up yet.

]]> By: David http://diymacserver.com/installing-apache/configuring-https-with-virtual-hosts/comment-page-1/#comment-7448 David Thu, 19 Aug 2010 12:15:20 +0000 http://diymacserver.com/installing-apache/configuring-https-with-virtual-hosts/#comment-7448 When I use "SSLEngine on" Apache will not start. No errors are thrown when I use "sudo /usr/local/apache2/bin/apachectl start", but the httpd process is not started, as shown by "sudo top" When I remove the "SSLEngine on", Apache is able to start. Help would be greatly appreciated. When I use “SSLEngine on”
Apache will not start. No errors are thrown when I use “sudo /usr/local/apache2/bin/apachectl start”, but the httpd process is not started, as shown by “sudo top”

When I remove the “SSLEngine on”, Apache is able to start.
Help would be greatly appreciated.

]]> By: Richard http://diymacserver.com/installing-apache/configuring-https-with-virtual-hosts/comment-page-1/#comment-6779 Richard Sat, 27 Mar 2010 14:32:45 +0000 http://diymacserver.com/installing-apache/configuring-https-with-virtual-hosts/#comment-6779 @Richard M. Thanks for pointing that one out. It's corrected. @Richard M. Thanks for pointing that one out. It’s corrected.

]]> By: Richard Mace http://diymacserver.com/installing-apache/configuring-https-with-virtual-hosts/comment-page-1/#comment-6777 Richard Mace Fri, 26 Mar 2010 16:47:24 +0000 http://diymacserver.com/installing-apache/configuring-https-with-virtual-hosts/#comment-6777 Richard, you have a typo in the httpd-ssl.conf file "from" listing. You have both listed as SSLCertificationKeyFile. You need to correct (SSLCertificateKeyFile “/etc/httpd/server.crt”) into (SSLCertificateFile “/etc/httpd/server.crt”) Richard, you have a typo in the httpd-ssl.conf file “from” listing. You have both listed as SSLCertificationKeyFile. You need to correct (SSLCertificateKeyFile “/etc/httpd/server.crt”) into (SSLCertificateFile “/etc/httpd/server.crt”)

]]> By: Richard http://diymacserver.com/installing-apache/configuring-https-with-virtual-hosts/comment-page-1/#comment-6440 Richard Wed, 27 Jan 2010 05:33:35 +0000 http://diymacserver.com/installing-apache/configuring-https-with-virtual-hosts/#comment-6440 @Roberto, maybe during the compile fase there was an error with SSL and the module didn't compile. Check the config.log for errors on SSL and check if the module is available in the modules directory. If it is there just put the line in httpd.conf. @Roberto, maybe during the compile fase there was an error with SSL and the module didn’t compile. Check the config.log for errors on SSL and check if the module is available in the modules directory. If it is there just put the line in httpd.conf.

]]> By: Roberto http://diymacserver.com/installing-apache/configuring-https-with-virtual-hosts/comment-page-1/#comment-6439 Roberto Wed, 27 Jan 2010 01:53:41 +0000 http://diymacserver.com/installing-apache/configuring-https-with-virtual-hosts/#comment-6439 Hi Richard question I dont have this line in my httpd.conf file: LoadModule ssl_module modules/mod_ssl.so So I cant uncomment it. How do I go about enabaling ssl_mod? Thanks in advance. Hi Richard question I dont have this line in my httpd.conf file:

LoadModule ssl_module modules/mod_ssl.so

So I cant uncomment it. How do I go about enabaling ssl_mod? Thanks in advance.

]]> By: Richard http://diymacserver.com/installing-apache/configuring-https-with-virtual-hosts/comment-page-1/#comment-1143 Richard Tue, 15 Jul 2008 19:59:21 +0000 http://diymacserver.com/installing-apache/configuring-https-with-virtual-hosts/#comment-1143 Sam in /etc/apache2 is the original configuration I didn't want to touch that. Same with the actual binaries, the diy install is in /usr/local just to not interfere with the original installation which might be overwritten by a update. If you want to start the original use the sharing pane in the system preference, otherwise use the <a href="/installing-apache/starting-apache-at-boot-on-leopard/" rel="nofollow">launchd script from the site</a> Sam in /etc/apache2 is the original configuration I didn’t want to touch that. Same with the actual binaries, the diy install is in /usr/local just to not interfere with the original installation which might be overwritten by a update.

If you want to start the original use the sharing pane in the system preference, otherwise use the launchd script from the site

]]> By: Sam http://diymacserver.com/installing-apache/configuring-https-with-virtual-hosts/comment-page-1/#comment-1140 Sam Tue, 15 Jul 2008 11:28:49 +0000 http://diymacserver.com/installing-apache/configuring-https-with-virtual-hosts/#comment-1140 Why you are using /etc/httpd... isn't this an apache2 config? shouldn't it be /etc/apache2? With the diy setup, the Apache install on /usr/sbin is still there. Where do you set which apache is going to run on start? Maybe I haven't dug deep enough... I'm guessing it's a launchd thing. Why you are using /etc/httpd… isn’t this an apache2 config? shouldn’t it be /etc/apache2?

With the diy setup, the Apache install on /usr/sbin is still there. Where do you set which apache is going to run on start? Maybe I haven’t dug deep enough… I’m guessing it’s a launchd thing.

]]>