Apache2/SSL and Name Based Virtual Hosts
From Gentoo Linux Wiki
Historically, if you wanted to host multiple SSL enabled Web sites, you had to have a globally unique IP address for each site. With the advent of SNI, however, this is no longer necessary. This article will explain how to enable SNI. It is assumed that you have some working knowledge about Apache 2.
What is SNI?
SNI is a three letter acronym that stands for Server Name Indication. Previously, when a browser connected to an SSL enabled site it only transmitted which encryption mechanisms it was capable of handling, so the server had to choose a certificate before it knew which site was being requested. With SNI, the browser transmits not only which encryption mechanisms it is capable of handling, but also the name of the site it is trying to connect to.
Supported Browsers
SNI has only recently gained support in browsers. The browsers that have been confirmed to support SNI are:
- Opera 8.0+
- Firefox 2+
- Internet Explorer 7+
- Safari 3.2.1+
Use mod_gnutls or mod_ssl?
There is a separate Apache module called mod_gnutls that supports SNI on an unpatched Apache as part of its SSL implementation. However, the default SSL module, mod_ssl, that ships with Apache 2.2.8 includes support for SNI, so mod_gnutls is not required.
It's a matter of personal choice when it comes to which module to use. As of this writing, mod_gnutls is new and, therefore, considered an unproven method of enabling SSL while mod_ssl is considered a proven method. Furthermore, mod_gnutls has a different syntax for specifying SSL parameters than mod_ssl.
For further information on mod_gnutls, visit the OutOfOrder.cc project page.
Enabling SSL
Before you install Apache, check that the ssl USE flag is set:
USE flags: ssl
Then proceed with the installation.
Once Apache has been installed, the start up script configuration file, /etc/conf.d/apache2, needs to be edited to enable virtual hosts and SSL by adding -D DEFAULT_VHOST -D SSL -D SSL_DEFAULT_VHOST to the APACHE2_OPTS line. If you prefer to activate the GNUTLS module, use -D DEFAULT_VHOST -D GNUTLS -D GNUTLS_DEFAULT_VHOST instead. SSL and GNUTLS are mutually exclusive modules; you may only run one or the other.
...
# Here are the options available in the default configuration:
#
# AUTH_DIGEST  Enables mod_auth_digest
# AUTHNZ_LDAP  Enables authentication through mod_ldap (available if USE=ldap)
# CACHE        Enables mod_cache
# DAV          Enables mod_dav
# ERRORDOCS    Enables default error documents for many languages.
# INFO         Enables mod_info, a useful module for debugging
# LANGUAGE     Enables content-negotiation based on language and charset.
# LDAP         Enables mod_ldap (available if USE=ldap)
# MANUAL       Enables /manual/ to be the apache manual (available if USE=docs)
# MEM_CACHE    Enables default configuration mod_mem_cache
# PROXY        Enables mod_proxy
# SSL          Enables SSL (available if USE=ssl)
# SUEXEC       Enables running CGI scripts (in USERDIR) through suexec.
# USERDIR      Enables /~username mapping to /home/username/public_html
#
#
# The following two options provide the default virtual host for the HTTP and
# HTTPS protocol. YOU NEED TO ENABLE AT LEAST ONE OF THEM, otherwise apache
# will not listen for incoming connections on the appropriate port.
#
# DEFAULT_VHOST      Enables name-based virtual hosts, with the default
#                    virtual host being in /var/www/localhost/htdocs
# SSL_DEFAULT_VHOST  Enables default vhost for SSL (you should enable this
#                    when you enable SSL)
#
APACHE2_OPTS="-D LANGUAGE -D ERRORDOCS -D DEFAULT_VHOST -D SSL -D SSL_DEFAULT_VHOST -D PHP5"
...
Obtaining SSL Certificates
There are several options to obtain SSL Certificates for the Web server. For simple testing purposes, OpenSSL is capable of creating certificates. For production servers, however, a certificate from a reputable authority, such as Thawte or VeriSign, is required to prevent users from seeing a warning about untrustworthy certificates. There are two popular organizations that provide free (as in beer) SSL Certificates: CAcert.org and StartCom's StartSSL. However, no mainstream browser recognizes CAcert as a trusted certificate authority, the result being that many users will see the same warning as if you signed the certificate yourself.
As of September 24, 2009, StartSSL is recognized by all major browsers as a reputable certificate authority.
Configuring Name Based SSL Virtual Hosts
Defining name based SSL virtual hosts is similar to defining standard name based virtual hosts; the only differences are the port number and the certificate files. Two sample configurations are included here to help get you started.
All the options that are normally used for an SSL enabled site may also be used for a name based SSL virtual host. To avoid users seeing warnings, each site should have its own certificate and key file, since the certificate presented must match the name the browser asked for. For more information on available configuration options, visit Apache's Web site for mod_ssl, and/or OutOfOrder.cc for mod_gnutls.
Using mod_ssl
<IfDefine SSL>
<IfDefine SSL_DEFAULT_VHOST>
<IfModule ssl_module>
    Listen 443
    NameVirtualHost *:443

    <VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl/server.key
        ServerName domain.tld
        SSLOptions StrictRequire
        SSLProtocol all -SSLv2
        DocumentRoot /path/to/ssl/enabled/site
        <Directory /path/to/ssl/enabled/site/>
            SSLRequireSSL
            Order Deny,Allow
            Allow from All
        </Directory>
    </VirtualHost>

    <VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/otherserver.crt
        SSLCertificateKeyFile /etc/apache2/ssl/otherserver.key
        ServerName otherdomain.tld
        SSLOptions StrictRequire
        SSLProtocol all -SSLv2
        DocumentRoot /path/to/other/ssl/enabled/site
        <Directory /path/to/other/ssl/enabled/site/>
            SSLRequireSSL
            Order Deny,Allow
            Allow from All
        </Directory>
    </VirtualHost>
</IfModule>
</IfDefine>
</IfDefine>

Using mod_gnutls
<IfDefine GNUTLS>
<IfDefine GNUTLS_DEFAULT_VHOST>
<IfModule gnutls_module>
    Listen 443
    NameVirtualHost *:443

    <VirtualHost *:443>
        GnuTLSEnable on
        GnuTLSExportCertificates on
        GnuTLSCacheTimeout 500
        GnuTLSCertificateFile /etc/apache2/ssl/server.crt
        GnuTLSClientCAFile /etc/apache2/ssl/certificates/CA-bundle.crt
        GnuTLSKeyFile /etc/apache2/ssl/keys/server.key
        ServerName domain.tld
        GnuTLSPriorities NORMAL:!DHE-RSA:!DHE-DSS:!AES-256-CBC:%COMPAT
        DocumentRoot /path/to/ssl/enabled/site
        <Directory /path/to/ssl/enabled/site/>
            Order Deny,Allow
            Allow from All
        </Directory>
    </VirtualHost>

    <VirtualHost *:443>
        GnuTLSEnable on
        GnuTLSExportCertificates on
        GnuTLSCacheTimeout 500
        GnuTLSCertificateFile /etc/apache2/ssl/otherserver.crt
        GnuTLSClientCAFile /etc/apache2/ssl/certificates/CA-bundle.crt
        GnuTLSKeyFile /etc/apache2/ssl/keys/otherserver.key
        ServerName otherdomain.tld
        GnuTLSDHFile /etc/apache2/dh.params
        GnuTLSPriorities NORMAL:!AES-256-CBC:%COMPAT
        DocumentRoot /path/to/other/ssl/enabled/site
        <Directory /path/to/other/ssl/enabled/site/>
            Order Deny,Allow
            Allow from All
        </Directory>
    </VirtualHost>
</IfModule>
</IfDefine>
</IfDefine>

Starting Apache
Now start the Apache server, or restart it if it is already running. And remember, if you want Apache to start at boot time, configure it to be started by the init system on boot.
Recommended Reading
Books
- Apache: The Definitive Guide by Ben Laurie & Peter Laurie, published by O'Reilly Media, Inc.
- What's New in Apache Web Server 2.2? by Rich Bowen, published by O'Reilly Media, Inc.
