Apache Name Virtual Host with SSL [closed]

8

42

I am attempting to set up our servers to allow traffic over SSL. I am aware that SSL does not work with Name Virtual Host, but we have all of our Apache servers on virtual machines with dedicated private IPs. We have a primary virtual machine that has mod_proxy set up to route traffic to the appropriate VMs.

However, in order to route HTTPS traffic we need to have the certificate installed on the proxy as well as the VMs. We have a wildcard certificate that can be used across all of our hosts. Everything appears to work properly, but I receive the following in the Apache logs for the proxy:

[warn] Init: SSL server IP/port conflict: host1.example.com:443 (/etc/apache2/sites-enabled/host1:1) vs. host2.example.com:443 (/etc/apache2/sites-enabled/host2:1)

There is one of these error messages for each host we have set up on the proxy. Our Virtual Host setup for the proxy is posted below:

<VirtualHost ipaddress:443>
    ServerName host1.example.com
    # forward everything for this name to host1's VM, keeping the original Host header
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / https://privateip:443/
    ProxyPassReverse / https://privateip:443/

    # TLS towards the backend VM and towards the client, using the wildcard certificate
    SSLProxyEngine on
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>

Is there any way that I can get this to work?

Skylab answered 5/2, 2009 at 18:50 Comment(3)
Make sure you generate a certificate with the proper Common Name or it will work in some browsers and not in IEBordelaise
I voted to close this question because it is not a programming question. Questions about managing your servers can be asked on Server Fault. In the future, please ask questions like this there.Meatiness
@StephenOstermiller this question was asked 14 years ago. Server Fault didn't exist.Skylab
21

It sounds like Apache is warning you that you have multiple <VirtualHost> sections with the same IP address and port... as far as getting it to work without warnings, I think you would need to use something like Server Name Indication (SNI), a way of identifying the hostname requested as part of the SSL handshake. Basically it lets you do name-based virtual hosting over SSL, but I'm not sure how well it's supported by browsers. Other than something like SNI, you're basically limited to one SSL-enabled domain name for each IP address you expose to the public internet.

Of course, if you are able to access the websites properly, you'll probably be fine ignoring the warnings. These particular ones aren't very serious; they're mainly an indication of what to look at if you are experiencing problems.

Unclassical answered 5/2, 2009 at 20:42 Comment(3)
David, Thank you for your response. After doing some research I believe this would be the way to go. However, there is limited support for SNI under Windows XP. I think I will try this anyway since I am using a wildcard cert. If this does not work, I guess I will have to ignore the errors for now.Skylab
PS: Most sites seem to refer to this as Server Name Indication, not Identification.Skylab
Ah, my bad... I really just remembered the acronym, SNI. I'll edit the post.Unclassical
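The SNI layout the accepted answer describes, plus the two checks a practitioner wants around it, as an added example (this is not code from the question or from any answer). It assumes Apache 2.2.12 or later built against an OpenSSL with TLS extensions, a Debian-style one-file-per-vhost directory, and the made-up names host1/host2.example.com, *.internal.example.com and the certificate paths.

```shell
#!/bin/sh
# Added example for this thread; not code from the question or any answer.
# Assumptions (constructed): Apache 2.2.12+ with SNI, one file per vhost in DIR,
# the names host1/host2.example.com and *.internal.example.com, the cert paths.
#
# write_sni_vhosts DIR        writes two name-based SSL vhosts that share *:443
# vhost_conflicts DIR         offline: prints every addr:port used by more than one
#                             <VirtualHost> tag under DIR. On a build without SNI
#                             these pairs are what the "SSL server IP/port conflict"
#                             warning is about, so the output must be empty there.
# served_cert HOST PORT NAME  online: TLS handshake with openssl s_client sending
#                             NAME as the SNI name; prints the subject of the
#                             certificate the server actually chose for it.

write_sni_vhosts() {
    dir="$1"
    mkdir -p "$dir"
    for h in host1 host2; do
        cat > "$dir/$h.example.com" <<EOF
<VirtualHost *:443>
    ServerName $h.example.com
    SSLEngine on
    # one wildcard certificate for *.example.com, shared by every vhost
    SSLCertificateFile    /etc/ssl/certs/wildcard.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/wildcard.example.com.key
    # clients that send no SNI name would otherwise land in whichever *:443
    # vhost is listed first; refuse them instead of proxying them to a guess
    SSLStrictSNIVHostCheck on

    # reverse proxy to this host's backend VM; keep the Host header so the
    # backend's own name-based vhost selection still works
    ProxyRequests Off
    ProxyPreserveHost On
    SSLProxyEngine on
    # SSLProxyEngine alone does not authenticate the backend; require a
    # certificate that chains to the internal CA (path is an assumption)
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.pem
    ProxyPass        / https://$h.internal.example.com:443/
    ProxyPassReverse / https://$h.internal.example.com:443/
</VirtualHost>
EOF
    done
}

vhost_conflicts() {
    dir="$1"
    # take every uncommented <VirtualHost ...> tag, drop the tag name, put each
    # addr:port argument on its own line and keep those that occur more than once
    cat "$dir"/* \
      | grep -i '^[[:space:]]*<VirtualHost' \
      | sed -e 's/^[^<]*<[^[:space:]>]*[[:space:]]*//' -e 's/[[:space:]]*>.*$//' \
      | tr -s ' \t' '\n\n' \
      | sed '/^$/d' \
      | sort | uniq -d
}

served_cert() {
    host="$1"; port="$2"; name="$3"
    # -servername sets the SNI extension; the subject shows which vhost's
    # certificate the server picked for that name (needs network + openssl)
    openssl s_client -connect "$host:$port" -servername "$name" </dev/null 2>/dev/null \
      | openssl x509 -noout -subject
}

# Constructed demo: the question's IP-based layout next to the SNI layout.
work=$(mktemp -d)
mkdir "$work/ipbased"
printf '<VirtualHost 10.0.0.5:443>\n    ServerName host1.example.com\n</VirtualHost>\n' > "$work/ipbased/host1"
printf '<VirtualHost 10.0.0.5:443>\n    ServerName host2.example.com\n</VirtualHost>\n' > "$work/ipbased/host2"
printf '<VirtualHost 10.0.0.5:80>\n    ServerName host1.example.com\n</VirtualHost>\n'  > "$work/ipbased/host1-http"
echo "addr:port pairs shared by several vhosts (warned about on a non-SNI build):"
vhost_conflicts "$work/ipbased"   # prints 10.0.0.5:443

write_sni_vhosts "$work/sni"
echo "pairs shared in the SNI layout (expected for name-based SSL vhosts):"
vhost_conflicts "$work/sni"       # prints *:443
rm -rf "$work"
```

On the proxy, `vhost_conflicts /etc/apache2/sites-enabled` lists the same pairs the warning complains about; `apachectl -S` then shows which vhost Apache treats as the default for each port, which is the one non-SNI clients reach. `served_cert proxy.example.com 443 host2.example.com` confirms from the client side which certificate a given SNI name gets. `SSLStrictSNIVHostCheck on` is the trade-off the thread touches on: clients without SNI (the Windows XP case mentioned above) are refused rather than silently proxied to the first vhost's backend.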
7

As far as I know, Apache supports SNI since version 2.2.12. Sadly the documentation does not yet reflect that change.

Go for http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI until that is finished

Airlike answered 15/2, 2010 at 9:16 Comment(0)
3

You may be able to replace the:

VirtualHost ipaddress:443

with

VirtualHost *:443

You probably need to do this on all of your virtual hosts.

It will probably clear up that message. Let the ServerName directive worry about routing the request.

Again, you may not be able to do this if you have multiple IP aliases on the same machine.

Middy answered 5/2, 2009 at 22:29 Comment(1)
Harold, Thank you for your response. I attempted this earlier and it made no difference.Skylab
2

The VirtualHost would look like this:

NameVirtualHost IP_Address:443

<VirtualHost IP_Address:443>
    SSLEngine on
    # Where "ca" is the name of the certificate (Apache only accepts comments on their own line)
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    ServerAdmin [email protected]
    DocumentRoot /var/www/html
    ServerName www.example.com
    ErrorLog logs/www.example.com-error_log
    CustomLog logs/www.example.com-access_log common
</VirtualHost>
Footnote answered 21/12, 2016 at 10:30 Comment(0)
1

First, you need NameVirtualHost ip:443 in your config file! You probably have one with 80 at the end, but you will also need one with 443.

Second, you need a *.domain certificate (wildcard) (it is possible to make one).

Third, you can only serve something.domain sites on one IP (because of the certificate).

Keel answered 1/10, 2011 at 19:14 Comment(1)
One of your port numbers is wrong, and I can't fix it (6 char min edit).Bordelaise
1

You MUST add the part below to enable NameVirtualHost functionality with the given IP.

NameVirtualHost IP_Address:443
Drexler answered 26/7, 2018 at 6:26 Comment(1)
I made sure to leave #Include conf/extra/httpd-ssl.conf commented out in httpd.conf, and then this worked in httpd-vhosts.conf:
    NameVirtualHost *:443
    Listen 443
    <VirtualHost *:443>
        SSLEngine On
        ...Jehiah
0

Apache doesn't support SSL on name-based virtual host, only on IP based Virtual Hosts.

Source: Apache 2.2 SSL FAQ question Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?

Unlike SSL, the TLS specification allows for name-based hosts (SNI as mentioned by someone else), but Apache doesn't yet support this feature. It supposedly will in a future release when compiled against openssl 0.9.8.

Also, mod_gnutls claims to support SNI, but I've never actually tried it.

Humdrum answered 12/2, 2009 at 17:31 Comment(2)
Looks like this answer is a bit outdatedIndo
You are absolutely right, name-based SSL won't work. Good link.Idler
0

I created /var/www/example.com to contain the content that I wanted to display. Then I created /etc/apache2/sites-available/example.com-le-ssl.conf with the following content:

<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
    ErrorLog /error.log
    CustomLog /access.log combined
  </VirtualHost>
</IfModule>

I enabled the site using a2ensite example.com-le-ssl.conf and after that, I activated the new configuration with systemctl reload apache2.

I posted this solution with some screenshots and extra details at my blog https://jaimemontoya.com/blog/2023/11/17/13/08/.

Curley answered 17/11, 2023 at 14:43 Comment(0)
