HOWTO SSL Enabled, Name Based Virtual Hosts with Apache
From Gentoo Linux Wiki
Introduction
In the past, it was only possible to have one SSL-enabled site per IP address. With the advent of SNI, however, that is no longer true.
This article assumes that the reader has some working knowledge of Apache 2.
What is SNI?
SNI is a three-letter acronym that stands for Server Name Indication. Previously, when a browser connected to an SSL-enabled site it only transmitted which encryption mechanisms it was capable of handling, so the server had to pick a certificate before it knew which site the browser wanted. With SNI, the browser transmits not only which encryption mechanisms it is capable of handling but also which site it is trying to connect to, and the server can present that site's certificate.
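The following is an added example, not code from the original article, showing what SNI adds to the handshake on the wire: a ClientHello carries the cipher suites the browser supports and, in the server_name extension defined in RFC 6066, the host it wants. build_client_hello constructs a minimal sample ClientHello; parse_client_hello is the extraction a server, or a monitoring tool logging which names are requested on port 443, would perform.

```python
import struct

# Constructed sample: a minimal TLS 1.0 ClientHello (random zeroed, suites arbitrary).
def build_client_hello(server_name=None, cipher_suites=(0x002F, 0x0035)):
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x01" + bytes(32)                      # client_version, random
            + b"\x00"                                     # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                # one compression method: null
    if server_name is not None:                           # server_name extension, RFC 6066
        host = server_name.encode("idna")
        names = struct.pack("!BH", 0, len(host)) + host   # name_type 0 = host_name
        ext = struct.pack("!HHH", 0, len(names) + 2, len(names)) + names
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return (cipher_suites, sni) from a TLS ClientHello record; sni is None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                        # handshake header, version, random
    p += 1 + hs[p]                                        # session_id
    n, p = struct.unpack("!H", hs[p:p + 2])[0], p + 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + n, 2)]
    p += n + 1 + hs[p + n]                                # cipher suites, compression_methods
    if p >= len(hs):
        return suites, None                               # no extensions block at all
    ext_end, p = p + 2 + struct.unpack("!H", hs[p:p + 2])[0], p + 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0:                                    # server_name
            q = p + 2                                     # skip server_name_list length
            while q + 3 <= p + elen:
                ntype, nlen = struct.unpack("!BH", hs[q:q + 3])
                q += 3
                if ntype == 0:
                    return suites, hs[q:q + nlen].decode("ascii", "replace")
                q += nlen
        p += elen
    return suites, None
```

A ClientHello from a browser without SNI support parses to a None name, which is exactly the case in which Apache falls back to the first *:443 virtual host.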
Supported Browsers
SNI has only recently gained support in browsers. The browsers that have been confirmed to support SNI are:
- Firefox 2.0.0.12
- Firefox 3.0b3
- Internet Explorer 7.0.5730.11 on Microsoft Windows XP MCE 2005
Use mod_gnutls or mod_ssl?
There is a separate Apache module called mod_gnutls that supports SNI on an unpatched Apache as part of its SSL implementation. However, the default SSL module, mod_ssl, that ships with Apache 2.2.8 includes support for SNI, so mod_gnutls is not required.
It's a matter of personal choice when it comes to which module to use. As of this writing, mod_gnutls is new and, therefore, considered an unproven method of enabling SSL while mod_ssl is considered a proven method. Furthermore, mod_gnutls has a different syntax for specifying SSL parameters than mod_ssl.
For further information on mod_gnutls, visit the OutOfOrder.cc project page.
Enabling SSL and SNI
To enable SSL and SNI, the corresponding USE flags must be set. Either edit /etc/make.conf, add ssl and sni to the USE line and then emerge apache, or set them in /etc/portage/package.use, like so:
# echo www-servers/apache ssl sni >> /etc/portage/package.use
# emerge apache
Once Apache is installed, the startup script configuration file /etc/conf.d/apache2 needs to be edited to enable virtual hosts and SSL by adding -D DEFAULT_VHOST -D SSL -D SSL_DEFAULT_VHOST to the APACHE2_OPTS line.
File: /etc/conf.d/apache2
...
# Here are the options available in the default configuration:
#
# AUTH_DIGEST  Enables mod_auth_digest
# AUTHNZ_LDAP  Enables authentication through mod_ldap (available if USE=ldap)
# CACHE        Enables mod_cache
# DAV          Enables mod_dav
# ERRORDOCS    Enables default error documents for many languages.
# INFO         Enables mod_info, a useful module for debugging
# LANGUAGE     Enables content-negotiation based on language and charset.
# LDAP         Enables mod_ldap (available if USE=ldap)
# MANUAL       Enables /manual/ to be the apache manual (available if USE=docs)
# MEM_CACHE    Enables default configuration mod_mem_cache
# PROXY        Enables mod_proxy
# SSL          Enables SSL (available if USE=ssl)
# SUEXEC       Enables running CGI scripts (in USERDIR) through suexec.
# USERDIR      Enables /~username mapping to /home/username/public_html
#
#
# The following two options provide the default virtual host for the HTTP and
# HTTPS protocol. YOU NEED TO ENABLE AT LEAST ONE OF THEM, otherwise apache
# will not listen for incoming connections on the appropriate port.
#
# DEFAULT_VHOST      Enables name-based virtual hosts, with the default
#                    virtual host being in /var/www/localhost/htdocs
# SSL_DEFAULT_VHOST  Enables default vhost for SSL (you should enable this
#                    when you enable SSL)
#
APACHE2_OPTS="-D LANGUAGE -D ERRORDOCS -D DEFAULT_VHOST -D SSL -D SSL_DEFAULT_VHOST -D PHP5"
...
Obtaining SSL Certificates
There are several options for obtaining SSL certificates for the Web server. For simple testing purposes, OpenSSL can create self-signed certificates. For production servers, however, a certificate from a reputable authority, such as Thawte or VeriSign, is required to prevent users from seeing a warning message. Two popular organizations provide free -- free as in beer -- SSL certificates: CAcert.org and StartCom. Of these two, StartCom is only missing support from two major browsers: Internet Explorer and Opera.
Configuring Name Based SSL Virtual Hosts
Defining name-based SSL virtual hosts is similar to defining standard name-based virtual hosts; the exceptions are the port number and the certificate files. Two sample configurations are included here to help get you started.
All the options that are normally used for an SSL-enabled site may also be used for a name-based SSL virtual host. To avoid users seeing warnings, each site should have its own certificate and key file, with the certificate issued for that site's ServerName. For more information on available configuration options, visit Apache's Web site for mod_ssl, and/or OutOfOrder.cc for mod_gnutls.
Using mod_ssl
File: /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
<IfDefine SSL>
<IfDefine SSL_DEFAULT_VHOST>
<IfModule ssl_module>
Listen 443
NameVirtualHost *:443
# The first *:443 VirtualHost is the default: a client that sends no SNI
# (see Supported Browsers) gets this host's certificate whatever site it asked for.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    ServerName domain.tld
    SSLOptions StrictRequire
    # SSLv2 is disabled here; on a current server, disable SSLv3 as well.
    SSLProtocol all -SSLv2
    DocumentRoot /path/to/ssl/enabled/site
    <Directory /path/to/ssl/enabled/site/>
        SSLRequireSSL
        Order Deny,Allow
        Allow from All
    </Directory>
</VirtualHost>
# Second name-based SSL host: selected when the client's SNI says otherdomain.tld.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/otherserver.crt
    SSLCertificateKeyFile /etc/apache2/ssl/otherserver.key
    ServerName otherdomain.tld
    SSLOptions StrictRequire
    SSLProtocol all -SSLv2
    DocumentRoot /path/to/other/ssl/enabled/site
    <Directory /path/to/other/ssl/enabled/site/>
        SSLRequireSSL
        Order Deny,Allow
        Allow from All
    </Directory>
</VirtualHost>
</IfModule>
</IfDefine>
</IfDefine>
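Once both virtual hosts are up, the check a practitioner wants is that each ServerName is answered with its own certificate and that a client sending no SNI gets the first vhost's certificate. The script below is an added example, not part of the original article or of Apache; the server address in the main block is a placeholder, and cafile is only needed when the test certificates are self-signed.

```python
import socket
import ssl

# Constructed sample, shaped like the dict ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "domain.tld"),),),
    "subjectAltName": (("DNS", "domain.tld"), ("DNS", "www.domain.tld")),
}

def cert_names(cert):
    """DNS names a certificate is valid for: SAN DNS entries, then the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names += [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def dns_match(pattern, hostname):
    """Exact match, or a wildcard that replaces exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname

def cert_matches(cert, hostname):
    return any(dns_match(n, hostname) for n in cert_names(cert))

def served_certificate(host, port=443, server_name=None, cafile=None):
    """Handshake with host:port, sending server_name as SNI (None sends no SNI),
    and return the certificate the server chose. The chain is still verified
    (pass cafile for self-signed test certs); only the hostname check is skipped,
    because a valid-but-wrong certificate is exactly what we want to observe."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert()

def check_vhosts(host, names, port=443, cafile=None):
    """Report, per ServerName, whether the certificate presented for it matches.
    The None entry lists the names on the certificate a client without SNI
    receives, i.e. the first *:443 VirtualHost in the configuration."""
    report = {None: cert_names(served_certificate(host, port, None, cafile))}
    for name in names:
        report[name] = cert_matches(served_certificate(host, port, name, cafile), name)
    return report

if __name__ == "__main__":
    # Assumed: the article's two vhosts listen at this placeholder address.
    print(check_vhosts("192.0.2.10", ["domain.tld", "otherdomain.tld"]))
```

Expected output for the configuration above is True for both names; a False for otherdomain.tld means SNI did not reach the server (old client, or the sni USE flag missing) and the default certificate was served instead.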
Using mod_gnutls
FIXME: Sample configuration file needed with the same functionality as the sample above.
Starting Apache
Now, start or restart the Apache server:
# /etc/init.d/apache2 start
or
# /etc/init.d/apache2 restart
Recommended Reading
Books
Apache: The Definitive Guide by Ben Laurie & Peter Laurie, published by O'Reilly Media, Inc.
What's New in Apache Web Server 2.2? by Rich Bowen, published by O'Reilly Media, Inc.
