SSL Part 1: Multi-Websites 2

Revision as of 17:46, 9 June 2008 by Ric

mod_ssl Multi-Websites 2
Uniform Server 3.5-Apollo

Securing multi-websites using virtual hosts on a single IP address.

You may prefer to run your SSL sites on the same IP address but on different ports. There is a problem with this method: users of your sites will have to specify the port number in the URL, which is not the case when using the default port. You may find this method acceptable, hence the reason for including it. Normally a user reaches a secure site from an un-secured page using a link; with this method, adding a port number to the link will not be a problem for the user.

Basic Structure

The global SSL section remains unchanged; remember to add as many listening ports as there are virtual hosts, and make sure you do not select a port that is already in use, otherwise Apache will not start.

################################## Global SSL ######################################
Listen 453
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

The first line instructs Apache to listen on port 453, corresponding to the virtual host defined below. When selecting ports, make sure they are not in use on your machine, otherwise Apache will not start.

Each new Vhost must have a corresponding listening port.

Each virtual host will look similar to this:

########### SSL Virtual Host ############################
NameVirtualHost *:453

This instructs Apache that the following Vhost block is associated with any IP address (* wildcard) on port 453.

<VirtualHost _default_:453>
ServerName site4.unicenter.gotdns.org
DocumentRoot /www/site4
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL 
SSLProtocol all -SSLv2
SSLCertificateFile conf/ssl.crt/server.crt
SSLCertificateKeyFile conf/ssl.key/server.key
</VirtualHost>

There is only one Vhost associated with this block, hence we make it the default (_default_); note that the port number must be included.

Each block contains the SSL directives; if you wish to add authentication, see the previous page for details.


Complete example

For this example I am using sites as defined on the previous page. If you wish you can add authentication blocks.

To save typing, use the file 'ssl.conf3.txt' (see folder www/test_multi): rename it ssl.conf and edit it to your specific requirements.

I have highlighted changes in bold:

  New  

#################### Global SSL ########################
Listen 453
Listen 454
Listen 455
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

########### SSL Virtual Host ############################

NameVirtualHost *:453
<VirtualHost _default_:453>
  ServerName site4.unicenter.gotdns.org
  DocumentRoot /www/site4
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL 
  SSLProtocol all -SSLv2
  SSLCertificateFile conf/ssl.crt/server.crt
  SSLCertificateKeyFile conf/ssl.key/server.key
</VirtualHost>

NameVirtualHost *:454
<VirtualHost _default_:454>
  ServerName site5.unicenter.gotdns.org
  DocumentRoot /www/site5
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLProtocol all -SSLv2
  SSLCertificateFile conf/ssl.crt/server.crt
  SSLCertificateKeyFile conf/ssl.key/server.key
</VirtualHost>

NameVirtualHost *:455
<VirtualHost _default_:455>
  ServerName site6.unicenter.gotdns.org
  DocumentRoot /www/site6
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLProtocol all -SSLv2
  SSLCertificateFile conf/ssl.crt/server.crt
  SSLCertificateKeyFile conf/ssl.key/server.key
</VirtualHost>

Note: The virtual hosts may have different certificates and keys specified; this provides each site with both authentication and encryption.


Test

Save the file, restart your servers, run the following tests and note the results:

  1. Type https://site4.unicenter.gotdns.org:453 into your browser
  2. Type https://site5.unicenter.gotdns.org:454 into your browser
  3. Type https://site6.unicenter.gotdns.org:455 into your browser
  4. Type https://fred.unicenter.gotdns.org/ into your browser

All the sites require a port number; test 4 has no port in the URL and so defaults to 443.

Note: Before repeating a test, always restart your browser (this clears the sessions).

Conclusion

In this extra information section I have shown you how easy it is to use mod_ssl to secure a personal web server. If you want to go to the trouble and expense, you can use real signed certificates; there is a lot of information on the Internet describing this process.

While writing the virtual host sections I inadvertently introduced several syntax errors that prevented Apache from running; on the final page I describe a few debugging techniques.



  Ric