topic Setup virtual host with apache and ssl in Operating System - HP-UX

Setup virtual host with apache and ssl

David Woodroffe — Mon, 12 Jun 2006 22:41:10 GMT

I am attempting to establish a number of virtual web hosts using ssl and apache. I can't seem to get ssl to work on any but the "main" host.
I am using:
HP-UX 11i v1, and the HP apache depot for version 2.0.55. The system has two network cards with one of them with two ip addresses 139.x.y.z1 and 139.x.y.z2

I can start the web server in ssl mode using ../bin/apachectl startssl.

All but the main web can only be contacted with a url like http://139.x.y.z1:443. Using a url like https:/139.x.y.z1 gives an empty page and no apparent error message. The main web service can be contacted through the other network card with something like https://139.x.y1.z3. I was also trying to trap any other access and not give any access.

I have included what I think are the relevant parts of the httpd.conf file. Any assistance greatly appreciated.

#----------------------
# httpd.conf bits
Listen 139.x.y.z1:443
Listen 139.x.y.z2:443
# .....

#------------------
#

DocumentRoot /opt/hpws/apache/htdocs
ErrorLog logs/default_error_log
TransferLog logs/default_access_log

Options none
Order deny,allow
Deny from all

#---

DocumentRoot /opt/hpws/apache/htdocs
ServerName 139.x.y.z1
ServerAlias hp4
ErrorLog logs/hp4_error_log
TransferLog logs/hp4_access_log

#---

# ServerAdmin root@hp4.usq.edu.au
DocumentRoot /opt/hpws/apache/hpweb4
ServerName 139.x.y.z2
ServerAlias hpweb4
ErrorLog logs/hpweb4_error_log
TransferLog logs/hpweb4_access_log

Options Indexes FollowSymLinks
Order allow,deny
Allow from all

#------------------

Re: Setup virtual host with apache and ssl

Matti_Kurkela — Tue, 13 Jun 2006 03:00:01 GMT

"apachectl startssl" only _allows_ you to use SSL, it does not _make_ the Apache servers use SSL. For that, you need some more configuration.

Apache can handle having several SSL and non-SSL virtual hosts inside one Apache instance. You need to add the directive "SSLEngine on" for each SSL virtual host. You also need to specify a SSL certificate for them: the directive is "SSLCertificateFile /some/where/certificate.pem". You also need the private key for each certificate, which can be attached to the certificate or it can be a separate .pem file.

With the OpenSSL tools, you can create a certificate for free, but it will be "untrusted" unless the browser is explicitly configured to trust that certificate. To get a certificate that will be trusted by any Web browser, you need to buy one from a Certification Authority like VeriSign.

Currently, what you have is a simple set of HTTP virtual hosts in a non-standard port (i.e. 443).

If you try an URL like https://139.x.y.z1, the browser tries to start up a SSL negotiation, which looks like a bunch of gibberish from a HTTP server viewpoint. The browser, on the other hand, sees the server's plain-HTTP error message as "some data that is not a valid SSL session". Because the SSL session did not get established, the only possible error message is going to be the browser's "could not establish a SSL connection", when the browser finally gives up on trying.

In case you are trying name-based virtual hosting (several virtual hosts in the same IP address and TCP port), it does not work at all with HTTPS.
Basically, you have a chicken-and-egg problem: you need to know which virtual host the client wants to be able to offer the correct certificate, but that knowledge is in the SSL-secured HTTPS request, which won't even get sent before the SSL encryption session is established.

Re: Setup virtual host with apache and ssl

David Woodroffe — Tue, 13 Jun 2006 17:27:24 GMT

Hi Matti,
Thanks for the info. Just what I needed. It is all so straight forward with the right key.
I have simply taken bits from ../conf/ssl./conf and included them with each virtual host and all work great.
Thankyou for your quick response.
David

Re: Setup virtual host with apache and ssl

David Woodroffe — Tue, 13 Jun 2006 17:30:24 GMT

Reply indicated the correct solution to the problem.