This is probably the wrong forum for mod_ssl/apache configuration. In the future, you'll get better responses if you direct your questions at an apache list or newsgroup.

gianni dalmasso wrote:

- about virtual hosting: maybe I didn't understand well; what I know is that, for the intrinsic behaviour of the SSL protocol, the web server cannot understand which host is called during the initial handshaking; it can be done only with different IP addresses and/or different ports. So you say I can define different virtual hosts like <VirtualHost aa.bb.cc.dd:443> and that apache serves correctly

SSL virtual hosts must be on different IP addresses and/or ports. Virtual hosts do not allow you to bypass this restriction. But, your issue is really one of configuration.

For example, I use name-based virtual hosts almost exclusively, even on a machine with multiple IP addresses. This allows me to disassociate the default host from any of the other sites I host. In a very simplified config, this is what it might look like:

NameVirtualHost *:80

<VirtualHost _default_:80>
  ServerName server.example.net
  ServerAdmin [EMAIL PROTECTED]
  DocumentRoot /var/www/hosts/default
  <Directory /var/www/hosts/default>
     Order allow,deny
     Deny from all
  </Directory>
  ErrorDocument 403 "Requests without a Host header are forbidden."
</VirtualHost>

<VirtualHost *:80>
  ServerName www.example.com
  ServerAdmin [EMAIL PROTECTED]
  DocumentRoot /var/www/hosts/www.example.com/site
</VirtualHost>

This way, any requests to the IP address or "real" name of the server are refused. Note that the error message is technically incorrect, but the only people I care about seeing it are users that tried to access a virtual host using an ancient browser or other method that doesn't support sending the Host header. It also keeps my virtual host logs free of garbage from worms and spambots.

Non-SSL name-based virtual hosts can share the same IP/port, but this configuration isn't extensible to SSL virtual hosts to provide separation between hosts. In a typical setup, all host names that resolve to the IP will get the SSL virtual host defined for that IP. But with proper planning, you can still take advantage of the Host header to achieve your goal.

Assuming you've already got your SSL host working using only a slightly modified version of the SSL config file included with apache, you can put something like this in the virtual host container:

<VirtualHost _default_:443>
  ServerName www.example.com
  ServerAdmin [EMAIL PROTECTED]
  DocumentRoot "/var/www/hosts/www.example.com/secure"
  # Set env var "ok" only when the Host header is exactly www.example.com
  # (case-insensitive); the dots are escaped so they match literally.
  SetEnvIfNoCase Host ^www\.example\.com$ ok
  <Location />
    Order Deny,Allow
    Deny from all
    Allow from env=ok
  </Location>
...
</VirtualHost>

This will deny any request that does not include a Host header that matches www.example.com. Note that SSL negotiation still takes place, it's just that apache won't serve up any pages. For this reason, it successfully blocks any https requests directly to the IP address, but doesn't really provide protection against worms crawling networks for mod_ssl/openssl exploits (trying to remain OT, here). There are other caveats and approaches, but this one is scalable where the server is limited to one IP address, has multiple name-based virtual hosts, and a single SSL virtual host on port 443.
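To see which Host values that SetEnvIfNoCase rule actually admits, here is an added Python check (not part of the post or of Apache) that applies the same regex case-insensitively, as SetEnvIfNoCase does, to constructed Host header values. It also compares the escaped pattern with an unescaped variant `^www.example.com$` and with a pattern that tolerates a `:443` suffix; it assumes Python's `re` behaves like Apache's PCRE for these simple patterns.

```python
import re

# Unescaped variant: each "." matches any single character.
LOOSE_PATTERN = r"^www.example.com$"
# Escaped dots, plus an optional ":443" so a client that sends
# "Host: www.example.com:443" is still admitted (assumption: that is desired).
STRICT_PATTERN = r"^www\.example\.com(:443)?$"


def host_allowed(host, pattern):
    """Mirror 'SetEnvIfNoCase Host <pattern> ok': an unanchored,
    case-insensitive regex search on the Host header value. True means
    the env var 'ok' would be set and 'Allow from env=ok' would admit
    the request; False means 'Deny from all' wins (403)."""
    return re.search(pattern, host, re.IGNORECASE) is not None


# Constructed Host header values a one-IP server might actually receive.
SAMPLE_HOSTS = [
    "www.example.com",       # the intended name
    "WWW.EXAMPLE.COM",       # NoCase: still allowed
    "203.0.113.10",          # request straight to the IP: denied
    "server.example.net",    # the box's "real" name: denied
    "www.example.com:443",   # some clients append the port
    "wwwXexampleXcom",       # only the unescaped pattern admits this
]


def classify(pattern):
    """Return {host: allowed} for every sample Host under one pattern."""
    return {h: host_allowed(h, pattern) for h in SAMPLE_HOSTS}


if __name__ == "__main__":
    for name, pat in (("loose", LOOSE_PATTERN), ("strict", STRICT_PATTERN)):
        print(f"{name}: {pat}")
        for host, ok in classify(pat).items():
            print(f"  {'allow' if ok else 'deny ':5} {host}")
```

The output makes the caveat from the paragraph above concrete: the gate only inspects the Host header after the TLS handshake, so it decides what gets served, not who gets to negotiate SSL.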

Hope this helps. YMMV.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]