On Tue, Nov 6, 2012 at 10:15 AM, Igor Cicimov <icici...@gmail.com> wrote:
> On Tue, Nov 6, 2012 at 10:09 AM, Ben Johnson <b...@indietorrent.org> wrote:
>
>> On 11/5/2012 4:46 PM, Igor Cicimov wrote:
>> >
>> > On 06/11/2012 6:03 AM, "Phusion" <phusio...@gmail.com> wrote:
>> >>
>> >> I am in need of some assistance. The server is running Apache 2.2.15-15 on Red
>> >> Hat Enterprise Linux Server 6.3 x86_64. The configuration currently has the
>> >> following which works. We have a wildcard SSL certificate for *.domain.com. We
>> >> have all these on one NIC with the same IP address. I need to host a website
>> >> for another domain with that domain having another wildcard SSL certificate. I
>> >> know that I could either make a virtual IP address through aliasing or have
>> >> another NIC with another IP address. Maybe, I need to change to use a
>> >> combination of name-based virtual hosts and IP-based virtual hosts.
>> >>
>> >> Listen 80
>> >> NameVirtualHost *:80
>> >> NameVirtualHost *:443
>> >> <VirtualHost *:80>
>> >>   ServerName www.domain.com
>> >>   Redirect / https://www.domain.com/
>> >> </VirtualHost>
>> >> <VirtualHost *:443>
>> >>   ServerName www.domain.com
>> >>   DocumentRoot /data/websites/domain/www
>> >> </VirtualHost>
>> >> <VirtualHost *:80>
>> >>   ServerName beta.domain.com
>> >>   Redirect / https://beta.domain.com/
>> >> </VirtualHost>
>> >> <VirtualHost *:443>
>> >>   ServerName beta.domain.com
>> >>   DocumentRoot /data/websites/domain/beta
>> >> </VirtualHost>
>> >> <VirtualHost *:80>
>> >>   ServerName www.domain.net
>> >>   Redirect / https://www.domain.com/
>> >> </VirtualHost>
>> >> <VirtualHost *:443>
>> >>   ServerName www.domain.net
>> >>   DocumentRoot /data/websites/domain/www
>> >>   Redirect / https://www.domain.com/
>> >> </VirtualHost>
>> >> <VirtualHost *:80>
>> >>   ServerName www.mydomain.com
>> >>   Redirect / https://www.mydomain.com/
>> >> </VirtualHost>
>> >> <VirtualHost *:443>
>> >>   ServerName www.mydomain.com
>> >>   DocumentRoot /data/websites/domain/www
>> >>   Redirect / https://www.domain.com/
>> >> </VirtualHost>
>> >>
>> >> The new domain could be called domain2.com.
>> >>
>> >> <VirtualHost *:80>
>> >>   ServerName www.domain2.com
>> >>   Redirect / https://www.domain2.com/
>> >> </VirtualHost>
>> >> <VirtualHost *:443>
>> >>   ServerName www.domain2.com
>> >>   DocumentRoot /data/websites/domain2/www
>> >> </VirtualHost>
>> >
>> > You can do ssl name virtual hosts starting with SNI support in all
>> > modern browsers and apache 2.2.12. All you need to do is point each
>> > virtual host to its wildcard domain cert. If that was the question...
>>
>> One important caveat regarding Server Name Indication (SNI): any
>> user-agent (browser, device, etc.) that doesn't implement SNI (IE on
>> Windows XP, for example) will be directed to the first virtual host that
>> is defined in your Apache configuration. This could have unwanted or
>> unintended consequences, so beware... especially if you cannot easily
>> re-order the entries manually.
>>
>> -Ben
>>
>
> Another point here:
>
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslstrictsnivhostcheck
>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
>>

Also this might help too:

Prerequisites to use SNI

- Use OpenSSL 0.9.8f or later
- Build OpenSSL with the TLS Extensions option enabled (option enable-tlsext; OpenSSL 0.9.8k and later has this enabled by default).
- Apache must have been built with that OpenSSL (./configure --with-ssl=/path/to/your/openssl). In that case, mod_ssl will automatically detect the availability of the TLS extensions and support SNI.
- Apache must use that OpenSSL at run-time, which might require setting LD_LIBRARY_PATH or equivalent to point to that OpenSSL, maybe in bin/envvars. (You'll get unresolved symbol errors at Apache startup if Apache was built with SNI but isn't finding the right openssl libraries at run-time.)
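
An illustrative configuration for the setup discussed in this thread, added here as an example and not posted by any participant: two name-based SSL virtual hosts on one IP address, each with its own wildcard certificate, with SSLStrictSNIVHostCheck set in the default virtual host. The certificate and key paths are placeholders, and it assumes the SNI prerequisites listed above are met.

```apache
# Added example. Hostnames and DocumentRoots follow the thread;
# certificate and key paths are placeholders.
Listen 443
NameVirtualHost *:443

# The FIRST *:443 virtual host is the default for this IP:port.
# A client that sends no SNI is matched here during the TLS handshake and
# is shown this certificate, whatever hostname it later asks for.
<VirtualHost *:443>
    ServerName www.domain.com
    DocumentRoot /data/websites/domain/www

    SSLEngine on
    SSLCertificateFile    /path/to/wildcard.domain.com.crt
    SSLCertificateKeyFile /path/to/wildcard.domain.com.key

    # Set in the default vhost: SNI-unaware clients are refused access to
    # every name-based vhost on this IP:port instead of being served the
    # wrong site. Trade-off: clients without SNI (IE on Windows XP, as
    # noted in the thread) can no longer reach any of these sites.
    SSLStrictSNIVHostCheck on
</VirtualHost>

# Same wildcard certificate, different host under *.domain.com.
<VirtualHost *:443>
    ServerName beta.domain.com
    DocumentRoot /data/websites/domain/beta

    SSLEngine on
    SSLCertificateFile    /path/to/wildcard.domain.com.crt
    SSLCertificateKeyFile /path/to/wildcard.domain.com.key
</VirtualHost>

# The new domain, selected by SNI and served with its own wildcard certificate.
<VirtualHost *:443>
    ServerName www.domain2.com
    DocumentRoot /data/websites/domain2/www

    SSLEngine on
    SSLCertificateFile    /path/to/wildcard.domain2.com.crt
    SSLCertificateKeyFile /path/to/wildcard.domain2.com.key
</VirtualHost>
```

If non-SNI clients must still be supported, leave SSLStrictSNIVHostCheck off and make the first virtual host one whose content is safe to show under a mismatched hostname.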