OK, this is starting to make more sense as we go along ....
I went through all of this myself when setting up originally.
I found that I cannot use vhosts easily with SSL / SNI / SANs etc.,
and a SAN is a nightmare to manage every time you make a cert change.
It was just more reliable to use individual config entries and SNI and
proper certs for the domain.
Also note certs today handle domain.com & www.domain.com in one
cert (or Apache - never really did figure that out);
basically domain.com handles both with the ServerAlias.
Also (why I forgot about it), vhosts allow users to criss-cross
directories data-wise (i.e. all rights are user www:www), which is why I
went away from that type of config.
Unless this has changed, I ended up dumping the vhosts config and went with
individual config entries per website.
Examples below using *:80 & *:443 respectively:
<VirtualHost *:80>
    ServerName underconstruction.scom.ca
    # ServerAlias is for the extra names (e.g. www.); repeating the
    # ServerName here is harmless but redundant
    ServerAlias underconstruction.scom.ca
    DocumentRoot /www/underconstruction.scom.ca
</VirtualHost>
<VirtualHost *:443>
    ServerName underconstruction.scom.ca
    ServerAlias underconstruction.scom.ca
    DocumentRoot /www/underconstruction.scom.ca
    SSLEngine on
    # "SSLProtocol all" as originally posted also enables SSLv3 and
    # TLS 1.0/1.1 on builds that still ship them; exclude them explicitly
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateKeyFile /www/scom.ca/ssl/scom.ca.key
    SSLCertificateFile /www/scom.ca/ssl/scom.ca.crt
    # still works, but deprecated since 2.4.8: the intermediates can be
    # appended to the SSLCertificateFile instead
    SSLCertificateChainFile /www/scom.ca/ssl/scom.ca.chain
</VirtualHost>
I know it's long and drawn out in the config file, which is why I wrote a
Python script against a pgsql database to generate my config, but IT DOES
WORK!
A better example (more secure) - this keeps all PHP scripts and users
from bleeding into other users' directories. This is how onetoone, myself
and a bunch of other providers got hacked a few years back,
mainly due to WordPress security issues.
vhosts are convenient but not super secure.
<VirtualHost *:80>
    ServerName video.guelph.eks.scom.ca
    ServerAlias video.guelph.eks.scom.ca
    DocumentRoot /www/video.guelph.eks.scom.ca
    # suexec applies to CGI/SSI only; PHP loaded as mod_php runs as the
    # httpd user regardless, which is why the php_admin_value jail below
    # does the real isolation work
    SuexecUserGroup www www
    # uploads are data, never code: refuse to run PHP from this tree
    <Directory "/www/video.guelph.eks.scom.ca/wp-content/uploads/">
        <FilesMatch "\.ph(p[0-9]?|tml|ar)$">
            # httpd 2.4 form; on 2.2 this was "Order Deny,Allow" + "Deny from All"
            Require all denied
        </FilesMatch>
    </Directory>
    # one container instead of six identical ones. Trailing slashes on the
    # open_basedir entries matter: PHP compares them as string prefixes, so
    # "/www/video.guelph.eks.scom.ca" alone would also admit
    # "/www/video.guelph.eks.scom.ca-other"
    <Directory "/www/video.guelph.eks.scom.ca/">
        AllowOverride All
        php_admin_value open_basedir /www/video.guelph.eks.scom.ca/:/var/log/
        php_admin_value sys_temp_dir /www/video.guelph.eks.scom.ca/tmp/
        php_admin_value upload_tmp_dir /www/video.guelph.eks.scom.ca/tmp/
        php_admin_value session.save_path /www/video.guelph.eks.scom.ca/tmp/
        php_admin_value soap.wsdl_cache_dir /www/video.guelph.eks.scom.ca/tmp/
        # the original also had
        #   php_value session.save_path "/www/video.guelph.eks.scom.ca/"
        # php_admin_value cannot be overridden by php_value, so that line was
        # dead config, and the DocumentRoot itself is web-served and so the
        # wrong place for session files anyway; dropped
    </Directory>
</VirtualHost>
&
<VirtualHost *:443>
    ServerName video.guelph.eks.scom.ca
    ServerAlias video.guelph.eks.scom.ca
    DocumentRoot /www/video.guelph.eks.scom.ca
    SuexecUserGroup www www
    # same PHP jail as the *:80 vhost for this site: the six identical
    # <Directory> containers are merged into one, and the duplicate
    # php_value session.save_path pointing at the DocumentRoot is dropped
    # (php_admin_value wins over php_value, so it was dead config)
    <Directory "/www/video.guelph.eks.scom.ca/wp-content/uploads/">
        <FilesMatch "\.ph(p[0-9]?|tml|ar)$">
            Require all denied
        </FilesMatch>
    </Directory>
    <Directory "/www/video.guelph.eks.scom.ca/">
        AllowOverride All
        php_admin_value open_basedir /www/video.guelph.eks.scom.ca/:/var/log/
        php_admin_value sys_temp_dir /www/video.guelph.eks.scom.ca/tmp/
        php_admin_value upload_tmp_dir /www/video.guelph.eks.scom.ca/tmp/
        php_admin_value session.save_path /www/video.guelph.eks.scom.ca/tmp/
        php_admin_value soap.wsdl_cache_dir /www/video.guelph.eks.scom.ca/tmp/
    </Directory>
    SSLEngine on
    # "SSLProtocol all" also enables SSLv3 and TLS 1.0/1.1 where the build
    # still has them; exclude them explicitly
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateKeyFile /www/scom.ca/ssl/scom.ca.key
    SSLCertificateFile /www/scom.ca/ssl/scom.ca.crt
    SSLCertificateChainFile /www/scom.ca/ssl/scom.ca.chain
</VirtualHost>
Note I have a wildcard SSL cert, but the file location setup is clearly
defined.
Happy Thursday !!!
Thanks - paul
Paul Kudla
Scom.ca Internet Services <http://www.scom.ca>
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3
Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
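Paul mentions generating his per-site entries with a Python script against a pgsql database. What follows is an added example of that approach, not his script and not httpd project code: the site list is an inline constant standing in for the database rows, the www.* alias on the first site, the shop-style DRIFT snippet and the 2.4-only "Require all denied" form are constructed or assumed, and the /www/<site> layout, the www:www suexec user and the /www/scom.ca/ssl/ cert files follow the configs in the post. The point of generating rather than hand-copying is that the :80 and :443 vhosts cannot drift apart; lint() additionally catches the kind of drift a hand-maintained config picks up (a php_value that loses to a php_admin_value for the same key, an open_basedir entry without its trailing slash, a temp path outside the site's tree).

```python
"""Per-site Apache vhost generator with a consistency check (added example)."""
from __future__ import annotations

import re

# Constructed input standing in for the database rows Paul's script reads.
SITES = [
    {"name": "underconstruction.scom.ca",
     "aliases": ["www.underconstruction.scom.ca"]},
    {"name": "video.guelph.eks.scom.ca", "aliases": []},
]
SSL_DIR = "/www/scom.ca/ssl"  # wildcard cert location from the post
TMP_KEYS = ("session.save_path", "upload_tmp_dir", "sys_temp_dir",
            "soap.wsdl_cache_dir")


def php_jail(root: str) -> list[str]:
    """Keep mod_php inside one site's tree. Trailing slashes on open_basedir
    entries matter: PHP compares them as string prefixes."""
    tmp = f"{root}/tmp/"  # same layout as the post: tmp/ under the docroot
    return [
        f'    <Directory "{root}/wp-content/uploads/">',
        "        # uploads are data, never code",
        '        <FilesMatch "\\.ph(p[0-9]?|tml|ar)$">',
        "            Require all denied",
        "        </FilesMatch>",
        "    </Directory>",
        f'    <Directory "{root}/">',
        "        AllowOverride All",
        f"        php_admin_value open_basedir {root}/:/var/log/",
        *[f"        php_admin_value {k} {tmp}" for k in TMP_KEYS],
        "    </Directory>",
    ]


def render_vhost(site: dict, port: int) -> str:
    """One <VirtualHost *:port>; :80 and :443 differ only in the SSL lines."""
    root = f"/www/{site['name']}"
    lines = [f"<VirtualHost *:{port}>", f"    ServerName {site['name']}"]
    if site["aliases"]:
        lines.append("    ServerAlias " + " ".join(site["aliases"]))
    lines += [f"    DocumentRoot {root}", "    SuexecUserGroup www www"]
    lines += php_jail(root)
    if port == 443:
        lines += ["    SSLEngine on",
                  "    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1",
                  f"    SSLCertificateKeyFile {SSL_DIR}/scom.ca.key",
                  f"    SSLCertificateFile {SSL_DIR}/scom.ca.crt",
                  f"    SSLCertificateChainFile {SSL_DIR}/scom.ca.chain"]
    lines.append("</VirtualHost>")
    return "\n".join(lines)


def render_site(site: dict) -> str:
    return render_vhost(site, 80) + "\n\n" + render_vhost(site, 443)


def lint(config: str) -> list[str]:
    """Flag php_value/php_admin_value collisions, open_basedir entries without
    a trailing slash, and PHP temp paths that are not a subdirectory of the
    vhost's DocumentRoot (the DocumentRoot itself is web-served, so rejected)."""
    problems = []
    for m in re.finditer(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", config, re.S):
        body = m.group(1)
        root_m = re.search(r'^\s*DocumentRoot\s+"?([^"\s]+)', body, re.M)
        if not root_m:
            problems.append("vhost without DocumentRoot")
            continue
        root = root_m.group(1).rstrip("/")
        admin, plain = {}, {}
        for d, key, val in re.findall(
                r'^\s*(php_admin_value|php_value)\s+(\S+)\s+"?([^"\s]+)',
                body, re.M):
            (admin if d == "php_admin_value" else plain)[key] = val
            if key == "open_basedir":
                problems += [f"open_basedir entry {e!r} lacks a trailing slash"
                             for e in val.split(":") if not e.endswith("/")]
            elif key in TMP_KEYS and (not val.startswith(root + "/")
                                      or val.rstrip("/") == root):
                problems.append(f"{key}={val!r} is not a subdirectory of {root}")
        for key in admin.keys() & plain.keys():
            problems.append(f"{key}: php_value {plain[key]!r} is dead config, "
                            f"php_admin_value {admin[key]!r} wins")
    return problems


# Constructed snippet with both kinds of drift: no trailing slash on the
# first open_basedir entry, and a php_value session.save_path pointing at
# the DocumentRoot after a php_admin_value for the same key.
DRIFT = """<VirtualHost *:80>
    DocumentRoot /www/video.guelph.eks.scom.ca
    <Directory /www/video.guelph.eks.scom.ca>
        php_admin_value open_basedir /www/video.guelph.eks.scom.ca:/var/log/
        php_admin_value session.save_path /www/video.guelph.eks.scom.ca/tmp/
        php_value session.save_path "/www/video.guelph.eks.scom.ca/"
    </Directory>
</VirtualHost>
"""
```

Running `print(render_site(SITES[1]))` emits the :80 and :443 pair for one site; `lint(DRIFT)` returns three findings, while `lint(render_site(site))` is empty for every generated site. The generator keeps Paul's choice of a tmp/ directory under the DocumentRoot; moving it outside the web root would be stricter still.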
On 5/19/2022 9:11 AM, Rainer Canavan wrote:
On Wed, May 18, 2022 at 11:53 PM Frank Gingras <thu...@apache.org> wrote:
Not sure if you saw the other answer on the other email:
// If you can't use a SAN, then you need to configure all your vhosts as
IP:443, whereas one vhost uses a separate IP, and the remainder uses the second
IP.
That sounds wrong to me. Apache should pick a matching certificate for
the hostname specified via SNI by the client, if any, or the first one
configured as a fallback (assuming the vhost IP / * specification
matches). Note that only vhosts with IP:port are considered, if any
are specified and match the request. You should be able to use *:443
for all vhosts.
Rainer
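The selection rule Rainer describes, as an added example that is not httpd code and not part of the thread: a small model of how httpd picks the vhost, and therefore the certificate, for a TLS request. It ignores _default_ vhosts and the pre-2.4 NameVirtualHost directive, approximates ServerAlias wildcards with fnmatch, and the 192.0.2.0/24 and 203.0.113.0/24 addresses, the shop.example and legacy.example sites and their cert paths are constructed. The IP-pinned vhost shows the trap in the IP:443 approach Frank mentions: once any vhost is bound to a specific address, the *:443 vhosts are never consulted for connections to that address.

```python
"""Model of httpd vhost/certificate selection for TLS requests (added example)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass
class VHost:
    addr: str         # "*" or a literal IP, from <VirtualHost addr:port>
    port: int
    names: List[str]  # ServerName first, then any ServerAlias entries
    cert: str         # SSLCertificateFile

    def serves(self, host: str) -> bool:
        # host names are case-insensitive; "*" in an alias matches anything,
        # dots included (fnmatch approximates httpd's wildcard matching)
        host = host.lower()
        return any(fnmatchcase(host, n.lower()) for n in self.names)


def candidates(vhosts: List[VHost], ip: str, port: int) -> List[VHost]:
    """If any vhost was declared for this exact IP:port, only those are
    considered; the *:port vhosts are used only when none was."""
    exact = [v for v in vhosts if v.addr == ip and v.port == port]
    return exact or [v for v in vhosts if v.addr == "*" and v.port == port]


def select_vhost(vhosts: List[VHost], ip: str, port: int,
                 sni: Optional[str] = None) -> Optional[VHost]:
    """The first candidate is the default; a candidate whose ServerName or
    ServerAlias matches the SNI name overrides it. With no SNI, or an
    unknown name, the client is handed the default vhost's certificate."""
    cands = candidates(vhosts, ip, port)
    if sni:
        for v in cands:
            if v.serves(sni):
                return v
    return cands[0] if cands else None


# Constructed config mirroring the thread: name-based vhosts on *:443 (the
# scom.ca ones sharing Paul's wildcard cert), plus one pinned to an address.
VHOSTS = [
    VHost("*", 443, ["underconstruction.scom.ca"], "/www/scom.ca/ssl/scom.ca.crt"),
    VHost("*", 443, ["video.guelph.eks.scom.ca", "*.guelph.eks.scom.ca"],
          "/www/scom.ca/ssl/scom.ca.crt"),
    VHost("*", 443, ["shop.example", "www.shop.example"],
          "/www/shop.example/ssl/shop.example.crt"),
    VHost("192.0.2.10", 443, ["legacy.example"],
          "/www/legacy.example/ssl/legacy.crt"),
]


def cert_for(ip: str, sni: Optional[str]) -> Optional[str]:
    """Certificate file a client connecting to ip:443 with this SNI receives."""
    v = select_vhost(VHOSTS, ip, 443, sni)
    return v.cert if v else None


if __name__ == "__main__":
    for ip, sni in [("203.0.113.5", "shop.example"), ("203.0.113.5", None),
                    ("203.0.113.5", "cam1.guelph.eks.scom.ca"),
                    ("192.0.2.10", "shop.example")]:
        print(f"{ip} sni={sni!r} -> {cert_for(ip, sni)}")
```

On the shared address every site gets its own cert by SNI and a client without SNI (or with an unknown name) gets the first *:443 vhost's cert, which is why the order of the config files matters. On 192.0.2.10 the request for shop.example gets legacy.example's cert instead, because only the IP-bound vhost is a candidate there. To check a live server the equivalent probe is `openssl s_client -connect host:443 -servername name`, comparing the returned subject against each name.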
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org