Wednesday, 29 December 2010

Using SSL with virtual hosts

SSL with virtual hosts

The first important thing to know is that SSL does not work well with virtual hosts. If you host multiple domains on one server, you need a separate public IP address for every domain that should support SSL.

Reconfiguring non-SSL Virtual Hosts

As mentioned above, every SSL domain needs its own IP address. First, change your nameserver so that each domain points to its unique IP. Second, edit the existing VirtualHost entries of the respective domains so that they listen on the new IP addresses only.

Example: You are running example.com, example1.com and example2.com on your server with IP 1.2.3.4. The configuration so far looks like this.

<VirtualHost 1.2.3.4:80>
ServerName example.com

</VirtualHost>

<VirtualHost 1.2.3.4:80>
ServerName example1.com

</VirtualHost>

<VirtualHost 1.2.3.4:80>
ServerName example2.com

</VirtualHost>

All virtual hosts use the same IP address. Now you want example2.com to support SSL, and you have an additional IP, 1.2.3.10. You need to modify your nameserver to map example2.com to 1.2.3.10 and change the existing configuration to

<VirtualHost 1.2.3.4:80>
ServerName example.com

</VirtualHost>

<VirtualHost 1.2.3.4:80>
ServerName example1.com

</VirtualHost>

<VirtualHost 1.2.3.10:80>
ServerName example2.com

</VirtualHost>

Configuring SSL Virtual Hosts

For the new SSL websites, I created a new site configuration file in the Apache sites-available directory that holds the configuration for all SSL domains. I named it ssl-sites. Start the file by naming all IP addresses that should serve an SSL-enabled domain. In our example, this is only 1.2.3.10.

# for example2.com
NameVirtualHost 1.2.3.10:443

Then the virtual host definitions follow. You can simply copy the virtual host definition for example2.com from your existing configuration and modify it to listen on port 443.

<VirtualHost 1.2.3.10:443>
ServerName example2.com

</VirtualHost>

Additionally, you need to add the SSL configuration, in particular the directives that point to the certificate and key files.

<VirtualHost 1.2.3.10:443>
ServerName example2.com
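# SSL directives
SSLEngine On
SSLCipherSuite HIGH:MEDIUM
# Server certificate and its private key
SSLCertificateFile /etc/apache2/ssl/example2.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/example2.com.key
# Intermediate CA certificates sent to clients along with the server certificate
SSLCertificateChainFile /etc/apache2/ssl/intermediate.pem
# CA certificates used to verify client certificates
SSLCACertificateFile /etc/apache2/ssl/ca.pem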
...
</VirtualHost>
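
Before enabling the site, the one-IP-per-SSL-domain rule described above can be checked mechanically. The following Python script is an added example, not part of the original post; the function names and the sample configuration are constructed for illustration, and it assumes the virtual hosts are written as plain `<VirtualHost addr:port>` blocks like the ones shown here.

```python
import re
from collections import defaultdict

# Constructed sample: example1.com was given SSL on the address example2.com uses.
SAMPLE_CONF = """\
<VirtualHost 1.2.3.4:80>
ServerName example.com
</VirtualHost>
<VirtualHost 1.2.3.10:443>
ServerName example2.com
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/example2.com.crt
</VirtualHost>
<VirtualHost 1.2.3.10:443>
ServerName example1.com
SSLEngine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return (addresses, directives) per <VirtualHost> block; directive names lower-cased."""
    vhosts = []
    for addrs, body in VHOST_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if parts and not parts[0].startswith("#"):
                directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
        vhosts.append((addrs.split(), directives))
    return vhosts

def audit_ssl_vhosts(conf):
    """Return (shared, no_cert): addresses with several SSL hosts, SSL hosts lacking a cert."""
    by_addr, no_cert = defaultdict(list), []
    for addrs, d in parse_vhosts(conf):
        if d.get("sslengine", "off").lower() != "on":
            continue  # not an SSL virtual host
        name = d.get("servername", "<unnamed>")
        for addr in addrs:
            by_addr[addr].append(name)
        if "sslcertificatefile" not in d:
            no_cert.append(name)
    shared = {a: names for a, names in by_addr.items() if len(names) > 1}
    return shared, no_cert

if __name__ == "__main__":
    shared, no_cert = audit_ssl_vhosts(SAMPLE_CONF)
    print("addresses shared by several SSL hosts:", shared)
    print("SSL hosts without SSLCertificateFile:", no_cert)
```

Run against the ssl-sites file from this post, both results should be empty, since example2.com is the only SSL host on 1.2.3.10:443.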

Enable the site

If you did it the way I did, you only need to enable the new configuration file with

a2ensite ssl-sites
/etc/init.d/apache2 restart

Done! Now you can reach your domain via SSL.
