
List:       apache-httpd-users
Subject:    Fwd: Re: [users@httpd] apache and ssl
From:       Dave Henderson <dhenderson () digital-pipe ! com>
Date:       2006-06-29 18:30:35
Message-ID: 20060629183035.79375.qmail () web606 ! biz ! mail ! mud ! yahoo ! com

I found out that I had to add multiple NameVirtualHost definitions like the
following:

  NameVirtualHost 192.168.0.12:80
  NameVirtualHost 192.168.0.12:443

and I also changed the virtual host section to use 192.168.0.12 instead of the
192.168.0.13 IP address.  Tried to go back to the SSL page and..... it still failed.
I am pulling my hair out!  This is so frustrating!  Does anyone have any more
information to share with me?
  Thanks,
  Dave
  
  

Dave Henderson <dhenderson@digital-pipe.com> wrote:
Date: Thu, 29 Jun 2006 07:30:50 -0700 (PDT)
From: Dave Henderson <dhenderson@digital-pipe.com>
To: users@httpd.apache.org
Subject: Re: [users@httpd] apache and ssl

  Ok, if I try to separate them, I will have to modify my NameVirtualHost definition
file to something like:

  NameVirtualHost: 192.168.0.12:*
  or
  NameVirtualHost: 192.168.0.12

  but if I do that, I get error messages when I try to stop and restart the server:

  [Thu Jun 29 10:27:31 2006] [error] VirtualHost 192.168.0.12:80 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results

  Do I need to modify my "Listen" definition to be something like:
  
  Listen 192.168.0.12:80
  Listen 192.168.0.12:443
  
  Thanks,
  Dave
  
  (Sorry for direct response, I didn't know you were being sent an email as well)

Pid <p@pidster.com> wrote:
Date: Thu, 29 Jun 2006 15:06:29 +0100
From: Pid <p@pidster.com>
To:   Dave Henderson <dhenderson@digital-pipe.com>
Subject: Re: [users@httpd] apache and ssl

  I don't think you gain anything by separating the IPs if they're
actually on one physical connection.

(reply to the list only please)



Dave Henderson wrote:
> I do have two NameVirtualHost definitions:
> 
> NameVirtualHost 192.168.0.12:80
> NameVirtualHost 192.168.0.13:443
> 
> On my firewall, I have port 80 traffic going to 192.168.0.12 and 443
> traffic going to 192.168.0.13.  Both ip's are used on the same server by
> way of assigning multiple ip addresses to one nic.  Should I change my
> vhost definitions to use on the 192.168.0.12 ip address instead of using
> the two shown above?
> 
> Thanks,
> Dave
> 
> 
> 
> Pid wrote:
> 
> Does anyone else think that this is wrong?
> 
> SSLCertificateFile /etc/apache2/ssl/certs/sitename.com.crt
> SSLCertificateKeyFile /etc/apache2/ssl/keys/sitename.com.key
> > > SSLCACertificateFile /etc/apache2/ssl/root/sitename.com.crt
> 
> It looks like you're telling it that the Certificate Authority is the
> same file as the Certificate itself. I could be wrong tho.
> 
> 
> 
> As regards to the VHost defs: it depends what you've got in front of the
> server in the way of DNS or loadbalancers.
> 
> Your domain name can only resolve to point at one IP address (unless
> you're using load balancers or proxies etc etc). So any request for the
> SSL port of demo.sitename.com is going to arrive at the same IP as the
> port 80 connection.
> 
> http://demo.sitename.com > IP1
> https://demo.sitename.com > Still IP1
> 
> 
> (Have you set   "NameVirtualHost" or not?)
> 
> 
> 
> Dave Henderson wrote:
> > I am wondering if the virtual host definitions are wrong. Can I do the
> > following (even though the ServerName options have the same value)? Can
> > I use the IP addresses like I have done below?
> > 
> > 
> > 
> > ServerAdmin webmaster@sitename.com
> > ServerName demo.sitename.com
> > DocumentRoot /var/www/sitename.com/demo
> > 
> > # This should be changed to whatever you set DocumentRoot to.
> > 
> > Options Indexes Includes
> > AllowOverride Options
> > Order allow,deny
> > Allow from all
> > 
> > ErrorLog /var/log/apache2/sitename.com/demo/error.log
> > CustomLog /var/log/apache2/sitename.com/demo/access.log common
> > CustomLog /var/log/apache2/sitename.com/demo/referer.log referer
> > CustomLog /var/log/apache2/sitename.com/demo/agent.log agent
> > 
> > # Possible values: debug, info, notice, warn, error, crit, alert, emerg.
> > LogLevel warn
> > 
> > ServerSignature On
> > 
> > 
> > 
> > 
> > ServerAdmin webmaster@sitename.com
> > ServerName demo.sitename.com
> > DocumentRoot /var/www/sitename.com/demo/ssl
> > 
> > # SSL specifications
> > SSLEngine On
> > SSLCertificateFile /etc/apache2/ssl/certs/sitename.com.crt
> > SSLCertificateKeyFile /etc/apache2/ssl/keys/sitename.com.key
> > SSLCACertificateFile /etc/apache2/ssl/root/sitename.com.crt
> > SSLCipherSuite SSLv2:+HIGH:+MEDIUM
> > SetEnvIf User-Agent   ".*MSIE.*" nokeepalive ssl-unclean-shutdown
> > 
> > # SSLVerifyClient require
> > # SSLVerifyDepth 1
> > # CustomLog /var/log/apache2/ssl \ "%t %h %{SSL_PROTOCOL}x
> > %{SSL_CIPHER}x$
> > #
> > # SSLCipherSuite SSLv2:+HIGH:+MEDIUM
> > # SSLVerifyClient require
> > # SSLVerifyDepth 1
> > #
> > 
> > # This should be changed to whatever you set DocumentRoot to.
> > 
> > Options Indexes Includes
> > AllowOverride Options
> > Order allow,deny
> > Allow from all
> > 
> > ErrorLog /var/log/apache2/sitename.com/demo/error.log
> > CustomLog /var/log/apache2/sitename.com/demo/access.log common
> > CustomLog /var/log/apache2/sitename.com/demo/referer.log referer
> > CustomLog   /var/log/apache2/sitename.com/demo/agent.log agent
> > 
> > # Possible values: debug, info, notice, warn, error, crit, alert, emerg.
> > LogLevel warn
> > 
> > ServerSignature On
> > 
> > 
> 
> 
> 
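
Added example, not part of the thread or of Apache itself: a small lint that approximates the NameVirtualHost / VirtualHost / Listen consistency rules behind the "mixing * ports and non-* ports" error quoted above. The sample config is constructed from the thread's addresses; its <VirtualHost> lines are assumptions, since the archived message lost the original tags, and the finding names are made up for this example.

```python
import re

# Constructed config modelled on the thread's addresses. The <VirtualHost>
# lines are assumptions: the archived message lost the original tags.
BROKEN = """\
Listen 192.168.0.12:80
NameVirtualHost 192.168.0.12:*
NameVirtualHost 192.168.0.13:443
<VirtualHost 192.168.0.12:80>
</VirtualHost>
<VirtualHost 192.168.0.12:443>
</VirtualHost>
"""
DIRECTIVE = re.compile(r"^\s*<?(Listen|NameVirtualHost|VirtualHost)\s+([^\s>]+)>?\s*$", re.I)

def split_addr(value, bare_is_port=False):
    """'addr:port' -> (addr, port); a bare value is a port for Listen, else an address."""
    addr, sep, port = value.rpartition(":")
    if sep:
        return addr, port
    return ("*", value) if bare_is_port else (value, "*")

def lint_vhosts(conf):
    """Return sorted (finding, 'addr:port') tuples for one config string (IPv4 only)."""
    seen = {"listen": set(), "namevirtualhost": set(), "virtualhost": set()}
    for line in conf.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            name = m.group(1).lower()
            seen[name].add(split_addr(m.group(2), bare_is_port=(name == "listen")))
    out = set()
    for addr, port in seen["virtualhost"]:
        nvh_ports = {p for a, p in seen["namevirtualhost"] if a == addr}
        if not nvh_ports:                                   # vhost address never declared
            out.add(("no-namevirtualhost", f"{addr}:{port}"))
        elif ("*" in nvh_ports) != (port == "*"):           # the error quoted in the thread
            out.add(("mixed-star-port", f"{addr}:{port}"))
        elif port not in nvh_ports:                         # e.g. NVH :80 only, vhost :443
            out.add(("port-mismatch", f"{addr}:{port}"))
        if port != "*" and not {(addr, port), ("*", port)} & seen["listen"]:
            out.add(("not-listening", f"{addr}:{port}"))    # no Listen covers this vhost
    for addr, port in seen["namevirtualhost"]:
        if not any(a == addr for a, _ in seen["virtualhost"]):
            out.add(("unused-namevirtualhost", f"{addr}:{port}"))
    return sorted(out)

if __name__ == "__main__":
    print(lint_vhosts(BROKEN))
```

A config that declares Listen and NameVirtualHost for 192.168.0.12 on both :80 and :443, with matching <VirtualHost> blocks, produces no findings.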

