I have a web server with two domains pointing to the same document root. I have separate SSL certs for the two domains. I want (almost) everything that comes to the site(s) to run under SSL. All works, but the config I have seems overlong and repetitive, and I wondered if I could simplify it?
I checked these answers:
Setting up SSL virtual hosts in Apache, Apache: Multiple Virtual Hosts w/ SSL Certificates?, https://www.howtoforge.com/hosting-multiple-ssl-web-sites-on-one-ip-address-with-apache-2.2-and-gnutls-debian-lenny
but although useful, they didn't seem to quite address this case.
I wondered if there's a way to break out the config into files that one can then include?
my ports.conf:
NameVirtualHost *:80
NameVirtualHost *:443
Listen 80
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
Listen 443
Listen 443
sites-available-default:
ServerAdmin xx@yy.com
ServerName yy.com
DocumentRoot /var/www
Options FollowSymLinks
AllowOverride None
# everything to run under ssl
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Options -Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
ProxyRequests Off
Order deny,allow
Allow from all
ProxyPass /geoserver http://localhost:8080/geoserver
ProxyPreserveHost On
ProxyStatus On
default-ssl:
ServerAdmin xx@yy.com
ServerName yy.com:443
DocumentRoot /var/www
Options FollowSymLinks
AllowOverride None
Options -Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/yy.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/yy.com.key
# Server Certificate Chain:
SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt
# Certificate Authority (CA):
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
# SSL Protocol Adjustments:
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
The second site's ssl.conf:
ServerAdmin xx@zz.com
ServerName zz.com
ServerAlias www.zz.com
DocumentRoot /var/www
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/zz.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/zz.com.key
# Server Certificate Chain:
SSLCertificateChainFile /etc/apache2/ssl/zz.com/intermediate.crt
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
Any help appreciated.
Mini
No comments:
Post a Comment