Thursday, September 22, 2016

Apache SSL VirtualHosts on a single IP using UCC/SAN certificate

I need to host several Apache virtual hosts with SSL from a single IP.

Now - I understand that because SSL wraps around the HTTP request, there's no way to know which host is being requested until a public key has been sent to the client first. This essentially breaks the possibility of SSL virtual hosts using a standard SSL certificate.

I have obtained a Unified Communications Certificate (UCC), otherwise known as a Subject Alternative Name (SAN) certificate. This allows me to serve the same certificate for multiple domains.

I would like this to be the certificate served by Apache for any SSL request - and then have Apache resolve the virtual host as usual, once the encryption has been established.

How should I configure Apache for this? I have tried to research how this can be done, but all I can find are quotes which say that it is possible, but no specifics:
wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

    While Apache can renegotiate the SSL connection later after seeing the hostname in the request (and does), that's too late to pick the right server certificate to use to match the request hostname during the initial handshake, resulting in browser warnings/errors about certificates having the wrong hostname in them.

serverfault.com/questions/48334/apache-virtual-hosts-with-ssl

    Incidentally, it is possible to have multiple SSL-secured named virtual hosts on a single IP address - I do it on my website - but it produces all sorts of warnings in the Apache logs, and certificate warnings in the browser. I certainly wouldn't recommend it for a production site that needs to look clean.
    -David Jul 31 at 4:58

www.digicert.com/subject-alternative-name.htm

    Virtual Host Multiple SSL sites on a single IP address. Hosting multiple SSL-enabled sites on a single server typically requires a unique IP address per site, but a certificate with Subject Alternative Names can solve this problem. Microsoft IIS 6 and Apache are both able to Virtual Host HTTPS sites using Unified Communications SSL, also known as SAN certificates.

Please help.

Answer

I tested this on my apache 2.2.14 instance and it worked fine:

Use the NameVirtualHost directive (in ports.conf):

NameVirtualHost *:443

define your vhosts:

<VirtualHost *:443>
    ServerName www.siteA.com
    DocumentRoot "/opt/apache22/htdocs/siteA"
    # SSLEngine on is needed in each vhost, otherwise Apache speaks plain HTTP on 443
    SSLEngine on
    # both vhosts point at the same UCC/SAN certificate and its private key
    SSLCertificateFile "/path/to/my/cert"
    SSLCertificateKeyFile "/path/to/my/key"
</VirtualHost>

<VirtualHost *:443>
    ServerName www.siteB.com
    DocumentRoot "/opt/apache22/htdocs/siteB"
    SSLEngine on
    SSLCertificateFile "/path/to/my/cert"
    SSLCertificateKeyFile "/path/to/my/key"
</VirtualHost>

I used this link as a resource.
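The one check worth running before relying on a shared certificate like the one in the answer above, added here as an example that is not part of the original post or of Apache: every ServerName and ServerAlias of each *:443 vhost has to be covered by a dNSName entry in the certificate's subjectAltName list, or the browser warning the question worries about comes back for exactly that name. The script parses an Apache config in the shape of the answer, applies the usual dNSName matching rules (case-insensitive, wildcard only as the whole leftmost label) and reports names the certificate does not cover. The config text, hostnames, paths and SAN entries are constructed for illustration; the SAN list would in practice come from `openssl x509 -in /path/to/my/cert -noout -ext subjectAltName`.

```python
"""Report vhost names that the shared SAN certificate does not cover.

Added example, not code from the original post.  The Apache config and the
SAN list are constructed test data: one alias (siteB.com) is deliberately
left out of the certificate so the check has something to report.
"""
import re

# Constructed config in the shape of the answer above (assumed names/paths).
APACHE_CONF = """
NameVirtualHost *:443

<VirtualHost *:443>
    ServerName www.siteA.com
    ServerAlias siteA.com
    DocumentRoot "/opt/apache22/htdocs/siteA"
    SSLEngine on
    SSLCertificateFile "/path/to/my/cert"
    SSLCertificateKeyFile "/path/to/my/key"
</VirtualHost>

<VirtualHost *:443>
    ServerName www.siteB.com
    ServerAlias siteB.com api.siteB.com
    DocumentRoot "/opt/apache22/htdocs/siteB"
    SSLEngine on
    SSLCertificateFile "/path/to/my/cert"
    SSLCertificateKeyFile "/path/to/my/key"
</VirtualHost>
"""

# Constructed dNSName entries of the UCC/SAN certificate both vhosts serve.
CERT_SANS = ["www.siteA.com", "siteA.com", "*.siteB.com"]

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+?)\s*$", re.M | re.I)


def vhost_names(conf, port="443"):
    """Map each vhost bound to `port` to every hostname it answers for:
    its ServerName first, then all ServerAlias entries, lower-cased.
    A 'scheme://host:port' style ServerName is reduced to the host part."""
    result = {}
    for addr, body in VHOST_RE.findall(conf):
        if not addr.strip().endswith(":" + port):
            continue
        names = []
        for line in NAME_RE.findall(body):
            for name in line.split():
                host = name.split("://")[-1].split(":")[0].lower()
                names.append(host)
        if names:
            result[names[0]] = names
    return result


def san_matches(san, host):
    """dNSName match as browsers apply it (RFC 6125 style): case-insensitive,
    and a '*.' wildcard stands for exactly one leftmost label, so *.siteB.com
    covers api.siteB.com but neither siteB.com nor a.b.siteB.com."""
    san, host = san.lower(), host.lower()
    if san == host:
        return True
    if san.startswith("*."):
        suffix = san[1:]  # ".siteb.com"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return bool(label) and "." not in label
    return False


def uncovered_names(conf, sans, port="443"):
    """Return {ServerName: [names no SAN entry covers]}; an empty dict means
    the certificate is valid for every name the *:443 vhosts answer for."""
    report = {}
    for server_name, names in vhost_names(conf, port).items():
        missing = [n for n in names if not any(san_matches(s, n) for s in sans)]
        if missing:
            report[server_name] = missing
    return report


if __name__ == "__main__":
    report = uncovered_names(APACHE_CONF, CERT_SANS)
    if not report:
        print("every *:443 vhost name is covered by the certificate")
    for server_name, missing in report.items():
        print(f"{server_name}: not covered by the SAN list: {', '.join(missing)}")
```

Because every *:443 vhost hands out the same certificate, the server's answer does not depend on the client sending SNI at all; the only thing that can go wrong is a name missing from the SAN list, which is what this check catches (here the bare siteB.com, which the *.siteB.com wildcard does not cover).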

