SSL and Apache

Alex Dean alex at crackpot.org
Thu Mar 9 12:07:29 MST 2006


On Mar 9, 2006, at 11:49 AM, Carl Parrish wrote:

> Alex Dean wrote:
>
>> It's not so bad.  The main things are :
>>
>>  - You can't have more than 1 SSL site per IP:port combination.
>>  - You have to specify a port for every virtual host (80, 443, or   
>> otherwise) in the <VirtualHost>.  There are differences in using   
>> named virtual hosts vs. ip-based virtual hosts that can be  
>> confusing,  but if you only have 1 IP <VirtualHost *:80> or  
>> <VirtualHost *:443>  will do fine.
>>
>> The only directives you need in the VirtualHost are :
>> SSLEngine On
>> SSLCertificateFile file.crt
>> SSLCertificateKeyFile file.key
>>
>> Other directives may be desirable/useful, but those 3 will make  
>> it  'go'.
>>
>> alex
>> .
>>
> Alex,
> I currently only have one IP on this computer but I need to set up  
> 3 secure virtual hosts. Would it be better / safer / easier to  
> change ip addresses or port numbers for the others? I've added IP  
> addresses before so it's not *that* big of a deal but please keep in  
> mind I'm more of a programmer than a system admin.

Me, too. :)  I've learned Apache configuration out of necessity.

From a web-only perspective, I'd say that if you've got the extra  
IPs, use 'em.  Non-standard ports are hard for users and search  
engines.  But setting up extra IPs is work in itself (router/firewall  
stuff you wouldn't need to do with only 1 IP).  If these are private  
sites with small userbases, 3 goofy ports on a single IP is probably  
no big deal.  I don't think either approach has any specific security  
implications, since the encryption is the same either way.  (But the  
more security-knowledgeable on this list might know something I don't  
in this respect.)

'apachectl configtest' is really useful.  If you don't get anything  
from 'configtest' and it's still not working, skim through the apache  
error logs.  'configtest' only knows about syntax errors, so  
underlying ssl problems (like an incorrect key file) won't be caught  
until you actually restart the server.  If you do have problems, be  
sure to check both your main log and the virtual-host specific ones.   
If you have to do this a lot, it can be nice to have a 2nd console  
window open running 'tail -f /your/apache/error.log'.  You'll see the  
new log entries as they are written.

alex
.
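The two failure modes the thread describes (an SSL vhost that passes 'configtest' but is missing a key file, and more than one SSL site bound to the same IP:port, where a pre-SNI Apache can only ever present the first site's certificate) can both be caught before the restart. The following is an added example, not code from the original post or from the Apache project: a small Python check over a constructed httpd.conf fragment. The hostnames (*.example.test), certificate paths and the parser's behaviour are assumptions made for the illustration; the parser is deliberately naive (no Include, no <IfModule> nesting). As a caveat the 2006 thread could not know, Apache httpd 2.2.12 and later built against OpenSSL 0.9.8f or newer support SNI, which lifts the one-SSL-site-per-IP:port rule for clients that send it.

```python
"""Static pre-restart check for Apache SSL virtual hosts.

Added example; not code from the original post. It parses a constructed
httpd.conf fragment (embedded below, not taken from any real server) and
flags the two problems the thread describes: an SSL <VirtualHost> missing
one of SSLEngine / SSLCertificateFile / SSLCertificateKeyFile, and two SSL
sites bound to the same IP:port, which Apache before 2.2.12 (no SNI) can
only serve with the first site's certificate. 'apachectl configtest' passes
such a config, so run a check like this before restarting.
"""
import re
from collections import defaultdict

# Directives every SSL vhost needs; keys are lowercase because Apache
# directive names are case-insensitive.
REQUIRED = {
    "sslengine": "SSLEngine",
    "sslcertificatefile": "SSLCertificateFile",
    "sslcertificatekeyfile": "SSLCertificateKeyFile",
}

# Constructed sample: three SSL sites on one IP, two of them sharing *:443,
# and the third missing its key file.
SAMPLE_CONFIG = """\
<VirtualHost *:80>
    ServerName www.example.test
    DocumentRoot /var/www/plain
</VirtualHost>

<VirtualHost *:443>
    ServerName one.example.test
    SSLEngine On
    SSLCertificateFile /etc/ssl/one.crt
    SSLCertificateKeyFile /etc/ssl/one.key
</VirtualHost>

<VirtualHost *:443>
    ServerName two.example.test
    SSLEngine On
    SSLCertificateFile /etc/ssl/two.crt
    SSLCertificateKeyFile /etc/ssl/two.key
</VirtualHost>

<VirtualHost *:8443>
    ServerName three.example.test
    SSLEngine On
    SSLCertificateFile /etc/ssl/three.crt
</VirtualHost>
"""

# Corrected variant: the second site moves to its own port and the third
# gets its key file. (Listen lines are omitted; the parser ignores them.)
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "<VirtualHost *:443>\n    ServerName two", "<VirtualHost *:8444>\n    ServerName two"
).replace(
    "SSLCertificateFile /etc/ssl/three.crt\n",
    "SSLCertificateFile /etc/ssl/three.crt\n    SSLCertificateKeyFile /etc/ssl/three.key\n",
)

_VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)


def parse_vhosts(text):
    """Yield (addresses, directives) per block; directives keyed lowercase.

    Deliberately simple: no Include, no <IfModule> nesting, first value wins.
    """
    for m in _VHOST_RE.finditer(text):
        directives = {}
        for raw in m.group(2).splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            directives.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
        yield m.group(1).split(), directives


def check_ssl_vhosts(text):
    """Return a list of problem strings; an empty list means the config is clean."""
    problems = []
    ssl_sites = defaultdict(list)  # "ip:port" -> [ServerName, ...]
    for addresses, d in parse_vhosts(text):
        if not any(k in d for k in REQUIRED):
            continue  # plain HTTP vhost, nothing to check
        name = d.get("servername", "<no ServerName>")
        for key, canonical in REQUIRED.items():
            if key not in d:
                problems.append(f"{name}: missing {canonical}")
        if d.get("sslengine", "").lower() == "on":
            for addr in addresses:
                ssl_sites[addr].append(name)
    # Note: '*:443' and '192.0.2.1:443' also overlap in practice; this check
    # only compares the literal address strings.
    for addr, names in ssl_sites.items():
        if len(names) > 1:
            problems.append(
                f"{addr}: {len(names)} SSL sites ({', '.join(names)}) share one "
                "IP:port; without SNI only the first certificate is ever served"
            )
    return problems


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        found = check_ssl_vhosts(cfg)
        print(f"{label}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run it against the real httpd.conf after 'apachectl configtest' and before the restart; on the sample it reports the missing key file for three.example.test and the two sites colliding on *:443, and reports nothing for the corrected variant. Whether a key file actually matches its certificate is still only learned from the error log at restart, as the post says, so keep the 'tail -f' window open.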





More information about the PLUG-discuss mailing list