14

I've got quite a big VirtualHost definition which I don't want to duplicate just so the site will also run over HTTPS.

Here's what I want to do:

```
<VirtualHost *>
    ServerName example.com

    <If port=443>
        SSLEngine on
        SSLCertificateFile ...
        SSLCertificateKeyFile ...
        SSLCertificateChainFile ...
    </If>

    (other config)

</VirtualHost>
```

Is there some way to do this?
Am I missing some other method of not duplicating the config?

Jake

4 Answers

13

The current stable version of Apache (2.2) doesn't have that feature, but 2.4 does have the `If` directive.

You have to create two VirtualHosts for now, but you can set some stuff through environment or apache global variables and use that in your virtualhost config (setting the documentroot for example). This way if you want to change that you can do it with just one line of modification.

Of course, you can use include to do something like this:

```
<VirtualHost *:80>
        include /etc/apache2/vhost.conf.d/site1
</VirtualHost>

<VirtualHost *:443>
        include /etc/apache2/vhost.conf.d/site1
        include /etc/apache2/vhost.conf.d/site1-ssl
</VirtualHost>
```

PS: SNI will be mainstream years before the IPv6 adaptation. All of the mainstream browsers support it already, assuming you are on a supported OS.

edit: as fooquency spotted you can't put SSLEngine On to an If block so my answer is wrong.

Tyrael
    Attempting to put `SSLEngine On` in an `<If>` will give `SSLEngine not allowed here`, so the suggested use-case at the start of this answer sadly doesn't appear to be possible. This seems to be because of the requirement that "Only directives that support the directory context can be used within this configuration section." [(ref)](http://httpd.apache.org/docs/2.4/mod/core.html#if), and `SSLEngine` is `server config, virtual host` [(ref)](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslengine), not directory. – fooquency Aug 28 '14 at 18:24
3

No. You can move most things to the Global config and inherit it in the VirtualHost.

Chris S
  • 1
    Unfortunately I have a few VirtualHosts, each with different config and most needing to work over HTTP and HTTPS. – Jake Dec 16 '10 at 01:25
  • 1
    As unhelpful as this answer is, it's the only correct one. Please move to a web server that doesn't suck. :) – intgr Nov 10 '15 at 09:19
3

This was answered in another question. Use an Include statement. Worked like a charm for me:

Serve http (port 80) and https (port 443) on same VirtualHost

```
# Acme Co
<VirtualHost 192.168.56.101:80>
        Include /usr/local/apache2/conf/main-acme.conf
</VirtualHost>

###* SSL
<VirtualHost 192.168.56.101:443>
        Include /usr/local/apache2/conf/main-acme.conf
        SSLEngine On
</VirtualHost>
```
Kevin Parker
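
A fuller layout of the Include approach from the answers above, added here as an example and not taken from any of the posts. It assumes Apache 2.4 with mod_ssl and mod_headers loaded; the file paths, log names, certificate locations and header value are placeholders.

```apache
# --- /etc/apache2/vhost.conf.d/site1 : shared by the HTTP and HTTPS vhosts ---
# Keep this file free of anything port- or TLS-specific.
ServerName example.com
DocumentRoot /var/www/example.com

<Directory /var/www/example.com>
    Require all granted
</Directory>

ErrorLog  logs/example.com-error.log
CustomLog logs/example.com-access.log combined

# <If> only accepts directives that are valid in directory context.
# Header is one of them, so per-request differences between HTTP and
# HTTPS can live in the shared file. SSLEngine is not, which is why it
# is kept out of this file and out of any <If> block.
<If "%{HTTPS} == 'on'">
    Header always set Strict-Transport-Security "max-age=31536000"
</If>

# --- /etc/apache2/vhost.conf.d/site1-ssl : included by the HTTPS vhost only ---
# These are server config / virtual host directives, so they must sit
# directly inside <VirtualHost>, never inside <If>.
SSLEngine on
SSLCertificateFile    /etc/ssl/example.com/cert.pem
SSLCertificateKeyFile /etc/ssl/example.com/key.pem

# --- main configuration ---
Listen 80
Listen 443

<VirtualHost *:80>
    Include /etc/apache2/vhost.conf.d/site1
</VirtualHost>

# Name-based HTTPS vhost; clients select it through SNI.
<VirtualHost *:443>
    Include /etc/apache2/vhost.conf.d/site1
    Include /etc/apache2/vhost.conf.d/site1-ssl
</VirtualHost>
```

Running `apachectl configtest` after splitting the files catches a directive that ended up in a context where it is not allowed.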
2

For SSL virtual hosts, you either have to use a second port ala

```
<VirtualHost *:443>
    ServerName abc.com
</VirtualHost>
<VirtualHost *:4443>
    Servername def.com
</VirtualHost>
```

or you have to use separate IPs

```
<VirtualHost 192.168.0.1:443>
    ServerName abc.com
</VirtualHost>
<VirtualHost 192.168.0.2:443>
    Servername def.com
</VirtualHost>
```

There's actually a very good explanation in the Apache SSL docs: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html

Search down for "Why can't I use SSL with name-based/non-IP-based virtual hosts?"

Paul S
  • 2
    Be aware of this for the future, though: http://en.wikipedia.org/wiki/Server_Name_Indication – mattdm Dec 16 '10 at 01:39
  • Ironically, by the time SNI is widely-accepted enough to be safely used for the majority of virtual hosting sites, IPv6 will probably be commonplace enough to make it irrelevant. – jgoldschrafe Dec 16 '10 at 03:23
  • 5
    @jgoldschrafe Hi 2010, it's future speaking here! Recent [caniuse](http://caniuse.com/usage_table.php) shows non-SNI browsers are <2% worldwide. From the first world it's probably much much less. IPv4 still alive and well :) – kubanczyk Dec 04 '15 at 22:43
  • 2
    @kubanczyk Got me! :) – jgoldschrafe Dec 08 '15 at 01:02
  • 1
    @jgoldschrafe Even with IPv6 I would still prefer SNI over assigning blocks of addresses to a single machine, as IPs are mainly for routing and it is easier to manage that way. – Bachsau Feb 29 '20 at 11:46