Is it possible for Apache (2.0) to serve up two SSL certificates when Mongrel and Rails are involved?
Here's the situation... I've got a server with two sites on it: foo.com and bar.com. Both have self-signed SSL certificates (from GoDaddy) and both have their own IP address. Here are the relevant Apache config settings:

    <VirtualHost 192.168.100.17:443>
        ServerName secure.foo.com
        DocumentRoot /var/www/client/foo/current
        ProxyPass / http://127.0.0.1:3002/
        ProxyPassReverse / http://127.0.0.1:3002/
        ProxyPreserveHost on
        RequestHeader set X_FORWARDED_PROTO 'https'
        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/ssl.crt/secure.foo.com.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/secure.foo.com.key
        SSLCertificateChainFile /etc/httpd/conf/ssl.crt/gd_intermediate_bundle.crt
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
        ErrorLog /var/www/client/foo/current/log/ssl_error_log
        TransferLog /var/www/client/foo/current/log/ssl_access_log
        LogLevel warn
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory "/var/www/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
        RewriteEngine On
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

    <VirtualHost 192.168.100.16:443>
        ServerName secure.bar.com
        DocumentRoot /var/www/sites/bar/secure
        ProxyPass / http://127.0.0.1:3003/
        ProxyPassReverse / http://127.0.0.1:3003/
        ProxyPreserveHost on
        RequestHeader set X_FORWARDED_PROTO 'https'
        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/ssl.crt/secure.bar.com.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/secure.bar.com.key
        SSLCertificateChainFile /etc/httpd/conf/ssl.crt/gd_intermediate_bundle.crt
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
        ErrorLog /var/log/httpd/bar.com/ssl_error_log
        TransferLog /var/log/httpd/bar.com/ssl_access_log
        LogLevel warn
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory "/var/www/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

If I go to a page on secure.foo.com that should be secure (e.g. https://secure.foo.com/login), I get a warning that the certificate is for secure.BAR.com. But if I view the certificate it's for secure.FOO.com.
This is only happening in Firefox. No warnings in MSIE.
My theory is that Apache is serving up the correct certificate (for secure.foo.com) but then somehow the certificate for secure.bar.com is also sent. (I'm assuming MSIE doesn't throw an error because it simply ignores the second one.)
I'd like to blame the situation on Mongrel, but Mongrel doesn't "do" SSL. I'd also like to blame it on Rails, but all Rails does is check to see if a page is supposed to be encrypted and if it isn't, just redirect it to a secure connection.
Has anyone seen anything like this before? Any ideas what the problem could be?
UPDATE: Commenting out the following lines in the Apache config takes down the site, of course, but results in a correct SSL "handshake":

    ProxyPass / http://127.0.0.1:3002/
    ProxyPassReverse / http://127.0.0.1:3002/
    ProxyPreserveHost on
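
One way to check which certificate each of the two addresses actually presents, independent of any browser, is sketched below as an added example (it is not part of the original question). The address/hostname pairs come from the two `<VirtualHost>` blocks above; the function names are hypothetical, and it assumes the certificate chain validates against the system CA store and that the server negotiates a protocol version the local Python build still accepts.

```python
import socket
import ssl

# Address/hostname pairs taken from the two <VirtualHost> blocks in the question.
ENDPOINTS = [("192.168.100.17", "secure.foo.com"),
             ("192.168.100.16", "secure.bar.com")]


def cert_names(cert):
    """Return DNS names from a getpeercert()-style dict: SAN entries, else subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive match; '*' is accepted only as the whole leftmost label."""
    p, h = pattern.lower().rstrip(".").split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check(cert, host):
    """Return (ok, names) for the expected hostname against a certificate dict."""
    names = cert_names(cert)
    return any(name_matches(n, host) for n in names), names


def fetch_cert(ip, port=443, timeout=5):
    """Fetch the leaf certificate presented at ip:port, connecting by address (no SNI).
    The chain must validate against the system CA store, otherwise SSLError is raised."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # names are compared by check(), per address
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for ip, host in ENDPOINTS:
        try:
            ok, names = check(fetch_cert(ip), host)
            print(f"{ip}: expected {host}, certificate names {names}: {'OK' if ok else 'MISMATCH'}")
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            print(f"{ip}: could not retrieve certificate: {exc}")
```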