1

Goals:

  • If the user support SNI and hit myurl1.server.com (https) or myurl2.server.com (https) it will match the right vhost. (the last 2 vhosts)
  • If the user does not support SNI and hit myurl1.server.com (https) or myurl2.server.com (https) it will be catch by the fallback vhost (the first on port 443). It contains the SAN certificate and it will hit the server again to do the match. This time it will hit the last 2 vhost.
  • If the user enter an unknown url with either http or https it will be catch in the first vhost that show a error page.

I have tested all 3 goals and it's working fine.

Questions:

  • When the user is hitting the SAN vhost (https) which make a new request to it self. How does Apache know it will match the last 2 vhost (443) when the proxypass in SAN vhost is using http(80)
  • When the user is hitting the SAN vhost I can't see any requests in the SAN access log. The requests only appears in the last 2 vhost even if it goes through the SAN vhost. However I can see some bot requests in the SAN access log.

The code only contains the important parts.

NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
  show error page
</VirtualHost>

<VirtualHost *:443>
  SSLCertificateFile san.crt
  CustomLog san-access.log 
  ProxyPass / http://my-local-url-server/
  ProxyPassReverse / http://my-local-url-server/
</VirtualHost>

<VirtualHost *:443>
  ServerName myurl1.server.com
  SSLCertificateFile myurl1.crt
  CustomLog myurl1-access.log 
  ProxyPass / http://mybackend1/
  ProxyPassReverse / http://mybackend1/
</VirtualHost>

<VirtualHost *:443>
  ServerName myurl2.server.com
  SSLCertificateFile myurl2.crt
  CustomLog myurl2-access.log 
  ProxyPass / http://mybackend2/
  ProxyPassReverse / http://mybackend2/
</VirtualHost>
chitech
  • 13
  • 3

1 Answers1

2

The confusion here is between SSL negotiation and apache vhost handling. This is what happens:

If a user connects without supporting SNI, Apache can't at first know which vhost the user wants, since the host name is hidden within the SSL encryption. So apache will use the first SSL certificate it finds for the SSL negotiation. Once the client has accepted that certificate and finished the negotiation, then Apache will be able to decrypt the request and handle it just as if the client had been supported SNI from the start.

So there is never any HTTP request to the SAN server - there's just an SSL negotiation which uses the certificate from the SAN server before figuring out which vhost to use for the HTTP request. Apache logs only the HTTP requests, not the SSL negotiations.

Jenny D
  • 27,358
  • 21
  • 74
  • 110
  • Does that mean that I can remove the proxypass/proxypassReverse from the SAN vhost when no request hit it? It make sense with the apache log for SAN vhost when no HTTP request is made. But some http requests must still hits the SAN vhost since it contains some bots request. So the SAN vhost must handle HTTPS request different from myurl1.server.com and myurl2.server.com. Can I somehow log all the request that does not support SNI? – chitech Feb 15 '13 at 20:56
  • 1
    Logging - you can use CustomLog to log e.g. SSL versions. I'm not sure about non-SNI logs, though. There's a fair amount of information about that at http://docs.apache.org . As for the bots, they're presumably not giving any of the hostnames you've got in your virtual hosts which is why their connections end up in your SAN-vhost logs. – Jenny D Feb 16 '13 at 07:53