
I have set up a Debian LAMP server where I host multiple websites. As far as I know I can only use SSL on one of them; if I'd like to use SSL on two or more sites I'd have to add another IP - so far so good.

The problem is that whenever I type https://siteone.com or https://sitetwo.com it always displays the content from: https://siteone.com. I'd rather it display some error message or something else but absolutely not to display my main site's content (which is where I want the SSL to work).

Note: my Debian web server uses ispconfig as its control panel.

spacebiker

4 Answers

2

See this page titled Using Multiple SSL Certificates in Apache with One IP Address.

Brigand
    Xabier was asking about a case with multiple IP addresses. – Stephen Ostermiller Mar 08 '13 at 02:28
  • @StephenOstermiller, he said "As far as I know [...] I'd have to add another IP." I interpreted "have" as 'be required to', and that a single IP would be best. Also, because additional IP's incur an additional charge 99.99% of the time. – Brigand Mar 08 '13 at 07:37
  • actually, I was trying to say that I do not want to install an additional ip. :-) – spacebiker Mar 10 '13 at 22:05
2

Make sure you have your virtual hosts set up correctly such that each virtual host binds only to a single IP address. The Apache documentation for IP-based virtual hosting says that your virtual hosts should look similar to the following:

<VirtualHost 192.168.0.1:443>
ServerAdmin webmaster@smallco.example.com
DocumentRoot /groups/smallco/www
ServerName smallco.example.com
ErrorLog /groups/smallco/logs/error_log
TransferLog /groups/smallco/logs/access_log
</VirtualHost>

<VirtualHost 192.168.0.2:443>
ServerAdmin webmaster@baygroup.example.org
DocumentRoot /groups/baygroup/www
ServerName baygroup.example.com
ErrorLog /groups/baygroup/logs/error_log
TransferLog /groups/baygroup/logs/access_log
</VirtualHost>

The first virtual host listed in your apache config is the default one. Add a fake one before your first two just to ensure that you are actually matching your virtual hosts, and not just blindly falling into the first one. Here is a more complete article about such a setup from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21045922

  • This is the way it was configured, actually this gets written by ISPConfig. All .vhost files are under /etc/apache/sites-enabled and match that structure. – spacebiker Mar 08 '13 at 07:59
  • the link to 000-default-ssl in /etc/apache2/sites-enabled was not created. I just created that link and change to and it successfully worked! Your answer is not exactly answering but it helped me a lot. Thanks for your reply – spacebiker Mar 10 '13 at 21:52
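An added example (not from the question or any answer) of the "fake first vhost" idea on a Debian Apache 2.2 layout: a deny-by-default catch-all placed before the real sites so that an unknown or mistyped HTTPS hostname gets a 403 instead of siteone.com's content. It assumes the Debian snakeoil certificate from the ssl-cert package, an empty /var/www/empty directory, and that sites-enabled is read in lexical order (hence the 000- prefix); the siteone.com paths are placeholders.

```apache
# /etc/apache2/sites-enabled/000-default-ssl  (added example, loaded first)
NameVirtualHost *:443

<VirtualHost *:443>
    # A name that matches no real site: this block only ever answers requests
    # whose Host/SNI name matches none of the later vhosts, or bare-IP requests.
    ServerName default.invalid
    SSLEngine on
    # Placeholder self-signed cert (Debian ssl-cert package); browsers warn,
    # which is fine for a vhost that must never serve real content.
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    DocumentRoot /var/www/empty
    <Directory /var/www/empty>
        # Apache 2.2 syntax, matching the rest of the page: answer 403 to everything.
        Order Deny,Allow
        Deny from all
    </Directory>
    # Separate logs: hits here reveal missing ServerAlias entries, typos in
    # ServerName, and scanners that connect to the IP without a hostname.
    ErrorLog  /var/log/apache2/default-ssl-error.log
    CustomLog /var/log/apache2/default-ssl-access.log combined
</VirtualHost>

# /etc/apache2/sites-enabled/100-siteone.com.vhost  (the real site; only the
# ServerAlias is new, so that www.siteone.com matches here instead of falling
# through to the catch-all above)
<VirtualHost *:443>
    ServerName  siteone.com
    ServerAlias www.siteone.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/siteone.com.crt
    SSLCertificateKeyFile /etc/ssl/private/siteone.com.key
    DocumentRoot /var/www/siteone.com/web
</VirtualHost>
```

After reloading, `apache2ctl -S` lists the parsed vhosts per address:port and names which one is the default for *:443; the catch-all should appear there, not siteone.com.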
2

If Stephen's advice isn't quite working for you then make sure that you also have the following line in your apache config file:

NameVirtualHost *:443

Also, FRB is right. You CAN have SSL on as many of these Virtual machines as you like. Just put the SSL config info inside the <VirtualHost></VirtualHost> code block.

Something like this (also notice that it's not necessary to bind to specific IPs when using named hosts):

## SSL (HTTPS) PORT 443
Listen 443
NameVirtualHost *:443

LoadModule ssl_module modules/mod_ssl.so
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost *:443>
  ServerName host1.com

  SSLEngine on
  SSLOptions +StrictRequire
  SSLProtocol -all +TLSv1 +SSLv3
  SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
  SSLCertificateFile    /etc/httpd/ssl/host1.crt
  SSLCertificateKeyFile /etc/httpd/ssl/host1.key
  SSLVerifyClient none
  SSLProxyEngine off

  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
  CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

  DocumentRoot /var/www/host1/

  <Directory "/var/www/host1/">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order Allow,deny
    Allow from all
  </Directory>

</VirtualHost>


<VirtualHost *:443>
  ServerName host2.com

  SSLEngine on
  SSLOptions +StrictRequire
  SSLProtocol -all +TLSv1 +SSLv3
  SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
  SSLCertificateFile    /etc/httpd/ssl/host2.crt
  SSLCertificateKeyFile /etc/httpd/ssl/host2.key
  SSLVerifyClient none
  SSLProxyEngine off

  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
  CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

  DocumentRoot /var/www/host2/

  <Directory "/var/www/host2/">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order Allow,deny
    Allow from all
  </Directory>

</VirtualHost>
Octopus
1

You can actually do multiple SSL sites on the same IP address, without using SNI. The (primary) catch is that you have to be using the same certificate, which must have all the required domains as Subject Alternative Names. (These will make the cert cost extra.) The implication is that all the sites are for the same organisation.

Apache2 handles SSL in two phases. The first phase involves checking for an "SSLEngine on" statement in the default (first) virtualhost block for the IP address, then starting the SSL connection. The second phase involves checking the ServerName/ServerAlias directives until the correct virtualhost is identified.

So you don't actually need to duplicate the SSL* directives in each virtualhost, but it helps draw people's attention to the fact that it's an SSL site. (Otherwise they'd have to notice the port number.)

The secondary catch is that there will be a warning added to error_log every time Apache starts up.

Alastair Irvine