Apache* + Mod_SSL2.8.12 + Openssl

rohithmr

Hi,
I am trying to set up an apache server with SSL enabled ONLY on
[url]https://secure.my-domain.tld,[/url]

all HTTP requests shudd goto

http://my-domain.tld.

If they type

[url]https://my-domain.tld,[/url] then it shudd not take them to any page. I am attaching my current httpd.conf, the problem is that when users type [url]https://my-domain.tld,[/url] it take u to teh area where only https://secure.my-domain.tld shudd have access.

If anybody kno y dis is happening, please inform me

Thnx 4 ne Help
r O h i t H

dalecosp

To the best of my recollection, you can't use name-based virtual hosting with SSL on Apache.

You have one IP, anything going to https port 443 on that box will connect with the root server.

I believe that you must use IP based Virtual Hosting to accomplish what you're looking for.

Cheers,

rohithmr

Hi Dalecosp,
I have been reading on this issue for quite q while now and i found this on a web page. I have read in the documentation on Apache how and why Vhosts does not work with SSL.
But if that is the case, i dun understand how this is possible.

Source: http://www.apache-ssl.org/#FAQ

Question: I want to run secure and non-secure servers on the same machine. Is that possible?

Answer: There are two ways to do this: run two server daemons, or run both services from the same daemon. Unless there is a good reason to run two (like using a different product for secure/non-secure), it's usually simplest to run a single daemon and disable SSL on those virtual hosts that don't need it. If you wish to run two daemons you must make sure that they each only try to bind to their alloted ports (normally port 80 for non-secure and 443 for secure). If you wish to run a single daemon, here's an example config file showing how you might do it.http://www.apache-ssl.org/httpd.conf.example

Now i know that they are taling about Apache1.3.27 and i dont really mind what version of Apache to use, as long what they say there can be achieved.

Thnx,
r O h I t H

dalecosp

Well, yes, of course it's possible to run SSL and non-SSL apache hosts on the same machine. If the machine had two seperate interfaces hooked directly to the internet with seperate IPs, the issue is easy. Assign the DNS for the 'secure' server to one IP and the 'normal' one to the other. The problem is when you have one IP address: one server is listening on port 80, and one on port 443, yet the DNS points both secure.domain.tld and www.domain.tld to the same IP. So, if you have only one network interface available to the outside world (for example, a router with one public IP doing NAT for an entire class C subnet) then a request to https://www.domain.tld is going to be sent to the one interface (on the router in this example), find an open 443 port there, and connect to it, since it's listening, regardless of the nature of the request.

Hey, though, I did just have an idea.... isn't there a REQUEST_URI variable in the $_SERVER superglobal?

Let me think on this....

rohithmr

Hmm.....i think i get what ur saying. So ur saying that the ssl.fictional.tld and another-ssl.fictional.tld and www.fictional.tld all has different IP addresses in their respective DNS records.

And i kno where ur goin with the $Requested_URI, cuz i was planning to use a slignt variation of that. Let me tell u what i had in mind, so we are both on the same page.

I was planning to have a SSL server ONLY at https://secure.domain.tld and a normal HTTP at domain.tld. Since i wanted to have subdomains, and i will put a script on the index page of domain.tld, that checks for the HOST header of the HTTP request and redirecting them to the appropriate page.

4rm what i have read, HTTP ver 1.1 sends a HOST header with every request. So the only problem i have right now is like what u said, ANY request to port 443 will get them access to the SSL secured area. I think i kno a workaround for this too, not a very practical one and i havent tried this yet, but here's my 2 cents:

Similar to the script in the index page of domain.tld, im gonna put a script at the index page of the SSL secured area, that checks for the HOST header. THen if it is not secure.domain.tld, i could jus either give then a BAD REQUEST error message or whatever.

I kno this is not the best way to do things, but until i get a better way to do htings, i guess this is the only work around.

btw please tell me ur opinion on this method

Thnxx
r O h I t H

dalecosp

That's basically what I was thinking about. I'd be very interested to hear if it works, and would like to see the code if possible. If you don't wish to or can't share it, that's OK, too, of course.

Hmmm, now what about browsers that don't comply with HTTP 1.1.......

rohithmr

I found dis snipplet rite here in dis site:

faking real vhosts

Submitted By: Nico Gawenda
Date: 06/04/02 17:16
put this at the very beginning of your php
this powerful hack implies to have *.yourdomain actually pointing to it.
first check for some vhost. this can be done much better, but this is easier to understand :-)

if (isset($HTTP_HOST) && strpos($HTTP_HOST,'.yourdomain.com')>0 && strpos($HTTP_HOST,'www.yourdomain.com')===false ){
	// extract vhost, again put your regexp here ;)
	$vhost = substr($HTTP_HOST,0,strpos($HTTP_HOST,'.'));
	// redirect whereever you want... you could also look for an id with username=$vhost in a database,
	// and redirect to something like /index.php?show_user=$id
	header('Location: [url]http://www.yourdomain.com/[/url]'.$vhost.'/index.php');
	exit;
}