# Vhost And SSL

## _easyrider_

I just tried to set up a virtual host with SSL support, but I keep getting the following error when I start or restart Apache.

```
 * Stopping apache...                                    [ ok ]
 * Starting apache...
[Thu Jun 26 17:56:01 2003] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
```

These are my conf files.

Vhosts.conf

```
# $Header: /home/cvsroot/gentoo-x86/net-www/apache/files/conf/Vhosts.conf,v 1.2 2002/05/04 23:23:01 woodchip Exp $
################# Vhosts.conf
#This is where we store the VirtualHosts configuration.
#
#Since Apache 1.3.19, we modified the setup to include some nice tricks:
#
#- We added the User and Group directives so VirtualHosts now work with
#  suexec directive. If set, Apache will run all cgi scripts under that
#  user and group (provided the uid and gid are > 1000 for security). The
#  directories and cgi files *must* belong to that user/group for the
#  feature to work
#- We added the Setenv VLOG directive. This works in conjunction with
#  the CustomLog in common.conf. When Setenv VLOG is set, apache will
#  create a /var/log/httpd/VLOG-YYYY-MM-<ServerName>.log instead of logging
#  to access_log. Use this instead of defining a special logfile for
#  each vhost, otherwise you eat up file descriptors.
#- You can also specify a path for the VLOG for each Vhost, for example,
#  to place the logs in each user's directory. However, if you want to
#  use the file for accounting, place it in a directory owned by root,
#  otherwise the user will be able to erase it.
#- I suggest only including the ErrorLog *only* if the vhost will use
#  cgi scripts. Again, it saves file descriptors!

#This is needed for Frontpage support
Port 80
ServerRoot /etc/apache
ResourceConfig /dev/null
AccessConfig /dev/null

NameVirtualHost *

#################################################
################# www.blabla.dk #################
#################################################
<VirtualHost *>
ServerName www.blabla.dk
ServerAlias blabla.dk
ServerPath /home/httpd/htdocs
DocumentRoot /home/httpd/htdocs
</VirtualHost>
```

ssl.default-vhost.conf

```
# $Header: /home/cvsroot/gentoo-x86/net-www/mod_ssl/files/ssl.default-vhost.conf,v 1.2 2002/05/04 23:23:02 woodchip Exp $

<IfModule mod_ssl.c>

##
## SSL Virtual Host Context
##

#################################################
########## www.mail.blabla.dk Over SSL ##########
#################################################
<VirtualHost _default_:443>

DocumentRoot /home/httpd/htdocs/squirrelmail
ServerName mail.blabla.dk
ServerAdmin admin@blabla.dk
ErrorLog logs/ssl-error_log
TransferLog logs/ssl-access_log

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again. A test
#   certificate can be generated with `make certificate' under
#   built time.
SSLCertificateFile conf/ssl/server.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.
SSLCertificateKeyFile conf/ssl/server.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile @@ServerRoot@@/conf/ssl/ssl.crt/ca.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCACertificatePath @@ServerRoot@@/conf/ssl/ssl.crt
#SSLCACertificateFile @@ServerRoot@@/conf/ssl/ssl.crt/ca-bundle.crt

#   Certificate Revocation Lists (CRL):
#   Set the CA revocation path where to find CA CRLs for client
#   authentication or alternatively one huge file containing all
#   of them (file must be PEM encoded)
#   Note: Inside SSLCARevocationPath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCARevocationPath @@ServerRoot@@/conf/ssl/ssl.crl
#SSLCARevocationFile @@ServerRoot@@/conf/ssl/ssl.crl/ca-bundle.crl

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   CompatEnvVars:
#     This exports obsolete environment variables for backward compatibility
#     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
#     to provide compatibility to existing CGI scripts.
#   StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is sent or allowed to be received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is sent and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

RewriteEngine On
RewriteOptions inherit

</VirtualHost>

</IfModule>
```

apache.conf

```
# $Header: /home/cvsroot/gentoo-x86/net-www/apache/files/conf/apache.conf,v 1.2 2002/05/04 23:23:01 woodchip Exp $

### Main Configuration Section
### You really shouldn't change these settings unless you're a guru
###
ServerType standalone
ServerRoot /etc/apache
#ServerName localhost
#LockFile /etc/httpd/httpd.lock
PidFile /var/run/apache.pid
ScoreBoardFile /etc/apache/apache.scoreboard
ErrorLog logs/error_log
LogLevel warn
ResourceConfig /dev/null
AccessConfig /dev/null
DocumentRoot /home/httpd/htdocs

### Dynamic Shared Object (DSO) Support
###
###
LoadModule mmap_static_module modules/mod_mmap_static.so
LoadModule env_module         modules/mod_env.so
LoadModule config_log_module  modules/mod_log_config.so
LoadModule agent_log_module   modules/mod_log_agent.so
LoadModule referer_log_module modules/mod_log_referer.so
LoadModule mime_magic_module  modules/mod_mime_magic.so
LoadModule mime_module        modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule status_module      modules/mod_status.so
LoadModule info_module        modules/mod_info.so
LoadModule includes_module    modules/mod_include.so
LoadModule autoindex_module   modules/mod_autoindex.so
LoadModule dir_module         modules/mod_dir.so
LoadModule cgi_module         modules/mod_cgi.so
LoadModule asis_module        modules/mod_asis.so
LoadModule imap_module        modules/mod_imap.so
LoadModule action_module      modules/mod_actions.so
LoadModule speling_module     modules/mod_speling.so
LoadModule userdir_module     modules/mod_userdir.so
LoadModule proxy_module       modules/libproxy.so
LoadModule alias_module       modules/mod_alias.so
LoadModule rewrite_module     modules/mod_rewrite.so
LoadModule access_module      modules/mod_access.so
LoadModule auth_module        modules/mod_auth.so
LoadModule anon_auth_module   modules/mod_auth_anon.so
LoadModule dbm_auth_module    modules/mod_auth_dbm.so
LoadModule db_auth_module     modules/mod_auth_db.so
LoadModule digest_module      modules/mod_digest.so
LoadModule cern_meta_module   modules/mod_cern_meta.so
LoadModule expires_module     modules/mod_expires.so
LoadModule headers_module     modules/mod_headers.so
LoadModule usertrack_module   modules/mod_usertrack.so
LoadModule example_module     modules/mod_example.so
LoadModule unique_id_module   modules/mod_unique_id.so
LoadModule setenvif_module    modules/mod_setenvif.so
<IfDefine PHP4>
LoadModule php4_module    extramodules/libphp4.so
</IfDefine>
<IfDefine SSL>
LoadModule ssl_module    extramodules/libssl.so
</IfDefine>
LoadModule vhost_alias_module   modules/mod_vhost_alias.so

#  Reconstruction of the complete module list from all available modules
#  (static and shared ones) to achieve correct module execution order.
#  [WHENEVER YOU CHANGE THE LOADMODULE SECTION ABOVE UPDATE THIS, TOO]
ClearModuleList
AddModule mod_mmap_static.c
AddModule mod_env.c
AddModule mod_log_config.c
AddModule mod_log_agent.c
AddModule mod_log_referer.c
AddModule mod_mime_magic.c
AddModule mod_mime.c
AddModule mod_negotiation.c
AddModule mod_status.c
AddModule mod_info.c
AddModule mod_include.c
AddModule mod_autoindex.c
AddModule mod_dir.c
AddModule mod_cgi.c
AddModule mod_asis.c
AddModule mod_imap.c
AddModule mod_actions.c
AddModule mod_speling.c
AddModule mod_userdir.c
AddModule mod_proxy.c
AddModule mod_alias.c
AddModule mod_rewrite.c
AddModule mod_access.c
AddModule mod_auth.c
AddModule mod_auth_anon.c
AddModule mod_auth_dbm.c
AddModule mod_auth_db.c
AddModule mod_digest.c
AddModule mod_cern_meta.c
AddModule mod_expires.c
AddModule mod_headers.c
AddModule mod_usertrack.c
AddModule mod_example.c
AddModule mod_unique_id.c
AddModule mod_so.c
AddModule mod_setenvif.c
<IfDefine PHP4>
AddModule mod_php4.c
</IfDefine>
<IfDefine SSL>
AddModule mod_ssl.c
</IfDefine>
AddModule mod_vhost_alias.c

###
### Global Configuration
###
# Splitting up apache.conf into two files makes it possible to support
# multiple configurations on the same server.  In commonapache.conf
# you keep directives that apply to all implementations and in this
# file you keep server-specific directives.  While we don't yet have
# multiple configurations out-of-the-box, this allows us to do that
# in the future easily.
Include conf/commonapache.conf

###
### IP Address/Port
###
#BindAddress *
Port 80
Listen 80

###
### Log configuration Section
###
# Single logfile with access, agent and referer information
# This is the default, if vlogs are not defined for the main server
CustomLog logs/access_log combined env=!VLOG
# If VLOG is defined in conf/vhosts/Vhosts.conf, we use this entry
#CustomLog "|/usr/sbin/apachesplitlogfile" vhost env=VLOG

###
### Virtual Hosts
###
# We include different templates for Virtual Hosting. Have a look in the
# vhosts directory and modify to suit your needs.
Include conf/vhosts/Vhosts.conf
#Include conf/vhosts/DynamicVhosts.conf
#Include conf/vhosts/VirtualHomePages.conf
Include conf/vhosts/ssl.default-vhost.conf

###
### Performance settings Section
###
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15

#
# Server-pool size regulation.  Rather than making you guess how many
# server processes you need, Apache dynamically adapts to the load it
# sees --- that is, it tries to maintain enough server processes to
# handle the current load, plus a few spare servers to handle transient
# load spikes (e.g., multiple simultaneous requests from a single
# Netscape browser).
#
# It does this by periodically checking how many servers are waiting
# for a request.  If there are fewer than MinSpareServers, it creates
# a new spare.  If there are more than MaxSpareServers, some of the
# spares die off.  The default values are probably OK for most sites.
#
MinSpareServers 4
MaxSpareServers 10

#
# Number of servers to start initially --- should be a reasonable ballpark
# figure.
#
StartServers 4

#
# Limit on total number of servers running, i.e., limit on the number
# of clients who can simultaneously connect --- if this limit is ever
# reached, clients will be LOCKED OUT, so it should NOT BE SET TOO LOW.
# It is intended mainly as a brake to keep a runaway server from taking
# the system with it as it spirals down...
#
MaxClients 150

#
# MaxRequestsPerChild: the number of requests each child process is
# allowed to process before the child dies.  The child will exit so
# as to avoid problems after prolonged use when Apache (and maybe the
# libraries it uses) leak memory or other resources.  On most systems, this
# isn't really needed, but a few (such as Solaris) do have notable leaks
# in the libraries. For these platforms, set to something like 10000
# or so; a setting of 0 means unlimited.
#
# NOTE: This value does not include keepalive requests after the initial
#       request per connection. For example, if a child process handles
#       an initial request and 10 subsequent "keptalive" requests, it
#       would only count as 1 request towards this limit.
#
MaxRequestsPerChild 500

Include  conf/addon-modules/mod_php.conf
Include  conf/addon-modules/mod_ssl.conf
Include  conf/vhosts/ssl.default-vhost.conf
```

Can anybody see what I am doing wrong?

----------

## devon

```
<VirtualHost _default_:443>
```

Have you tried changing this to read

```
<VirtualHost IPADDRESS:443>
```

Note, s/IPADDRESS/actual IP address/

----------

## _easyrider_

When I put in my IP instead, I get this error when I try to start or restart Apache.

```
 * Stopping apache...                                    [ ok ]
 * Starting apache...
[Thu Jun 26 20:43:07 2003] [warn] VirtualHost 80.199.17.226:443 overlaps with VirtualHost 80.199.17.226:443, the first has precedence, perhaps you need a NameVirtualHost directive                                    [ ok ]
```

----------

## devon

Reading, reading, reading..

Okay. After looking at this, change everything back and try to set "<VirtualHost *>" in Vhosts.conf to "<VirtualHost *:80>".

----------

## _easyrider_

Nope, didn't help either. The same error.

```
[Thu Jun 26 21:48:54 2003] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
```

----------

## devon

*Quote:*

> Nope, didn't help either. The same error.

:Sad: I did notice you don't have a "Listen 443" for SSL. Perhaps that is it... Try adding that first.

Here is what I have and it works. I have been playing around with settings and this is how I got it to work.

```
NameVirtualHost *

<VirtualHost *>
        ServerAdmin web@noved.org
        DocumentRoot /usr/local/www/data-dist/
        ServerName www.noved.org
        ServerAlias noved.org
</VirtualHost>

<VirtualHost 216.26.167.54:443>
DocumentRoot "/home/stephen/public_html"
ServerName panorama.noved.org
ServerAdmin stephen@noved.org
ErrorLog /var/log/httpd/ssl-httpd-error.log
TransferLog /var/log/httpd/ssl-httpd-access.log
```

----------

## _easyrider_

Which conf file did you grab that info from?

----------

## devon

*Quote:*

> Which conf file did you grab that info from?

Two of them: httpd.conf and ssl.conf. My config files are a little "unique" compared to yours as far as names and "Include" statements go. The basic ideas are the same though. :Smile:

I would add "Listen 443" to your ssl.default-vhost.conf file since your apache.conf has an "Include conf/vhosts/ssl.default-vhost.conf".

----------

## _easyrider_

I've just tried to make some changes to the two different conf files, so that they look like yours, but with my info. Still the same problem :Crying or Very sad:

----------

## devon

Followup since _easyrider_ and I took this to ICQ.  :Smile: 

He had "Include  conf/vhosts/ssl.default-vhost.conf" twice in his apache.conf file (D'oh!) so we removed one and it seems to work now.

----------
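The root cause devon found (the same `Include conf/vhosts/ssl.default-vhost.conf` appearing twice in apache.conf, so the `_default_:443` block is defined twice) is exactly the kind of thing a small config walker can catch before a restart. The following is an added example, not code from the thread: it follows `Include` directives the way Apache 1.3 does, then reports duplicate includes, `<VirtualHost>` blocks that overlap on the same address without a `NameVirtualHost` for it, and vhost ports with no matching `Listen`. The sample files are constructed and trimmed to the directives that matter; on the poster's real box `Listen 443` probably lives in conf/addon-modules/mod_ssl.conf, which the thread never shows, so that finding is only meaningful once that file is in the dictionary too.

```python
import re

# Constructed sample (not the poster's full files): a trimmed apache.conf plus the two
# vhost files it pulls in, reproducing the thread's mistake of including
# ssl.default-vhost.conf twice. Listen 443 is deliberately absent so that check fires too.
FILES = {
    "conf/apache.conf": """
Port 80
Listen 80
Include conf/vhosts/Vhosts.conf
Include conf/vhosts/ssl.default-vhost.conf
Include conf/vhosts/ssl.default-vhost.conf
""",
    "conf/vhosts/Vhosts.conf": """
NameVirtualHost *
<VirtualHost *>
ServerName www.blabla.dk
</VirtualHost>
""",
    "conf/vhosts/ssl.default-vhost.conf": """
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerName mail.blabla.dk
SSLEngine on
</VirtualHost>
</IfModule>
""",
}


def expand(path, files, includes):
    """Yield (file, lineno, directive) in the order Apache reads them, following Include."""
    for n, raw in enumerate(files[path].splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"Include\s+(\S+)", line, re.I)
        if m:
            includes.append(m.group(1))           # remember every Include, even repeats
            yield from expand(m.group(1), files, includes)
        else:
            yield path, n, line


def lint(files, root="conf/apache.conf"):
    """Return human-readable findings that explain the 'overlap on port 443' warning."""
    includes, vhosts, listens, name_vhosts = [], [], set(), set()
    for path, n, line in expand(root, files, includes):
        if m := re.match(r"<VirtualHost\s+([^>]+)>", line, re.I):
            vhosts.append((m.group(1).strip(), path, n))
        elif m := re.match(r"Listen\s+(\S+)", line, re.I):
            listens.add(m.group(1).rsplit(":", 1)[-1])
        elif m := re.match(r"NameVirtualHost\s+(\S+)", line, re.I):
            name_vhosts.add(m.group(1))
    findings = []
    for inc in sorted(set(includes)):
        if includes.count(inc) > 1:
            findings.append(f"duplicate Include of {inc} ({includes.count(inc)}x)")
    first = {}
    for addr, path, n in vhosts:
        # Two <VirtualHost> blocks on one address are only legal under NameVirtualHost
        if addr in first and addr not in name_vhosts:
            findings.append(f"{addr} at {path}:{n} overlaps with the one at {first[addr]}")
        first.setdefault(addr, f"{path}:{n}")
    ports = {a.rsplit(":", 1)[1] for a, _, _ in vhosts if ":" in a}
    for port in sorted(ports - listens):
        findings.append(f"VirtualHost on port {port} but no Listen {port}")
    return findings


if __name__ == "__main__":
    for finding in lint(FILES):
        print(finding)
```

Drop one of the two `Include` lines and the duplicate and overlap findings disappear, leaving only the missing `Listen 443`.

----------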

## ikaro

I made a search on the forums and it looks like this is a common problem.

Quite problematic, and I wonder if it isn't possible to have a server which can answer on both ports (80 && 443) depending on which URL it receives.

That is for all valid addresses, being vhosts or not.

I am also having some problem with this kind of setup.

I have a domain and a couple of vhosts, being user.domain.dk.

If I have SSL enabled in the server, when you type http://user.domain.dk you get redirected to the main page that you see when you type www.domain.dk.

With SSL disabled that's not a problem and everything works.

I've been struggling with this for a week or so, reading manuals, asking more experienced people on IRC, googling, reading on these forums and trying possible solutions.

However, until now I haven't been able to come up with something that works.

I am very tempted to post my configs and ask wtf I am doing wrong :Laughing:

but I'm going to give it a last try before I hand this over.

----------

## splooge

Just FYI...

Name-Based Virtual Hosting is a very popular method of identifying different virtual hosts. It allows you to use the same IP address and the same port number for many different sites. When people move on to SSL, it seems natural to assume that the same method can be used to have lots of different SSL virtual hosts on the same server.

It comes as rather a shock to learn that it is impossible.

The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the problem is that the SSL session is a separate transaction that takes place before the HTTP session even starts. Therefore all the server receives is an SSL request on IP address X and port Y (usually 443). Since the SSL request does not contain any Host: field, the server has no way to decide which SSL virtual host to use. Usually, it will just use the first one it finds that matches the port and IP address.

You can, of course, use Name-Based Virtual Hosting to identify many non-SSL virtual hosts (all on port 80, for example) and then you can have no more than 1 SSL virtual host (on port 443). But if you do this, you must make sure to put the non-SSL port number on the NameVirtualHost directive, e.g.

```
NameVirtualHost 192.168.1.1:80
```

Other workaround solutions are: 

Use separate IP addresses for different SSL hosts. Use different port numbers for different SSL hosts.

----------
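splooge's explanation rests on one fact: by the time the server must pick a certificate, it has seen only an IP address and a port, because the HTTP `Host:` header is still inside the not-yet-established encrypted channel. The Server Name Indication extension (RFC 6066) later moved a copy of the hostname into the ClientHello precisely to fix this, and mod_ssl uses it from Apache 2.2.12 with OpenSSL 0.9.8f or newer. The following is an added example, not code from the thread: it builds a minimal ClientHello with and without SNI (constructed sample bytes, zeroed random, one cipher suite) and a parser showing what a server can route on in each case; `client_hello` and `server_name_from_hello` are names chosen here.

```python
import struct


def client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello (constructed sample, not a real capture).
    With server_name=None it carries no extensions, like the 2003-era hello the thread describes."""
    body = b"\x03\x03" + bytes(32)                  # client_version, 32-byte random (zeros here)
    body += b"\x00"                                 # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
    body += b"\x01\x00"                             # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0), length, name
        sni = struct.pack("!H", len(entry)) + entry             # ServerNameList
        ext = struct.pack("!HH", 0, len(sni)) + sni             # extension_type server_name(0)
        body += struct.pack("!H", len(ext)) + ext               # extensions length + extensions
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body      # HandshakeType client_hello(1), uint24 length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # TLSPlaintext: handshake, legacy version


def server_name_from_hello(record):
    """Return the SNI host_name a server could route on, or None when the hello carries none."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record containing a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    p = record[9:9 + hs_len]
    i = 2 + 32                                     # skip client_version and random
    i += 1 + p[i]                                  # session_id
    i += 2 + struct.unpack("!H", p[i:i + 2])[0]    # cipher_suites
    i += 1 + p[i]                                  # compression_methods
    if i >= len(p):
        return None                                # no extensions block: only IP and port are known
    ext_end = i + 2 + struct.unpack("!H", p[i:i + 2])[0]
    i += 2
    while i + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", p[i:i + 4])
        data = p[i + 4:i + 4 + elen]
        if etype == 0:                             # server_name extension
            j = 2                                  # skip ServerNameList length
            while j + 3 <= len(data):
                ntype = data[j]
                nlen = struct.unpack("!H", data[j + 1:j + 3])[0]
                if ntype == 0:                     # host_name
                    return data[j + 3:j + 3 + nlen].decode("ascii")
                j += 3 + nlen
        i += 4 + elen
    return None


if __name__ == "__main__":
    print(server_name_from_hello(client_hello("mail.blabla.dk")))   # mail.blabla.dk
    print(server_name_from_hello(client_hello()))                   # None
```

Without the extension the server falls back to the first `<VirtualHost>` bound to that IP and port, which is the behaviour the warning in this thread is pointing at; with it, each SSL vhost can present its own certificate on one address.

----------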

## Heretic

*splooge wrote:*

> It comes as rather a shock to learn that it is impossible.

Another reason it won't work is that the SSL certificate includes the site name. The site needs to reverse map to the proper name in the certificate and IP addresses can only map to one name, though many names can map to one IP address.

Maybe not so surprising after all if you think about it.

----------

