One host, multiple sites. Help with SSL please!

Hi guys,


I am building a server to host 3 websites, only one of which should be SSL. How do I go about "isolating" the other two sites (which will be virtual hosts) from using the SSL cert?

thank you
 
Impossible. You have one IP address, and port 443 is open on that IP address. If anyone types https://one.of.your.non-ssl.sites/, the browser will make a connection to public_ip:443 and the webserver will respond with the SSL dialog. It takes place before any virtual host records are even consulted, simply because the connection must be secured and encrypted before anything else passes over the connection.
 
To rephrase:

Do I just install and configure an SSL server and then add 2 virtual hosts?

Or what is the proper way of doing it?
 
Sorry, I was typing this when you replied... Any workarounds? There should be!!
 
SSL is unaware of anything but the 'raw connection'. Like I said in another thread about this subject: you can force http to https, you cannot force https to http.
 
Nothing new here. Just configure all 3 websites as virtual hosts.

Configure 1 website as SSL-aware. Remember each SSL certificate needs 1 public IP and port 443. However, if someone types https://othersite/, they will end up connecting to the original SSL-aware website. Try using at least 2 IP addresses: the first one for http and https, and the second one for http virtual hosting only.
 
I am going with a dual NIC setup (about to order a PCI card now).

Q: How difficult would it be for a newbie to configure a dual NIC FreeBSD box, provided both IPs are on the same network using the same gateway and subnet mask?

PS: By doing so I want to keep SSL website on one NIC and other 2-3 sites on the other NIC.

PPS: Any particular NIC I should shy away from, or are the majority of them recognized by FreeBSD today? Any make & model you can guarantee will be working?

thank you
 
gnr said:
I am going with a dual NIC setup (about to order a PCI card now).

Q: How difficult would it be for a newbie to configure a dual NIC FreeBSD box, provided both IPs are on the same network using the same gateway and subnet mask?

PS: By doing so I want to keep SSL website on one NIC and other 2-3 sites on the other SSL.

PPS: Any particular NIC I should shy away from, or are the majority of them recognized by FreeBSD today? Any make & model you can guarantee will be working?

thank you

Very easy. Assuming it's supported and detected, it's a one-liner in /etc/rc.conf:

Code:
ifconfig_bge0="inet yourip netmask yournetmask"

The bge0 bit would be the device name for the card.

Can't help too much on the NICs beyond that I suspect most chipsets are supported these days. If you have a currently working card you can find out the driver being used and buy a card using the same chipset.

The hardware compatibility list should help you here.
 
Thanks for the prompt reply. Can you point me in the right direction as to how one assigns an interface to a particular website/service (SMTP/IMAP/etc)?
 
gnr said:
Thanks for the prompt reply. Can you point me in the right direction as to how one assigns an interface to a particular website/service (SMTP/IMAP/etc)?

This largely depends on the service and its configuration syntax.

The nice way to do it would be in its config file; for example, Apache has an option:

Code:
Listen <ip address>:<port>

which specifies what IP address (and so which network card) the virtual host binds to, and the TCP port.

But it's largely daemon dependent, although the option will be there somewhere!
 
@gnr: It's the other way around: you tell the service/daemon to bind to an IP address running on a specific interface. Services usually bind to every available interface (which will show up in netstat -an as "*:80" in the case of a webserver and "*:25" in the case of an SMTP server). You can tell Apache, Sendmail, etc. to pick a specific IP to bind to (which will show up as "111.222.111.222:80"). How that's done is different for every application, I'm afraid, and some can't do it at all.
 
A question.

Before I decided to add 3 websites to my machine (which happened to be a mail server), I had this record in httpd.conf for SquirrelMail:

ServerName mail.mycorp.com:80

As well as:

ServerName mail.mycorp.com:443

in httpd-ssl.conf.

Now since I added a second NIC do I need to modify those two records above to reflect chosen NIC? Or how do I tell Apache to distinguish between interfaces? The other 3 websites need not be SSL.
 
Apache doesn't know about interfaces. Apache attaches to a hostname, which is an IP address, which is on an interface. That's the interface Apache will be listening on.
 
OK, so I had a mail server working, and after I moved it to virtual hosting and added one more website my system is not working (websites won't load).

Here's my httpd.conf (excerpt):
Code:
Listen 192.168.16.78:80

ServerName mail.server.com

NameVirtualHost 192.168.16.77:443

NameVirtualHost 192.168.16.78:80

<VirtualHost 192.168.16.77:443>
    ServerName mail.server.com
    DocumentRoot "/usr/local/www/squirrelmail"
</VirtualHost>

<VirtualHost 192.168.16.78:80>
    ServerName www.website.com
    DocumentRoot "/usr/local/www/apache22/data/website"
</VirtualHost>

Any clues?
 
Correction: the mail server does in fact work, which is good. The website on the second NIC won't load. I don't know, maybe that's a problem with the path to the website files or something, but here's the output:

Code:
mail# netstat -an -f inet
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0     52  12.34.56.77.22         22.33.44.55.1430       ESTABLISHED
tcp4       0      0  12.34.56.77.22         *.*                    LISTEN
tcp4       0      0  12.34.56.77.443        *.*                    LISTEN
tcp4       0      0  12.34.56.88.80         *.*                    LISTEN
tcp4       0      0  *.143                  *.*                    LISTEN
tcp4       0      0  *.993                  *.*                    LISTEN
tcp4       0      0  *.587                  *.*                    LISTEN
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.783          *.*                    LISTEN
udp4       0      0  *.514                  *.*
 
You have only one IP bound to port 80. You need to use name-based virtual hosts if more than one website is configured per IP address.

You need to use IP-based virtual hosts if you have an IP address for each website.

It looks like you are a bit confused about the correct configuration. Do yourself a favor and go through the Apache virtual hosting guide - http://httpd.apache.org/docs/2.2/vhosts/examples.html

HTH
 
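A complete configuration for the layout this thread converges on (one IP-based TLS virtual host on the first address, name-based plain-HTTP virtual hosts on the second, and the http-to-https redirect mentioned earlier), as an added example and not configuration posted by anyone in the thread. It uses Apache 2.2 syntax and the two addresses from the excerpt above (192.168.16.77 for the TLS site, 192.168.16.78 for the plain sites); the certificate paths and the second site name are placeholders.

```apache
# Added example, not from the thread. Assumed addresses follow the poster's
# excerpt: 192.168.16.77 carries the one TLS site, 192.168.16.78 carries the
# plain-HTTP sites. Certificate paths and www.othersite.com are placeholders.

# Bind only to the addresses you mean to serve. A bare "Listen 80" or
# "Listen 443" would expose every vhost on every address, including the
# plain sites on the TLS address and vice versa.
Listen 192.168.16.77:80
Listen 192.168.16.77:443
Listen 192.168.16.78:80

# IP-based vhost for the single TLS site: it owns 192.168.16.77:443 outright,
# so no NameVirtualHost line is needed (or wanted) for this address.
<VirtualHost 192.168.16.77:443>
    ServerName            mail.server.com
    DocumentRoot          "/usr/local/www/squirrelmail"
    SSLEngine             on
    SSLCertificateFile    /usr/local/etc/apache22/ssl/mail.server.com.crt
    SSLCertificateKeyFile /usr/local/etc/apache22/ssl/mail.server.com.key
</VirtualHost>

# Plain HTTP on the TLS address does nothing but redirect to HTTPS. This is
# the direction you can force (http -> https); the reverse is not possible
# because the TLS handshake completes before any Host: header is seen.
<VirtualHost 192.168.16.77:80>
    ServerName mail.server.com
    Redirect permanent / https://mail.server.com/
</VirtualHost>

# Name-based vhosts for the plain sites share 192.168.16.78:80. Apache picks
# one by the Host: header; the first vhost listed for this address is the
# default for requests whose Host: matches none of the ServerNames.
NameVirtualHost 192.168.16.78:80

<VirtualHost 192.168.16.78:80>
    ServerName   www.website.com
    DocumentRoot "/usr/local/www/apache22/data/website"
</VirtualHost>

<VirtualHost 192.168.16.78:80>
    ServerName   www.othersite.com
    DocumentRoot "/usr/local/www/apache22/data/othersite"
</VirtualHost>
```

Two practical notes. First, the second address does not require a second NIC: an alias on the existing interface (for example ifconfig_bge0_alias0="inet 192.168.16.78 netmask 255.255.255.255" in /etc/rc.conf) gives Apache exactly the same thing to bind to. Second, the two-address design is only necessary when the server or the clients cannot do SNI; Apache 2.2.12 and later built against an SNI-capable OpenSSL can select a certificate by hostname on one address, which is how this is normally solved today. After editing, run apachectl configtest and check sockstat -4l (or the netstat -an -f inet used above): Apache should appear only on the three address:port pairs listed, and anything you see on *.80 or *.443 is a daemon still bound to every address.
 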
Hi Vivek and thanks for your reply.

I currently have only two websites, one on each interface, but it will expand as soon as I get it to work. One site is on port 443 and the other on 80.
 