SSL and ServerAlias on one Apache server with multiple domains

I have a virtual server which I would like to point two domains to, both pointing to different sites.

For example, example1.com goes to /var/www/example1. example2.com goes to /var/www/example2.

I can do this just fine with VirtualHosts:

<VirtualHost *:80>
    ServerName example1.com
    DocumentRoot "/var/www/example1"
</VirtualHost>

<VirtualHost *:80>
    ServerName example2.com
    DocumentRoot "/var/www/example2"
</VirtualHost>

My first question is to do with the leading www. In order to enable support for the www, I have just added a ServerAlias:

<VirtualHost *:80>
    ServerName example1.com
    ServerAlias www.example1.com
    DocumentRoot "/var/www/example1"
</VirtualHost>

Is this the best way to do this?

My second question involves SSL. I would also like example2.com to be accessed via SSL: https://example2.com. I have issued the certificate etc, but how would I achieve this in my httpd.conf file? At the moment I have a temporary workaround. I have just changed the server's main DocumentRoot to point to this /var/www/example2. I understand that SSL is on a different port so it will not be interpreted by the VirtualHost definition, so I have done this as a quick workaround. However, I would like to know what the best way to do this is?


Solution 1:

  1. Yes - ServerAlias is the standard way to achieve that. Sometimes it is preferred to select www.myserver.com as the "most preferred" identity and have "myserver.com" as the alias, but it really makes no difference unless you canonicalise (convert links to preferred ones) URLs at some point.

  2. Edit: it seems that I misunderstood the OP's question, so this is mostly irrelevant.

short answer (for hosting multiple SSL sites on one apache server)

  • The simplest solution is IP-based virtual hosts; this supports all browsers. Ask your ISP for a second IP address, so you have 1 IP per SSL cert. See below for example config.

  • Server Name Indication - not XP, old Safari or old Android - works with only 1 IP - http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

Long answer (and boy, I did get carried away with this answer... ;-). Here is a quick primer on SSL and name-based virtual hosting...

Name-based virtual hosting is a strategy for sharing the web server between web sites based on the "Host" header presented by the client (i.e. the web browser etc).

This is an HTTP 1.1 extension, and to use it Apache reads the content of the request and parses the header, i.e. it looks like this:

GET /index.htm HTTP/1.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20100101 Firefox/8.0
Host: www.google.co.uk            <--  apache checks this value 

However, with the TLS handshake used in SSL connections the server identifies itself before the Host header is sent, using the "common name" field in the SSL certificate.

Hence (using traditional... SSL v1, old browsers etc, Windows XP) there can only be 1 SSL identity per IP address, because the first thing the server does is identify itself as, say, www.amazon.com, which it cannot change afterwards...

Basically the difference is like so; in normal http://myserver.com requests:

client: hello server   
server: hello client   
client: please give me web XXX   
server: here is websiteXXX    

but for https:// requests it is more like this:

client: hello server   
server: I am website XXX   
client: ok, go ahead and give me website XXX   
server: here is websiteXXX   

So basically, for a "supports all browsers" solution, including crufty old ones, you need to ask your ISP for another public IP address and then bind your second virtual host to the second IP instead of the first...

However there are some alternatives, which allow multiple SSL identities on a single IP address that work on most modern browsers, for example SNI or wildcard certs.

  • Wildcard certs: not suitable in this particular situation because the server names are domain level, e.g. badger.com and monkey.com, rather than badger.server.com and monkey.server.com.

However, with Server Name Indication you tell the server which host you want during the handshake process, and the server can provide the correct certificate. It appears that the server will fall back to the default cert, so it might be a good strategy when you have a "primary" SSL site and a less important one for which you can accept some loss of user requests.

Basically the directives for adding SSL virtual hosts are similar, except that you are adding just plain virtual hosts rather than NameVirtualHosts.

#if not done elsewhere in httpd.conf include these
Listen 443
LoadModule ssl_module   modules/mod_ssl.so

#this does work for wildcard SSL certs like *.myserver.com (and SNI???)
NameVirtualHost *:443

<VirtualHost 1.1.1.1:443>
  SSLEngine On
  ServerName address1.com
  DocumentRoot /var/www/address1
  SSLCertificateFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.crt
</VirtualHost>

<VirtualHost 1.1.1.2:443>
  SSLEngine on
  ServerName address2.com
  DocumentRoot /var/www/address2
  SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>

Solution 2:

Your ServerAlias for www is perfectly normal; no worries. If you want to get fancy, you can set up a RewriteRule to direct traffic from www.example.com to example.com, or vice-versa. As for SSL support, use separate VirtualHost definitions for your :80 and :443 virtual hosts.
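The config below is an added example written for this page; it is not from the question or from either answer. It puts together the two recommendations above: the SNI (name-based, single-IP) layout from Solution 1's short answer and the separate :80 / :443 VirtualHosts plus the www RewriteRule from Solution 2. It assumes Apache 2.4 (so no NameVirtualHost directive), mod_ssl and mod_rewrite loaded, and certificate/key paths under /etc/httpd/ssl/, all of which are assumptions, not anything the page states.

```apache
# Added example, not the original poster's or either answerer's config.
# Assumes Apache 2.4 with mod_ssl and mod_rewrite; the cert/key paths below
# are placeholders to replace with your own.
Listen 80
Listen 443
LoadModule ssl_module     modules/mod_ssl.so
LoadModule rewrite_module modules/mod_rewrite.so

# --- Plain HTTP -----------------------------------------------------------
# example1 stays HTTP-only, with the www ServerAlias from the question.
<VirtualHost *:80>
    ServerName example1.com
    ServerAlias www.example1.com
    DocumentRoot "/var/www/example1"
</VirtualHost>

# example2 on :80 only exists to send clients to the :443 vhost.
# Redirect keeps the request path, so /foo/bar lands on https://example2.com/foo/bar.
<VirtualHost *:80>
    ServerName example2.com
    ServerAlias www.example2.com
    Redirect permanent "/" "https://example2.com/"
</VirtualHost>

# --- HTTPS, one IP, certificate chosen by SNI -----------------------------
# The FIRST *:443 vhost is the default: clients that send no SNI (the old
# browsers Solution 1 mentions) get this certificate whatever Host they ask
# for. Put the site whose cert you would rather show to such clients first.
<VirtualHost *:443>
    ServerName example2.com
    ServerAlias www.example2.com
    DocumentRoot "/var/www/example2"

    SSLEngine on
    SSLCertificateFile      /etc/httpd/ssl/example2.com.crt
    SSLCertificateKeyFile   /etc/httpd/ssl/example2.com.key
    # On 2.4.8+ append the intermediate(s) to SSLCertificateFile instead;
    # SSLCertificateChainFile is kept here for older 2.4 releases.
    SSLCertificateChainFile /etc/httpd/ssl/example2.com-chain.crt

    # Refuse SNI-unaware clients outright instead of serving them a cert that
    # will not match the Host they wanted. Comment out if you prefer Solution
    # 1's "fall back to the default cert" behaviour.
    SSLStrictSNIVHostCheck on

    # The www -> bare-domain canonicalisation Solution 2 describes, done with
    # RewriteRule so the original path and query string are preserved.
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^www\.example2\.com$ [NC]
    RewriteRule ^ https://example2.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

# A second HTTPS site on the SAME IP and port. mod_ssl picks this vhost and
# its certificate from the server_name the client puts in the ClientHello;
# the certificate's CN/SAN must cover both example1.com and www.example1.com.
<VirtualHost *:443>
    ServerName example1.com
    ServerAlias www.example1.com
    DocumentRoot "/var/www/example1"

    SSLEngine on
    SSLCertificateFile      /etc/httpd/ssl/example1.com.crt
    SSLCertificateKeyFile   /etc/httpd/ssl/example1.com.key
    SSLCertificateChainFile /etc/httpd/ssl/example1.com-chain.crt
</VirtualHost>
```

Run `apachectl configtest` before reloading. To confirm that SNI selection actually works from outside, ask for each name explicitly and look at the subject that comes back: `openssl s_client -connect <your-ip>:443 -servername example1.com </dev/null | openssl x509 -noout -subject`, then the same with `-servername example2.com`. Repeating the first command without `-servername` shows what a non-SNI client sees: the first :443 vhost's certificate (or a handshake failure if SSLStrictSNIVHostCheck is on), which is exactly the "supports all browsers" limitation Solution 1 describes and the reason it suggests a second IP when that matters.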