2 SSL hosts on 1 ip


CGI101 (Programmer), Aug 18, 2006
so currently i have 2 websites hosted on 1 ip...

<VirtualHost 192.168.123.5>
ServerAlias DOMAIN-ONE.com
</VirtualHost>

<IfDefine SSL>
<VirtualHost 192.168.123.5:443>
ServerName DOMAIN-ONE.com
</VirtualHost>
</IfDefine>

AND THEN

<VirtualHost 192.168.123.5>
ServerAlias DOMAIN-TWO.com
</VirtualHost>

<IfDefine SSL>
<VirtualHost 192.168.123.5:443>
ServerName DOMAIN-TWO.com
</VirtualHost>
</IfDefine>

now the problem is that you cannot have 2 ssl hosts defined under the SAME ip, in this case, 192.168.123.5

in the apache conf file, is there anyway to do an if statement?

like this:
if (website = DOMAIN-ONE.com)
{
<IfDefine SSL>
DOMAIN-ONE CONTENTS
</IfDefine>
}
else
{
<IfDefine SSL>
DOMAIN-TWO CONTENTS
</IfDefine>
}

is that possible?

please note that i've already purchased TWO separate ssl certificates for both domains, but it just won't let me use them because of the ip issue.

the only solution i can think of would be to get another NIC card, hook up another connection to the switch with ANOTHER ip like 192.168.123.10, and do it that way.

can you guys think of any other solutions?

p.s. on the current interface, i CAN'T have any ip other than the 192.168.123.5.
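The rule in the question (one SSL vhost per address:port) can be checked mechanically. This is an added Python example, not code from the thread: it parses the vhost openings out of a config and reports any address on port 443 that is bound by more than one vhost; the sample config is constructed to mirror the layout posted above.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the question: both SSL vhosts bind 192.168.123.5:443.
SAMPLE_CONF = """
<VirtualHost 192.168.123.5>
ServerAlias DOMAIN-ONE.com
</VirtualHost>
<IfDefine SSL>
<VirtualHost 192.168.123.5:443>
ServerName DOMAIN-ONE.com
</VirtualHost>
</IfDefine>
<VirtualHost 192.168.123.5>
ServerAlias DOMAIN-TWO.com
</VirtualHost>
<IfDefine SSL>
<VirtualHost 192.168.123.5:443>
ServerName DOMAIN-TWO.com
</VirtualHost>
</IfDefine>
"""

OPEN_RE = re.compile(r"^\s*<VirtualHost\s+([^\s>]+)\s*>", re.I)
CLOSE_RE = re.compile(r"^\s*</VirtualHost\s*>", re.I)
NAME_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(\S+)", re.I)

def vhost_bindings(conf_text):
    """Map each addr:port to the names of the vhosts bound to it.
    A <VirtualHost> without an explicit port is taken as :80 (Apache's default)."""
    bound = defaultdict(list)
    current = None
    for line in conf_text.splitlines():
        if m := OPEN_RE.match(line):
            addr = m.group(1)
            current = addr if re.search(r":\d+$", addr) else addr + ":80"
            bound.setdefault(current, [])
        elif CLOSE_RE.match(line):
            current = None
        elif current and (m := NAME_RE.match(line)):
            bound[current].append(m.group(1))
    return dict(bound)

def ssl_conflicts(conf_text):
    """Addresses on port 443 carrying more than one vhost: Apache picks the
    certificate during the handshake, before Host: is readable, so only the
    first vhost for that address:port is ever served."""
    return {addr: names for addr, names in vhost_bindings(conf_text).items()
            if addr.endswith(":443") and len(names) > 1}
```

Moving the second SSL vhost to its own address (for example 192.168.123.10:443) empties the conflict list, which is the layout the rest of the thread works towards.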
 
You can do ip aliasing. This is where you create virtual interfaces and give them their own ip addresses. For example one NIC can have up to 256 aliases (0-255). If you have one interface called eth0 then aliases would be eth0:0, eth0:1, eth0:2 and so on. Each one of these virtual interfaces is given its own ip address. If this sounds like what you need, then you can check out the following link or do a google for 'ip aliasing'.
 
i had never heard of that before...sounds pretty cool. thx for the link.

but is this ... how it works?

basically, there is one public ip coming into the box, and out of that one ip, it makes more local ips for internal purposes?
 
tried it but it didn't work, here is what i did:

note that the virtual host with the new ip is already in the httpd.conf file.

so here we go.
1. "route add -host 192.168.123.10 dev eth0:1"
2. "route add -delete 192.168.123.10 dev eth0:1"
3. "ifconfig"...the new 0:1 was there.
4. "route"...same with this, the change was here.

tried to make an ssl connection to the 2ND domain, and it didn't work. it was still reading the 1ST domain's certificate.

then i tried
1. /etc/init.d/network restart

still nothing, but after the restart, i ran ifconfig and route again, but now, both changes were gone.

any idea on what i did wrong?
 
there was a typo in the last message, here is how it should be:

1. "ifconfig eth0:1 192.168.123.10 netmask 255.255.255.0"
2. "route add -host 192.168.123.10 dev eth0:1"
3. "ifconfig"...the new 0:1 was there.
4. "route"...same with this, the change was here.

...etc...etc
 
First off, you will want to make these permanent. If you execute these commands from the command line, they will be lost the next time you reboot or restart the network. There are a couple of things you can do. One is to put those commands in a file that will be run at bootup. This file already exists and is called /etc/rc.d/rc.local. Or you can create a file for each of your virtual interfaces manually. Here are two examples:

/etc/sysconfig/network-scripts/ifcfg-eth0:0

DEVICE=eth0:0
BOOTPROTO=none
ONBOOT=yes
IPADDR=XXX.XXX.XXX.XXX
NETMASK=255.255.255.0

/etc/sysconfig/network-scripts/ifcfg-eth0:1

DEVICE=eth0:1
BOOTPROTO=none
ONBOOT=yes
IPADDR=XXX.XXX.XXX.XXX
NETMASK=255.255.255.0


 
still didn't work.

i created the "ifcfg-eth0:1" file using touch and used vi to do this:

root@host [/etc/sysconfig/network-scripts]# /etc/init.d/network restart
Shutting down interface eth0: [ OK ]
Shutting down interface eth1: [ OK ]
Shutting down loopback interface: [ OK ]
Setting network parameters: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
Bringing up interface eth1: [ OK ]
root@host [/etc/sysconfig/network-scripts]# cat ifcfg-eth0:1
DEVICE=eth0:1
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.123.10
NETMASK=255.255.255.0

also restarted apache (just in case).

i still get the same error....try to make an ssl connection to the 2ND domain, and it didn't work. it was still reading the 1ST domain's certificate.

any other suggestions?

here is the output of ifconfig and route:
root@host [/etc/sysconfig/network-scripts]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:13:72:5F:69:14
inet addr:192.168.123.5 Bcast:192.168.123.255 Mask:255.255.255.0
inet6 addr: fe80::213:72ff:fe5f:6914/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2247827824 errors:1682 dropped:0 overruns:0 frame:810
TX packets:3655865195 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1232946752 (1.1 GiB) TX bytes:2035002427 (1.8 GiB)
Base address:0xecc0 Memory:fe6e0000-fe700000

eth0:1 Link encap:Ethernet HWaddr 00:13:72:5F:69:14
inet addr:192.168.123.10 Bcast:192.168.123.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Base address:0xecc0 Memory:fe6e0000-fe700000

eth1 Link encap:Ethernet HWaddr 00:13:72:5F:69:15
inet addr:192.168.123.10 Bcast:192.168.123.255 Mask:255.255.255.0
inet6 addr: fe80::213:72ff:fe5f:6915/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Base address:0xdcc0 Memory:fe4e0000-fe500000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:427611 errors:0 dropped:0 overruns:0 frame:0
TX packets:427611 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1311106363 (1.2 GiB) TX bytes:1311106363 (1.2 GiB)

 
i do, i have 2 onboard NICS, and i wasn't ignoring it...?

what i'm trying to do is to accomplish "IP aliasing", because although i have 2 NICs, i only have ONE uplink...and it would be a hassle to get another one setup....

therefore, if i can get IP aliasing to work, it would be great.
 
You can/should not "re-use" the same IP (eth0:1, eth1) on the same machine.

You should disable or re-IP eth1 to NOT .10

D.E.R. Management - IT Project Management Consulting
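The duplicate this reply spots is easy to miss by eye in a long ifconfig listing. As an added Python example (not from the thread), this parses classic net-tools ifconfig output and lists every IPv4 address that appears on more than one interface, alias or physical; the sample is constructed by trimming the output posted above.

```python
import re
from collections import defaultdict

# Constructed sample trimmed from the ifconfig output posted in the thread:
# the alias eth0:1 and the physical eth1 both carry 192.168.123.10.
IFCONFIG_OUTPUT = """\
eth0 Link encap:Ethernet HWaddr 00:13:72:5F:69:14
inet addr:192.168.123.5 Bcast:192.168.123.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth0:1 Link encap:Ethernet HWaddr 00:13:72:5F:69:14
inet addr:192.168.123.10 Bcast:192.168.123.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth1 Link encap:Ethernet HWaddr 00:13:72:5F:69:15
inet addr:192.168.123.10 Bcast:192.168.123.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
"""

IFACE_RE = re.compile(r"^(\S+)\s+Link encap:")          # start of an interface stanza
INET_RE = re.compile(r"^\s*inet addr:(\d+\.\d+\.\d+\.\d+)")  # its IPv4 line

def parse_ifconfig(text):
    """Return {interface: ipv4} from net-tools style ifconfig output."""
    addrs, iface = {}, None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            iface = m.group(1)          # e.g. eth0, eth0:1, eth1, lo
        elif iface and (m := INET_RE.match(line)):
            addrs[iface] = m.group(1)
    return addrs

def duplicate_addresses(text):
    """IPv4 addresses configured on more than one interface. An alias and a
    physical NIC sharing an address is the misconfiguration pointed out above."""
    by_ip = defaultdict(list)
    for iface, ip in parse_ifconfig(text).items():
        by_ip[ip].append(iface)
    return {ip: ifs for ip, ifs in by_ip.items() if len(ifs) > 1}
```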
 
oh WOW, i had completely forgotten that i had the same ip setup on that interface...thx a lot....will take that out and test this again.
 
same thing...

root@host [/etc/sysconfig/network-scripts]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:13:72:5F:69:14
inet addr:192.168.123.5 Bcast:192.168.123.255 Mask:255.255.255.0
inet6 addr: fe80::213:72ff:fe5f:6914/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2402919439 errors:2615 dropped:0 overruns:0 frame:1268
TX packets:3900265087 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1394644256 (1.2 GiB) TX bytes:2699553637 (2.5 GiB)
Base address:0xecc0 Memory:fe6e0000-fe700000

eth0:1 Link encap:Ethernet HWaddr 00:13:72:5F:69:14
inet addr:192.168.123.10 Bcast:192.168.123.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Base address:0xecc0 Memory:fe6e0000-fe700000

eth1 Link encap:Ethernet HWaddr 00:13:72:5F:69:15
inet addr:192.168.123.15 Bcast:192.168.123.255 Mask:255.255.255.0
inet6 addr: fe80::213:72ff:fe5f:6915/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Base address:0xdcc0 Memory:fe4e0000-fe500000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:460245 errors:0 dropped:0 overruns:0 frame:0
TX packets:460245 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1390754925 (1.2 GiB) TX bytes:1390754925 (1.2 GiB)

in the link that Ace posted:

they have a different 2 ssl configuration setup...

they have:
<IfModule mod_ssl.c>
<VirtualHost 192.168.0.1:443>
***
</VirtualHost>
<VirtualHost 192.168.0.2:443>
***
</VirtualHost>
</IfModule>

but i have ie:
<IfDefine SSL>
<VirtualHost 192.168.0.1:443>
***
</VirtualHost>
<IfDefine SSL>
</IfDefine>
<VirtualHost 192.168.0.2:443>
***
</VirtualHost>
</IfDefine>

that doesn't make a difference does it?
 
i tried the actual domain name to make sure if the .10 is working and it isn't.

i did:
<VirtualHost 192.168.123.10> (not ssl)
.
..
...
</VirtualHost>
wasn't detecting it, when i browsed the domain, it showed the very 1st virtual host. the ".5"

8(
 
think it might be an apache issue from this point on because i followed the instructions accordingly and i cannot think of anything on the network side being wrong...testing things out with it...

currently have

NameVirtualHost 192.168.123.5:80
NameVirtualHost 192.168.123.10:80

<VirtualHost 192.168.123.5>
</VirtualHost>
<VirtualHost 192.168.123.10>
</VirtualHost>
 
Sorry to leave you high and dry so long but I had to work late today (very late). When you say "It doesn't work", do you mean the ip aliasing or the vhosts? After taking a quick peek, it looks like the aliasing took. ;-) ssl doesn't work with name-based addressing because apache won't see the request for the name in the header. Therefore you need to use ip-based addressing. To use both, you need to bind the https addresses to port 443 and the regular http addresses to port 80. Just for kicks let's say you want .5 to be http and .10 and .15 to be https. Then you can set a few Listen directives like this:

Listen 192.168.123.5:80
Listen 192.168.123.10:443
Listen 192.168.123.15:443

Now tell apache what ip you're using for name-based vhosts.

NameVirtualHost 192.168.123.5:80

The newer versions of apache have a file called /etc/conf/conf.d/ssl.conf. If you have RHEL you may have 1.3.x. In that case you will need to uncomment all the ssl stuff in apache. The inside of an ssl container looks just like a regular vhost container. The difference is in the opening directive.

<VirtualHost *:80> All your name-based guys can use this because it's the ServerName directive apache is looking for.

<VirtualHost 192.168.123.10:443> This is important here because this is how the vhost is identified (ip-based).

There are a lot of ways people configure apache to handle these things. Some people use multiple instances of httpd. There are others who will argue that you can indeed use name-based addressing with ssl. Others will use Rewrite. Sorry if I'm not being much help to you but I thought you already knew how you wanted things set up but just needed help with the single ip address issue.

 
thx...and i do know how i want things set up, i just thought that maybe my way might be the wrong/not-best way.

anyway, i AM currently ALL using ip-based virtual hosts. in fact i've never had a name-based one.

i don't know why i even brought up "NameVirtualHost"....i don't even know why it was even in the conf file...weird

anyway, i'll continue to see what's causing the issue....any further advice would be very helpful and appreciated.
 
nevermind that last comment, i had just woken up from a long nap.
 
There are other who will argue that you can indeed use name-based addressing with ssl.
I'd love to know how that could possibly be accomplished.

As I understand it, the crypto handshake and decisions as to which SSL key to use are made before any packets carrying the HTTP request are ever sent. Which means Apache must decide on which virtual host's crypto to use before it receives the "Host:" HTTP request header. And Apache uses that header to decide which among a set of name-based hosts it should serve up.


Want the best answers? Ask the best questions! TANSTAAFL!
 
after doing some thinking, i think that the problem is still from the network side, and not apache.

because i tried various apache configurations and none of them could detect the new ip ".10"

 