2 SSL hosts on 1 ip 1

[CGI101]

so currently i have 2 websites hosted on 1 ip...

<VirtualHost 192.168.123.5>
ServerAlias DOMAIN-ONE.com
</VirtualHost>

<IfDefine SSL>
<VirtualHost 192.168.123.5:443>
ServerName DOMAIN-ONE.com
</VirtualHost>
</IfDefine>

AND THEN

<VirtualHost 192.168.123.5>
ServerAlias DOMAIN-TWO.com
</VirtualHost>

<IfDefine SSL>
<VirtualHost 192.168.123.5:443>
ServerName DOMAIN-TWO.com
</VirtualHost>
</IfDefine>

now the problem is that you cannot have 2 ssl hosts defined under the SAME ip, in this case, 192.168.123.5

in the apache conf file, is there anyway to do an if statement?

like this:
if (website = DOMAIN-ONE.com)
{
<IfDefine SSL>
DOMAIN-ONE CONTENTS
</IfDefine>
}
else
{
<IfDefine SSL>
DOMAIN-TWO CONTENTS
</IfDefine>
}

is that possible?

please note that i've already purchases TWO separate ssl certificates for both domains, but it just won't let use it cause of the ip issue.

the only solution i can think of would be to get another NIC card, hook up another connection to the switch with ANOTHER ip like 192.168.123.10, and do it that way.

can you guys think of any other solutions?

p.s. on the current interface, i CAN'T have any ip other than the 192.168.123.5.

 

[CGI101]

no big man, its all good.

i havn't told the story completely as it ACTUALLY is either because i thought that it would make it more confusing.

so here is the deal:
i have about 5 static ips but i'm only using one of them. the one that i'm using goes INTO a HARDWARE firewall, and then the firewall sends only ONE ip out, in this case, 192.168.123.5, which then goes OUT to the server. now this is where the problem is.

now, the firewall does NOT support more than 1 ip, so if i want to use another NIC with another IP, then i would have to get another box, install the firewall on it, and also use a 2nd NIC on the server. so it will be kind of complicated.

so let me see if i understand..."ip aliasing" only works if for example my firewall is sending out 2 ips?

...in this case 192.168.123.5 AND 192.168.123.10??

 

[RhythmAce]

Dude! Life just doesn't get any better than that. Here is what you can do. First get your mitts on a hub. Connect both your server and router directly to the outside world. Setup the linux firewall on the server (iptables) to only accept http and https on eth0. Use ip aliasing to assign two of your static ips to that bad boy. Then use a third static ip for your router. Setup you router as usual to give your network a gateway to the outside world. Now, the setup you already have for apache should work like nobody's business. Go Bears!!

Just a little side note. You can use iptables to do anything your router can. Just thought I'd let you know incase you were afraid to connect your server directly to the outside world. The thing is now you can use dns to point to two different addresses where your router couldn't.

 

[CGI101]

Go Bears!!

LOL

after reading that over and over, i still don't understand what you meant.

also, i don't have a router....during this thread, my router was my firewall...thats why i was saying that my "router" can only push through 1 ip.

here my setup.

world > switch > firewall > server.

 

[RhythmAce]

Ok - remember your y-cable scenario? Picture your switch as the y-cable. Unlike a router which forwards traffic based on ports and ip addresses, a switch uses hardware or MAC addreesses. This makes it transparent. You can connect a port on your switch to eth0 on your server and connect another port to your firewall and then on to the rest of you network. I hope my dendition turns out right but I'll try. This is what you will have:

World - Switch - Server
|
- Firewall/Router - Network

I'm assuming you have a hardware firewall/router and a network of some sort or why have a switch? ;-) Your server, or actually RHEL has software that can act act either a firewall, router or both. This software is called iptables and is what most cisco routers use. What I was saying earlier is that you don't need to worry about putting your server outside of your firewall because it can take care of itself just as well as any store bought firewall can. I'm not sure what you weren't getting so I shall continue to ramble on. Everything we've done to this point with the ip aliasing and ip based virtual hosting has set things up perfectly for this scenario. You have 5 public ip addresses. Use two of them for your virtual interfaces, eth0 and eth0:1 or eth0:0 if you hate skipping numbers. The old ip addresses .5 and .10 are history. Now when you setup the dns 'A' records for each of your domains, point them to the two ip addresses you used for the virtual interfaces. It should also go without saying that these two ips will be the ones used for your vhosts as well.

 

[CGI101]

lol, i know what iptables is. also, infact, i'm using it on the firewall as well.

unless i misunderstood what you said...there is no way that i'm connecting my server to the world without the firewall in the middle.

 

[RhythmAce]

With all due respect, the machine you are using as a server is a better firewall than the one you are using. If you don't think so, turn on iptabels on the server. Now block everything. There, ya see? Ya can't even get in from the back side. Keep in mind that even though you have a server on a machine listening to eth0 on port 80, your firewall has first dibs on those, you have blocked http traffic, apache will never see a thing. That being said, you may be putting too much stock in your firewall. It is not the people you block that can hurt you but the people that YOU let in. If you let people install scripts that run on on the server side, what's a stinkin' firewall gonna do? A firewall is designed to makesure everybody come in through the doors and not the windows. Once in, it's up to you to make sure you don't leave candy on the counter. Hackers don't spend valuable time crashing through firewalls, they walk through doors you have open, then they go snooping around room to room, picking up trinkets along their way. There are things you can do to make your overall server more secure such as running selinux but the best thing is to read up on the latest vulnerabilities of each server or port you have open. Reading everything there is to know about the care and feeding of a server or network is a lot of work but then, that's why you make the big bucks.

 

[CGI101]

you're saying its better to have iptables alone installed, just on the server?

why not have a firewall as an extra measurement of security....lets say that someone somehow breaks into the firewall and gets past its rules/filters....well, guess what, now they have another thing to break into, the server.

2 is better than 1.

btw, the only ports i have open on both the server & the firewall are 80 and 443...nothing else.

 

[RhythmAce]

Then your options are very limited. You can't do what you want with a router in the middle. Even if you had a zillion public ip addresses on the inside of the router, they cannot be accessed from the outside. That is because your router only cares about the protocol of the incoming request. So if the protocol is http, it forwards the request to the ip you specify on the same port it came in on. Apache has to be configured to accept requests on the same ip the router is sending them to or it will never here anything. Now if your router can be configured to forward requests based on the url of the request, then perhaps we can do something here. If not, I'm afraid the only thing we can do is access diferent ips either with mod_rewite or links.

 

[CGI101]

i see, so i guess i'll just use the 2nd NIC.

thx for all the help, gave you a star

 

[thedaver]

Gave a star on a 48 post thread?! Geez, you should be buying dinner! ;-)

D.E.R. Management - IT Project Management Consulting

http://www.dermanagement.com/

 

[CGI101]

ahahahahah, thats the most i can do.

 

[RhythmAce]

It's probably none of my business, but what will the second nic do for you?

Oh and Thanx for the star.

 

[CGI101]

well, by that i meant getting a 2nd NIC + a 2nd firewall.

then i can use the 2nd firewall with another public ip, and forward all its traffic to 192.168.123.10.