SSL to access sub-domain ONLY on new site

Status
Not open for further replies.

Ladyoclass

IS-IT--Management
Sep 18, 2002
11
US
I am trying to set up a web site using Linux enterprise server, Apache 2.0.46 and Tomcat. I have 2 sites on the server and I need one of them to be accessible only with SSL.
I have and subDomain.domain1.com and I need subDomain.domain1.com to be accessed only with SSL.

I am new at this and have tried to set them up with name-based virtual host settings and this doesn't seem to work.

The entire site can be accessed with SSL including and I don't need or want this to be SSL accessible although the default access doesn't initially send them to with SSL. There is a link on the page which sends them to but they can also access this site without the https.

Any help would be greatly appreciated. Because I am new at this, simple terms would also be greatly appreciated although I think I have a pretty good grasp on this [wavey]

Thank you!
 
I'm not sure I know the answer but I never let stuff like that keep me from replying to a good question. :) Have you tried to bind the sub-domain to port 443? i.e. <VirtualHost *:443> I think with Apache version 2.0 and above, you have to use ssl.conf for this vhost because you can no longer mix the 2 types under httpd.conf. One other drawback is certs apply to IP addresses rather than domains. You may have to use IP-based addressing but this is where my ignorance comes to the fore. I don't use SSL but I do know how to do virtual IP addressing. :)
 
Can I use IP virtual hosts (in ssl.conf) if I only have the one IP for this server? Bind to port 80 and to port 443 but only send port 443 traffic to the sub-domain?
 
If you want IP addressing for your virtual hosts and you just have one IP, you would do virtual IP addressing, often called IP aliasing. Basically what you do is create virtual network interfaces from your real one. For example, eth0, eth0:1, eth0:2 and so on. This is how you do that. Open up /etc/rc.d/rc.local with your favorite text editor. Then add the following lines:

/sbin/ifconfig eth0 xxx.xx.x.xx   # this is your real ip
/sbin/ifconfig eth0:0 192.168.0.10
/sbin/ifconfig eth0:1 192.168.0.11
# you can add up to 255 but at least one for each vhost

# setting up the routes

/sbin/route add -host xxx.xx.x.xx eth0   # real ip
/sbin/route add -host 192.168.0.10 eth0:0
/sbin/route add -host 192.168.0.11 eth0:1

In most cases, you don't have to add the lines with your real ip because they will already be loaded by the time rc.local is read at boot up. The ip addresses that start with 192 are network ip addresses and are not seen by the outside world. However, your local servers will have no problem finding them.
 
FWIW - We're doing exactly what you seem to be asking. One Apache server, multiple domains, ONLY ONE IP address.

Our DNS points all the requisite FQDNs to the same IP address. Our Apache.conf has separate <virtualserver> sections. Several of them accept http (port 80) and only ONE can accept SSL (port 443).

Works exactly as intended and works very well.

Bob
 
Thank you very much for the help. We will apply this today and see how we do.
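
Added example (not part of any post in this thread, and not the configuration any poster used): a sketch of the single-IP layout discussed above for Apache 2.0 with mod_ssl and mod_rewrite loaded, where only subDomain.domain1.com answers on port 443 and its port 80 host does nothing but redirect. The host name www.example.test, the document roots and the certificate and key paths are placeholders assumed for illustration; the Tomcat connector is left out.

```apache
# Added illustration. www.example.test and every file path below are placeholders.
# Listen lines belong in httpd.conf / ssl.conf only once; skip any already present.
Listen 80
Listen 443

NameVirtualHost *:80

# Plain-HTTP site. Listed first, so it is also the default for unmatched names on port 80.
<VirtualHost *:80>
    ServerName www.example.test
    DocumentRoot /var/www/main
</VirtualHost>

# Port 80 for the sub-domain serves no content; it only sends the browser to HTTPS.
<VirtualHost *:80>
    ServerName subDomain.domain1.com
    Redirect permanent / https://subDomain.domain1.com/
</VirtualHost>

# The one SSL virtual host on this IP address.
<VirtualHost *:443>
    ServerName subDomain.domain1.com
    DocumentRoot /var/www/subdomain

    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/subdomain.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/subdomain.key

    # Every name that resolves to this IP lands in this vhost when requested
    # with https://, so refuse any request whose Host header is not the sub-domain.
    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^subDomain\.domain1\.com(:443)?$ [NC]
    RewriteRule ^ - [F]
</VirtualHost>
```

Run `apachectl configtest` after editing, then request both host names over http:// and https:// to confirm that only the sub-domain is served on 443.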
 