
I wonder what is the "best" and recommended method of setting up SSL domains on a single IP, where there are redirects from :80 to :443. This was not entirely covered here, because I need those redirects (https://httpd.apache.org/docs/2.4/vhosts/name-based.html)

Domains are defined in DNS and all are redirecting to the same IP:

  • Set 1: example1.com and example1.org (they share the same documentroot).
  • Set 2: example2.com and example2.info (they also share another documentroot).

I have a lot of trouble setting this up in a way that they are on a single IP address. The idea is to first define normal :80 virtual servers, which catch the http:// protocol and redirect to https://. Then, the proper configuration is defined as a whole in *:443 as a name-based virtual host. However, I would like to have some 'default' dummy virtualhost, which will have an empty page in its own plain documentroot, and only when the request is to a specific domain (like in set1 or set2) should the whole virtualhost for that specific domain be loaded. I decided not to use Rewrites, because simple redirects are recommended for such a task. Using redirects worked well for a single domain only in my case.

My setup is the following:

<VirtualHost *:80>
    ServerName example1.com
    Redirect / https://example1.com
</VirtualHost>
<VirtualHost *:80>
    ServerName example1.org
    Redirect / https://example1.org
</VirtualHost>
<VirtualHost *:443>
    ServerName example1.com
    DocumentRoot .......
    .......
</VirtualHost>
<VirtualHost *:443>
    ServerName example1.org
    DocumentRoot .......
    .......
</VirtualHost>
<VirtualHost *:443>
    ServerName example2.com
    DocumentRoot .......
    .......
</VirtualHost>
<VirtualHost *:443>
    ServerName example2.info
    DocumentRoot .......
    .......
</VirtualHost>

One problem with this setup is that it does not work. Another problem is that it repeats itself lots of times. I think I need to configure something like this (pseudoconfig):

dummy configuration, catch for example pure IP requests, etc.

<Virtualdomain for example1.com and .org> if http is requested, redirect to https, and for both domains define the same setup: defined documentroot, all logs and certs for these domains, etc.

<AnotherVirtual for example2 .com and .info> here again - if http is requested, move to https; common documentroot, logs, etc.

I think somebody skilled in redirects can handle this or maybe there is some preferred way which I overlooked.

EDIT: OK, now the configuration has been tested out and I'm certain that I know what I have. And unfortunately it doesn't work.

I issued SSL certs for each site using acme.sh, by typing (domains changed because of privacy):

acme.sh --issue -d www.AAA.com -d AAA.com -d www.AAA.info -d AAA.info -w /home/path/aaa/www
cd /home/path/aaa/etc
acme.sh --install-cert -d www.AAA.com -d AAA.com -d www.AAA.info -d AAA.info --cert-file cert.pem --key-file priv.pem --fullchain-file fullchain.pem

This worked nicely, but the apache conf had ONLY this single domain configured in the vhost, and the ssl part had some fake/old certs to allow Apache to start. The cert was tested and the page was loaded in the browser using the http://AAA.com address, which was redirected properly to https://AAA.com, which also worked.

Then, I reconfigured apache to support the PPP.com domain, using a similar procedure. This also worked when I configured apache for the single domain only. Now, joining these two configurations DOES NOT WORK, because PPP.com is recognized as having the certificate of AAA.com, which triggers the error NET::ERR_CERT_COMMON_NAME_INVALID

So, I'm stuck. Here is my apache config for virtual hosts: https://pastebin.com/hK3g6K3m

The part included as common.cfg contains just standard SSL options and Directory access config, logs config, etc.

2 Answers

1

I have not tried myself what you want to accomplish, but if I were to have a go at it, I would do it like this:

  1. use a permanent redirect to redirect all HTTP traffic to its HTTPS counterpart (as you have done)
  2. use a RewriteRule in all the 'secondary' virtualhosts to rewrite the requests to be sent to the 'primary' virtualhost, in which you accept the requests and respond to them (this will also keep the URL of the secondary virtualhost visible to the visitor of your website)
  3. use includes to avoid repetition: put everything that can be shared amongst those virtualhosts (e.g. cache, SSL, etc. directives) in one or more text files that you then include inside the virtualhost definitions.
1
  • Thank you, includes are a good idea for avoiding much of the repetition.
    – piotao
    Jul 16, 2020 at 17:34
1

When doing ssl, you should take into account your certificates. For example, if you have a single certificate for both example1.com and example1.org, you could just create a single VirtualHost with a principal ServerName and a secondary (or more) ServerAlias. If you have independent certificates for each domain, you need to split all in their own VirtualHost since you cannot have multiple certificates at the same level.

Also, in versions prior to 2.4, NameVirtualHost *:443 is mandatory prior to any VirtualHost for apache to perform the SNI part, that is, show the cert you ask for and not the default.

The default https will be the first VirtualHost *:443 you define, so just move them around as you need.

As for the http part, if everything is going to be redirected to the https version of itself (nothing served over http), you could create a single VirtualHost *:80 with all the ServerAlias entries needed (it is not necessary, but it clarifies things) and use a single RewriteRule such as:

RewriteEngine On
# $1 is the path captured by the pattern; %{HTTP_HOST} is the requested host name
RewriteRule "^/?(.*)"        "https://%{HTTP_HOST}/$1" [L,R,NE]

I have not tested it, but it should work.

NOTE: I'm not using a Redirect because I do not know if it allows an environment variable in the substitution part, but you may try that as well.

7
  • Interesting!!! Thank you for pointing out this SNI description, I was not sure if something was wrong and this obviously is the clarification. SSL with virtualhosts has its own problems. I will try to configure my virtualhosts as described in the SNI description here: cwiki.apache.org/confluence/display/HTTPD/…
    – piotao
    Jul 16, 2020 at 17:47
  • NameVirtualHost is deprecated in Apache 2.4 and has no effect. It is not possible for this to be mandatory since it has no effect. It is still required if using the ancient Apache 2.2.
    Jul 16, 2020 at 18:03
  • I have not needed to use multiple VHs on Apache for a long time, but it was mandatory in previous versions and I wouldn't expect them to drop it. I'll add your comment to the response
    – NuTTyX
    Jul 16, 2020 at 18:18
  • I edited the question (now it's waiting for approval). Simply - two sites, two domains, one org/com, another com/info (aliased) and with certs generated by acme.sh - if a single one is configured, it works. Every single one is OK. The problem is with both of them. I've posted my config to pastebin.com/hK3g6K3m for investigation. One site is messed up with the other one - certificate error: NET::ERR_CERT_COMMON_NAME_INVALID
    – piotao
    Jul 16, 2020 at 22:05
  • You tried to edit my answer, not your question, I'm fixing that. In your code, both VirtualHost *:443 refer to the same SSLCertificateFile and SSLCertificateKeyFile; those directives, when used with relative paths (not beginning with /), build the path from the ServerRoot directory, not the DocumentRoot (and you should never put private keys in the document root because they can be downloaded!), thus the same files. When you issue the cert, make sure you name each file independently from the second issue (i.e. fullchainAAA.crt and fullchainPPP.crt - and privAAA.pem, and so on).
    – NuTTyX
    Jul 16, 2020 at 22:29
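A complete vhost layout that combines the advice from both answers and the last comment: a default host defined first, includes for the shared parts, ServerAlias where one certificate covers both names of a set, a single :80 host with the RewriteRule, and per-site certificate files kept outside the DocumentRoot. This is an added example, not the pastebin config from the question or code from either answer; the file paths, the default.invalid name and what common.cfg contains are assumptions.

```apache
# Added example; paths, cert file names and common.cfg contents are assumed.

# 1. Default host: the first *:443 VirtualHost is what Apache serves when no
#    ServerName/ServerAlias matches (bare IP, unknown Host), so it goes first
#    and gets its own empty DocumentRoot and its own certificate.
<VirtualHost *:443>
    ServerName default.invalid
    DocumentRoot /var/www/empty
    SSLEngine on
    SSLCertificateFile    /etc/ssl/private/default/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/default/priv.pem
    Include /etc/apache2/common.cfg
</VirtualHost>

# 2. One plain-HTTP host for every name. Nothing is served over HTTP; each
#    request is permanently redirected to the same host and path over HTTPS.
#    $1 is the RewriteRule capture; %{HTTP_HOST} is the client's Host header.
<VirtualHost *:80>
    ServerName example1.com
    ServerAlias www.example1.com example1.org www.example1.org
    ServerAlias example2.com www.example2.com example2.info www.example2.info
    RewriteEngine On
    RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE]
</VirtualHost>

# 3. Set 1: one certificate covers both names, so one host with ServerAlias.
#    Key and chain live outside the DocumentRoot, in a per-site directory, so
#    the two hosts cannot end up pointing at the same relative file name.
<VirtualHost *:443>
    ServerName example1.com
    ServerAlias www.example1.com example1.org www.example1.org
    DocumentRoot /home/path/example1/www
    SSLEngine on
    SSLCertificateFile    /etc/ssl/private/example1/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/example1/priv.pem
    Include /etc/apache2/common.cfg
</VirtualHost>

# 4. Set 2: same pattern with its own certificate; SNI selects this host.
<VirtualHost *:443>
    ServerName example2.com
    ServerAlias www.example2.com example2.info www.example2.info
    DocumentRoot /home/path/example2/www
    SSLEngine on
    SSLCertificateFile    /etc/ssl/private/example2/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/example2/priv.pem
    Include /etc/apache2/common.cfg
</VirtualHost>
```

Check the syntax with apachectl -t, then confirm each name gets its own certificate with openssl s_client -connect <server-ip>:443 -servername example2.com (repeat per name); a wrong certificate in that output is exactly what the browser reports as NET::ERR_CERT_COMMON_NAME_INVALID.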
