1

I have set up a Debian LAMP server where I host multiple websites. As far as I know I can only use SSL on one of them; if I'd like to use SSL on two or more sites I'd have to add another IP. So far so good.

The problem is that whenever I type https://siteone.com or https://sitetwo.com it always displays the content from: https://siteone.com. I'd rather it display some error message or something else but absolutely not to display my main site's content (which is where I want the SSL to work).

Note: my Debian web server uses ISPConfig as its control panel.

0

4 Answers

2

Make sure you have your virtual hosts set up correctly such that each virtual host binds only to a single IP address. The Apache documentation for IP-based virtual hosting says that your virtual hosts should look similar to the following:

    <VirtualHost 192.168.0.1:443>
        ServerAdmin [email protected]
        DocumentRoot /groups/smallco/www
        ServerName smallco.example.com
        ErrorLog /groups/smallco/logs/error_log
        TransferLog /groups/smallco/logs/access_log
    </VirtualHost>

    <VirtualHost 192.168.0.2:443>
        ServerAdmin [email protected]
        DocumentRoot /groups/baygroup/www
        ServerName baygroup.example.com
        ErrorLog /groups/baygroup/logs/error_log
        TransferLog /groups/baygroup/logs/access_log
    </VirtualHost>

The first virtual host listed in your Apache config is the default one. Add a fake one before your first two just to ensure that you are actually matching your virtual hosts, and not just blindly falling into the first one. Here is a more complete article about such a setup from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21045922

2
  • This is the way it was configured, actually this gets written by ISPConfig. All .vhost files are under /etc/apache/sites-enabled and match that structure. Commented Mar 8, 2013 at 7:59
  • The link to 000-default-ssl in /etc/apache2/sites-enabled was not created. I just created that link and changed <VirtualHost default:443> to <VirtualHost myip:443> and it successfully worked! Your answer is not exactly answering but it helped me a lot. Thanks for your reply. Commented Mar 10, 2013 at 21:52
2

See this page titled Using Multiple SSL Certificates in Apache with One IP Address.

3
  • 1
    Xabier was asking about a case with multiple IP addresses. Commented Mar 8, 2013 at 2:28
  • @StephenOstermiller, he said "As far as I know [...] I'd have to add another IP." I interpreted "have" as 'be required to', and that a single IP would be best. Also, because additional IPs incur an additional charge 99.99% of the time. Commented Mar 8, 2013 at 7:37
  • Actually, I was trying to say that I do not want to install an additional IP. :-) Commented Mar 10, 2013 at 22:05
2

If Stephen's advice isn't quite working for you then make sure that you also have the following line in your Apache config file:

    NameVirtualHost *:443

Also, FRB is right. You CAN have SSL on as many of these Virtual machines as you like. Just put the SSL config info inside the <VirtualHost></VirtualHost> code block.

Something like this (also notice that it's not necessary to bind to specific IPs when using named hosts):

    ## SSL (HTTPS) PORT 443
    Listen 443
    NameVirtualHost *:443
    LoadModule ssl_module modules/mod_ssl.so
    SSLPassPhraseDialog builtin
    SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
    SSLSessionCacheTimeout 300
    SSLMutex default
    SSLRandomSeed startup file:/dev/urandom 256
    SSLRandomSeed connect builtin
    SSLCryptoDevice builtin

    <VirtualHost *:443>
        ServerName host1.com
        SSLEngine on
        SSLOptions +StrictRequire
        SSLProtocol -all +TLSv1 +SSLv3
        SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
        SSLCertificateFile /etc/httpd/ssl/host1.crt
        SSLCertificateKeyFile /etc/httpd/ssl/host1.key
        SSLVerifyClient none
        SSLProxyEngine off
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        DocumentRoot /var/www/host1/
        <Directory "/var/www/host1/">
            Options Indexes FollowSymLinks
            AllowOverride All
            Order Allow,deny
            Allow from all
        </Directory>
    </VirtualHost>

    <VirtualHost *:443>
        ServerName host2.com
        SSLEngine on
        SSLOptions +StrictRequire
        SSLProtocol -all +TLSv1 +SSLv3
        SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
        SSLCertificateFile /etc/httpd/ssl/host2.crt
        SSLCertificateKeyFile /etc/httpd/ssl/host2.key
        SSLVerifyClient none
        SSLProxyEngine off
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        DocumentRoot /var/www/host2/
        <Directory "/var/www/host2/">
            Options Indexes FollowSymLinks
            AllowOverride All
            Order Allow,deny
            Allow from all
        </Directory>
    </VirtualHost>
1

You can actually do multiple SSL sites on the same IP address, without using SNI. The (primary) catch is that you have to be using the same certificate, which must have all the required domains as Subject Alternative Names. (These will make the cert cost extra.) The implication is that all the sites are for the same organisation.

Apache2 handles SSL in two phases. The first phase involves checking for an "SSLEngine on" statement in the default (first) virtualhost block for the IP address, then starting the SSL connection. The second phase involves checking the ServerName/ServerAlias directives until the correct virtualhost is identified.

So you don't actually need to duplicate the SSL* directives in each virtualhost, but it helps draw people's attention to the fact that it's an SSL site. (Otherwise they'd have to notice the port number.)

The secondary catch is that there will be a warning added to error_log every time Apache starts up.
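The fall-through behaviour the answers above describe (the first virtual host for an address is the default; ServerName/ServerAlias are checked afterwards) can be audited offline. This is an added example, not code from any of the answers or from Apache: a simplified model of that selection which lists the hostnames whose HTTPS requests would be answered by the default SSL virtual host. It assumes one `address:port` per `<VirtualHost>` and no wildcard aliases; the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample (not from the page): two sites on one IP, only siteone.com has SSL.
SAMPLE_CONF = """
<VirtualHost 203.0.113.10:80>
    ServerName siteone.com
</VirtualHost>
<VirtualHost 203.0.113.10:80>
    ServerName sitetwo.com
</VirtualHost>
<VirtualHost 203.0.113.10:443>
    ServerName siteone.com
    SSLEngine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+)$", re.M | re.I)

def parse_vhosts(conf):
    """Return vhosts in file order: address, port, and ServerName/ServerAlias names."""
    vhosts = []
    for addr_port, body in VHOST_RE.findall(conf):
        addr, _, port = addr_port.rpartition(":")
        names = [n.lower() for line in NAME_RE.findall(body) for n in line.split()]
        vhosts.append({"addr": addr, "port": port, "names": names})
    return vhosts

def select_vhost(vhosts, addr, port, host):
    """Return (vhost, matched_by_name); with no name match the first candidate wins."""
    candidates = [v for v in vhosts if v["port"] == port and v["addr"] in (addr, "*")]
    for v in candidates:
        if host.lower() in v["names"]:
            return v, True
    return (candidates[0], False) if candidates else (None, False)

def https_fallthroughs(conf, addr):
    """Map each name served on :80 to the :443 vhost that answers it by default."""
    vhosts = parse_vhosts(conf)
    hosts = sorted({n for v in vhosts if v["port"] == "80" for n in v["names"]})
    leaks = {}
    for host in hosts:
        v, matched = select_vhost(vhosts, addr, "443", host)
        if v is not None and not matched:
            leaks[host] = v["names"][0] if v["names"] else "(unnamed)"
    return leaks

if __name__ == "__main__":
    for host, default in https_fallthroughs(SAMPLE_CONF, "203.0.113.10").items():
        print(f"https://{host} would be answered by default vhost {default}")
```

Placing a dedicated placeholder virtual host first for the address changes which host absorbs the unmatched names; the report then names the placeholder instead of the main site.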
