Apache2 Documentation: Name Based SSL VirtualHosts

    I'm not sure what's going on here, but I think the Apache2 documentation may be out of date. It says this:

    Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?
    Name-Based Virtual Hosting is a very popular method of identifying different virtual hosts. It allows you to use the same IP address and the same port number for many different sites. When people move on to SSL, it seems natural to assume that the same method can be used to have lots of different SSL virtual hosts on the same server.

    It comes as rather a shock to learn that it is impossible.

    The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the SSL session is a separate transaction, that takes place before the HTTP session has begun. The server receives an SSL request on IP address X and port Y (usually 443). Since the SSL request does not contain any Host: field, the server has no way to decide which SSL virtual host to use. Usually, it will just use the first one it finds, which matches the port and IP address specified.

    You can, of course, use Name-Based Virtual Hosting to identify many non-SSL virtual hosts (all on port 80, for example) and then have a single SSL virtual host (on port 443). But if you do this, you must make sure to put the non-SSL port number on the NameVirtualHost directive, e.g.

    NameVirtualHost 192.168.1.1:80

    Other workaround solutions include:

    Using separate IP addresses for different SSL hosts.
    Using different port numbers for different SSL hosts.
    (from here: http://httpd.apache.org/docs/2.0/ssl...q.html#vhosts2 )


    However, I have two name based virtual hosts running on the same server, at the same IP address and port number.

    So... have there been developments since the Apache2 documentation was written?

    Feathers
    samhobbs.co.uk

    #2
    Hmm, this makes it clearer:

    https://wiki.apache.org/httpd/NameBasedSSLVHosts

    So you can do it, but you will get the cert for the first host defined, regardless of which site you connect to. Fair enough!

    An interesting related problem:

    I was also trying to set up a default virtual host that would deny a request by default unless it includes a valid domain name (like www.samhobbs.co.uk), and couldn't get it working... I think I've worked out why.

    Squirrelmail's Apache2 configuration file (/etc/squirrelmail/apache.conf) is loaded before the default virtual host file (/etc/apache2/sites-available/default-ssl) by a symbolic link from /etc/apache2/conf.d/squirrelmail.conf. I placed this block in the default-ssl file, but I guess it wasn't the first VirtualHost block to be read, and therefore wasn't treated as the default:

    Code:
    <VirtualHost *:443>
            ServerName default.only
            <Location />
                    Order allow,deny
                    Deny from all
            </Location>
    
            SSLEngine on
            SSLCertificateFile /etc/ssl/certs/2013-12-02-wildcard.samhobbs.crt
            SSLCertificateKeyFile /etc/ssl/private/2013-12-02-wildcard.samhobbs.key
    </VirtualHost>
    I could have figured this out earlier by requesting https://my-IP-address, which currently serves Squirrelmail.

    I'll have to put the block above in front of the Squirrelmail virtual host block, and see what happens!

    Feathers
    samhobbs.co.uk
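To see which block Apache will actually treat as the default for a given address:port, here is an added example (not from the thread or the Apache project) that walks configuration files in include order and reports the first matching <VirtualHost>; the file names, the webmail.example.com ServerName and the include order are constructed to mirror the situation described above.

```python
import re

# Apache directive names are case-insensitive; these match section openers/closers.
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.IGNORECASE)
SERVERNAME = re.compile(r"^\s*ServerName\s+(\S+)", re.IGNORECASE)

def vhosts_in_load_order(files):
    """Yield (file, address, servername) for each <VirtualHost> block, walking
    the files in the order given (which must be Apache's include order)."""
    for fname, text in files:
        addr, name = None, None
        for line in text.splitlines():
            m = VHOST_OPEN.match(line)
            if m:
                addr, name = m.group(1).strip(), None
            elif addr is not None and SERVERNAME.match(line):
                name = SERVERNAME.match(line).group(1)
            elif addr is not None and VHOST_CLOSE.match(line):
                yield fname, addr, name
                addr = None

def default_vhost(files, address):
    """First vhost bound to `address` (exact string match on the <VirtualHost> argument).
    Apache falls back to it when no ServerName/ServerAlias matches the Host header,
    including requests made straight to the IP address such as https://192.0.2.10/."""
    for fname, addr, name in vhosts_in_load_order(files):
        if addr == address:
            return fname, name
    return None

# Constructed sample mirroring the thread: on Debian, conf.d/ is included before
# sites-enabled/, so the webmail vhost is read first and becomes the *:443 default.
SQUIRRELMAIL_CONF = """<VirtualHost *:443>
    ServerName webmail.example.com
</VirtualHost>
"""
DEFAULT_SSL = """<VirtualHost *:443>
    ServerName default.only
    <Location />
        Order allow,deny
        Deny from all
    </Location>
</VirtualHost>
"""
DEBIAN_ORDER = [("conf.d/squirrelmail.conf", SQUIRRELMAIL_CONF),
                ("sites-enabled/default-ssl", DEFAULT_SSL)]
```

Feed it the real files in the order apache2.conf includes them (`apachectl -S` shows the same default per address:port on a live server).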



      #3
      [Attached screenshot: forbidden.png]

      Woop woop!

      A little bit of extra security through obscurity

      Feathers
      samhobbs.co.uk



        #4
        Originally posted by Feathers McGraw View Post
        A little bit of extra security through obscurity
        Your Apache skills are growing, nice.

        I'm curious what risks you think you might be mitigating, though? IP addresses aren't secrets.



          #5
          Originally posted by SteveRiley View Post
          Your Apache skills are growing, nice.

          I'm curious what risks you think you might be mitigating, though? IP addresses aren't secrets.
          No, but automated scripts looking for login pages to bash aren't going to find that page just by visiting my IP address, they now need to request a specific subdomain.
          samhobbs.co.uk



            #6
            Good point. Have you seen such activity in your logs?



              #7
              Originally posted by SteveRiley View Post
              Good point. Have you seen such activity in your logs?
              Nope, but it's still worth doing!

              Some jerk in Ukraine is trying to guess my WordPress login though. They're always trying the wrong username, and their IP address gets blocked after a few tries, but I think they have a dynamic IP address because it just continues from another IP.

              Something I'm keeping an eye on.
              Last edited by Feathers McGraw; Jan 04, 2014, 12:09 PM.
              samhobbs.co.uk



                #8
                Yeah, it's fascinating to watch sometimes.

                Have you had a chance to look at Fail2Ban yet?



                  #9
                  Not yet, no. I was setting up OwnCloud 6 again.

                  Last time I had it set up (with OwnCloud 5), I had my main server set up as a gateway to forward requests to the OwnCloud subdomain on to the OwnCloud server. I pulled the plug because it was using too much processing power on the main server to do this, so OwnCloud traffic comes in on a different (non-standard) port now.

                  This works fine for the clients on my computer and tablet, I just can't connect in a browser at work because the company firewall is blocking the outbound connection on the non-standard port. I can live with that, though.

                  I'm also planning on looking at Ampache, just to see if I can get it to work, as a demonstration that you don't need Google for that kind of thing.
                  samhobbs.co.uk



                    #10
                    Wow, your employer seems pretty restrictive. Not every web server in the world listens on only 80/tcp or 443/tcp. Possible guess: your employer might be allowing outbound connections to some other semi-popular ports. Try running your OwnCloud server on 88/tcp, 8080/tcp, or 90/tcp. See if you can get to those ports from inside your employer's network.

                    Also, given that you're running all these servers on Raspberry Pis, I wonder if you might have better luck using Lighttpd rather than Apache. Right now, your servers are running apache2-mpm-prefork, the non-threaded version. This is normal for PHP-based sites because PHP isn't completely thread-safe and thus can't be loaded directly into web servers that spawn multiple threads. But it's also not the best for performance. Lighttpd is event-driven and multithreaded, which utilizes your CPU's resources more efficiently. To integrate Lighttpd with PHP5, you'll need some CGI/FastCGI "glue." These act as wrappers around PHP5; each thread calls to PHP5 individually as needed. By not directly integrating PHP5 into the web server, you can enjoy the advantages of multithreading without risking damage to PHP applications.

                    See here:
                    http://raspberrypi.stackexchange.com...httpd-with-php
                    http://www.howtoforge.com/installing...-debian-wheezy
                    Last edited by SteveRiley; Jan 04, 2014, 02:02 PM.



                      #11
                      The port I'm using is 2443 (easy to remember... but perhaps not the best for the firewall)

                      Is there a way to test those ports you suggested without setting my server up first? I.e. do you know some web servers listening on those ports that I can try to connect to in a browser from work to test?

                      Thanks for the links, I'll have a look at lighttpd and see what difference it makes to Owncloud.

                      Feathers

                      EDIT: Just to clarify, the server is accepting connections on 443, but the connection from WAN is made to 2443, and my router forwards incoming connections to 2443 to 443 at the Owncloud server's LAN IP.
                      Last edited by Feathers McGraw; Jan 04, 2014, 07:49 PM.
                      samhobbs.co.uk



                        #12
                        I don't know of any. It wouldn't be too difficult to set up a few yourself. Define an Apache virtual server on each of these ports and include a basic index.html for each. Open the respective ports in your router and forward them to your server.

                        I have Owncloud 6.0.0a running on Lighttpd in an Arch VM now. I'll post some details later.



                          #13
                          Originally posted by SteveRiley View Post
                          Have you had a chance to look at Fail2Ban yet?
                          I'm definitely going to have to look at this now. The WordPress plugin I was using to ban IPs of failed logins and too many 404s (Better WP Security) works by editing the .htaccess file to deny IPs.

                          Problem is, sometimes if you get loads of attacks at the same time and it tries to do too much at once it corrupts the file, duplicates a bit at the end and doesn't close an <IfModule>, so everyone visiting the site gets a 500 internal server error. Effing marvellous.

                          It's happened three times now. The first two times I just manually edited the .htaccess file and that solved the problem, but this time something stranger has happened: the theme won't load properly unless I'm logged in. No server errors in the log file. The content is displaying, but it's not formatted correctly...

                          I hope that no malicious changes have been made to the theme :/ will remove it and reinstall tomorrow, see if that has any effect.

                          Feathers
                          samhobbs.co.uk
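A pre-flight check for the kind of corruption described above, added here as an example that is not part of the thread or of any plugin: it parses the section directives in a .htaccess with a stack and reports any <IfModule> (or other section) that is opened but never closed, or closed without being opened, with line numbers. The sample file is constructed and the IP address is a documentation address.

```python
import re

# Apache section directives look like <Name args> ... </Name>; names are case-insensitive.
OPEN_RE = re.compile(r"^\s*<(?!/)([A-Za-z]+)[^>]*>\s*$")
CLOSE_RE = re.compile(r"^\s*</([A-Za-z]+)>\s*$")

def check_sections(text):
    """Return [(line_number, message), ...] for unbalanced sections.
    An empty list means every <Section> has exactly one matching </Section>."""
    stack, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = OPEN_RE.match(line)
        if m:
            stack.append((m.group(1), lineno))
            continue
        m = CLOSE_RE.match(line)
        if m:
            if stack and stack[-1][0].lower() == m.group(1).lower():
                stack.pop()
            else:
                problems.append((lineno, "unexpected </%s>" % m.group(1)))
    # Whatever is still on the stack was never closed (reported innermost last).
    for name, lineno in stack:
        problems.append((lineno, "<%s> opened here is never closed" % name))
    return problems

# Constructed sample resembling the failure in the thread: the file was rewritten under
# concurrent updates and its tail was duplicated without the closing </IfModule>.
CORRUPTED_HTACCESS = """\
# BEGIN Better WP Security
<IfModule mod_rewrite.c>
RewriteEngine On
</IfModule>
order allow,deny
deny from 198.51.100.7
allow from all
<IfModule mod_rewrite.c>
RewriteEngine On
deny from 198.51.100.7
allow from all
"""
```

Running it before anything is allowed to overwrite the live .htaccess (or from a cron job afterwards) turns a site-wide 500 into a specific line number.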
