The dreaded name-based-vhosts-and-SSL question

I've wondered many times over the years why I couldn't have multiple SSL name-based virtual hosts with Apache. I've become confused more than once about whether the preceding sentence is true, but I now believe it is. The relevant sentence in the documentation is "Name-based virtual hosting cannot be used with SSL secure servers because of the nature of the SSL protocol." I'm not sure how it could be more uninformative…

Red Hat's documentation gives a bit more of a clue about what is going on, saying "Note: You can not use name based virtual hosts with SSL, because the SSL handshake (when the browser accepts the secure Web server's certificate) occurs before the HTTP request which identifies the appropriate name based virtual host. If you want to use name-based virtual hosts, they will only work with your non-secure Web server." I thought about that for a minute when I finally found it tonight—it seemed to me that all that was really needed was to accept that each IP address could have only a single PKI certificate. (Actually, given the information transmitted by TLS, even that requirement might be loosened; I'd have to glance at the protocol to be sure one way or the other.) Once a secure connection was established, name-based vhosting could still be used to select between port 443 vhosts on the site. Sure, this would have security issues; for what I was trying to do, though, it would be fine.

It looks like the Apache folks are not going to be helpful here.

At this point, I ran across the commercial LiteSpeed HTTP server. This server's SSL support documentation seems to confirm my analysis: "Since a SSL certificate is bundled with a listener, if a virtual host requires a dedicated certificate, a dedicated SSL listener must be created for that virtual host. In other words, that virtual host must be an IP based virtual host." A "listener" in LiteSpeed parlance is separate from a vhost, so the certificate is tied to the address being listened on rather than to any host name, which is essentially what I had concluded.
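As an added illustration (not code from this post, from Apache or from LiteSpeed), here is a small Python model of the two-stage dispatch described above: the certificate is chosen per listener during the handshake, when nothing but the local IP and port is known, and the Host header can only be read afterwards, from the decrypted request. It goes one step beyond the text by also checking whether the listener's single certificate names the host the client asked for, since that is what a browser would complain about; the listener addresses, host names and document roots are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Listener:
    """One SSL listener: one IP:port, and therefore exactly one certificate."""
    ip: str
    port: int
    cert_names: tuple   # names the listener's certificate is issued for
    vhosts: dict        # ServerName -> document root

def choose_certificate(listener):
    """Step 1, the handshake: only the socket's local address is known, so the
    certificate can depend on nothing but the listener."""
    return listener.cert_names

def host_header(request):
    """Step 2, after the handshake: parse the now-decrypted HTTP request."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().rsplit(":", 1)[0].lower()   # drop any :port
    raise ValueError("no Host header in request")

def name_covers(cert_name, host):
    """Certificate name match; a wildcard may only stand for the leftmost label."""
    p, h = cert_name.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and all(
        a == b or (a == "*" and i == 0) for i, (a, b) in enumerate(zip(p, h)))

def dispatch(listener, request):
    """Name-based vhost selection behind one certificate. Returns the docroot
    and a warning when the certificate shown in step 1 does not name the host
    requested in step 2 (the mismatch a browser would flag)."""
    names = choose_certificate(listener)
    host = host_header(request)
    default = next(iter(listener.vhosts.values()))   # first vhost is the default
    docroot = listener.vhosts.get(host, default)
    warning = None
    if not any(name_covers(n, host) for n in names):
        warning = f"certificate for {names} shown, but client asked for {host}"
    return docroot, warning

# Constructed sample data (RFC 5737 documentation addresses, example.org names).
VHOSTS = {"tracks.example.org": "/srv/tracks", "www.example.org": "/srv/www"}
SINGLE_NAME = Listener("192.0.2.10", 443, ("tracks.example.org",), VHOSTS)
WILDCARD = Listener("192.0.2.11", 443, ("*.example.org",), VHOSTS)
REQUEST_TRACKS = b"GET /todos HTTP/1.1\r\nHost: tracks.example.org\r\n\r\n"
REQUEST_WWW = b"GET / HTTP/1.1\r\nHost: www.example.org:443\r\n\r\n"
```

Running `dispatch(SINGLE_NAME, REQUEST_WWW)` routes to the www vhost but returns a warning, while the same request on `WILDCARD` routes cleanly, which is the "one certificate per address must cover every name behind it" constraint in miniature.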

OK, now what?

I checked out the alternate HTTP server flavor of the week, lighttpd. It's reportedly much faster than Apache 2 at serving Rails content, which is what I currently care about. I had assumed lighttpd lacked SSL support; I was wrong. What is still unclear is how name-based virtual hosts and SSL interact on that server. It looks OK, but I can't tell from the documentation; I guess I have to try it.

I can't believe all this is so hard, nor that it cost me another night's sleep.

Friend of Bart


Keep us posted!

I learned quite some time ago about the handshake before virtualization thing but it didn't occur to me to go any further with it... keep us posted if you make progress on this!

Parenthetically, I must say I'm surprised you have time for Ruby on Rails based on a conversation we had not so long ago. I'm also quite curious about your experiences here too.

I should be clear

It's not so much that I am doing Rails work myself; I just am trying to run the tracks software, which is a Rails app. I need SSL for it because, like most users, I'd like to be able to access it remotely and don't really want my to-do list flowing unencrypted over the net.

Also, it looks like our department web site is going to move to Rails real soon. Right now, the prototype is running on the webrick built-in server; if I figure this stuff out I can help them move it to Apache 2 (or some other serious HTTP server).

I'll let you know what setup I end up with.
