Developers’ Weblog


Configuring name-based Apache vhosts with SSL and IPv6… is hard. Really. This is probably due to it being “a patchy webserver”. Here is a quick cut and paste solution, well, sort of.

Scenario: I have a web server running name-based vhosts on the SSL port. I get either a wildcard certificate or – in my case – a certificate with some subjectAltName extensions set; CAcert supports these now. All vhosts I wish to serve must be included, and the primary commonName (as part of the distinguishedName) ought to be the host’s primary FQDN, and it must be duplicated as subjectAltName.

I wish to serve a default page (just the standard index.htm from /var/www/htdocs/) to everyone who does not provide a proper host name (e.g. speaking HTTP/1.0 without Host: header, or just probing my IP addresses), and a couple of vhosts to everyone else. I use one IPv4 and one IPv6 address. The vhost configuration is placed in several files in /var/www/conf/vhosts/ called «vhostname».«port»; if some information is to be shared (e.g. vhost on both port 80 and 443), these are placed in «vhostname».common and included by the port configs.

Important: Do not use wildcard vhosts, they won’t work and give errors. Do not use the _default_ vhost in any form, it silently won’t work.

You might want to place directory information in the vhost configuration file instead of in the main configuration file.

Part of httpd.conf is:

	ServerAdmin «mail address for the server itself»
	ServerName «main FQDN»

	NameVirtualHost 192.0.2.1 443
	NameVirtualHost 2001:db8:1234:1::1 443

	<IfDefine SSL>

	<VirtualHost 192.0.2.1:443>
	Include /var/www/conf/vhosts/eurynome.443
	</VirtualHost>

	<VirtualHost [2001:db8:1234:1::1]:443>
	Include /var/www/conf/vhosts/eurynome.443
	</VirtualHost>

	<VirtualHost 192.0.2.1:443>
	Include /var/www/conf/vhosts/call.443
	</VirtualHost>

	<VirtualHost [2001:db8:1234:1::1]:443>
	Include /var/www/conf/vhosts/call.443
	</VirtualHost>

	<VirtualHost 192.0.2.1:443>
	Include /var/www/conf/vhosts/default.443
	</VirtualHost>

	<VirtualHost [2001:db8:1234:1::1]:443>
	Include /var/www/conf/vhosts/default.443
	</VirtualHost>

	</IfDefine>
 

(using documentation addresses)

Make sure every vhost except the default one sets ServerName (and ServerAdmin if it differs), and DocumentRoot etc. as usual. The default vhost does not need to set ServerName, but the line
ServerAlias *
must be present and it must be the last vhost in the list, as above.
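
The rules above can be checked mechanically before a reload. The following Python sketch is an added example, not part of the original post: it flags wildcard or _default_ vhosts, vhosts without ServerName, and a `ServerAlias *` vhost that is missing or not last for its address. The contents of the included files, the host names and the helper names `lint`, `directives` and `vhost` are constructed for illustration.

```python
import re
from collections import defaultdict

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directives(body, includes):
    """Split a vhost body into directives, inlining Include'd files from a dict."""
    lines = []
    for line in body.splitlines():
        words = line.split()
        if len(words) == 2 and words[0].lower() == "include":
            lines.extend(includes.get(words[1], "").splitlines())
        else:
            lines.append(line)
    return [l.split() for l in lines if l.strip() and not l.lstrip().startswith("#")]

def lint(conf, includes):
    """Return findings; an empty list means the rules from the post hold."""
    findings, order = [], defaultdict(list)   # order: address -> catch-all flags in file order
    for addr, body in VHOST_RE.findall(conf):
        addr = addr.strip()
        if addr.startswith("*") or addr.lower().startswith("_default_"):
            findings.append(f"{addr}: wildcard or _default_ vhost")
            continue
        ds = directives(body, includes)
        catch_all = any(d[0].lower() == "serveralias" and "*" in d[1:] for d in ds)
        if not catch_all and not any(d[0].lower() == "servername" for d in ds):
            findings.append(f"{addr}: vhost without ServerName")
        order[addr].append(catch_all)
    for addr, flags in order.items():
        if True not in flags:
            findings.append(f"{addr}: no 'ServerAlias *' default vhost")
        elif flags.index(True) != len(flags) - 1:
            findings.append(f"{addr}: 'ServerAlias *' vhost is not last")
    return findings

# Constructed sample input: file names follow the post, contents and host names are made up.
INCLUDES = {
    "vhosts/eurynome.443": "ServerName eurynome.example.org\nDocumentRoot /var/www/eurynome",
    "vhosts/call.443": "ServerName call.example.org\nDocumentRoot /var/www/call",
    "vhosts/default.443": "ServerAlias *\nDocumentRoot /var/www/htdocs",
}
def vhost(addr, name):
    return f"<VirtualHost {addr}>\nInclude vhosts/{name}.443\n</VirtualHost>\n"
V4, V6 = "192.0.2.1:443", "[2001:db8:1234:1::1]:443"
GOOD = "".join(vhost(a, n) for n in ("eurynome", "call", "default") for a in (V4, V6))
BAD = vhost("_default_:443", "default") + vhost(V4, "default") + vhost(V4, "call")
if __name__ == "__main__":
    for label, conf in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint(conf, INCLUDES) or "ok")
```
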

If you still have questions – especially now that even OpenBSD has seen the light and applied the IPv6 patch I not only applied to MirBSD some four years ago but also suggested to them some two or three times – come to IRC or drop us an eMail, and we’ll try to fix things. Apache is definitely historic ballast, but still common enough on today’s Unices.
