Enable multiple SSL vhosts and certificates on a single IP with Apache

Historically, if you wanted to host multiple SSL-enabled web sites, you needed a unique IP address for each site. With the advent of SNI, one IP address per SSL certificate is no longer necessary. Server Name Indication (SNI) is a TLS extension that makes SSL-enabled name-based virtual hosts possible: the client sends the host name it wants as part of the handshake, so the server can pick the matching certificate before it is sent. This eliminates the need to assign one IP address per secure virtual host; all secure virtual hosts can share the same IP address and port combination. However, SNI has only recently gained support in browsers. The browsers confirmed to support SNI are:

  • Opera 8.0+ (with TLS 1.1 enabled)
  • Firefox 2+
  • Internet Explorer 7+
  • Safari 3.2.1+ on Vista or higher and Mac OS X 10.5.6 or higher
  • Chrome (NOT Chromium) on Vista or higher

Apache has two modules that support SNI for hosting multiple SSL vhosts. The first is the default SSL module (mod_ssl), which requires Apache 2.2.8 or later for SNI support. The other is mod_gnutls, which supports SNI on an unpatched Apache and does not require Apache 2.2.8 or later.

Configuring name-based SSL virtual hosts is similar to configuring standard name-based virtual hosts, apart from the port number and the certificate files. First of all, though, Apache needs to listen on port 443 on all available network interfaces or IP addresses, as below.

Listen 443
NameVirtualHost *:443

Next, the configuration comes in two variants, one using mod_ssl and one using mod_gnutls, so I explain the steps for each of them below:

Using SSL Module

  1. Load mod_ssl:
    LoadModule ssl_module modules/mod_ssl.so
  2. Set up virtual hosts that listen on port 443 (https) and enable SSL
    <VirtualHost *:443>
    	SSLEngine on
    	# Certificate and key presented to clients whose SNI name matches this vhost
    	SSLCertificateFile /etc/http/ssl/server1.crt
    	SSLCertificateKeyFile /etc/http/ssl/server1.key
    
    	# ServerName must be unique per vhost: it is the name SNI is matched against.
    	# The first *:443 vhost is also the default for clients that send no SNI.
    	ServerName secure1.ezylinux.com
    	DocumentRoot /path/to/www/site1
    	<Directory /path/to/www/site1>
    		SSLRequireSSL
    		Order Deny,Allow
    		Allow from All
    	</Directory>
    </VirtualHost>
    
    <VirtualHost *:443>
    	SSLEngine on
    	SSLCertificateFile /etc/http/ssl/server2.crt
    	SSLCertificateKeyFile /etc/http/ssl/server2.key
    
    	ServerName secure2.ezylinux.com
    	DocumentRoot /path/to/www/site2
    	<Directory /path/to/www/site2>
    		SSLRequireSSL
    		Order Deny,Allow
    		Allow from All
    	</Directory>
    </VirtualHost>
    

Using gnutls module

  1. Install mod_gnutls (CentOS 5)
    [root@Ezylinux ~]# yum install mod_gnutls --enablerepo=c5-testing
  2. Load mod_gnutls
    LoadModule gnutls_module modules/mod_gnutls.so
    
  3. Set up virtual hosts that listen on port 443 (https) and enable GnuTLS
    
    <VirtualHost *:443>
    	GnuTLSEnable on
    	# Export certificate details to the request environment (for scripts)
    	GnuTLSExportCertificates on
    	# Session cache lifetime in seconds
    	GnuTLSCacheTimeout 500
    	# Certificate and key presented for this vhost's ServerName
    	GnuTLSCertificateFile /etc/http/ssl/server1.crt
    	# CA used to verify client certificates, if clients present any
    	GnuTLSClientCAFile	/etc/http/ssl/CA-bundle1.crt
    	GnuTLSKeyFile /etc/http/ssl/server1.key
    
    	ServerName secure1.ezylinux.com
    	DocumentRoot /path/to/www/site1
    	<Directory /path/to/www/site1>
    		Order Deny,Allow
    		Allow from All
    	</Directory>
    </VirtualHost>
    
    <VirtualHost *:443>
    	GnuTLSEnable on
    	GnuTLSExportCertificates on
    	GnuTLSCacheTimeout 500
    	GnuTLSCertificateFile /etc/http/ssl/server2.crt
    	GnuTLSClientCAFile	/etc/http/ssl/CA-bundle2.crt
    	GnuTLSKeyFile /etc/http/ssl/server2.key
    
    	ServerName secure2.ezylinux.com
    	DocumentRoot /path/to/www/site2
    	<Directory /path/to/www/site2>
    		Order Deny,Allow
    		Allow from All
    	</Directory>
    </VirtualHost>
    

Having finished the configuration, review the changes, restart the server and check the error log for any errors. Then use OpenSSL's s_client, curl or a web browser to visit each of the virtual hosts over HTTPS and confirm that each one presents its own certificate:

OpenSSL's s_client (the -servername option is what makes s_client send the SNI extension; without it the server has no name to match and answers with the default virtual host's certificate)

[root@Ezylinux ~]# openssl s_client -connect secure1.ezylinux.com:443 -servername secure1.ezylinux.com
[root@Ezylinux ~]# openssl s_client -connect secure2.ezylinux.com:443 -servername secure2.ezylinux.com

Curl

[root@Ezylinux ~]# curl https://secure1.ezylinux.com/
[root@Ezylinux ~]# curl https://secure2.ezylinux.com/
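As an added check that is not part of the original post, the following Python script performs the same test programmatically: it handshakes with each vhost name set as SNI and verifies that the certificate the server picked actually covers that name, which catches the classic mistakes (a vhost with the wrong ServerName, or a server that ignores SNI and always answers with the first vhost's certificate). The host names are the ones from this tutorial; connect_host lets you point all names at the shared IP address, and cafile is the CA bundle that issued your certificates.

```python
import socket
import ssl


def san_dns_names(cert):
    """DNS names from a getpeercert() dict, with subject CN as a fallback."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return names


def name_matches(pattern, hostname):
    """Exact match, or a single leading wildcard label covering one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        head, sep, rest = hostname.partition(".")
        return bool(sep) and bool(head) and rest == pattern[2:]
    return False


def cert_covers(cert, hostname):
    """True if one of the certificate's names covers hostname."""
    return any(name_matches(n, hostname) for n in san_dns_names(cert))


def fetch_sni_cert(hostname, connect_host=None, port=443, cafile=None):
    """Handshake with SNI=hostname (sent to connect_host, e.g. the shared IP,
    if given) and return the certificate the server chose. Chain verification
    stays on (system CAs, or the CA bundle in cafile), because getpeercert()
    returns an empty dict when it is disabled; hostname checking is off so a
    mismatched certificate is returned for inspection instead of rejected."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((connect_host or hostname, port), 5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def check_vhosts(hostnames, connect_host=None, cafile=None):
    """Map each vhost name to (certificate covers it?, names the server sent)."""
    report = {}
    for name in hostnames:
        cert = fetch_sni_cert(name, connect_host, cafile=cafile)
        report[name] = (cert_covers(cert, name), san_dns_names(cert))
    return report
```

Run it as `check_vhosts(["secure1.ezylinux.com", "secure2.ezylinux.com"], cafile="/etc/http/ssl/CA-bundle1.crt")`; a name whose tuple starts with False is being served another vhost's certificate, and an ssl.SSLError means the served chain does not verify against the bundle at all.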

3 Responses to “Enable multiple SSL vhosts and certificates on a single IP with Apache”

  1. Enabling https with multiple SSL certificates on port 443 of Apache seemed like a hassle a few years ago, but the arrival of SNI, or Server Name Indication, has made life a great deal easier.

  2. Sati says:

    It’s work!!!

  3. newexception.com says:

    great tutorial
