I have been searching quite a bit now but couldn't find any answers.

I'm using httpd 2.2.15 and Centos 6.2.

I have configured apache for mass virtual hosting. I.e.:

    UseCanonicalName off
    VirtualDocumentRoot /var/www/html/%0

I will have the same "main" domain with different subdomains pointing to the virtual hosts. I have created a self-signed cert for testing purpose with common name *.mydomain.com. There's one IP for the entire server.

How can I configure apache to use ssl for my vhosts?

And if possible, added to above I would like to achieve this as well:

  1. Can I define a directory, or preferably some files (e.g. the login page), that should be excluded from the SSL? All vhosts are basically different instances of the same application (except the ones I mention in 2 below).

  2. Can I define some vhosts that should not use SSL (I have full control of the subdomain name for those)? This will be two applications, my home page (www) and some administrative application. If it's not possible to make exceptions, I guess I will just put those on another server.

Except the ones I mentioned in 2 above, all virtual hosts will be created automatically based on users request.

Based on @Shane's comment, I update: if users use https:// when they shouldn't, it's good if they are redirected to http://. If that's not possible I guess it's ok if they get an error message. It's of course ok if BOTH http and https work, as long as http works for the unprotected files (this may be the preferred choice actually).

I could find examples of how to do this using mod_rewrite, with the exception that they weren't for mass domains (i.e. <VirtualHost> was used).

What are the tricks for achieving this?

If not possible, I would be most happy to get some hints about how to do this.

  • What kind of behavior would you like to see for the directories and domains that don't use SSL? A connecting client will always connect to the server if they use https://domain.that.shouldnt.have.ssl/ - should they get an error message, or a redirection to http:// version? Commented May 17, 2012 at 15:47
  • If they use https:// when they shouldn't, it's good if they are redirected to http://. If that's not possible I guess it's ok if they get an error message. It's of course ok if BOTH http and https works, as long as http works. Commented May 17, 2012 at 16:17
  • Oh, so you want to force certain of the sites to use HTTPS? Commented May 17, 2012 at 16:23
  • Yes, correct. That was my intention with "How can I configure apache to use ssl for my vhosts?", perhaps I was a bit unclear. Update my answer a little bit, somewhat more informative than my comment. Commented May 17, 2012 at 16:35

1 Answer

First off, you need to make sure your current configuration is prepared to have an SSL listener added in. You haven't specified if you're using the main server, or a <VirtualHost>, but if you're using the main server then you'll need to switch to a <VirtualHost>.

    <VirtualHost *:80>
        ServerName everything.example.com
        ServerAlias *.example.com
        VirtualDocumentRoot /var/www/html/%0
        # insert logging config, anything else you need..
        <Directory /var/www/html/>
            Order Allow,Deny
            Allow from all
            # Get rid of this if you need to allow htaccess files:
            AllowOverride None
        </Directory>
        RewriteEngine On
        # We're going to insert some Rewrite configuration here in a minute.
    </VirtualHost>

Then, we'll add you a new VirtualHost running SSL.

    # Add this if you don't already have it:
    Listen 443

    <VirtualHost *:443>
        ServerName everything.example.com
        ServerAlias *.example.com
        VirtualDocumentRoot /var/www/html/%0
        SSLEngine On
        SSLCertificateFile /path/to/cert.pem
        SSLCertificateKeyFile /path/to/private.key
        # insert logging config, anything else you need..
        <Directory /var/www/html/>
            Order Allow,Deny
            Allow from all
            # Get rid of this if you need to allow htaccess files:
            AllowOverride None
        </Directory>
        # RewriteEngine is per-vhost and is not inherited from the main server,
        # so it has to be switched on here too before any RewriteRule below works.
        RewriteEngine On
        # if you want to kick someone back to HTTP if they're using HTTPS,
        # do that with Rewrite configuration here. For example:
        #RewriteRule ^/(non/sensitive/content.*\.html)$ http://%{HTTP_HOST}/$1 [R=301,L]
    </VirtualHost>

So, that gets us to the point where the content is all being served via both HTTP and HTTPS. Now, in order to force HTTPS for certain domains, we can use mod_rewrite.

Important security information! You need to be very careful here from a security perspective. If you're simply redirecting everything on HTTP to the HTTPS equivalent, you can potentially 'hide' cases where a request is sent over HTTP instead of HTTPS due to hardcoded resource locations - and if there's sensitive data in that request, then it was just sent over the internet, unencrypted. You'll need to weigh this risk against your ability to catch and correct these kinds of issues, the user-unfriendliness of an error page if something is messed up, and the sensitivity of the data.

To force SSL for certain locations, you'll want to insert mod_rewrite configuration into the port 80 vhost (I've commented in its configuration above). You can build pretty much any kind of behavior you want, as far as directories or domains excluded; I'll provide a few examples:

    # Exclude the domain "static.example.com"
    RewriteCond %{HTTP_HOST} !^static\.example\.com$
    # Exclude the directory /images
    RewriteCond %{REQUEST_URI} !^/images/
    # Exclude requests to .css files
    RewriteCond %{REQUEST_URI} !\.css$
    # This is the more secure but less user friendly version - block requests to the non-secured port.
    RewriteRule ^ - [F,L]
    # This is the user friendly version, where you need to be especially careful that
    # your site never sends sensitive data to http accidentally:
    #RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

Or, if you wanted to do the friendly redirect just for requests to the base directory, and the error behavior for others:

    # Exclude the domain "static.example.com"
    RewriteCond %{HTTP_HOST} !^static\.example\.com$
    # ..insert other exclusion conditions here..
    RewriteRule ^/$ https://%{HTTP_HOST}/ [R=301,L]

    # The conditions only apply to the RewriteRule directly after them, so repeat them:
    # Exclude the domain "static.example.com"
    RewriteCond %{HTTP_HOST} !^static\.example\.com$
    # ..insert other exclusion conditions here..
    RewriteRule ^ - [F,L]

If these examples don't fit your needs, let me know.
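As an added illustration, not part of the answer above or of the asker's setup, here is a small Python model of the port-80 ruleset the answer proposes, plus a log check for the failure mode its security note describes: a request that hit the plain-HTTP vhost and was redirected, but had already carried a POST body or a query string in clear text. The excluded host and paths are the ones from the answer; the log lines, the `%v:%p`-prefixed combined LogFormat they assume, and every host name are constructed for the example.

```python
import re

# Exclusions copied from the answer's ruleset (assumed policy for this example).
EXCLUDED_HOSTS = {"static.example.com"}    # RewriteCond %{HTTP_HOST} !^static\.example\.com$
EXCLUDED_PREFIXES = ("/images/",)          # RewriteCond %{REQUEST_URI} !^/images/
EXCLUDED_SUFFIXES = (".css",)              # RewriteCond %{REQUEST_URI} !\.css$


def is_excluded(host, path):
    """True when any RewriteCond in the chain fails: the rule is skipped and
    the request is served over plain HTTP."""
    return (host in EXCLUDED_HOSTS
            or path.startswith(EXCLUDED_PREFIXES)
            or path.endswith(EXCLUDED_SUFFIXES))


def port80_strict(host, path):
    """'RewriteRule ^ - [F,L]' variant: every non-excluded request gets a 403."""
    return ("serve", None) if is_excluded(host, path) else ("403", None)


def port80_friendly(host, path):
    """'RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]' variant."""
    if is_excluded(host, path):
        return ("serve", None)
    return ("301", "https://%s%s" % (host, path))


def port80_mixed(host, path):
    """Second ruleset in the answer: redirect only '/', forbid everything else.
    Each RewriteRule needs its own copy of the RewriteConds, which is why the
    answer repeats them before the second rule."""
    if is_excluded(host, path):
        return ("serve", None)
    if path == "/":
        return ("301", "https://%s/" % host)
    return ("403", None)


# Constructed access-log lines (assumed LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b ..."),
# written as a mass-vhost setup might log them so the vhost and port are visible.
SAMPLE_LOG = """\
dev.example.com:80 10.0.0.5 - - [18/May/2012:10:54:01 +0200] "POST /login HTTP/1.1" 301 0 "-" "Mozilla/5.0"
dev.example.com:80 10.0.0.5 - - [18/May/2012:10:54:02 +0200] "GET /images/logo.png HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
dev.example.com:443 10.0.0.5 - - [18/May/2012:10:54:03 +0200] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
static.example.com:80 10.0.0.7 - - [18/May/2012:10:55:00 +0200] "GET /site.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"
dev2.example.com:80 10.0.0.9 - - [18/May/2012:10:56:10 +0200] "GET /account?token=abc HTTP/1.1" 301 0 "-" "curl/7.19"
"""

LOG_RE = re.compile(
    r'^(?P<host>[^:\s]+):(?P<port>\d+) (?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')


def leaked_over_http(log_text):
    """Return (host, method, uri) for requests that reached the port-80 vhost,
    were not excluded by the ruleset, and carried a body or a query string.
    A 301 on such a line means the redirect fired, but the body or query had
    already crossed the wire unencrypted, exactly what the security note warns about."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("port") != "80":
            continue
        host, method, uri = m.group("host"), m.group("method"), m.group("uri")
        path = uri.split("?", 1)[0]
        if is_excluded(host, path):
            continue
        if method in ("POST", "PUT") or "?" in uri:
            hits.append((host, method, uri))
    return hits


if __name__ == "__main__":
    for host, path in [("dev.example.com", "/login"), ("static.example.com", "/x"),
                       ("dev.example.com", "/images/a.png"), ("dev.example.com", "/")]:
        print(host, path, port80_strict(host, path), port80_friendly(host, path),
              port80_mixed(host, path))
    for hit in leaked_over_http(SAMPLE_LOG):
        print("sent in clear text before the redirect:", hit)
```

Run this against a real access log (with the vhost and port in the LogFormat as assumed) after switching to the friendly redirect; any line it reports is a hardcoded http:// resource or form action that needs fixing in the application, and until that list is empty the strict `[F,L]` variant is the safer choice.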

  • Wow, thanks so much :) My day is getting to an end, this will be my work for tomorrow. I'll get back tomorrow with feedback. One thing I can see already, I didn't know one could put VirtualDocumentRoot inside the <VirtualDirectory>, must have missed it on apache's site while reading. Really appreciate your time taken. Commented May 17, 2012 at 18:55
  • Ok, I am doing it a bit at a time here. Before I start to create exceptions for some directories/urls, I want to make sure I can get SSL working properly for my domains. I managed to get it working for one subdomain using "ServerName dev.example.com" in <VirtualHost>, but then "dev2.example.com" doesn't work, neither does it when configuring ServerName *.example.com. Will I need to create one <VirtualHost> for each application instance? Or can mod_rewrite be used so I don't need to do that? Commented May 18, 2012 at 10:54
  • What happens is that everything gets redirected to an index.html file directly under /var/www/html Commented May 18, 2012 at 11:02
  • 1
    You'll need ServerAlias *.example.com - ServerName doesn't do wildcards. Commented May 18, 2012 at 15:46
  • Ah, sorry, commented that out, my mistake. https now works for all my subdomains. Moving on... Commented May 18, 2012 at 16:54
