
I'm looking for the most efficient way to achieve this setup on Apache 2.4.33 on the Amazon Linux distro:

  • a single server instance (here: AWS EC2)
  • a single associated IP
  • two (or more) domains, each with their own SSL certificate
  • one default SSL VirtualHost that applies to all others, to set such things as SSLProtocol, FilesMatch, and BrowserMatch only once
  • a dedicated VirtualHost per domain that points to the respective files and sets the document root

Is there something wrong with this setup?

1) /etc/httpd/conf.d/ssl.conf (entire file):

```apache
Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300

SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin

# default settings for all VirtualHosts
<VirtualHost *:443>
    LogLevel warn

    SSLProtocol all -SSLv3
    SSLProxyProtocol all -SSLv3

    # directive name corrected: "SSLHonorCypherOrder o" is not a valid directive
    SSLHonorCipherOrder on
    # use OpenSSL default
    #SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    #SSLProxyCipherSuite HIGH:MEDIUM:!aNULL:!MD5

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
```

2) /etc/httpd/conf.d/vhosts.conf:

```apache
# foo.com
<VirtualHost *:80>
    ServerName foo.com
    ServerAlias www.foo.com
    # trailing slash added: without it "/page" would redirect to https://foo.compage
    Redirect 301 / https://foo.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName foo.com:443
    # ServerAlias takes bare host names, so the :443 suffix is dropped
    ServerAlias www.foo.com
    DocumentRoot "/var/www/foo"
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/foo.crt
    SSLCertificateChainFile /etc/pki/tls/certs/foo.bundle
    SSLCertificateKeyFile /etc/pki/tls/private/foo.key
    ErrorLog logs/foo
    TransferLog logs/foo-acc
</VirtualHost>

# bar.com
<VirtualHost *:80>
    ServerName bar.com
    ServerAlias www.bar.com
    Redirect 301 / https://bar.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName bar.com:443
    ServerAlias www.bar.com
    DocumentRoot "/var/www/bar"
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/bar.crt
    SSLCertificateChainFile /etc/pki/tls/certs/bar.bundle
    SSLCertificateKeyFile /etc/pki/tls/private/bar.key
    ErrorLog logs/bar
    TransferLog logs/bar-acc
</VirtualHost>
```

Will this work, or do I have to repeat the default setup for each dedicated domain?


1 Answer


I figured it out after some extensive testing:

The generic "master" VirtualHost in ssl.conf must reference a Certificate, Chain and Key, otherwise it will not work. So, for clarity and to avoid writing (and maintaining) duplicate lines across vhosts, it might be best to move this generic vhost into vhosts.conf, before the others.

Any rules specified there seem to be inherited properly by the following vhosts and don't have to be repeated.
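The layout the answer describes, written out as an added example (not the asker's or answerer's files; the domains, paths and the `default.*` certificate pair are placeholders, and ssl.conf is assumed to keep only its Listen, session-cache and random-seed lines with no `<VirtualHost>` of its own). It also puts the shared directives in the server context, outside every `<VirtualHost>`, which is the documented way to set a mod_ssl directive once for all vhosts.

```apache
# /etc/httpd/conf.d/vhosts.conf (added example; every name and path is a placeholder)

# Server context: directives outside any <VirtualHost> are inherited by each
# vhost that does not override them, so the shared settings live here once.
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLHonorCipherOrder on
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

# The first *:443 vhost is the default for the address: clients that send no
# SNI or an unknown hostname land here. mod_ssl will not start it without a
# certificate and key, so it gets its own pair and deliberately serves nothing.
<VirtualHost *:443>
    ServerName default.invalid
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/default.crt
    SSLCertificateKeyFile /etc/pki/tls/private/default.key
    Redirect 404 /
</VirtualHost>

# foo.com: HTTP redirects to HTTPS. The trailing slash matters, otherwise a
# request for /page is sent to https://foo.compage.
<VirtualHost *:80>
    ServerName foo.com
    ServerAlias www.foo.com
    Redirect permanent / https://foo.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName foo.com
    ServerAlias www.foo.com
    DocumentRoot "/var/www/foo"
    SSLEngine on
    # Since 2.4.8 the intermediate chain may be appended to the file named by
    # SSLCertificateFile, so SSLCertificateChainFile is no longer needed.
    SSLCertificateFile /etc/pki/tls/certs/foo.crt
    SSLCertificateKeyFile /etc/pki/tls/private/foo.key
</VirtualHost>

# bar.com repeats only the per-domain lines; the shared settings still apply.
<VirtualHost *:443>
    ServerName bar.com
    ServerAlias www.bar.com
    DocumentRoot "/var/www/bar"
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/bar.crt
    SSLCertificateKeyFile /etc/pki/tls/private/bar.key
</VirtualHost>
```

`apachectl configtest` reports a missing certificate on the default vhost at startup, and `openssl s_client -servername` against each hostname confirms which certificate each SNI name receives.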
