[lug] ssl apache paths
Lee Woodworth
blug-mail at duboulder.com
Tue Aug 14 21:36:47 MDT 2007
Kevin Fenzi wrote:
> On Tue, 14 Aug 2007 07:33:24 -0600 (MDT)
> dio2002 at indra.com wrote:
>
>> I'm trying to set up self-signed certificates on apache for a couple
>> of php sites.
>>
>> does anybody know if it's possible to use apache directives to
>> selectively apply the ssl protection to specific paths within a given
>> vhost versus globally assigning it to the entire domain? if so how?
>
> See:
> http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
> and the SSLEngine directive. You can enable per virtual.
>
>> for example, instead of having ssl protection on the entire domain
>> site.com, i'd like to only apply it selectively to site paths:
>>
>> site.com/login/*
>> site.com/configure/*
>> site.com/dothis.php
>
> You would have to do this with redirects or something.
> I.e., when someone goes to one of those dirs via a http: link, you
> rewrite it to https and so on. Not easy to do, but possible.
>
>> Also, i'm getting conflicting info about whether you can use ssl
>> certs on MULTIPLE NAMEBASED vhosts on a single server?
>
> no. You can't do name based ssl.
>
>> I've seen info online that says you can't but then i see examples that
>> actually seem to do it. If I can what do i need to do? If i can't
>> what are my options? Must i use IP based vhosting?
>
> Yes. Each ssl host needs to have its own IP.
> The name based virtual stuff takes place after the ssl handshake
> between your server and the browser. It already has to know the
> hostname it's going to to verify the ssl certificate. You can't do
> multiple ones in a single IP...
>
> There is one exception. You can get a wildcard ssl cert.
> Basically instead of being issued to one host, it's issued to
> '*.domain.com' so any host in that domain validates.
How do multiple names in the certificate's subject alt name
interact with the vhost processing?
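
The redirect approach described in the quoted reply, as an added example that is not part of the original thread: a plain-HTTP vhost that sends the three paths from the question to an IP-based SSL vhost, plus `SSLRequireSSL` as a backstop. The IP address, document root and certificate paths are placeholders, and the server is assumed to already listen on ports 80 and 443 with mod_ssl and mod_rewrite loaded.

```apache
# Constructed example: 192.0.2.10, /var/www/site and the certificate
# paths are placeholders, not values from the thread.

# Backstop: refuse the protected paths on any non-SSL connection, so a
# missing or disabled rewrite yields 403 instead of serving them in clear.
<LocationMatch "^/((login|configure)(/|$)|dothis\.php$)">
    SSLRequireSSL
</LocationMatch>

<VirtualHost *:80>
    ServerName site.com
    DocumentRoot /var/www/site

    RewriteEngine On
    # Per-vhost rewrite rules run before access checks, so clients are
    # redirected to HTTPS before SSLRequireSSL above is evaluated.
    RewriteRule ^/((login|configure)(/.*)?|dothis\.php)$ https://site.com/$1 [R=301,L]
</VirtualHost>

# The SSL vhost is bound to its own address (IP-based, one certificate).
<VirtualHost 192.0.2.10:443>
    ServerName site.com
    DocumentRoot /var/www/site

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/site.com.crt
    SSLCertificateKeyFile /etc/ssl/private/site.com.key
</VirtualHost>
```

Session cookies issued under /login need the Secure attribute; otherwise the browser also sends them with plain-HTTP requests to the rest of site.com.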