# One host, multiple sites. Help with SSL please!



## gnr (May 26, 2009)

Hi guys,


I am building a server to host 3 websites, only one of which should be SSL. How do I go about "isolating" the other two sites (which will be virtual hosts) from using the SSL cert?

thank you


----------



## DutchDaemon (May 26, 2009)

Impossible. You have one IP address, and port 443 is open on that IP address. If anyone types https://one.of.your.non-ssl.sites/, the browser will make a connection to public_ip:443 and the webserver will respond with the SSL dialog. It takes place *before* any virtual host records are even consulted, simply because the connection must be secured and encrypted before anything else passes over the connection.


----------



## gnr (May 26, 2009)

To rephrase: 

Do I just install and configure SSL server and then add 2 virtual hosts?

Or what is the proper way of doing it?


----------



## gnr (May 26, 2009)

Sorry, I was typing it when you replied... Any workarounds? There should be!!


----------



## DutchDaemon (May 26, 2009)

SSL is unaware of anything but the 'raw connection'. Like I said in another thread about this subject: you can force http to https, you cannot force https to http.


----------



## vivek (May 26, 2009)

Nothing new here. Just configure all 3 websites as virtual hosts.

Configure 1 website as SSL-aware. Remember each SSL certificate needs 1 public IP and port 443. However, if visitors to another website type https://othersite/, they will end up connecting to the original SSL-aware website. Try using at least 2 IP addresses: the first one for http and https and the second one for http virtual hosting only.


----------



## gnr (May 26, 2009)

thanks guys, gave both of you thumbs up!


----------



## eztiger (May 26, 2009)

To muddy the waters, this is technically possible:

http://en.wikipedia.org/wiki/Server_Name_Indication

But widespread support is basically non-existent, enough to make it not really a feasible option.

I only found out about it last year and it certainly shook my little SSL vhost world.

kev
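As an added example (not part of the thread), here is a small sh script that tests the point made in this thread directly: connect to the server, send a hostname in the TLS handshake (the SNI extension linked above, via `openssl s_client -servername`), and see whose certificate comes back. It assumes the openssl command-line tool is installed; the hostnames and certificate subjects in the offline checks are made up. It compares the subject CN only, so treat a match as a hint and look at the subjectAltName list as well.

```shell
#!/bin/sh
# Added example, not from the thread: probe which certificate a server presents
# for a given hostname. Requires the openssl command-line tool.

# Extract the CN from "openssl x509 -noout -subject" output. Handles both the
# older "subject= /C=US/CN=host" and the newer "subject=C = US, CN = host" layouts.
cert_subject_cn() {
    sed -n 's|^subject=.*CN *= *\([^,/]*\).*|\1|p' | sed 's/[[:space:]]*$//'
}

# Does certificate name $2 cover hostname $1? A wildcard "*.example.com" covers
# exactly one extra label, as browsers interpret it. Checks one name only; a real
# client also walks the subjectAltName list, which this example does not.
cn_matches() {
    case "$2" in
        \*.*) [ "${1#*.}" = "${2#\*.}" ] && [ "${1%%.*}" != "$1" ] ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

# Fetch the leaf certificate from $1:$2, sending $3 as the SNI server name, and
# print its subject CN. This is the network call; the offline checks skip it.
served_cn() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject | cert_subject_cn
}

# Compare the name a browser would type with the name on the certificate served.
# Usage: check_site www.website.com 192.168.16.78 443
check_site() {
    cn=$(served_cn "$2" "$3" "$1")
    if [ -z "$cn" ]; then
        echo "$1 ($2:$3): no certificate returned (port closed or not TLS?)"
        return 2
    fi
    if cn_matches "$1" "$cn"; then
        echo "$1 ($2:$3): OK, certificate CN is $cn"
    else
        echo "$1 ($2:$3): MISMATCH, certificate CN is $cn; browsers will warn"
        return 1
    fi
}
```

Run `check_site` once per hostname against the IP it resolves to. On a single-IP, single-certificate host every non-SSL hostname comes back with the SSL site's CN, which is exactly the browser warning the thread is trying to avoid. On OpenSSL 1.1.1 and later, adding `-noservername` to the s_client call shows what a client without SNI receives.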


----------



## gnr (May 27, 2009)

I am going with a dual NIC setup (about to order a PCI card now).

Q: How difficult would it be for a newbie to configure a dual NIC FreeBSD box, provided both IPs are on the same network using the same gateway and subnet mask?

PS: By doing so I want to keep the SSL website on one NIC and the other 2-3 sites on the other NIC.

PPS: Any particular NIC I should shy away from, or are the majority of them recognized by FreeBSD today? Any make & model you can guarantee to be working?

thank you


----------



## eztiger (May 27, 2009)

gnr said:

> I am going with dual NIC setup (about to otder PCI card now).
> 
> Q: How difficult would it be for newbie to configure dual NIC FreeBSD box provided both IPs are on the same network using same gateway and subnet mask?
> 
> ...



Very easy. Assuming it's supported and detected, it's a one-liner in /etc/rc.conf:

```
ifconfig_bge0="inet yourip  netmask yournetmask"
```

The bge0 bit would be the device name for the card.

Can't help too much on the NICs beyond that I suspect most chipsets are supported these days. If you have a currently working card, you can find out the driver being used and buy a card using the same chipset.

The hardware compatibility list should help you here.


----------



## gnr (May 27, 2009)

Thanks for the prompt reply. Can you point me in the right direction as to how one assigns an interface to a particular website/service (SMTP/IMAP/etc)?


----------



## eztiger (May 27, 2009)

gnr said:

> Thanks for prompt reply. Can you point me in the right direction as to how does one assign an interface to a particular website/service (SMTP/IMAP/etc)?



This largely depends on the service and its configuration syntax.

The nice way to do it would be in its config file; for example, apache has an option:

```
Listen <ip address>:<port>
```

which specifies what IP address (and so network card) the virtual host binds to and the TCP port.

But it's largely daemon dependent, although the option will be there somewhere!


----------



## DutchDaemon (May 27, 2009)

@gnr: It's the other way around: you tell the service/daemon to bind to an IP address running on a specific interface. Services usually bind to every available interface (which will show up in netstat -an as "*:80" in the case of a webserver and "*:25" in the case of an SMTP server). You can tell Apache, Sendmail, etc. to pick a specific IP to bind to (which will show up as "111.222.111.222:80"). How that's done is different for every application, I'm afraid, and some can't do it at all.


----------



## gnr (May 27, 2009)

Great, I shall try that and get back with some feedback!


----------



## gnr (May 30, 2009)

A question.

Before I decided to add 3 websites to my machine (which happened to be a mail server), I had this record in httpd.conf for SquirrelMail:

```
ServerName mail.mycorp.com:80
```

as well as:

```
ServerName mail.mycorp.com:443
```

in httpd-ssl.conf.

Now, since I added a second NIC, do I need to modify those two records above to reflect the chosen NIC? Or how do I tell Apache to distinguish between interfaces? The other 3 websites need not be SSL.


----------



## DutchDaemon (May 31, 2009)

Apache doesn't know about interfaces. Apache attaches to a hostname, which is an IP address, which is on an interface. That's the interface Apache will be listening on.


----------



## gnr (Jun 1, 2009)

Got it, thanks.


----------



## gnr (Jun 1, 2009)

OK, so I had a mail server working, and after I moved it to virtual hosting and added one more website my system is not working (websites won't load).

Here's my httpd.conf (excerpt):

```
Listen 192.168.16.78:80

ServerName mail.server.com

NameVirtualHost 192.168.16.77:443

NameVirtualHost 192.168.16.78:80

<VirtualHost 192.168.16.77:443>
    ServerName mail.server.com
    DocumentRoot "/usr/local/www/squirrelmail"
</VirtualHost>

<VirtualHost 192.168.16.78:80>
    ServerName www.website.com
    DocumentRoot "/usr/local/www/apache22/data/website"
</VirtualHost>
```

Any clues?


----------



## J65nko (Jun 1, 2009)

What is the output of:

```
# netstat -an -f inet
```


----------



## gnr (Jun 1, 2009)

Correction: the mail server does in fact work, which is good. The website on the second NIC won't load. I don't know, maybe that's a problem with the path to the website files or something, but here's the output:


```
mail# netstat -an -f inet
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0     52 12.34.56.77.22      22.33.44.55.1430    ESTABLISHED
tcp4       0      0 12.34.56.77.22      *.*                    LISTEN
tcp4       0      0 12.34.56.77.443       *.*                    LISTEN
tcp4       0      0 12.34.56.88.80        *.*                    LISTEN
tcp4       0      0 *.143                  *.*                    LISTEN
tcp4       0      0 *.993                  *.*                    LISTEN
tcp4       0      0 *.587                  *.*                    LISTEN
tcp4       0      0 *.25                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.783          *.*                    LISTEN
udp4       0      0 *.514                  *.*
```


----------



## vivek (Jun 2, 2009)

You have only one IP bound to port 80. You need to use *Name-based Virtual Hosts* if more than one website is configured per IP address.

You need to use *IP-based Virtual Hosts* if you have an IP address for each web site.

It looks like you are a bit confused about the correct configuration. Do yourself a favor and go through the Apache virtual hosting guide - http://httpd.apache.org/docs/2.2/vhosts/examples.html

HTH
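To tie vivek's point about which IP is bound to which port back to the httpd.conf excerpt and the netstat listing posted earlier in the thread, here is an added sh check (not from the thread) that parses both and reports the three things that go wrong in this kind of split: a `<VirtualHost>` address that no `Listen` directive covers, a `Listen` address nothing is actually bound to, and a wildcard listener on 80 or 443 that would answer on every NIC. The config and netstat text inside it are constructed samples modelled on the excerpts above, with made-up addresses. On a real box feed it the concatenation of httpd.conf and httpd-ssl.conf (the SSL `Listen` normally lives in the latter, which is why the sample flags the 443 vhost) and the output of `netstat -an -f inet`.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check Apache Listen/VirtualHost
# addresses against the sockets the kernel reports as LISTEN. The sample data
# below is constructed, modelled on the thread's excerpts (addresses are
# assumptions, not real hosts).

HTTPD_CONF='
Listen 192.168.16.78:80
NameVirtualHost 192.168.16.77:443
NameVirtualHost 192.168.16.78:80
<VirtualHost 192.168.16.77:443>
    ServerName mail.server.com
</VirtualHost>
<VirtualHost 192.168.16.78:80>
    ServerName www.website.com
</VirtualHost>
'

# FreeBSD "netstat -an -f inet" style: local address is ip.port, "*" = any IP.
NETSTAT_OUT='
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0 192.168.16.77.443      *.*                    LISTEN
tcp4       0      0 192.168.16.78.80       *.*                    LISTEN
tcp4       0      0 *.25                   *.*                    LISTEN
'

# Listen directives as ip:port, one per line. A bare "Listen 80" binds every
# address, so it is reported as "*:80".
listen_addrs() {
    printf '%s\n' "$1" | awk '$1 == "Listen" { a = $2; if (a !~ /:/) a = "*:" a; print a }'
}

# The address of each <VirtualHost ...> block (first address only).
vhost_addrs() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*<VirtualHost[[:space:]]*\([^> ]*\).*/\1/p'
}

# LISTEN sockets from netstat output, normalised to ip:port or *:port.
listening_sockets() {
    printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && $NF == "LISTEN" { print $4 }' \
        | sed 's/\.\([0-9][0-9]*\)$/:\1/'
}

# VirtualHost addresses no Listen covers: Apache never receives traffic for
# them. A wildcard "*:port" Listen covers any IP on that port.
vhosts_without_listen() {
    l=$(listen_addrs "$1")
    vhost_addrs "$1" | while read -r a; do
        p=${a##*:}
        printf '%s\n' "$l" | grep -qxF -e "$a" -e "*:$p" || printf '%s\n' "$a"
    done
}

# Listen addresses with no matching LISTEN socket: the IP is probably not
# configured on any interface, or httpd failed to start.
listens_not_bound() {
    s=$(listening_sockets "$2")
    listen_addrs "$1" | while read -r a; do
        printf '%s\n' "$s" | grep -qxF -- "$a" || printf '%s\n' "$a"
    done
}

# Web listeners bound to every address: the SSL port answers on the
# non-SSL NIC too, defeating the two-IP split the thread settles on.
wildcard_web_listeners() {
    listening_sockets "$1" | grep -E '^\*:(80|443)$' || true
}

report() {
    echo "VirtualHost addresses with no matching Listen:"
    vhosts_without_listen "$1" | sed 's/^/  /'
    echo "Listen addresses nothing is bound to:"
    listens_not_bound "$1" "$2" | sed 's/^/  /'
    echo "Wildcard listeners on 80/443 (answer on every IP):"
    wildcard_web_listeners "$2" | sed 's/^/  /'
}

report "$HTTPD_CONF" "$NETSTAT_OUT"
```

With the sample data the first section lists `192.168.16.77:443`, because the excerpt carries no `Listen` for it; the other two sections are empty, which is the state you want after the split: each web port bound to exactly one address and nothing web-related on `*`.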


----------



## gnr (Jun 2, 2009)

Hi Vivek, and thanks for your reply.

I currently have only two websites, one on each interface, but it will expand as soon as I get it to work. One site is on port 443 and the other on 80.


----------

