logo
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge
 


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored.

Your donations will help to keep this site alive and well, and continuing building binaries.



Dynamic SNI Certificate %0

 
Post new topic   Reply to topic    Apache Forum Index -> Apache



View previous topic :: View next topic  
Author Message
fryser_d



Joined: 11 Aug 2017
Posts: 5
Location: Canada

PostPosted: Wed 20 Dec '17 2:15    Post subject: Dynamic SNI Certificate %0 Reply with quote

THIS WORKS:
Code:

                <VirtualHost *:443>
                        ServerName site111.com
                        ServerAlias www.site111.com

                        DocumentRoot /var/www/html

                        SSLEngine on
                        SSLCertificateFile "/var/app/s3/ssl/site111.com/certificate.crt"
                        SSLCertificateKeyFile "/var/app/s3/ssl/site111.com/certificate.key"
                        SSLCertificateChainFile "/var/app/s3/ssl/site111.com/certificate.chain"
                </VirtualHost>

                <VirtualHost *:443>
                        ServerName site222.com
                        ServerAlias www.site222.com

                        DocumentRoot /var/www/html

                        SSLEngine on
                        SSLCertificateFile "/var/app/s3/ssl/site222.com/certificate.crt"
                        SSLCertificateKeyFile "/var/app/s3/ssl/site222.com/certificate.key"
                        SSLCertificateChainFile "/var/app/s3/ssl/site222.com/certificate.chain"
                </VirtualHost>


THIS DOESN'T WORK:
Code:

<IfModule mod_ssl.c>
                <VirtualHost *:443>
                        ServerAlias *
         UseCanonicalName Off

                        DocumentRoot /var/www/html
                  
                        SSLEngine on
                        SSLCertificateFile /etc/apache2/ssl/%0/server.crt    //<=here
                        SSLCertificateKeyFile /etc/apache2/ssl/%0/server.key //<= and here

                        SSLCipherSuite        EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
                        SSLProtocol           All -SSLv2 -SSLv3
                        SSLHonorCipherOrder   On
                        SSLSessionTickets     Off
                </VirtualHost>
</IfModule>


When I try to compile the configuration file... I get the error:
SSLCertificateFile: file '/etc/apache2/ssl/%0/server.crt' does not exist or is empty

I try to do a system like https://www.wix.com/ where you can add website on the fly with custom domain and still use SSL. I know some say %0 cannot be resolved because it's AFTER the TLS handshake but a lot of people use it successfully with
Code:
VirtualDocumentRoot "/www/hosts/%0/docs"
https://httpd.apache.org/docs/2.4/vhosts/mass.html

How can I make it work?
Thank you for your time Mr. Green
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6435
Location: Germany, Next to Hamburg

PostPosted: Thu 21 Dec '17 18:11    Post subject: Reply with quote

The %0 works only with

VirtualDocumentRoot
VirtualDocumentRootIP
VirtualScriptAlias
VirtualScriptAliasIP

I think you want to use mod_macro[1]




[1] https://httpd.apache.org/docs/2.4/mod/mod_macro.html
Back to top
fryser_d



Joined: 11 Aug 2017
Posts: 5
Location: Canada

PostPosted: Thu 21 Dec '17 20:47    Post subject: Reply with quote

Thank you for your quick answer James Blond!

Maybe I was not clear in my question. We try to do a website generator like [url]wix.com[/url], [url]squarespace.com[/url] that could possibly host millions of custom website with https.

We're planning to host millions of websites. I heard Apache have a max of 64 to 256 to 16384 of virtualHost depending on who you ask, like this post:

https://www.virtualmin.com/node/20085

Following this tutorial:

https://debian-administration.org/article/725/Simplifying_repetitive_Apache_configuration_with_mod_macro

The virtualHosts would still be defined like so:
Code:
<VirtualHost 1.2.3.4:443>
  ServerName www.example.com
  use SSL example.com
  Redirect / https://example.com/
</VirtualHost3>

<VirtualHost 1.2.3.4:443>
  ServerName example.com
  use SSL example.com
  DocumentRoot /srv/example.com/public/htdocs
</VirtualHost3>


So we're still in the same trap of the number of maximum virtual hosts. Do you know a solution or technology that can handle this problem? Nginx, NodeJs? ... I need a dynamic resolution of SSL according to the SNI servername definition.

Thank you for your time James Blond Mr. Green
Back to top
fryser_d



Joined: 11 Aug 2017
Posts: 5
Location: Canada

PostPosted: Thu 21 Dec '17 22:30    Post subject: Reply with quote

uwsgi have something very similar of what I'm looking for: http://uwsgi-docs.readthedocs.io/en/latest/SNI.html#massive-sni-hosting

But I don't use python :/
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6435
Location: Germany, Next to Hamburg

PostPosted: Thu 21 Dec '17 23:44    Post subject: Reply with quote

For the programming part. I would use the default vhost aka fetch all vhost. And then use a programming language of your choise to to the dynamic part.

With SSL certificats it is harder, cause you need a vhost for each cert.

Other solutions might be

https://www.apachelounge.com/viewtopic.php?p=20365

https://httpd.apache.org/docs/2.4/mod/mod_dbd.html

https://wiki.apache.org/httpd/ApacheVirtualHostMysql
Back to top
fryser_d



Joined: 11 Aug 2017
Posts: 5
Location: Canada

PostPosted: Fri 22 Dec '17 5:32    Post subject: Reply with quote

I try to understand what you're saying... You say that I can do "TLS Termination" in PHP with OpenSSL?

I configure Apache to passthrough HTTPS request and terminate the request in my code? Is that correct?
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6435
Location: Germany, Next to Hamburg

PostPosted: Fri 22 Dec '17 17:29    Post subject: Reply with quote

No the SSL termination has to be done by apache. But mod_vhost dbd can create vhosts on the fly like you want.

The other suggestion was to have vhost that fetches all requests and sends the required DB.

The limit numbers of vhosts was on old *nix systems. You can check it running ulimit on your system.

---


Thinking about your problem how I would solve it, is still mod_macro. I would edit or simply add a vhost at the top to the config file in which you define new vhosts from the macro template.

Code:

Use VHost example example.com
Use VHost myhost hostname.org
Use VHost apache apache.org

UndefMacro VHost


Then call an automatic script to get a certificate from let's encrypt.

You only have to make sure that the DNS is pointing to your server IP.

Once a server is "full" you have a luxury problem. I would add another server with another IP.
Back to top


Post new topic   Reply to topic    Apache Forum Index -> Apache
Page 1 of 1