Topic: Apache 2.2.4 SSL Virtual Hosts |
anindya
Joined: 27 Feb 2007 Posts: 7
|
Posted: Tue 27 Feb '07 12:31 Post subject: Apache 2.2.4 SSL Virtual Hosts |
|
|
Hi, I have been trying to set up SSL for my virtual hosts. The first time I used the same IP for all of them and because of that it used to use the SSL certificate from the first virtual host.
Now I have added some more IPs 192.168.1.4, 192.168.1.5 and I have set them up using these. Now they work fine if I access the sites using the same computer or a computer in the local network. However if I try to access them using a proxy then it shows me the document root of the first virtual host which is set up with the IP 192.168.1.3.
So now I am not sure what to do next to make them work for computers outside the local network. I am using an ADSL connection with a wireless ADSL router. Please let me know what else I need to do to get it to work properly.
Thanks.
Edit: Ok, I think it's because of the port forwarding. The 192.168.1.3 IP is forwarded in the router. But what do I do to forward the other IPs? I can't forward them on the same port, can I? |
|
|
VoodooMill
Joined: 11 Jan 2007 Posts: 60
|
Posted: Tue 27 Feb '07 18:28 Post subject: |
|
|
Hi anindya,
For outside traffic coming in, configure the router to forward to the proxy, then the proxy will handle distribution to the internal servers. |
|
|
tdonovan Moderator
Joined: 17 Dec 2005 Posts: 611 Location: Milford, MA, USA
|
Posted: Tue 27 Feb '07 21:23 Post subject: |
|
|
It is a limitation of SSL that there can only be one certificate per IP-address/port-number combination.
This is because the certificate is needed to make the initial connection, which happens before the virtual host name is sent.
Inside your own network you can have several different IPs, like 192.168.1.3, 192.168.1.4, 192.168.1.5, etc.
Your router probably has only one IP address visible to the outside world.
Try http://www.whatsmyip.org/ or http://whatsmyip.net/ to see what your external IP address is.
One way to work around this limitation is to forward different port numbers, for example:
forward port 443 to 192.168.1.3 port 443
forward port 1443 to 192.168.1.4 port 443
forward port 2443 to 192.168.1.5 port 443
The disadvantage is that anyone outside your own network must use the specified port numbers, except for the first web site.
The first site can be https://sitename/ because 443 is the default SSL port.
To reach the second site from outside your own network you must use https://sitename:1443/, and the third site would be https://sitename:2443/.
-tom- |
|
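The Apache side of the port-forwarding layout described in the post above, as an added example that is not part of the thread or any poster's configuration. Host names, document roots and certificate paths are placeholder assumptions; the IP addresses and ports are the ones given in the post.

```apache
# Added example. Requires mod_ssl to be loaded.
# One certificate per IP:port pair, so each site gets its own internal IP.
Listen 192.168.1.3:443
Listen 192.168.1.4:443
Listen 192.168.1.5:443

# Router: external port 443 -> 192.168.1.3 port 443
<VirtualHost 192.168.1.3:443>
    ServerName site1.example.com
    DocumentRoot "C:/www/site1"
    SSLEngine on
    SSLCertificateFile "conf/ssl/site1.crt"
    SSLCertificateKeyFile "conf/ssl/site1.key"
</VirtualHost>

# Router: external port 1443 -> 192.168.1.4 port 443
# The port in ServerName is the external one; Apache uses it when it
# builds self-referential URLs with UseCanonicalName On.
<VirtualHost 192.168.1.4:443>
    ServerName site2.example.com:1443
    DocumentRoot "C:/www/site2"
    SSLEngine on
    SSLCertificateFile "conf/ssl/site2.crt"
    SSLCertificateKeyFile "conf/ssl/site2.key"
</VirtualHost>

# Router: external port 2443 -> 192.168.1.5 port 443
<VirtualHost 192.168.1.5:443>
    ServerName site3.example.com:2443
    DocumentRoot "C:/www/site3"
    SSLEngine on
    SSLCertificateFile "conf/ssl/site3.crt"
    SSLCertificateKeyFile "conf/ssl/site3.key"
</VirtualHost>
```

Because each `<VirtualHost>` is keyed on its own IP address, Apache can pick the right certificate at connection time without needing the host name.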
|
anindya
Joined: 27 Feb 2007 Posts: 7
|
Posted: Wed 28 Feb '07 2:06 Post subject: |
|
|
Thanks for the help tom. I know I can forward the other ports but as you said, that way people will have to use the port number to access the sites. And I already tried that and it worked. But I don't want it that way. So I removed the IPs and changed all the virtual hosts back to the same IP.
This way SSL won't work but at least the sites will work normally. But now after doing that, if I use HTTPS:// in the sites where I don't want SSL, it shows me the document root of the first virtual host. You know what I am trying to say? And is there any way to prevent that?
Thanks. |
|
|
tdonovan Moderator
Joined: 17 Dec 2005 Posts: 611 Location: Milford, MA, USA
|
Posted: Wed 28 Feb '07 6:55 Post subject: |
|
|
If you want multiple SSL sites and you don't want to use a port number, then you will need to have several external IP addresses.
Here in the northeast U.S. most non-commercial ADSL accounts only give you one external IP address.
Multiple ADSL accounts (expensive) or a commercial account (also expensive) are needed to get more than one external IP address.
The fact that you can have several 192.168.1.x IP addresses inside your own network doesn't give you multiple IP addresses which are visible from outside your router. From the outside you only have a single IP address, hence only one SSL web site is reachable from outside your router.
This only applies to SSL. Non-SSL web sites can have any number of different host names all using the same external IP address & port.
-tom- |
|