开发者

Apache with two urls and two different SSL certificates

开发者 https://www.devze.com 2023-01-13 22:25 出处:网络
I will ask this with an example - I have a setup, nginx, django, apache ( nginx forwards ssl requests to apache)

I will ask this with an example - I have a setup, nginx, django, apache ( nginx forwards ssl requests to apache)

I have website https://www.xyz.com which has a ssl certificate associated with it and clients use it when connecting. Lets say, I have another domain name www.abc.com, which I want to assign it to the same server as xyz.com

That is when user types in the browser https://www.abc.com/ it should show the same website as https://www.xyz.com/.

Now to achieve this, Do I need to buy another ssl certificate? if I do, How would I change http.conf file to use this new certificate for another url?

Or Is there any other approach that I开发者_运维问答 can use?


As long as www.abc.com and www.xyz.com have different IP addresses, you can host them from the same httpd instance. You will need two certificates (unless both are subdomains of a common domain and you get a wildcard certificate). Set them up as two IP-based virtual hosts, with the same content.

See http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts for why.

<VirtualHost 127.0.0.1:443>
    SSLEngine on

    SSLCertificateFile      /etc/ssl/www.abc.com.crt
    SSLCertificateKeyFile   /etc/ssl/www.abc.com.key
    # etc
</VirtualHost>
<VirtualHost 127.0.0.2:443>
    SSLEngine on

    SSLCertificateFile      /etc/ssl/www.xyz.com.crt
    SSLCertificateKeyFile   /etc/ssl/www.xyz.com.key
    # etc
</VirtualHost>


Have you really tried to ask Google? One of my first hits is: http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
on the apache wiki.

If you have more than one IP address, I'd recommend to use IP-address-based SSL rather than name-based, because older clients (IE on XP) do not support SNI.


(I'm copying/pasting a slightly modified version of my own answer to this question. What hasn't been suggested in the existing answers so far is the use of multiple subject alternative names.)

The easy way is to be able to host www.abc.com and www.xyz.com on two distinct IP addresses (perhaps the same machine), in which case you can configure a different certificate for each.

If you're constrained to have a single IP address (and port) for the two names, if you want to use two distinct certificates, you would need to use the Server Name Indication (SNI) extension, which is relatively recent (and might not be supported by all browsers, but it seems to work with recent ones).

If you can't use SNI, you'd need the same certificate to be valid for both www.abc.com and www.xyz.com at the same time, which may be achieved by putting the two DNS entries in the Subject Alternative Name extension, or perhaps by using a wildcard, if the pattern for the two hosts is suitable (note that wildcards are unlikely to be acceptable if it's for two distinct domains rather than sub-domains). These two options are probably more expensive than two distinct certificates, with commercial CAs.


I ended up buying single multidomain certificate(UCC) for two domains. and modified the nginx configuration to direct two sites to the same Apache server.

As I had nginx in front of Apache, I did not need to change the http.conf configuration.

0

精彩评论

暂无评论...
验证码 换一张
取 消