Apache Example VirtualHost Configurations

The excerpts below show some example name-based VirtualHost configurations that can be used in Apache. For more detailed instructions, 

For each TCP port that you want to use to serve content, you will need to define a Listen directive before configuring your VirtualHosts. When using Apache version 2.2.x or lower, each port will also need a NameVirtualHost directive.

# This tells Apache to listen on port 80
Listen 80

# This tells Apache to listen on port 443 (Only required when using SSL)
Listen 443

# This tells Apache that you will be using name-based vhosts on port 80
# Note: Only required when using Apache version 2.2.x or lower
NameVirtualHost *:80

Basic setup, using port 80, with custom log files

<VirtualHost *:80>
  ServerName www.sysworklabs.com
  
  # if you want this vhost to listen to extra names, uncomment the next line
  # ServerAlias sysworklabs.com www.bar.com bar.com
  
  DocumentRoot /var/www/www.sysworklabs.com/htdocs
  
  CustomLog /var/log/apache/www.sysworklabs.com-access.log combined
  ErrorLog /var/log/apache/www.sysworklabs.com-error.log
</VirtualHost>

Basic setup, on port 80, with multiple virtual hosts

<VirtualHost *:80>
  ServerName www.sysworklabs.com
  
  # if you want this vhost to listen to extra names, uncomment the next line
  # ServerAlias sysworklabs.com www.bar.com bar.com
  
  DocumentRoot /var/www/www.sysworklabs.com/htdocs

  CustomLog /var/log/apache/www.sysworklabs.com-access.log combined
  ErrorLog /var/log/apache/www.sysworklabs.com-error.log
</VirtualHost>

<VirtualHost *:80>
  ServerName mail.sysworklabs.com
     
  DocumentRoot /var/www/mail.sysworklabs.com/htdocs

  CustomLog /var/log/apache/mail.sysworklabs.com-access.log combined
  ErrorLog /var/log/apache/mail.sysworklabs.com-error.log
</VirtualHost>

Basic VirtualHost with custom log files and authentication

<VirtualHost *:80>
  ServerName www.sysworklabs.com
  DocumentRoot /var/www/www.sysworklabs.com/htdocs

  CustomLog /var/log/apache/www.sysworklabs.com-access.log combined
  ErrorLog /var/log/apache/www.sysworklabs.com-error.log

  <Directory /var/www/www.sysworklabs.com/htdocs>
    AuthUserFile /var/www/www.sysworklabs.com/.htpasswd
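    # Basic auth sends the password base64-encoded, not encrypted; on this
    # port-80 vhost it crosses the network in clear text, so prefer the
    # SSL-enabled vhost below for protected content
    AuthType Basic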
    AuthName "Authorised Users Only"
    Require valid-user
  </Directory>
</VirtualHost>

SSL-enabled VirtualHost with custom log files

<VirtualHost *:443>
  ServerName www.sysworklabs.com
  DocumentRoot /var/www/www.sysworklabs.com/htdocs

  CustomLog /var/log/apache/www.sysworklabs.com-access.log combined
  ErrorLog /var/log/apache/www.sysworklabs.com-error.log

  # Example SSL configuration
  SSLEngine on
  # SSLv3 is disabled as well as SSLv2; both protocols are broken
  SSLProtocol all -SSLv2 -SSLv3
  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
  SSLCertificateFile "/var/www/www.sysworklabs.com/ssl/server.crt"
  SSLCertificateKeyFile "/var/www/www.sysworklabs.com/ssl/server.key"
</VirtualHost>

Name-Based SSL VHosts With SNI (Server Name Indication)

The Problem


The problem with using named virtual hosts over SSL is that named virtual hosts rely on knowing what hostname is being requested, and the request can’t be read until the SSL connection is established. The ordinary behavior, then, is that the SSL connection is set up using the configuration in the default virtual host for the address where the connection was received.

While Apache can renegotiate the SSL connection later after seeing the hostname in the request (and does), that’s too late to pick the right server certificate to use to match the request hostname during the initial handshake, resulting in browser warnings/errors about certificates having the wrong hostname in them.

And while it’s possible to put multiple hostnames in a modern certificate and just use that one certificate in the default vhost, there are many hosting providers who are hosting far too many sites on a single address for that to be practical for them.

Client doesn’t support SNI

If Apache has SNI support, and a request without the SNI hostname is received for a name-based virtual host over SSL, and SSLStrictSNIVHostCheck is on, it will be rejected (403) and this message logged:

  [error] No hostname was provided via SNI for a name based virtual host 

If SSLStrictSNIVHostCheck is off, then the request will be handled as if the server did not have SNI support; see above.

Server configuration

# Ensure that Apache listens on port 443
Listen 443
    
# Listen for virtual host requests on all IP addresses
# Note: Only required when using Apache version 2.2.x or lower
NameVirtualHost *:443

# Go ahead and accept connections for these vhosts
# from non-SNI clients
SSLStrictSNIVHostCheck off

<VirtualHost *:443>
  # Because this virtual host is defined first, it will
  # be used as the default if the hostname is not received
  # in the SSL handshake, e.g. if the browser doesn't support
  # SNI.
  DocumentRoot /www/example1
  ServerName www.example.com

  # Other directives here

</VirtualHost>

<VirtualHost *:443>
  DocumentRoot /www/example2
  ServerName www.example2.org

  # Other directives here

</VirtualHost>