How to have Apache rewrite to multiple Zopes?
Yet another Apache redirect question

Is there a way to have one Apache server redirect SSL requests to different Zope instances without requiring separate IP addresses for each instance?

Background: I have 3 Zope instances running on 3 different ports, with one ApacheSSL. I have a VirtualHostMonster for each Zope. Inside one VirtualHost of *:443, I tried the following Rewrite Rules:

    ^/my_name(.*) http://localhost:9090/VirtualHostBase/https/hostname:443/VirtualHostRoot/$1 [P,L]
    ^/(.*) http://localhost:8080/VirtualHostBase/https/hostname:443/VirtualHostRoot/$1 [P,L]

(substituting real values for my_name and hostname, of course).

My (ill-informed?) idea was to catch requests of https://hostname/my_name to go to the Zope on 9090, and requests of https://hostname to go to Zope 8080. It actually works to serve content, but when attempting to do any management URLs, it is removing the my_name from the URL and redirecting to the Zope 8080 site. I can get to manage_main of the correct site, but beyond that it breaks.

Any fixes, or must I resort to getting extra IP addresses and creating a separate IP-based VirtualHost for each Zope instance?

TIA,
Rob Boyd
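Added example, not part of the original post and not Zope's own code: a simplified Python model of the two rewrite rules above and of how VirtualHostMonster builds the URLs Zope generates, showing why management links lose my_name and end up on the 8080 instance. The WITH_VH variant, which hands the stripped prefix to VirtualHostMonster as a `_vh_` path element, and all function names are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

BASE = "/VirtualHostBase/https/hostname:443/VirtualHostRoot/"
# The two rules from the post, in order: (pattern, proxy target). [L] means first match wins.
ORIGINAL = [
    (r"^/my_name(.*)", "http://localhost:9090" + BASE + "{0}"),
    (r"^/(.*)",        "http://localhost:8080" + BASE + "{0}"),
]
# Assumed variant: same routing, but the stripped prefix is passed on as a _vh_ element.
WITH_VH = [
    (r"^/my_name/?(.*)", "http://localhost:9090" + BASE + "_vh_my_name/{0}"),
    ORIGINAL[1],
]

def proxy_target(rules, path):
    """Apply the first matching rule, as mod_rewrite does with [P,L]."""
    for pattern, target in rules:
        m = re.match(pattern, path)
        if m:
            return target.format(m.group(1))
    raise LookupError(path)

def zope_view(target):
    """Simplified VHM model: (backend port, public URL Zope generates for the object)."""
    m = re.match(r"http://localhost:(\d+)/VirtualHostBase/(\w+)/([^/]+)/VirtualHostRoot/(.*)", target)
    port, scheme, host, rest = m.groups()
    parts = [p for p in rest.split("/") if p]
    # Leading _vh_ elements are not traversed; they are prepended to generated URLs.
    virtual = []
    while parts and parts[0].startswith("_vh_"):
        virtual.append(parts.pop(0)[len("_vh_"):])
    if scheme == "https" and host.endswith(":443"):
        host = host[:-len(":443")]  # the default port is left out of generated URLs
    return int(port), "/".join([scheme + "://" + host] + virtual + parts)

def round_trip(rules, path):
    """Public URL Zope hands back, the port that served it, and the port that URL routes to."""
    first_port, public_url = zope_view(proxy_target(rules, path))
    second_port, _ = zope_view(proxy_target(rules, urlsplit(public_url).path or "/"))
    return public_url, first_port, second_port

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("with _vh_", WITH_VH)):
        print(name, round_trip(rules, "/my_name/manage_main"))
```

With the original rules the link generated by the 9090 instance routes to 8080 on the next click; with the `_vh_` element the prefix survives and the request stays on 9090.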
On Tue, 2004-01-06 at 15:03, Rob Boyd wrote:
> Is there a way to have one Apache server redirect SSL requests to different Zope instances without requiring separate IP addresses for each instance?
I wish it were possible to do this... but it isn't. For each IP you use, it is possible to have only one host that responds to port 443 (SSL). It's easy to split port 80 among different virtual hosts, but not 443.

If you really need multiple SSL hosts, you'll need multiple IPs.

HTH,
Dylan
> I wish it were possible to do this... but it isn't. For each IP you use, it is possible to have only one host that responds to port 443 (SSL). It's easy to split port 80 among different virtual hosts, but not 443.
> If you really need multiple SSL hosts, you'll need multiple IPs.
Well, this needs one more detail:

You can serve as many NameVirtualHosts off of a single IP port 443 - but due to the way SSL negotiation works you can only serve a single SSL certificate over that IP. So if you want to use separate certificates for each SSL-enabled host then you need different IPs. Unless you don't care about constant browser popups informing you that the hostname on the certificate does not match the host you're connecting to...

jens
On Tue, 2004-01-06 at 16:12, Jens Vagelpohl wrote:
> You can serve as many NameVirtualHosts off of a single IP port 443
This *seems* like it should be true, but it simply isn't.

See:
http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts
http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts2

HTH,
Dylan
> > You can serve as many NameVirtualHosts off of a single IP port 443
> This *seems* like it should be true, but it simply isn't.
> See:
> http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts
> http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts2
OK, that's even more correct ;)

jens
On Tuesday 06 January 2004 04:35 pm, Dylan Reinhardt wrote:
> On Tue, 2004-01-06 at 16:12, Jens Vagelpohl wrote:
> > You can serve as many NameVirtualHosts off of a single IP port 443
> This *seems* like it should be true, but it simply isn't.
> See:
> http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts
> http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts2
Strange, I've certainly set up multiple perfectly working NameVirtualHosts over SSL on apache 1.3. Of course they all use the same SSL certificate, but that is only a minor annoyance for the hosts which are not on the cert. The config entries follow:

    <VirtualHost *:443>
    ServerName site1.bogus.com
    RewriteEngine On
    RewriteRule ^/bogus-images(.*) /var/www/bogus.com/images$1 [L]
    RewriteCond %{HTTP_HOST} ^.*:443$
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/https/%{HTTP_HOST}/site1/VirtualHostRoot/$1 [P]
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/https/%{HTTP_HOST}:443/site1/VirtualHostRoot/$1 [L,P]
    [boring SSL and logging stuff removed]
    </VirtualHost>

    <VirtualHost *:443>
    ServerName site2.bogus.com
    RewriteEngine On
    RewriteRule ^/bogus-images(.*) /var/www/bogus.com/images$1 [L]
    RewriteCond %{HTTP_HOST} ^.*:443$
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/https/%{HTTP_HOST}/site2/VirtualHostRoot/$1 [P]
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/https/%{HTTP_HOST}:443/site2/VirtualHostRoot/$1 [L,P]
    [more boring SSL and logging stuff removed]
    </VirtualHost>

I'm surprised to find that I have unwittingly done the impossible. I think it's more likely that the SSL incompatibility with NameVirtualHost is new in 2.0, but who knows?

Alec
What you have done is not impossible - but it is the only possible option and most folks find it unacceptable. You have to use the same certificate for all hosts and so all but one of them will pop up the name mis-match warning message. In a number of situations, that is unacceptable. For example, would you give your credit card # to a site that did not have its own SSL certificate?

Quoting Alec Mitchell <apm13@columbia.edu>:
> Strange, I've certainly set up multiple perfectly working NameVirtualHosts over SSL on apache 1.3. Of course they all use the same SSL certificate, but that is only a minor annoyance for the hosts which are not on the cert. The config entries follow:
> ...
> I'm surprised to find that I have unwittingly done the impossible. I think it's more likely that the SSL incompatibility with NameVirtualHost is new in 2.0, but who knows?
-- Cynthia Kiser
On Tuesday 06 January 2004 09:43 pm, Cynthia Kiser wrote:
> What you have done is not impossible - but it is the only possible option and most folks find it unacceptable. You have to use the same certificate for all hosts and so all but one of them will pop up the name mis-match warning message. In a number of situations, that is unacceptable. For example, would you give your credit card # to a site that did not have its own SSL certificate?
I understand that. I indicated in my post that the shared certificate was a problem with the setup, though I probably underplayed its significance. For the specific sites involved it is not at all critical (the SSL is perhaps superfluous to begin with), and they are in use by a limited number of people who can easily be made aware of the certificate warning issue.

I was just responding to the above post, which stated that such configurations were entirely impossible, not merely ill-advised. That post was in turn a response to a post which claimed that it was possible as long as you were willing to share a certificate among multiple hosts, a point upon which we both agree and the above post disagreed. The links in that post seem to bear out the claim that NameVirtualHost is entirely impossible under SSL with Apache 2.0 (according to the documentation, I've never tried). I simply intended to point out that at least in earlier versions (still in widespread use) it is doable. There are certainly instances where such a configuration can be useful, despite its imperfections.

Alec
On Tue, 2004-01-06 at 21:36, Alec Mitchell wrote:
> I'm surprised to find that I have unwittingly done the impossible. I think it's more likely that the SSL incompatibility with NameVirtualHost is new in 2.0, but who knows?
This issue has been an Apache FAQ for many years. I can't explain why your config would work, but it's interesting to hear that it does.

Dylan