This document describes how to populate one Linux Apache web server with multiple virtual hosts, each using its own SSL certificate. This method can be achieved using a single Ethernet LAN card, but requires that
-
1. IP Bindings shell script:
A bash script to populate your network interface card with multiple IP addresses. This shell script should be invoked by the rc.local script (/etc/rc.local), which ensures that the IP bindings are loaded at boot time. A sample script follows:
#!/bin/bash
# This is a script to add IP addresses for a multi-cert SSL test
# Binding for 10.10.40.64
/sbin/ip addr add 10.10.40.64/24 brd 10.10.40.255 dev eth0
# Binding for 10.10.40.65
/sbin/ip addr add 10.10.40.65/24 brd 10.10.40.255 dev eth0
Ensure that the script is executable:
[gemini]# chmod +x ipadd.sh
Then append the invocation of this script, called ipadd.sh, to the /etc/rc.local file as follows:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
# Invoke the script to create IP bindings for multiple SSL method.
/root/scripts/ipadd.sh
Now observe that the bindings are in place:
[gemini]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:11:09:14:04:09 brd ff:ff:ff:ff:ff:ff
inet 10.10.40.153/24 brd 10.10.40.255 scope global eth0
inet 10.10.40.64/24 brd 10.10.40.255 scope global secondary eth0
inet 10.10.40.65/24 brd 10.10.40.255 scope global secondary eth0
inet6 fe80::211:9ff:fe14:409/64 scope link
valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
-
2. Create key and certificate files for each site:
Please note that the openssl req command will start an interactive dialog for the company information describing the certificate. It writes the new private key to privkey.pem (its default key file); the openssl rsa command that follows re-exports that key without a passphrase as the .cert.key file, and the openssl x509 command then issues the self-signed certificate against it. In this example we are using self-signed certificates, not certificates signed by Thawte or Verisign. Also note that the key and certificate file references in the ssl.conf file excerpt listed below must use the path /etc/httpd/cert. The examples below correspond to the domains gemini-64.skybuilders.com and gemini-65.skybuilders.com.
[gemini]# cd /etc/httpd/
[gemini]# mkdir cert
[gemini]# cd cert
[gemini]# openssl req -new > gemini-64.csr
[gemini]# openssl rsa -in privkey.pem -out gemini-64.cert.key
[gemini]# openssl x509 -in gemini-64.csr -out gemini-64.cert.crt -req \
-signkey gemini-64.cert.key -days 1065
[gemini]# openssl req -new > gemini-65.csr
[gemini]# openssl rsa -in privkey.pem -out gemini-65.cert.key
[gemini]# openssl x509 -in gemini-65.csr -out gemini-65.cert.crt -req \
-signkey gemini-65.cert.key -days 1065
Check out the skyBuilders timeLines Installation Manual for Fedora Core 4, Secure Sockets Layer (SSL) Certificate Generation and accompanying links, for a detailed step by step description of certificate generation.
-
3. Apache httpd.conf edits:
The following is an excerpt from the httpd.conf file (/etc/httpd/conf/httpd.conf). Most of this excerpt was appended to the end of the file:
#NameVirtualHost *:80
### JSB listen on several addresses and protocols
NameVirtualHost 10.10.40.64:80
NameVirtualHost 10.10.40.64:443
NameVirtualHost 10.10.40.65:80
NameVirtualHost 10.10.40.65:443
###########################
###########################
## ##
## ADD SITES HERE ##
## ##
###########################
###########################
<VirtualHost 10.10.40.64:80>
ServerName gemini-64.skybuilders.com
DocumentRoot /var/www/gemini-64.skybuilders.com
ServerAdmin jesse@skybuilders.com
ErrorLog logs/gemini-64.skybuilders.com-error_log
CustomLog logs/gemini-64.skybuilders.com-access_log common
DirectoryIndex index.html
AddType application/x-httpd-php .php .php4 .php3 .phtml .html .xsd .xml .rss .rdf .rdfs
</VirtualHost>
<VirtualHost 10.10.40.65:80>
ServerName gemini-65.skybuilders.com
DocumentRoot /var/www/gemini-65.skybuilders.com
ServerAdmin jesse@skybuilders.com
ErrorLog logs/gemini-65.skybuilders.com-error_log
CustomLog logs/gemini-65.skybuilders.com-access_log common
DirectoryIndex index.html
AddType application/x-httpd-php .php .php4 .php3 .phtml .html .xsd .xml .rss .rdf .rdfs
</VirtualHost>
-
4. Apache ssl.conf edits:
Likewise there are corresponding edits required for the ssl.conf file (/etc/httpd/conf.d/ssl.conf). Several things to note: 1) the SSL logs are set to the same files as the normal httpd logs for each site instance; I have done this merely to consolidate the log data; 2) each site has its own key file and certificate file (SSLCertificateFile: /etc/httpd/cert/gemini-65.cert.crt and SSLCertificateKeyFile: /etc/httpd/cert/gemini-65.cert.key). These were created by the process described above.
#################
#################
### ###
### gemini-64 ###
### ###
#################
#################
<VirtualHost 10.10.40.64:443>
ServerName gemini-64.skybuilders.com:443
DocumentRoot /var/www/gemini-64.skybuilders.com
ErrorLog logs/gemini-64.skybuilders.com-ssl_error_log
TransferLog logs/gemini-64.skybuilders.com-ssl_access_log
DirectoryIndex index.html
AddType application/x-httpd-php .php .php4 .php3 .phtml .html .xsd .xml .rss .rdfs .rdf
### Enable TLS for this virtual host; mod_ssl needs this in every :443 block
SSLEngine on
SSLCertificateFile /etc/httpd/cert/gemini-64.cert.crt
SSLCertificateKeyFile /etc/httpd/cert/gemini-64.cert.key
### This is self-signing
SSLCACertificateFile /etc/httpd/cert/gemini-64.cert.crt
</VirtualHost>
#################
#################
### ###
### gemini-65 ###
### ###
#################
#################
<VirtualHost 10.10.40.65:443>
ServerName gemini-65.skybuilders.com:443
DocumentRoot /var/www/gemini-65.skybuilders.com
ErrorLog logs/gemini-65.skybuilders.com-ssl_error_log
TransferLog logs/gemini-65.skybuilders.com-ssl_access_log
DirectoryIndex index.html
AddType application/x-httpd-php .php .php4 .php3 .phtml .html .xsd .xml .rss .rdfs .rdf
### Enable TLS for this virtual host; mod_ssl needs this in every :443 block
SSLEngine on
SSLCertificateFile /etc/httpd/cert/gemini-65.cert.crt
SSLCertificateKeyFile /etc/httpd/cert/gemini-65.cert.key
### This is self-signing
SSLCACertificateFile /etc/httpd/cert/gemini-65.cert.crt
</VirtualHost>
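The IP bindings from step 1 and the httpd.conf and ssl.conf blocks from steps 3 and 4 have to agree with each other, and the copy-and-paste errors that creep into per-site blocks (a ServerName reused across sites, an unclosed block, a :443 block with no SSLEngine or certificate) are easy to miss by eye. The following checker is an added example, not part of this manual: it parses `ip addr show` output and VirtualHost blocks and reports each mismatch, using constructed sample input modelled on the excerpts above.

```python
import re
from collections import defaultdict
# Constructed sample input modelled on this page's `ip addr show` output and
# vhost blocks; the repeated ServerName and the missing SSLEngine are deliberate.
IP_ADDR_SHOW = """\
    inet 10.10.40.64/24 brd 10.10.40.255 scope global secondary eth0
    inet 10.10.40.65/24 brd 10.10.40.255 scope global secondary eth0
"""
VHOST_CONF = """\
<VirtualHost 10.10.40.64:80>
ServerName gemini-64.skybuilders.com
</VirtualHost>
<VirtualHost 10.10.40.65:80>
ServerName gemini-64.skybuilders.com
</VirtualHost>
<VirtualHost 10.10.40.65:443>
ServerName gemini-65.skybuilders.com:443
SSLCertificateFile /etc/httpd/cert/gemini-65.cert.crt
SSLCertificateKeyFile /etc/httpd/cert/gemini-65.cert.key
</VirtualHost>
"""

def bound_addresses(ip_show):
    # IPv4 addresses configured on the host, taken from `ip addr show` output
    return set(re.findall(r"^\s*inet (\d+(?:\.\d+){3})/", ip_show, re.M))
def parse_vhosts(conf):
    """Yield (ip, port, {directive: [values]}) for each closed <VirtualHost>."""
    for m in re.finditer(r"<VirtualHost\s+([\d.]+):(\d+)>(.*?)</VirtualHost>", conf, re.S):
        d = defaultdict(list)
        for line in (raw.strip() for raw in m.group(3).splitlines()):
            if line and not line.startswith("#"):
                key, _, val = line.partition(" ")
                d[key].append(val.strip())
        yield m.group(1), int(m.group(2)), d
def check(ip_show, conf):
    """Cross-check vhost blocks against bound IPs; return a list of findings."""
    problems, owner, bound = [], {}, bound_addresses(ip_show)
    if conf.count("<VirtualHost") != conf.count("</VirtualHost>"):
        problems.append("unbalanced <VirtualHost> blocks")
    for ip, port, d in parse_vhosts(conf):
        tag = f"{ip}:{port}"
        if ip not in bound:
            problems.append(f"{tag}: address not bound on any interface")
        name = (d.get("ServerName", [""])[0].split(":")[0], port)
        if name in owner:
            problems.append(f"{tag}: ServerName {name[0]} already used by {owner[name]}")
        owner.setdefault(name, tag)
        for req in ("SSLEngine", "SSLCertificateFile", "SSLCertificateKeyFile"):
            if port == 443 and req not in d:
                problems.append(f"{tag}: missing {req}")
    return problems
```

On a live host, feed it the real `ip addr show` output and the concatenated httpd.conf and ssl.conf text; an empty result means the bindings and the site blocks are consistent.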
-
5. PostgreSQL config edits:
Two config files, postgresql.conf and pg_hba.conf, must be modified if using timeLines sites in this context.
For /var/lib/pgsql/data/postgresql.conf change the line:
listen_addresses = '10.10.40.64'
to:
listen_addresses = '10.10.40.64, 10.10.40.65'
For /var/lib/pgsql/data/pg_hba.conf add a line after the existing one at the end of the file:
host all all 10.10.40.64 255.255.255.255 md5
yielding:
host all all 10.10.40.64 255.255.255.255 md5
host all all 10.10.40.65 255.255.255.255 md5