[lug] ssl apache paths

Lee Woodworth blug-mail at duboulder.com
Tue Aug 14 21:36:47 MDT 2007

Kevin Fenzi wrote:
> On Tue, 14 Aug 2007 07:33:24 -0600 (MDT)
> dio2002 at indra.com wrote:
>> I'm trying to setup self-signed certificates on apache for a couple
>> of php sites.
>> does anybody know if it's possible to use apache directives to
>> selectively apply the ssl protection to specific paths within a given
>> vhost versus globally assigning it to the entire domain?  if so how?
> See: 
> http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
> and the SSLEngine directive. You can enable per virtual. 
>> for example, instead of having ssl protection on the entire domain
>> site.com, i'd like to only apply it selectively to site paths:
>> site.com/login/*
>> site.com/configure/*
>> site.com/dothis.php
> You would have to do this with redirects or something. 
> Ie, when someone goes to one of those dirs via a http: link, you
> rewrite it to https and so on. Not easy to do, but possible. 
>> Also, i'm getting conflicting info about whether you can use ssl
>> certs on MULTIPLE NAMEBASED vhosts on a single server?
> no. You can't do name based ssl. 
>> I've seen info online that says you can't but then i see examples that
>> actually seem to do it.  If I can what do i need to do?  If i can't
>> what are my options?  Must i use IP based vhosting?
> Yes. Each ssl host needs to have it's own IP. 
> The name based virtual stuff takes place after the ssl handshake
> between your server and the browser. It already has to know the
> hostname it's going to to verify the ssl certificate. You can't do
> multiple ones in a single IP... 
> There is one exception. You can get a wildcard ssl cert. 
> Basically instead of being issued to one host, it's issued to
> '*.domain.com" so any host in that domain validates. 

How do multiple names in the certificate's subject alt name
interact with the vhost processing?

More information about the LUG mailing list