3 replies Latest Post - ‏2011-09-30T15:08:35Z by Sunit
Condor70

Pinned topic Why can't I use <VirtualHost *:443>

2011-09-29T11:31:24Z
I configured my IBM HTTP Server for iSeries as follows:

LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
NameVirtualHost *
Listen *:443 https
...
# VirtualHost using *
<VirtualHost *:443>
ServerName www.myserver.com
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_MYSERVER
...
</VirtualHost>

But this resulted in an invalid SSLv3 response from the server.

After some trial and error I did find out that the following works:

LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
NameVirtualHost *
Listen *:443 https
...
# VirtualHost for exact IP address of each network card
<VirtualHost 10.0.0.1:443>
ServerName www.myserver.com
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_MYSERVER
...
</VirtualHost>
<VirtualHost 10.0.0.2:443>
ServerName www.myserver.com
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_MYSERVER
...
</VirtualHost>
<VirtualHost 10.0.0.3:443>
ServerName www.myserver.com
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_MYSERVER
...
</VirtualHost>

This works, but it's not really ideal, because I have to repeat the entire VirtualHost configuration several times.

Is this the only solution or did I configure something incorrectly?
  • SystemAdmin

    Re: Why can't I use <VirtualHost *:443>

    ‏2011-09-29T14:12:48Z  in response to Condor70
    Not sure if there are iSeries-specific issues here, but note that the argument to <VirtualHost> has to exactly match the argument to NameVirtualHost to have it actually be a NameVirtualHost. In both of your examples, the SSL vhosts would not be name-based virtual hosts.

    Was the invalid SSL response an HTTP error message or really SSLv3 but w/o your configuration?

    Again, iSeries aside -- this symptom somewhat implies another port 443 vhost existing that matched better than the wildcard *:443 but not the specific IP addresses.
    • Condor70

      Re: Why can't I use <VirtualHost *:443>

      ‏2011-09-29T16:08:42Z  in response to SystemAdmin
      Not shown in the example, but I have other vhosts on port 80 that work just fine, e.g.

      <VirtualHost *:80>
      ServerName www.myserver.com
      RewriteEngine On
      RewriteRule ^(.*)$ https://www.myserver.com$1 [R,L]
      ...
      </VirtualHost>
      <VirtualHost *:80>
      ServerName www.otherserver.com
      ...
      </VirtualHost>

      1. The Apache documentation is a bit cryptic on what NameVirtualHost and VirtualHost actually do. I have a single server with multiple network cards that is serving websites on multiple domains. Did I configure IHS correctly?

      2. No, it was a real SSL error. The server replied to the browser ClientHello message with an "Invalid message" SSLv3 response.

      3. I suspected that too, but as I said, I only have <VirtualHost *:80> entries besides the <VirtualHost *:443> entry I wanted to add.
      • Sunit

        Re: Why can't I use <VirtualHost *:443>

        ‏2011-09-30T15:08:35Z  in response to Condor70
        NameVirtualHost is meant to share one instance of the HTTP server among different names. In a shared environment you might want to use a single IP address with different names configured in the DNS server and, at the same time, have a slightly different configuration for each server.

        www.server1.com, www.server2.com and www.server3.com all resolve to the same IP address but each serves different content.

        If you have a server with multiple network cards and you want to serve differently named websites on each IP address, then use the VirtualHost directive bound to the specific IP address. This is very important when configuring SSL, because the SSL handshake happens before HTTP communication takes place, so the server name used by the browser is not known at that time and the server will use the SSL certificate used with that specific network interface.

        To debug the SSL error message please post your actual configuration.
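
A lint check for the two rules raised in the replies above (the exact-match rule between NameVirtualHost and <VirtualHost>, and the point that the SSL handshake precedes the HTTP request), as an added example that is not part of the original thread or of IBM HTTP Server. The function name `lint_vhosts` and the finding strings are assumptions, the sample is constructed from the first configuration posted, and the check compares argument strings only rather than modelling the server's full vhost matching.

```python
import re

# Constructed sample: the first configuration posted in this thread.
SAMPLE_CONF = """\
NameVirtualHost *
Listen *:443 https
<VirtualHost *:443>
ServerName www.myserver.com
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_MYSERVER
</VirtualHost>
"""

def lint_vhosts(conf):
    """Return findings for NameVirtualHost/VirtualHost mismatches (hypothetical helper)."""
    name_addrs, vhosts, current = set(), [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>$", line, re.I)
        if opened:
            current = {"addrs": opened.group(1).split(), "ssl": False, "app": None}
            vhosts.append(current)
        elif re.match(r"</VirtualHost>$", line, re.I):
            current = None
        else:
            parts = line.split()
            key, args = parts[0].lower(), parts[1:]
            if key == "namevirtualhost" and current is None:
                name_addrs.update(args)
            elif current is not None and key == "sslengine":
                current["ssl"] = bool(args) and args[0].lower() == "on"
            elif current is not None and key == "sslappname" and args:
                current["app"] = args[0]
    findings, ssl_apps = [], {}
    for vh in vhosts:
        for addr in vh["addrs"]:
            # Rule 1: the argument must equal a NameVirtualHost argument exactly.
            if addr not in name_addrs:
                findings.append(f"{addr}: no exact NameVirtualHost match, not name-based")
            if vh["ssl"]:
                ssl_apps.setdefault(addr, set()).add(vh["app"])
    # Rule 2: the handshake happens before the Host header is seen, so one
    # address:port cannot choose between SSL applications by server name.
    for addr, apps in sorted(ssl_apps.items()):
        if len(apps) > 1:
            findings.append(f"{addr}: {len(apps)} SSL applications on one address")
    return findings
```
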
