[UE] TLS per vhost and SNI

Added by the-jeffrey 6 months ago

Hi, I have noticed in your git repository, in the file `lighttpd1.4/doc/config/vhosts.d/vhosts.template`, there is some sample configuration for TLS certificates per vhost.

In the documentation here, `https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#SSL-on-multiple-domains`, it explains how the TLS certificates per vhost must be declared inside `$SERVER["socket"]` in `lighttpd.conf`.

I could not get the configuration proposed in the vhosts.template to work.

```
$ lighttpd -v
lighttpd/1.4.65 (ssl) - a light and fast webserver
```

Is the vhosts.template just plain misleading, or am I doing something wrong?


Replies (5)

RE: TLS per vhost and SNI - Added by gstrauss 6 months ago

> am I doing something wrong?

Did you share what you are doing? How to get help

RE: TLS per vhost and SNI - Added by gstrauss 6 months ago

The documentation is correct in both places. Still, I have adjusted Docs_SSL to try to make it clearer for the default use case.

(If you need different certs on different ports for the same SNI hostname, then $SERVER["socket"] conditionals must be used to differentiate, but that is not a common use case.)

RE: TLS per vhost and SNI - Added by the-jeffrey 6 months ago

> gstrauss wrote in RE: TLS per vhost and SNI:
>
> > am I doing something wrong?
>
> Did you share what you are doing? How to get help

Alright I should clarify exactly what I did.

Intention: to have 2 virtual hosts with different domains on the same IP (test-1.com and test2.com). Both domains should have their own SSL certificates.

What I did: Following the vhosts.template, I declare the domains test-1.com and test-2.com and the location of their certificates. Following the information in the default lighttpd.conf, I also add the following lines to lighttpd.conf:

#### lighttpd.conf

```
server.modules += ( "mod_openssl" )
$SERVER["socket"] == "*:443" {
  ssl.engine  = "enable"
  ssl.privkey = "/path/to/privkey.pem"
  ssl.pemfile = "/path/to/fullchain.pem"
}
```

#### test-1.conf

```
$HTTP["host"] == "test-1.com" {
  var.server_name = "test-1.com"
  server.name = server_name
  server.document-root = vhosts_dir + "/web/" + server_name + "/htdocs"

  ssl.pemfile = vhosts_dir + "/web/" + server_name + "/certs/fullchain1.pem"
  ssl.privkey = vhosts_dir + "/web/" + server_name + "/certs/privkey1.pem"

  accesslog.filename          = log_root + "/" + server_name + "/access.log"
  server.errorlog             = log_root + "/" + server_name + "/error.log"
}
```

Outcome: as mentioned in the documentation at `https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#SSL-on-multiple-domains`, when visiting test-1.com or test-2.com the browser is served the certificate declared in lighttpd.conf instead of the one declared in the vhost config file, causing a browser warning.

What I should have done instead (according to my understanding): following the documentation linked above, do the following in lighttpd.conf:

```
$SERVER["socket"] == "*:443" {
  ssl.engine  = "enable"
  ssl.privkey = "/path/to/privkey.pem"
  ssl.pemfile = "/path/to/fullchain.pem"

  $HTTP["host"] == "test-1.com" {
    ssl.privkey = "/path/to/privkey1.pem"
    ssl.pemfile = "/path/to/fullchain1.pem"
  }
  $HTTP["host"] == "test-2.com" {
    ssl.privkey = "/path/to/privkey2.pem"
    ssl.pemfile = "/path/to/fullchain2.pem"
  }
}
```

If this is the correct course of action, I think the vhost.template is confusing.

If it is necessary to use the conditional `$SERVER["socket"] == "*:443"` a second time within the scope of the vhost declaration, it should be noted explicitly, perhaps by including it in the vhost template.
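One way to confirm the outcome described above, i.e. which certificate lighttpd actually presents for each SNI name, is to probe the server once per hostname and check whether the offered certificate's subjectAltName covers that name (browsers ignore the subject CN). This is an added example, not code from the thread or from the lighttpd project; the host, port and domain names are assumptions, and it relies on `openssl s_client` and `openssl x509 -ext`, which need OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# check_sni.sh: ask a TLS server for each SNI name and report which certificate
# it presents, so a mis-scoped ssl.pemfile shows up before a browser warning does.
# Added example; the target host/port and vhost names are assumptions.

served_cert() {
  # $1 = host:port, $2 = SNI name. Prints subject and SAN of the offered cert.
  openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -ext subjectAltName 2>/dev/null
}

name_in_san() {
  # $1 = text containing "DNS:" entries (as printed by openssl x509 -ext),
  # $2 = hostname. Returns 0 when a DNS SAN covers the name. A wildcard is
  # honoured only as the left-most label and matches exactly one label.
  san=$1; host=$2
  for entry in $(printf '%s\n' "$san" | tr ',' '\n' \
                   | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'); do
    case $entry in
      \*.*)
        suffix=${entry#\*.}
        rest=${host%".$suffix"}          # label(s) left of the wildcard suffix
        if [ "$rest" != "$host" ] && [ -n "$rest" ] \
           && [ "${rest#*.}" = "$rest" ]; then
          return 0
        fi ;;
      *)
        if [ "$entry" = "$host" ]; then return 0; fi ;;
    esac
  done
  return 1
}

check_vhost() {
  # $1 = host:port, $2 = vhost name. 0 if the cert served for that SNI covers it.
  name_in_san "$(served_cert "$1" "$2")" "$2"
}

# Usage: sh check_sni.sh 127.0.0.1:443 test-1.com test-2.com
if [ $# -ge 2 ]; then
  target=$1; shift
  for name in "$@"; do
    if check_vhost "$target" "$name"; then
      echo "OK   $name: served certificate covers $name"
    else
      echo "FAIL $name: served certificate does not cover $name (wrong cert or no TLS)"
    fi
  done
fi
```

A FAIL for every name but an OK for none is the symptom from the post above: the socket-level certificate is being served regardless of SNI, so the `$HTTP["host"]` blocks carrying `ssl.pemfile` are not being applied.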

RE: TLS per vhost and SNI - Added by gstrauss 6 months ago

You presumed the documentation was wrong. It was not and is not wrong. The distinction is not meaningful if you have a single TLS socket on port 443.

> am I doing something wrong?

Very likely.

You failed to follow the instructions in How to get help.

My guess is that your lighttpd config did not include your vhosts.template file or wherever you put that part of your intended config.

RE: [UE] TLS per vhost and SNI - Added by the-jeffrey 6 months ago

I must apologize, I was frustrated and confused.

I tried to reconfigure from scratch and realized the documentation is not misleading at all and that I just must have made some mistake beforehand that I can't even replicate any longer.

Though my current configuration may not be optimal, it does exactly what I need it to do.

If anybody ever sees the previous post, please disregard it, it is bad. Follow the information inside the default lighttpd.conf and vhost.template instead.
