SSL on 1 host and non-SSL on virtual hosts

Added by saml33 over 15 years ago

Hello,

I have a question about how lighttpd manages SSL and non-SSL hosts:

I have a few virtual hosts listening on :80, and one host dedicated to :443.
In my config, I tried this:

$SERVER["socket"] == "PUB_IP:443" {
   server.errorlog      = "/var/log/lighttpd/serror.log" 
   accesslog.filename   = "/var/log/lighttpd/saccess.log" 
   ssl.engine           = "enable" 
   ssl.ca-file          = "/etc/lighttpd/ssl/ca-certs.crt" 
   ssl.pemfile          = "/etc/lighttpd/ssl/domain.tld.pem" 
   server.document-root = "/dev/null" 

   $HTTP["host"] =~ "^sub\.domain\.tld$" {
      server.document-root = "/var/www/" 
      server.name = "sub.domain.tld" 
   }
}

And for the non-SSL hosts:

$HTTP["host"] =~ "^anothersub\.domain\.tld$" {
        server.document-root = "/var/www/servers/anothersub.domain.tld/" 
        auth.require = ( "" =>
                (
                "method" => "digest",
                "realm" => "anothersub.domain.tld",
                "require" => "user=toto" 
                )
        )
        $HTTP["url"] =~ "^/root/" {
                dir-listing.activate = "enable" 
        }
}

Redirect http to https:

$HTTP["host"] =~ "^sub\.domain\.tld$" {
        $HTTP["scheme"] == "http" {
                url.redirect = ( "^/(.*)" => "https://sub.domain.tld/$1" )
        }
}


=> Debian Lenny on an i386 server, lighttpd installed with aptitude (SSL included)
=> modules enabled: simple-virtualhosts, status, ssl, auth, fastcgi

. virtual hosts work really well
. when I load the SSL host, all my hosts listen on http and https instead of only sub.domain.tld
. my certificates disappeared when accessing the website sub.domain.tld
. if I try $SERVER["socket"] == "PUB_IP:80" { ...all my vhosts ... } to separate sockets and hosts, it doesn't work

Questions:
. Is that normal? I just need the dedicated host to listen on 443, not the others!
. The objective of this SSL host is to provide OpenERP; it seems I have to use the proxy module.
If anyone has tried this webapp with lighttpd, any counsel would be really appreciated ...

Thanks!


Replies (2)

RE: SSL on 1 host and non-SSL on virtual hosts - Added by saml33 over 15 years ago

It's partially solved.

But the main problem is still here:
https is applied for all hosts instead of only one.

Does anyone know a solution?

Thanks,

RE: SSL on 1 host and non-SSL on virtual hosts - Added by nitrox over 15 years ago

Well, read about the voodoo that's going on during the phase of establishing an SSL connection. The SSL "tunnel" is based on ip:port and happens before your client actually sends a request (which contains e.g. the host header you need for your vhost). So you need to listen on :443, allow the SSL "tunnel" to be built, and only afterwards do you get the requests and host headers on which you can decide what to do (e.g. deny access, redirect ...).

You can't proxy SSL connections through lighty, but that also becomes clear if you read about SSL.
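
One way to apply the reply above, as an added example that is not part of the thread: the :443 socket accepts the TLS handshake for every name pointing at the IP, then denies by default and lifts the deny only for the intended host. It assumes mod_access is already listed in server.modules; PUB_IP, the paths and the host names are the placeholders from the question.

```lighttpd
# Added example (not from the original posts).
# Assumption: "mod_access" is present in server.modules.

$SERVER["socket"] == "PUB_IP:443" {
    ssl.engine           = "enable"
    ssl.ca-file          = "/etc/lighttpd/ssl/ca-certs.crt"
    ssl.pemfile          = "/etc/lighttpd/ssl/domain.tld.pem"
    server.errorlog      = "/var/log/lighttpd/serror.log"
    accesslog.filename   = "/var/log/lighttpd/saccess.log"
    server.document-root = "/dev/null"

    # Deny by default. By the time the Host header can be read, the
    # handshake has already completed with the certificate above, so
    # any other vhost name reaching this socket gets a 403 over TLS.
    # This also covers requests that carry no Host header at all.
    url.access-deny = ( "" )

    # Lift the deny only for the one host meant to be served over SSL.
    # The optional ":443" covers clients that send the port in Host.
    $HTTP["host"] =~ "^sub\.domain\.tld(:443)?$" {
        url.access-deny      = ( )
        server.document-root = "/var/www/"
        server.name          = "sub.domain.tld"
    }
}
```

Clients that request another vhost over https still see the sub.domain.tld certificate before the 403, because the certificate is chosen per ip:port as the reply explains.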
