Apache HTTP Server: Serving Multiple HTTPS Hosts on the Same IP Address
When migrating a server to the cloud, it became necessary to host several HTTPS websites on a single physical IP address.
At the same time, it was necessary to stay on the same CentOS 5.6 operating system and the standard apache-2.2.19.
I did not find a ready solution for CentOS, therefore I propose my own solution.
According to RFC 4366 , section 3.1. Server Name Indication is possible.
For full-fledged work, this extension must support both the server and the client (browser).
Support for the SNI extension according to Wikipedia has appeared in the Apache HTTP Server since version 2.2.12.
Details are in the Apache Wiki .
The extension requires the OpenSSL library version 0.9.8f or higher.
The problem is that OpenSSL version 0.9.8e is built into CentOS 5.6, and it’s not so easy to “raise” the version. It is on this version that many other components are tied.
Build separate OpenSSL and Apache outside the package tree - unsportsmanlike.
In the process of finding a solution, I came across an alternative: the gnutls library and the mod_gnutls module.
The gnutls library is also present in the system and is also very old, although it is rather painlessly deleted along with the dependencies.
')
As a result, fresh packages of gnutls and mod_gnutls were assembled and installed, which gave the necessary functionality with minimal impact on the rest of the system. Under the cut are details on the build process and examples of configuration files.
For the assembly, you will need * -devel packages from the regular repositories, I will not list the necessary packages.
The module needs access to the file in which its own cache is maintained, the path to the file is specified by the GnuTLSCache key in the configuration file.
If selinux is enabled, you need to configure the policy:
semanage fcontext -a -f "" -t httpd_cache_t "/var/cache/mod_gnutls_cache(/.*)?"
You need to create a directory for the cache file and assign rights to it:
mkdir / var / cache / mod_gnutls_cache
chown apache: apache / var / cache / mod_gnutls_cache
chmod 700 / var / cache / mod_gnutls_cache
The default configuration file is in /etc/httpd/conf.d/mod_gnutls.conf.
When configuring you need to consider a few points:
At the same time, it was necessary to stay on the same CentOS 5.6 operating system and the standard apache-2.2.19.
I did not find a ready solution for CentOS, therefore I propose my own solution.
Theory
According to RFC 4366 , section 3.1. Server Name Indication is possible.
For full-fledged work, this extension must support both the server and the client (browser).
Practice
Support for the SNI extension according to Wikipedia has appeared in the Apache HTTP Server since version 2.2.12.
Details are in the Apache Wiki .
The extension requires the OpenSSL library version 0.9.8f or higher.
The problem is that OpenSSL version 0.9.8e is built into CentOS 5.6, and it’s not so easy to “raise” the version. It is on this version that many other components are tied.
Build separate OpenSSL and Apache outside the package tree - unsportsmanlike.
In the process of finding a solution, I came across an alternative: the gnutls library and the mod_gnutls module.
The gnutls library is also present in the system and is also very old, although it is rather painlessly deleted along with the dependencies.
')
As a result, fresh packages of gnutls and mod_gnutls were assembled and installed, which gave the necessary functionality with minimal impact on the rest of the system. Under the cut are details on the build process and examples of configuration files.
Build Packages
For the assembly, you will need * -devel packages from the regular repositories, I will not list the necessary packages.
- From the Fedora Core 15 kit ( Fedora Mirror List ) took the packages:
libtasn1-2.7-2.fc15.src.rpm
gnutls-2.10.5-1.fc15.src.rpm - From the project home page ( mod_gnutls ) I took the current version of the source code of the module.
- Installed source packages (the --nomd5 key is needed if cpio swears at md5 mismatch, since srpm is compiled in a newer version)
rpm -ivh --nomd5 libtasn1-2.7-2.fc15.src.rpm
rpm -ivh --nomd5 gnutls-2.10.5-1.fc15.src.rpm - The source code archive (mod_gnutls-0.5.9.tar.bz2) copied to / usr / src / redhat / SOURCES.
- In / usr / src / redhat / SPECS created the file mod_gnutls.spec . Based on mod_gnutls.spec from http://dev.centos.org/centos/5/testing/SRPMS/mod_gnutls-0.2.0-1.el5.centos.src.rpm .
The contents of the file at the end of the post ( mod_gnutls.spec ). - Removed old packages with dependencies:
yum erase gnutls libtasn1 - Gathered libtasn1 :
rpmbuild -bb --clean /usr/src/redhat/SPECS/libtasn1.spec - Installed libtasn1 packages:
yum localinstall --nogpgcheck /usr/src/redhat/RPMS/x86_64/libtasn1-*.rpm - Gathered gnutls :
rpmbuild -bb --clean /usr/src/redhat/SPECS/gnutls.spec - Installed gnutls packages:
yum localinstall --nogpgcheck /usr/src/redhat/RPMS/x86_64/gnutls-*.rpm - From the /usr/lib64/pkgconfig/gnutls.pc file from the Requires.private line , deleted zlib , because The installed zlib-devel does not contain a definition for pkg-config.
- Collected mod_gnutls :
rpmbuild -bb --clean /usr/src/redhat/SPECS/mod_gnutls.spec - Installed mod_gnutls packages:
yum localinstall --nogpgcheck /usr/src/redhat/RPMS/x86_64/mod_gnutls-*.rpm
Configuring the plugin
The module needs access to the file in which its own cache is maintained, the path to the file is specified by the GnuTLSCache key in the configuration file.
If selinux is enabled, you need to configure the policy:
semanage fcontext -a -f "" -t httpd_cache_t "/var/cache/mod_gnutls_cache(/.*)?"
You need to create a directory for the cache file and assign rights to it:
mkdir / var / cache / mod_gnutls_cache
chown apache: apache / var / cache / mod_gnutls_cache
chmod 700 / var / cache / mod_gnutls_cache
The default configuration file is in /etc/httpd/conf.d/mod_gnutls.conf.
Sample module configuration file mod_gnutls.conf
## Documentation Link: ## http://www.outoforder.cc/projects/apache/mod_gnutls/docs/ ## Load the module into Apache. LoadModule gnutls_module modules/libmod_gnutls.so ## Set Certificate MIME-types, may instead be in ssl.conf AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl ## Set TLS Cache info GnuTLSCache dbm "/var/cache/mod_gnutls_cache/server1_test_net.dbm" GnuTLSCacheTimeout 300 ## Configuring virtual hosts
When configuring you need to consider a few points:
- It is advisable to completely disable mod_ssl .
- Each VirtualHost must be either completely HTTP or completely HTTPS, with the “mixed” version of the HTTP protocol, SSL-encrypted data will still come.
- A virtual HTTPS host “by default” must have a certificate and key, since the initial connection happens to him.
VirtualHost configuration example
Listen 80 Listen 443 NameVirtualHost *:80 NameVirtualHost *:443 ServerName defsrv.home.net # (http://www.home.net) <VirtualHost _default_:80> Redirect permanent / http://www.home.net/ </VirtualHost> # SSL- ! <VirtualHost _default_:443> GnuTLSEnable on GnuTLSPriorities NORMAL GnuTLSCertificateFile /etc/httpd/certs/defsrv_home_net.crt GnuTLSKeyFile /etc/httpd/certs/defsrv_home_net.key Redirect permanent / https://www.home.net/ </VirtualHost> <VirtualHost *:80> ServerName www.home.net:80 UseCanonicalName On ServerAdmin webmaster@www.home.net DocumentRoot /srv/www.home.net # </VirtualHost> <VirtualHost *:443> ServerName www.home.net:443 UseCanonicalName On ServerAdmin webmaster@www.home.net DocumentRoot /srv/www.home.net GnuTLSEnable on GnuTLSPriorities NORMAL GnuTLSCertificateFile /etc/httpd/certs/www_home_net.crt GnuTLSKeyFile /etc/httpd/certs/www_home_net.key # </VirtualHost> <VirtualHost *:80> ServerName test.home.net:80 UseCanonicalName On ServerAdmin webmaster@test.home.net DocumentRoot /srv/test.home.net # </VirtualHost> <VirtualHost *:443> ServerName test.home.net:443 UseCanonicalName On ServerAdmin webmaster@test.home.net DocumentRoot /srv/test.home.net GnuTLSEnable on GnuTLSPriorities NORMAL GnuTLSCertificateFile /etc/httpd/certs/test_home_net.crt GnuTLSKeyFile /etc/httpd/certs/test_home_net.key # </VirtualHost> Spec file ( mod_gnutls.spec )
Summary: mod_gnutls is a DSO module for the apache Web server. Name: mod_gnutls Version: 0.5.9 Release: 1%{?dist} Group: System Environment/Daemons URL: http://www.outoforder.cc/projects/apache/mod_gnutls/ Source: http://www.outoforder.cc/downloads/mod_gnutls/%{name}-%{version}.tar.bz2 Source1: mod_gnutls.conf License: Apache Software License BuildRoot: %{_tmppath}/%{name}-root BuildRequires: httpd-devel > 2.0.42 BuildRequires: gnutls >= 1.2.0, gnutls-devel >= 1.2.0, gnutls-utils >= 1.2.0, apr-devel Requires: httpd-mmn = %(cat %{_includedir}/httpd/.mmn || echo missing httpd-devel) Requires: gnutls >= 1.2.0, httpd >= 2.0.42 %description mod_gnutls uses the GnuTLS library to provide SSL v3, TLS 1.0 and TLS 1.1 encryption for Apache HTTPD. It is similar to mod_ssl in purpose, but does not use OpenSSL. %prep %setup -q %build %configure --disable-srp make %install [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT mkdir -p $RPM_BUILD_ROOT%{_libdir}/httpd/modules install -m755 src/.libs/lib%{name}.so $RPM_BUILD_ROOT%{_libdir}/httpd/modules # Install the config file mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d install -m 644 %{SOURCE1} \ $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/ mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf #Create a cache directory mkdir -p -m 0700 $RPM_BUILD_ROOT%{_var}/cache/mod_gnutls_cache %clean [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root) %doc LICENSE NOTICE README %{_libdir}/httpd/modules/*.so %config(noreplace) %{_sysconfdir}/httpd/conf.d/*.conf %attr(0700, apache, apache) %{_var}/cache/mod_gnutls_cache Source: https://habr.com/ru/post/124864/
All Articles