lighttpd forum lighty > SSL config with multiple virtual domains

Posted by Andrew Hodgkinson
on 17.05.2008 21:34
I have a Lighty configuration file which supports various virtual 
domains routed to the same IP address as follows:

  <preamble snipped>

  $HTTP["host"] == "foo.pond.org.uk" {
    server.document-root = "/home/me/www/foo"
    # etc.
  }
  else $HTTP["host"] == "bar.pond.org.uk" {
    server.document-root = "/home/me/www/bar"
    # etc.
  }

I've been running a self-signed SSL certificate on the site for some 
time, but it's really nasty because, of course, all browsers complain 
about it and besides, the certificate only covers "pond.org.uk". That 
means browsers complain about a domain name mismatch in addition to 
everything else. With ever-newer browser versions, the warnings start 
sounding ever more serious and in some cases (MSIE 7, Firefox 3 beta) 
just look like impenetrable error pages. That's no good!

Step 1 towards a long-term solution is to use a real CA, albeit a poorly 
adopted one (CAcert), to generate certificates specifically for 
"foo.pond.org.uk" and "bar.pond.org.uk". But how do I use these in 
Lighty?

The following *does not* work:

  $HTTP["host"] == "foo.pond.org.uk" {
    server.document-root = "/home/me/www/foo"

    $SERVER["socket"] == "<ip.addr>:443" {
      ssl.engine  = "enable"
      ssl.pemfile = "/home/me/certificates/foo.pond.org.uk.pem"
      ssl.ca-file = "/home/adh/certificates/www.cacert.org.cert"
      server.name = "foo.pond.org.uk"
    }

    # etc.
  }
  else $HTTP["host"] == "bar.pond.org.uk" {

    $SERVER["socket"] == "<ip.addr>:443" {
      ssl.engine  = "enable"
      ssl.pemfile = "/home/me/certificates/bar.pond.org.uk.pem"
      ssl.ca-file = "/home/adh/certificates/www.cacert.org.cert"
      server.name = "bar.pond.org.uk"
    }

    server.document-root = "/home/me/www/bar"
    # etc.
  }

Lighty just seems to "see" the first $SERVER line, regardless of its 
context, and always uses the "foo.pond.org.uk" certificate - even if a 
request is made to "bar.pond.org.uk".

Is there a way around this? Wildcard SSL certificates are expensive and, 
in some respects, less secure / obvious to the end user.

TIA...
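The post observes that Lighty honours only the first $SERVER["socket"] block for a given socket, however the blocks are nested inside $HTTP["host"] conditions. The following is an added example, not code from the original post or from the lighttpd project: a small Python check that scans a config in exactly this layout and reports every socket whose ssl.pemfile is declared under more than one host condition. The config it scans is a constructed copy of the "does not work" snippet above, trimmed to the relevant lines.

```python
import re

# Constructed sample in the shape of the config quoted in the post
# (the "does not work" version, trimmed to the lines that matter).
SAMPLE_CONFIG = '''
$HTTP["host"] == "foo.pond.org.uk" {
  server.document-root = "/home/me/www/foo"
  $SERVER["socket"] == "<ip.addr>:443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/home/me/certificates/foo.pond.org.uk.pem"
  }
}
else $HTTP["host"] == "bar.pond.org.uk" {
  $SERVER["socket"] == "<ip.addr>:443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/home/me/certificates/bar.pond.org.uk.pem"
  }
  server.document-root = "/home/me/www/bar"
}
'''

# One conditional opener per line, e.g.  else $HTTP["host"] == "x" {
COND_RE = re.compile(r'^(?:else\s+)?\$(HTTP|SERVER)\["(\w+)"\]\s*[=!]=~?\s*"([^"]*)"\s*\{$')
ASSIGN_RE = re.compile(r'^([\w.\-]+)\s*=\s*"([^"]*)"$')

def socket_cert_bindings(config_text):
    """Map each $SERVER["socket"] value to the (enclosing host condition,
    ssl.pemfile) pairs declared for it. More than one pair per socket is
    the pattern the post describes: only the first certificate is used."""
    stack, bindings = [], {}
    for raw in config_text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = COND_RE.match(line)
        if m:
            kind, field, value = m.groups()
            if (kind, field) == ('SERVER', 'socket'):
                hosts = [v for k, f, v in stack if (k, f) == ('HTTP', 'host')]
                bindings.setdefault(value, []).append([hosts[-1] if hosts else None, None])
            stack.append((kind, field, value))
        elif line == '}':
            stack.pop()
        else:
            m = ASSIGN_RE.match(line)
            if m and m.group(1) == 'ssl.pemfile' and stack and stack[-1][:2] == ('SERVER', 'socket'):
                bindings[stack[-1][2]][-1][1] = m.group(2)   # attach to innermost socket block
    return {s: [tuple(p) for p in pairs] for s, pairs in bindings.items()}

def conflicting_sockets(config_text):
    """Only the sockets whose certificate is declared under more than one host."""
    return {s: p for s, p in socket_cert_bindings(config_text).items() if len(p) > 1}

if __name__ == '__main__':
    for sock, pairs in conflicting_sockets(SAMPLE_CONFIG).items():
        print(f'{sock}: {len(pairs)} certificates declared, only the first will be used')
        for host, pem in pairs:
            print(f'  host {host!r} -> {pem}')
```

Run against the sample it reports the one shared socket with both pemfiles; a config with a single top-level socket block reports nothing.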

Posted by Andy Cox
on 29.05.2008 10:10
Hi

I may be wrong, yet I don't think you can share the same IP with 2 
(two) SSL vhosts. Each certificate will need its own IP address in 
order to work. That's the way SSL works, and not only on lighty.

Regards
Andy