Koozali.org: home of the SME Server

ssl cert virtual domains

Offline crazybob

ssl cert virtual domains
« on: May 18, 2010, 02:35:41 AM »
Would it be possible to set up certs for virtual domains based on this http://onlamp.com/pub/a/apache/2005/02/17/apacheckbk.html article?

TAI


Bob
If you think you know what's going on, you obviously have no idea what's going on!

Offline CharlieBrady

Re: ssl cert virtual domains
« Reply #1 on: May 18, 2010, 04:12:36 AM »
> Would it be possible to set up certs for virtual domains based on this http://onlamp.com/pub/a/apache/2005/02/17/apacheckbk.html article?

SME server already sets up virtual domains exactly as specified in that article - in the last code block, just before the paragraph "In other words, exactly the way you'd set up regular virtual hosts, except turning on SSL in each one".

Offline crazybob

Re: ssl cert virtual domains
« Reply #2 on: May 18, 2010, 12:51:10 PM »
but would it be possible to use a different ssl cert and port as in the first block of code? :-)

Offline Stefano

Re: ssl cert virtual domains
« Reply #3 on: May 18, 2010, 01:20:05 PM »
AFAIR there should be already some posts about your request and a NFR in bugzilla..
please search, thank you :-)

Offline CharlieBrady

Re: ssl cert virtual domains
« Reply #4 on: May 18, 2010, 02:30:41 PM »
> but would it be possible to use a different ssl cert and port as in the first block of code? :-)

Yes, you can do that with a custom template.

Offline crazybob

Re: ssl cert virtual domains
« Reply #5 on: May 19, 2010, 12:53:10 PM »
I have created templates in the past for httpd, but they always affect all ibays. I have been searching, but I have not been able to find a way to make a template fragment that will affect only a specific ibay/vhost. Looking for a push in the right direction :-)

Offline cactus

Re: ssl cert virtual domains
« Reply #6 on: May 19, 2010, 03:06:15 PM »
> I have created templates in the past for httpd, but they always affect all ibays. I have been searching, but I have not been able to find a way to make a template fragment that will affect only a specific ibay/vhost. Looking for a push in the right direction :-)

Create the proper directory structure in the templates-custom folder and instead of the VirtualHosts folder create the folder with, for instance, the name of your domain.

Copy the relevant fragments from the original VirtualHosts container to the folder for your domain and modify according to your wishes.

Add a property TemplatePath with the name of your domain to the domain in the domains database:

Code: [Select]
db domains setprop domain.tld TemplatePath directoryname
signal-event domain-modify domain.tld

IIRC that is how you can override one domain.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline crazybob

Re: ssl cert virtual domains
« Reply #7 on: May 19, 2010, 05:35:40 PM »
I will give it a try on a test server. Thanks :D

Offline crazybob

Re: ssl cert virtual domains
« Reply #8 on: May 23, 2010, 11:09:34 PM »
I created a folder called test in /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/
In the test folder I placed a file called test1 with the following code
Code: [Select]
{
    my $listen_default = "Listen 0.0.0.0:445";

    my $mode = $SystemMode || "serveronly";

    return $listen_default if ($mode eq "serveronly");

    my $httpdAccess = ${'httpd-e-smith'}{access} || 'private';

    return $listen_default unless ($httpdAccess eq "private");

    # Only selectively bind interfaces if we are in private server/gateway mode

    my @ipAddresses = ("127.0.0.1", $LocalIP);

    # Remove any duplicate IP addresses
    my %ipAddresses = map { $_ => 1 } @ipAddresses;
    foreach my $ip (sort keys %ipAddresses)
    {
        $OUT .= "Listen $ip:445\n";
    }
}

issued command
Code: [Select]
db domains setprop test.com /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf test
followed by
Code: [Select]
signal-event domain-modify test.com
Nothing changes in httpd.conf

Edit to replace code in first block
« Last Edit: May 24, 2010, 12:00:45 AM by crazybob »

Offline CharlieBrady

Re: ssl cert virtual domains
« Reply #9 on: May 24, 2010, 12:06:09 AM »
> Nothing changes in httpd.conf

What you have done does not match what cactus suggested you do.

Note, however, that if you wish to use the TemplatePath option, then you need to provide a full set of template fragments for domains.

Your code, in any case, does nothing to provide a different port for each virtual domain. All you seem to be trying to do, albeit imperfectly, is use port 445 instead of port 443. That won't achieve what you are trying to achieve.

Offline crazybob

Re: ssl cert virtual domains
« Reply #10 on: May 24, 2010, 12:14:52 AM »
Thank you for the reply Charlie. I was hoping to change the ssl port on only one v/domain. The article I referenced at the top of this thread led me to believe I could use 2 ssl certs if I use different ports. If I copy all the templates, and make the appropriate changes for the port number, and add the ssl cert paths, should that work, or is there an easier way?

Offline crazybob

Re: ssl cert virtual domains
« Reply #11 on: May 24, 2010, 02:50:53 AM »
Looking at the contents of the files in the VirtualHost folder, I see nothing to set the ssl port to 445. I do see a series of files in the httpd.conf folder that do address the ssl port. Should I be using those to change the port number?

Offline cactus

Re: ssl cert virtual domains
« Reply #12 on: May 24, 2010, 10:04:10 AM »
Disclaimer: This might work, I have not tested it.

First create the directory structure needed for the custom-template fragments:
Code: [Select]
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts/
Copy the original template fragments that need to be customized to the same relative location in the custom-templates tree:

Code: [Select]
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/
cp /etc/e-smith/templates/etc/httpd/conf/httpd.conf/80VirtualHosts .
cp /etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/25SSLDirectives VirtualHosts/

If no other custom template fragments are present for httpd.conf your custom-template tree should now look like this:
Code: [Select]
[root@smetest httpd.conf]# ls -R
.:
80VirtualHosts  VirtualHosts

./VirtualHosts:
25SSLDirectives
[root@smetest httpd.conf]#

Now edit the copied fragments with your favorite editor. Let's start with the 80VirtualHosts fragment.

Change the following line:
Code: [Select]
       foreach my $port (qw(80 443))
to:
Code: [Select]
       my $sslport = $domain->prop('SSLPort') || '443';

       my @ports = 80;
       push (@ports, $sslport);

       foreach my $port (@ports)
And below this line:
Code: [Select]
                port => $port,
add the following line:
Code: [Select]
                sslport => $sslport,
Now save this file as you are done with it.

On with the second file (./VirtualHosts/25SSLDirectives):
Change the following line:
Code: [Select]
    return "    # skipping SSL directives\n" unless $port eq "443";
to
Code: [Select]
    return "    # skipping SSL directives\n" unless $port eq $sslport;
Now save this file as you are done with it.

We have now created custom-template fragments that supersede the original template fragments when the configuration file is generated. The template fragments take an additional parameter from the domains database that specifies the SSL port to use for the domain; if none is provided the default port (443) will be used.

To modify the port number for a domain you can add/modify the SSLPort property in the domains database like this:
Code: [Select]
db domains setprop domain.tld SSLPort portnumber
Make sure to replace the domain.tld with the domain name you defined in server-manager as well as to set the port number you desire the https domain to be listening on.

After you have defined the port number you need to regenerate the configuration file and restart the web server, this can be done with the following command:
Code: [Select]
signal-event domain-modify
To remove the custom template fragments and restore SME Server's default behavior you just need to remove the custom-template fragments like this:
Code: [Select]
rm /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/80VirtualHosts
rm /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts/25SSLDirectives
signal-event domain-modify
« Last Edit: May 24, 2010, 10:07:32 AM by cactus »

Offline crazybob

Re: ssl cert virtual domains
« Reply #13 on: May 24, 2010, 12:20:55 PM »
Thanks Cactus, but it didn't work. The httpd.conf did not change

I will also need to apply paths for the ssl cert and key.

Offline cactus

Re: ssl cert virtual domains
« Reply #14 on: May 24, 2010, 12:31:26 PM »
> Thanks Cactus, but it didn't work.

What did not work? Could you be more explicit? Were there errors present in any of the steps? Did your webserver not start anymore? Were you unable to access certain sites you host? I have no crystal ball.

> I will also need to apply paths for the ssl cert and key.

That would be only a little harder, as you would need to bring those parameters inside of the VirtualHosts containers and evaluate them based on the domain name, as this is, by default, done for the whole server and not on a per-VirtualHost basis.

You will most likely need to add a custom template fragment based on the /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCertificate* files in the VirtualHosts/ folder and build the logic to get the proper files based on the domain name.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)
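
To verify the result of the SSLPort steps in Reply #12 and the per-domain certificate logic discussed in Reply #14, the generated httpd.conf can be audited per VirtualHost. The script below is an added example, not part of the thread or of SME Server: it lists each SSL-enabled VirtualHost with its port and certificate and flags any port with no matching Listen directive, which Apache needs before it accepts connections on that port. The sample configuration, the certificate path and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. sample_conf emits a constructed httpd.conf; the cert path is a placeholder.
sample_conf() {
cat <<'EOF'
Listen 0.0.0.0:80
Listen 0.0.0.0:443
<VirtualHost 0.0.0.0:80>
    ServerName domain.tld
</VirtualHost>
<VirtualHost 0.0.0.0:443>
    ServerName domain.tld
    SSLEngine on
</VirtualHost>
<VirtualHost 0.0.0.0:445>
    ServerName test.com
    SSLEngine on
    SSLCertificateFile /path/to/test.com.crt
</VirtualHost>
EOF
}

# Reads httpd.conf text on stdin. Prints one line per SSL-enabled VirtualHost:
#   ServerName  port  certificate-or-"server-default"  LISTEN-OK|NO-LISTEN
# "server-default" means the VirtualHost sets no certificate of its own.
# NO-LISTEN means no Listen directive names that port.
audit_vhosts() {
    awk '
    $1 == "Listen" { n = split($2, a, ":"); listen[a[n]] = 1 }
    $1 == "<VirtualHost" {
        addr = $2; sub(/>$/, "", addr)
        n = split(addr, a, ":"); port = a[n]
        name = "-"; ssl = 0; cert = "server-default"; invh = 1
    }
    invh && $1 == "ServerName" { name = $2 }
    invh && $1 == "SSLEngine" && tolower($2) == "on" { ssl = 1 }
    invh && $1 == "SSLCertificateFile" { cert = $2 }
    $1 == "</VirtualHost>" {
        if (ssl) { c++; rn[c] = name; rp[c] = port; rc[c] = cert }
        invh = 0
    }
    END {
        for (i = 1; i <= c; i++)
            print rn[i], rp[i], rc[i], ((rp[i] in listen) ? "LISTEN-OK" : "NO-LISTEN")
    }'
}

sample_conf | audit_vhosts
```

On the server itself, feed it the generated file: `audit_vhosts < /etc/httpd/conf/httpd.conf`.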