I have been searching quite a bit now but couldn't find any answers.
I'm using httpd 2.2.15 and CentOS 6.2.
I have configured Apache for mass virtual hosting, i.e.:
UseCanonicalName off
VirtualDocumentRoot /var/www/html/%0
I will have the same "main" domain with different subdomains pointing to the virtual hosts. I have created a self-signed cert for testing purposes with common name *.mydomain.com. There's one IP for the entire server.
How can I configure Apache to use SSL for my vhosts?
And if possible, in addition to the above, I would like to achieve this as well:
1. Can I define a directory, or preferably some files (e.g. login page), that should be excluded from the SSL? All vhosts are basically different instances of the same application (except the ones I mention in 2 below).
2. Can I define some vhosts that should not use SSL (I have full control of the subdomain name for those)? This will be two applications, my home page (www) and some administrative application. If it's not possible to make exceptions, I guess I will just put those on another server.
Except the ones I mentioned in 2 above, all virtual hosts will be created automatically based on users request.
Based on @Shane's comment, I update: If the user uses https:// when they shouldn't, it's good if they are redirected to http://. If that's not possible I guess it's ok if they get an error message. It's of course ok if BOTH http and https work, as long as http works for the unprotected files (this may be the preferred choice actually).
I could find examples of how to do this using mod_rewrite, with the exception that it wasn't for mass domains (i.e. <VirtualHost> was used).
What are the tricks for achieving this?
If not possible, I would be most happy to get some hints about how to do this.
Best Answer
First off, you need to make sure your current configuration is prepared to have an SSL listener added in. You haven't specified if you're using the main server, or a <VirtualHost>, but if you're using the main server then you'll need to switch to a <VirtualHost>.
Then, we'll add you a new VirtualHost running SSL.
So, that gets us to the point where the content is all being served via both HTTP and HTTPS. Now, in order to force HTTPS for certain domains, we can use mod_rewrite.
Important security information! You need to be very careful here from a security perspective. If you're simply redirecting everything on HTTP to the HTTPS equivalent, you can potentially 'hide' cases where a request is sent over HTTP instead of HTTPS due to hardcoded resource locations - and if there's sensitive data in that request, then it was just sent over the internet, unencrypted. You'll need to weigh this risk against your ability to catch and correct these kinds of issues, the user-unfriendliness of an error page if something is messed up, and the sensitivity of the data.
To force SSL for certain locations, you'll want to insert mod_rewrite configuration into the port 80 vhost (I've commented in its configuration above). You can build pretty much any kind of behavior you want, as far as directories or domains excluded; I'll provide a few examples:
Or, if you wanted to do the friendly redirect just for requests to the base directory, and the error behavior for others:
If these examples don't fit your needs, let me know.
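One way to put the pieces above together for httpd 2.2 mass virtual hosting, as an added example that is not part of the original answer. The certificate paths, the `admin` host name and the `/login.html` path are assumptions; it also assumes `Listen 80` and `Listen 443` are already set and that no other vhost claims those ports.

```apache
# Added example; paths and the "admin" / "login.html" names are assumptions.

<VirtualHost *:80>
    UseCanonicalName Off
    VirtualDocumentRoot /var/www/html/%0

    RewriteEngine On

    # Hosts that stay on plain HTTP: serve the request unchanged.
    RewriteCond %{HTTP_HOST} ^(www|admin)\.mydomain\.com(:80)?$ [NC]
    RewriteRule ^ - [L]

    # A file that is deliberately served without SSL on every vhost.
    RewriteRule ^/login\.html$ - [L]

    # Friendly redirect for the base directory only. The condition
    # captures the host without a port so the target is not https://host:80/.
    RewriteCond %{HTTP_HOST} ^([^:]+)
    RewriteRule ^/$ https://%1/ [R=301,L]

    # Anything else over HTTP is refused rather than redirected, so a
    # hardcoded http:// resource link shows up as a 403 and gets fixed
    # instead of being silently repeated in clear text on every page load.
    RewriteRule ^ - [F]
</VirtualHost>

<VirtualHost *:443>
    UseCanonicalName Off
    VirtualDocumentRoot /var/www/html/%0

    # One wildcard certificate (*.mydomain.com) covers every subdomain,
    # so a single SSL vhost on the one IP is enough.
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/wildcard.mydomain.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/wildcard.mydomain.com.key

    RewriteEngine On

    # Hosts that should not use SSL are sent back to HTTP.
    RewriteCond %{HTTP_HOST} ^((www|admin)\.mydomain\.com) [NC]
    RewriteRule ^(.*)$ http://%1$1 [R=302,L]
</VirtualHost>
```

Check the syntax with `httpd -t` before reloading.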