IBM Support

Using NameVirtualHost with SSL in IBM HTTP Server

Question & Answer


Question

My IBM HTTP Server (IHS) has two hostnames using the same IP address. How can I configure IHS with two different virtualhost definitions on SSL (port 443)?

Cause

NameVirtualHost tells IHS to choose the VirtualHost stanza by matching the hostname of the request. That works well for non-SSL (HTTP) because the selection is hostname-based. SSL (HTTPS) is different: the virtualhost used for the SSL negotiation is selected by IP address and port, not by hostname.

Answer

Here is a sample IHS configuration using NameVirtualHost with SSL:

 


Listen 0.0.0.0:443
NameVirtualHost 192.168.0.21:443

KeyFile /opt/IBM/HTTPServer/key.kdb  

<VirtualHost 192.168.0.21:443>
   ServerName apples.ibm.com
   SSLEnable
   SSLServerCert apples
   DocumentRoot /docs/apples
</VirtualHost>

<VirtualHost 192.168.0.21:443>
   ServerName bananas.ibm.com
   SSLEnable
   SSLServerCert bananas
   DocumentRoot /docs/bananas
</VirtualHost>


For the SSL negotiation, IHS uses the first virtualhost that matches the IP address and port of the request. In the sample configuration above, both virtualhosts match the same IP address and port, so IHS uses only the FIRST one for SSL negotiation: it presents the "apples" certificate for all SSL requests, regardless of which hostname was used. This may cause warning messages on the client side if the certificate does not match the hostname. To resolve this, you can use a "Subject Alternative Name" SSL certificate which is valid for BOTH hostnames.

After the SSL negotiation has completed, IHS uses the virtualhost whose ServerName or ServerAlias matches the hostname of the request for all other directives, such as DocumentRoot, ErrorLog and RewriteRule. So, in the sample configuration above, if the hostname is bananas, IHS uses the DocumentRoot from the SECOND virtualhost, because it matches the hostname of the request.

For example, this request:

https://bananas.ibm.com/hello.html

will use the SSL certificate (apples) from the FIRST virtualhost, because it matches the IP address.

Then, it will serve the hello.html page from the document root (/docs/bananas) of the SECOND virtualhost, because it matches the hostname.
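The following Python script is an added example, not part of the IBM document. It parses VirtualHost stanzas and reports, for each address:port, which SSLServerCert label is presented during negotiation under the first-match behaviour described above, which hostnames that certificate must list as Subject Alternative Names, and which labels are never presented. The function names and report keys are assumptions of this example; the sample input is constructed from the stanzas in the configuration above.

```python
import re

# Constructed sample input: the VirtualHost stanzas from the configuration on this page.
SAMPLE_CONF = """\
<VirtualHost 192.168.0.21:443>
   ServerName apples.ibm.com
   SSLEnable
   SSLServerCert apples
</VirtualHost>
<VirtualHost 192.168.0.21:443>
   ServerName bananas.ibm.com
   SSLEnable
   SSLServerCert bananas
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return one dict per <VirtualHost> stanza, in file order (hypothetical helper)."""
    vhosts = []
    stanzas = re.findall(r"(?is)<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf)
    for addr, body in stanzas:
        vh = {"addr": addr.strip(), "names": [], "ssl": False, "cert": None}
        for line in body.splitlines():
            parts = line.split() or [""]   # blank and comment lines match no key
            key = parts[0].lower()
            if key in ("servername", "serveralias"):
                vh["names"] += [n.lower() for n in parts[1:]]
            elif key == "sslenable":
                vh["ssl"] = True
            elif key == "sslservercert" and len(parts) > 1:
                vh["cert"] = parts[1]
        vhosts.append(vh)
    return vhosts

def audit(conf):
    """Per address:port: handshake cert label, names it must cover, shadowed labels."""
    groups = {}
    for vh in parse_vhosts(conf):
        if vh["ssl"]:
            groups.setdefault(vh["addr"], []).append(vh)
    report = {}
    for addr, vhs in groups.items():
        first = vhs[0]["cert"]  # the first matching stanza is used for SSL negotiation
        report[addr] = {
            "handshake_cert": first,
            "required_sans": sorted({n for vh in vhs for n in vh["names"]}),
            "shadowed_certs": [vh["cert"] for vh in vhs[1:] if vh["cert"] not in (None, first)],
        }
    return report
```

A non-empty `shadowed_certs` list means a configured certificate label is never used for negotiation on that address:port, so the `handshake_cert` must cover every name in `required_sans`.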

Product: IBM HTTP Server; Component: SSL; Platform: AIX, HP-UX, Linux, Solaris, Windows; Version: 8.5, 8.0, 7.0

Document Information

Modified date:
07 September 2022

UID

swg21607527