I want to make sure there aren't any mysterious odd behaviors when redirecting an SSL VirtualHost with mod_alias Redirect as outlined by Apache here.

My code seems to work, but since SSL virtual hosts are restricted to just one IP address, I want to make sure there aren't any problems eluding me. Explicitly not using TLS. I'm stuck with Apache 2.2 for now.

<VirtualHost *:443>
    ServerName example.com
    SSLEngine On
    SSLCertificateFile /path/to/example.com-crt.crt
    SSLCertificateKeyFile /path/to/example.com-key.key
    SSLCACertificateFile /path/to/example.com-ca.txt
    Redirect 301 / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine On
    SSLCertificateFile /path/to/example.com-crt.crt
    SSLCertificateKeyFile /path/to/example.com-key.key
    SSLCACertificateFile /path/to/example.com-ca.txt
    # Do stuff
</VirtualHost>

So my question is, should SSL VirtualHost redirection with mod_alias Redirect work the same as non-SSL redirection?

UPDATE: To be clear, I want to make sure the Redirect circumvents the need for SNI/TLS, especially related to IE6 on WinXP. Seems to work fine in my tests with IE6 on WinXP-SP3 (see comments below the answer marked correct).

Jeff

1 Answer

Yes, it works the same.

x509v3 includes Subject Alternative Name. Most (all?) issuing CAs will list both www.example.com and example.com as equivalent alternate names in a cert requested for either. Because of this browsers won't choke on the name when using the same cert in both VirtualHost instances.


On a different note, you have:

Redirect 301 / http://www.example.com/

I would instead recommend:

Redirect 301 / https://www.example.com/

Because this is SSL after all.

bahamat
  • Oops, fixed! So there are no issues with turning the SSL Engine on the same IP address in two VirtualHosts as long as one is a redirect? Sort of goes against everything I've read, but it seems to work fine. Guess I'm just looking for some confidence before putting this into production. – Jeff Oct 19 '12 at 01:29
  • It should work on any relevant browser and OS. I believe Internet Explorer on Windows XP doesn't support Server Name Indication, so in that case I think it will throw you on the first virtualhost in your configuration (which is what you probably read everywhere). – gparent Oct 19 '12 at 17:14
  • I just tested with IE6 on WinXP-SP3 and it works fine. I'm a little surprised myself. I don't think SNI/TLS comes into play because of the redirect -- that was the core of my question. Would love it if someone else can confirm my findings. – Jeff Oct 19 '12 at 20:46
  • SNI/TLS doesn't come into play. See my updated answer. – bahamat Oct 19 '12 at 21:49
  • Thanks for clearing that up. For any future visitors to this question who might be curious, I can confirm that my cert does indeed include both `www.` and no-`www.` listings. – Jeff Oct 19 '12 at 22:12
  • @Jeff: Yeah, I can't even remember the last time one I got didn't have it. – bahamat Oct 20 '12 at 00:10
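
As an added example (not code from the question or the answer), this Python check lists the ServerName values declared for each VirtualHost address and reports any that the shared certificate's Subject Alternative Name entries do not cover, which is the condition the answer relies on. The config and SAN text are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample: the question's two vhosts, reduced to what this check reads.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName example.com
    Redirect 301 / https://www.example.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
</VirtualHost>
"""
# Constructed sample: SAN line in the style printed by `openssl x509 -noout -text`.
SAMPLE_SAN = "DNS:example.com, DNS:www.example.com"


def vhost_names(conf):
    """Map each VirtualHost address to its ServerName/ServerAlias values, in file order."""
    groups = {}
    for addr, body in re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.S | re.I):
        names = []
        for line in body.splitlines():
            parts = line.split()
            if parts and parts[0].lower() in ("servername", "serveralias"):
                names += [p.lower().split(":")[0] for p in parts[1:]]  # drop any :port
        groups.setdefault(addr.strip(), []).extend(names)
    return groups


def san_dns_names(san_text):
    """Extract the DNS entries from a Subject Alternative Name text line."""
    return [m.lower() for m in re.findall(r"DNS:([^,\s]+)", san_text)]


def covers(pattern, host):
    """Exact match, or one left-most wildcard label (*.example.com)."""
    if pattern == host:
        return True
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return False


def uncovered(conf, san_text):
    """Per address, the names that no SAN entry in the certificate matches."""
    sans = san_dns_names(san_text)
    return {addr: [n for n in names if not any(covers(s, n) for s in sans)]
            for addr, names in vhost_names(conf).items()}
```

An empty list for `*:443` means every name on that address is covered by the certificate; any name listed would produce a certificate name mismatch in the browser.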