
I have httpd 2.4 on RHEL 7 and am experimenting with SNI integration before applying it to the production environment. I experienced an interesting behavior. The server always serves the matched virtual host content of www.example.org with the certificate specified within the <VirtualHost _default_:443> directive inside conf.d/ssl.conf instead of conf.d/vhosts.conf.

However, if a DocumentRoot directive with a different location is specified within the <VirtualHost _default_:443> directive, the server still serves the same matched virtual host content specified in conf.d/vhosts.conf with the wrong certificate. Even with a different DocumentRoot location and a ServerName www.example.org directive within the _default_ section, the server still acts the same as before.

The point here is the ServerName directive in the global configuration, which is not specified. So at start-up, the server takes the localhost's currently active hostname, which is also www.example.org. When the hostname is changed to a different hostname and httpd is restarted, the server acts normally, as expected.

However, it is stated here that _default_ configurations should never override an already matched request from another virtual host configuration.

In my view, since the SNI/TLS handshake happens at the beginning of the communication, the httpd server fails to determine whether the requested content belongs to the main global server or to the matching virtual host (with the same ServerName). In the end, the server provides the certificate specified in the global configuration; however, the content is served according to the DocumentRoot directive within the virtual host configuration conf.d/vhosts.conf.

The fix is simple: do not give the global ServerName the same value as any other virtual host. However, these questions make me curious:

  • Why is only the SSL section of the virtual host configuration pulled from the global configuration? Why not the rest of it, such as the DocumentRoot and Log* directives, too?
  • Is this a bug or expected behavior?

Related content of conf.d/ssl.conf:

Listen 443 https
SSLProtocol all -SSLv2 -SSLv3
# Stock RHEL 7 cipher list; note that RC4+RSA still permits RC4 suites
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
# Catch-all TLS virtual host in the stock mod_ssl ssl.conf layout; no ServerName is set in it,
# so it inherits the global one
<VirtualHost _default_:443>
        DocumentRoot "/var/www/html"
        ErrorLog logs/ssl_error_log
        TransferLog logs/ssl_access_log
        LogLevel warn
        SSLEngine on
        SSLCertificateFile /etc/pki/tls/certs/localhost.crt
        SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>

Content of conf.d/vhosts.conf:

# Name-based TLS virtual host bound to one IP address, whereas the _default_ vhost above
# uses a different address specification
<VirtualHost 192.168.1.1:443>
        SSLEngine On
        ServerName sni.example.org
        DocumentRoot /var/www/html/sni.html/
        # Relative certificate paths are resolved against ServerRoot
        SSLCertificateFile certs/sni.cer
        SSLCertificateKeyFile certs/sni.key
</VirtualHost>
Aesnak
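One way to lay the configuration out so that the global server name can never collide with a virtual host and both TLS virtual hosts share one address:port, added here as an example and not taken from the asker's files (the hostnames, document roots and cipher list are assumptions). httpd documents that it guesses the global ServerName from the system hostname when none is set, that name-based selection only happens among the <VirtualHost> blocks bound to the same address:port, and that the first block listed for that address:port is the fallback when no ServerName or ServerAlias matches the SNI name:

```apache
# Global server: give it an explicit name that no <VirtualHost> uses,
# so httpd never has to derive it from the machine's hostname.
ServerName host01.internal.example.org

Listen 443 https

# TLS settings inherited by every :443 virtual host below
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          HIGH:!aNULL:!MD5:!RC4
SSLHonorCipherOrder     on

# First vhost on *:443 is the fallback: it answers clients that send no
# SNI or an unknown name, with the placeholder certificate.
<VirtualHost *:443>
    ServerName              default.internal.example.org
    DocumentRoot            /var/www/html
    ErrorLog                logs/ssl_error_log
    TransferLog             logs/ssl_access_log
    LogLevel                warn
    SSLEngine               on
    SSLCertificateFile      /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/localhost.key
</VirtualHost>

# Name-based vhost on the same address:port, selected by the SNI name.
<VirtualHost *:443>
    ServerName              sni.example.org
    DocumentRoot            /var/www/sni
    ErrorLog                logs/sni_error_log
    TransferLog             logs/sni_access_log
    SSLEngine               on
    SSLCertificateFile      /etc/pki/tls/certs/sni.cer
    SSLCertificateKeyFile   /etc/pki/tls/private/sni.key
</VirtualHost>
```

After editing, httpd -t checks the syntax and httpd -S prints the virtual host table httpd actually built, including which block it treats as the default for *:443; compare that table with the SNI names you expect before restarting.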
  • Always define ServerName for each virtual host. Do so, try again and tell us about your results then. – Daniel Ferradal Aug 29 '16 at 18:12
  • As I mentioned above, I tried that by adding ServerName and DocumentRoot directives separately to the conf.d/ssl.conf configuration file shown above. That doesn't change anything. As a result, the server uses the certificate in ssl.conf; however, the content (DocumentRoot) is pulled from vhosts.conf. – Aesnak Aug 31 '16 at 08:01
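A check worth running before this goes to production, as an added example that is not part of the original post: connect to the listener once per SNI name, verify the chain against the certificates you expect the server to present, and flag every name that receives a certificate not valid for it. The target address, the names and the CA bundle path are assumptions; the sample results embedded in the block are constructed to reproduce the symptom in the question, not captured from a real server.

```python
"""Probe an httpd listener with several SNI names and report which names
receive a certificate that is not valid for them.  Added example, not
code from the original post; the target address, the expected names and
the CA bundle path are assumptions."""
import socket
import ssl
import sys


def probe_sni(host, port, server_name, cafile):
    """Connect to host:port, send server_name as the TLS SNI extension and
    return the leaf certificate as ssl.SSLSocket.getpeercert() renders it.

    cafile must hold the certificate(s) the server is expected to present
    (self-signed ones included): getpeercert() only returns the parsed
    subject and subjectAltName when the chain verified, so we verify
    against the expected certs and do the hostname check ourselves."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False              # checked below, per SNI name
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert()


def cert_names(cert):
    """DNS names a certificate is valid for: the SAN dNSName entries, or
    the subject CN only when the certificate carries no SAN at all."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for key, v in rdn if key == "commonName"]


def name_matches(pattern, hostname):
    """RFC 6125 style: case-insensitive; '*' only as the entire left-most
    label, matching exactly one label, and never for a bare TLD."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (p_labels[0] == "*" and len(p_labels) > 2
            and len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:])


def cert_covers(cert, hostname):
    return any(name_matches(n, hostname) for n in cert_names(cert))


def find_mismatches(results):
    """results maps each SNI name to the certificate it received ({} when
    the handshake failed).  Returns {sni_name: names_on_that_cert} for
    every name whose certificate does not cover it."""
    return {name: cert_names(cert) for name, cert in results.items()
            if not cert_covers(cert, name)}


def audit(host, port, names, cafile):
    """Probe every name and return the mismatches; a certificate that is
    not in cafile at all counts as a mismatch with no names."""
    results = {}
    for name in names:
        try:
            results[name] = probe_sni(host, port, name, cafile)
        except ssl.SSLCertVerificationError:
            results[name] = {}
    return find_mismatches(results)


# Constructed sample in getpeercert() layout, reproducing the symptom in
# the question: sni.example.org is answered with the _default_ vhost's
# certificate.  Not captured from a real server.
SAMPLE_RESULTS = {
    "sni.example.org": {
        "subject": ((("commonName", "www.example.org"),),),
        "subjectAltName": (("DNS", "www.example.org"),),
    },
    "www.example.org": {
        "subject": ((("commonName", "www.example.org"),),),
        "subjectAltName": (("DNS", "www.example.org"),),
    },
}


def report(mismatches):
    """One line per mismatched name, returned as a list for printing."""
    return [f"{name}: got a certificate for {', '.join(got) or 'no DNS name'}"
            for name, got in sorted(mismatches.items())]


if __name__ == "__main__":
    if len(sys.argv) >= 5:
        # usage: sni_audit.py HOST PORT CAFILE NAME [NAME ...]
        host, port, cafile = sys.argv[1], int(sys.argv[2]), sys.argv[3]
        bad = audit(host, port, sys.argv[4:], cafile)
    else:
        bad = find_mismatches(SAMPLE_RESULTS)
    print("\n".join(report(bad)) or "all names received a matching certificate")
    sys.exit(1 if bad else 0)
```

Run it with no arguments to evaluate the constructed sample, or as sni_audit.py 192.168.1.1 443 expected-certs.pem sni.example.org www.example.org against the real listener, with expected-certs.pem being localhost.crt and sni.cer concatenated. Verification is done against that bundle rather than the system trust store because getpeercert() returns the parsed subject and SAN only after a successful verification, and a self-signed localhost.crt would not verify otherwise.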

0 Answers