
I'm looking for the most efficient way to achieve this setup on Apache 2.4.33 in the Amazon Linux Distro:

  • a single server instance (here: AWS EC2)
  • a single associated IP

  • two (or more) domains, each with their own SSL certificate

  • one default SSL VirtualHost that applies to all others, to set such things as SSLProtocol, FilesMatch, and BrowserMatch only once

  • a dedicated VirtualHost per domain that points to the respective files and sets the document root

Is there something wrong with this setup?

1) /etc/httpd/conf.d/ssl.conf (entire file):

Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300

SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin

# default settings for all VirtualHosts
<VirtualHost *:443>

LogLevel warn

SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3

SSLHonorCipherOrder on

#use OpenSSL default
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
#SSLProxyCipherSuite HIGH:MEDIUM:!aNULL:!MD5

<FilesMatch "\.(cgi|shtml|phtml|php)$">
  SSLOptions +StdEnvVars
</FilesMatch>

<Directory "/var/www/cgi-bin">
  SSLOptions +StdEnvVars
</Directory>

BrowserMatch "MSIE [2-5]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

2) /etc/httpd/conf.d/vhosts.conf

# foo.com

<VirtualHost *:80>
  ServerName foo.com
  ServerAlias www.foo.com
  # trailing slash needed: Redirect replaces the "/" prefix, so "/x" would otherwise become "https://foo.comx"
  Redirect 301 / https://foo.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName foo.com:443
  ServerAlias www.foo.com:443

  DocumentRoot "/var/www/foo"

  SSLEngine on
  SSLCertificateFile /etc/pki/tls/certs/foo.crt
  SSLCertificateChainFile /etc/pki/tls/certs/foo.bundle
  SSLCertificateKeyFile /etc/pki/tls/private/foo.key

  ErrorLog logs/foo
  TransferLog logs/foo-acc
</VirtualHost>


# bar.com

<VirtualHost *:80>
  ServerName bar.com
  ServerAlias www.bar.com
  # trailing slash needed for the same reason as above
  Redirect 301 / https://bar.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName bar.com:443
  ServerAlias www.bar.com:443

  DocumentRoot "/var/www/bar"

  SSLEngine on
  SSLCertificateFile /etc/pki/tls/certs/bar.crt
  SSLCertificateChainFile /etc/pki/tls/certs/bar.bundle
  SSLCertificateKeyFile /etc/pki/tls/private/bar.key

  ErrorLog logs/bar
  TransferLog logs/bar-acc
</VirtualHost>

Will this work, or do I have to repeat the default setup for each dedicated domain?

bobsoap

1 Answer


I figured it out after some extensive testing:

The generic "master" VirtualHost in ssl.conf must reference a Certificate, Chain and Key, otherwise it will not work. So, for clarity and to avoid writing (and maintaining) duplicate lines across vhosts, it might be best to move this generic vhost into vhosts.conf, before the others.

Any rules specified there seem to be inherited properly by the following vhosts and don't have to be repeated.

bobsoap