[peruser] peruser with mod_ssl and different ServerEnvironment hangs
jordan at moodle.com
Tue Sep 6 10:50:12 MDT 2011
On Tue, Sep 6, 2011 at 7:26 PM, Leen Besselink <leen at consolejunkie.net> wrote:
> On 09/06/2011 10:40 AM, Jordan Tomkinson wrote:
> > Hi list,
> > I'm using Apache 2.2.0 with Peruser 0.4.0rc2 compiled in and having
> > trouble with SSL vhosts.
> > I use a wildcard SSL certificate for *.mydomain.tld with VirtualHost
> > entries for different subdomains.
> > Something like:
> > <VirtualHost x.x.x.x:443>
> >     ServerName sub1.mydomain.tld
> >     SSLEngine On
> >     SSLCertificateFile /path/to/my/wildcard.crt
> >     SSLCertificateKeyFile /path/to/my/wildcard.key
> >     KeepAlive on
> >     DocumentRoot /path/to/mydomain/sub1/html
> >     <IfModule peruser.c>
> >         <Processor apache-ssl>
> >             User apache
> >             Group apache
> >         </Processor>
> >         ServerEnvironment apache-ssl
> >     </IfModule>
> > </VirtualHost>
> > Repeating for sub2, sub3, sub4 of .mydomain.tld etc..
> > This all works fine when each vhost is using the same
> > ServerEnvironment, but this means I cannot Chroot vhosts into unique
> > directories.
> > When I change the ServerEnvironment, Apache hangs on the connection
> > with nothing being written to the error_log.
> > I originally thought this was related to
> > http://www.peruser.org/trac/peruser/ticket/2 but perhaps I'm wrong.
> > Any ideas??
> Just a quick check:
> - you use one certificate for different Vhosts, probably ok
> - each Vhost has at least one separate IP address?
> - you want to have different ServerEnvironment/Chroot for each Vhost
> If you don't have different IP-addresses, you might have problems with a
> vanilla Apache as well.
> Because SNI-support is limited in browsers and webservers:
SNI is not a problem because we use a wildcard SSL certificate - this is the
correct way to do multiple SSL vhosts bound to a single IP in Apache.
The CN of our certificate is set to *.ourdomain.tld, Apache has a single
virtual host (the default) which sends the certificate, the other vhost
entries simply specify additional ServerName and DocumentRoot options.
It works fine in both vanilla Apache and with mod-peruser - but only with
the same ServerEnvironment - see
http://www.peruser.org/trac/peruser/ticket/3 for the same issue.
On a side note: has anyone noticed the incredible amount of spam links on
the peruser.org wiki / trac website? Is there no active webmaster?
> > Regards,
> > Jordan Tomkinson
> > Systems Administrator
> > Moodle HQ