[peruser] peruser with mod_ssl and different ServerEnvironment hangs

Jordan Tomkinson jordan at moodle.com
Tue Sep 6 10:50:12 MDT 2011


On Tue, Sep 6, 2011 at 7:26 PM, Leen Besselink <leen at consolejunkie.net> wrote:

> On 09/06/2011 10:40 AM, Jordan Tomkinson wrote:
> > Hi list,
> >
> > I'm using Apache 2.2.0 with Peruser 0.4.0rc2 compiled in and having
> > trouble with ssl vhosts
> > I use a wildcard ssl certificate for *.mydomain.tld with virtualhost
> > entries for different subdomains.
> >
> > something like:
> >
> > <VirtualHost x.x.x.x:443>
> >   ServerName sub1.mydomain.tld
> >   SSLEngine On
> >   SSLCertificateFile /path/to/my/wildcard.crt
> >   SSLCertificateKeyFile /path/to/my/wildcard.key
> >   KeepAlive on
> >   DocumentRoot /path/to/mydomain/sub1/html
> >
> >   <IfModule peruser.c>
> >     <Processor apache-ssl>
> >       User apache
> >       Group apache
> >     </Processor>
> >     ServerEnvironment apache-ssl
> >   </IfModule>
> >
> > </VirtualHost>
> >
> > Repeating for sub2, sub3, sub4 of .mydomain.tld etc..
> >
> > This all works fine when each vhost is using the same
> > ServerEnvironment, but this means I cannot Chroot vhosts into unique
> > directories.
> > When I change the ServerEnvironment, apache hangs on the connection
> > with nothing being written to the error_log
> >
> > I originally thought this was related to
> > http://www.peruser.org/trac/peruser/ticket/2 but perhaps I'm wrong.
> >
> > Any ideas??
> >
>
> Just a quick check:
> - you use one certificate for different Vhost, probably ok
> - each Vhost has at least one separate IP-address ?
> - you want to have different ServerEnvironment/Chroot for each VHost
>
> If you don't have different IP-addresses, you might have problems with a
> vanilla Apache as well.
>
> Because SNI-support is limited in browsers and webservers:
> http://en.wikipedia.org/wiki/Server_Name_Indication
>

SNI is not a problem because we use a wildcard ssl certificate - this is the
correct way to do multiple ssl vhosts bound to a single IP in apache.
The CN of our certificate is set to *.ourdomain.tld, apache has a single
virtual host (the default) which sends the certificate, the other vhost
entries simply specify additional ServerName and DocumentRoot options.
It works fine in both vanilla apache and with mod-peruser - but only with
the same ServerEnvironment - see
http://www.peruser.org/trac/peruser/ticket/3 for the same issue

On a side note: has anyone noticed the incredible amount of SPAM links on
the peruser.org wiki / trac website? Is there no active webmaster?


>
> > Regards,
> >
> > Jordan Tomkinson
> > Systems Administrator
> > Moodle HQ