Server Name Indication

From ICO wiki

Server Name Indication

Eeldused

Ubuntu server 9.10 (Karmic Koala) beta versioonist alates
Apache 2.2.12
OpenSSL 0.9.8g

Seadistamine

Kui Apachel ja OpenSSL'il on SNI tugi olemas, saab ühe IP ja pordi pealt suunata päringuid erinevatele https veebilehtedele kasutades selleks ServerName'i nagu tavalise http puhulgi.
Muuta võib kohe /etc/apache2/sites-enabled/000-default faili uue konfiguratsiooniga

sudo nano /etc/apache2/sites-enabled/000-default

Järgnevalt on toodud näidiskonfiguratsioon:

NameVirtualHost *:443
SSLStrictSNIVHostCheck on

<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName www.firma.ee
        DocumentRoot /var/www/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>

        <Directory /var/www/www>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/www.error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/www.access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

   ErrorLog     /var/log/apache2/www.firma.ee-ssl-error.log
   TransferLog  /var/log/apache2/www.firma.ee-ssl-access.log

   SSLEngine on
   SSLCertificateFile /etc/apache2/www.firma.ee.crt
   SSLCertificateKeyFile /etc/apache2/www.firma.ee.key
   SSLOptions +StdEnvVars

 </VirtualHost>
<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName sales.firma.ee
        DocumentRoot /var/www/sales
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/sales>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/sales.error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/sales.access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
   ErrorLog     /var/log/apache2/sales.firma.ee-ssl-error.log
   TransferLog  /var/log/apache2/sales.firma.ee-ssl-access.log

   SSLEngine on
   SSLCertificateFile /etc/apache2/sales.firma.ee.crt
   SSLCertificateKeyFile /etc/apache2/sales.firma.ee.key
   SSLOptions +StdEnvVars


 </VirtualHost>
<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	ServerName www.firma.ee
	DocumentRoot /var/www/www
	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>
	<Directory /var/www/www>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order allow,deny
		allow from all
	</Directory>

	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<Directory "/usr/lib/cgi-bin">

		AllowOverride None
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		Order allow,deny
		Allow from all
	</Directory>

	ErrorLog /var/log/apache2/www-error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog /var/log/apache2/www-access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

<VirtualHost *:80>

        ServerAdmin webmaster@localhost
        ServerName sales.firma.ee
        DocumentRoot /var/www/sales
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/sales>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny                
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/sales.error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/sales.access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

NameVirtualHost *:443 - määrab, et kõigil IP'del kuulatakse virtual host päringuid
SSLStrictSNIVHostCheck - määrab, kas ühendusi lubatakse ka mitte-SNI klientidelt (off = lubatakse, on = ei lubata)

Testimine

Testimiseks on vajalik SNI tuge omavat veebibrauserit. Seega ei sobi Links. SNI toega brauserid on Firefox 2.0+, IE 7.0+, Google Chrome, Opera 8.0+