Apache Reverse Proxy

Tags: apache2

What if you want to hide an internal server? You need to configure apache to act as a reverse proxy. This is the small snippet you need to configure a proxy pass on the public server. Everything is well known except (for me at least) the directive ProxyPreserveHost, which is needed so that the hidden server receives the HTTP_SERVER parameter, i.e. the hostname the client asked for, instead of the backend's own name. This way the application can ignore the fact that it is behind a proxy.

<VirtualHost IP:443>
    ServerName public.domain.org
    # the backend speaks https, so the proxy needs an SSL client side of its own
    SSLProxyEngine on
    # Off = reverse proxy only; On would turn this vhost into an open forward proxy
    ProxyRequests Off
    # forward the client's Host header unchanged instead of hidden.hiddendomain
    ProxyPreserveHost On
    ProxyPass / https://hidden.hiddendomain/
    # rewrite Location (and similar) headers in the backend's replies back to the public name
    ProxyPassReverse / https://hidden.hiddendomain/
    <Proxy https://hidden.hiddendomain>
            Order deny,allow
            Deny from all
            Allow from all
    </Proxy>
</VirtualHost>
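To see what these directives actually do to a request, here is an added example (not from the original post, and not Apache's code) that models them with Python's standard library on loopback: a stand-in for hidden.hiddendomain echoes the Host header it receives and issues a redirect with its own name, and a tiny proxy in front of it applies the ProxyPass, ProxyPreserveHost and ProxyPassReverse semantics, refusing forward-proxy style requests as ProxyRequests Off does. The host names and paths are constructed for the demo, and it speaks plain http rather than https so that it runs stand-alone.

```python
import http.client
import http.server
import threading

# Constructed stand-in for the public name in the post; nothing leaves loopback.
PUBLIC_HOST = "public.domain.org"
HOP_BY_HOP = {"server", "date", "connection"}   # headers the proxy emits itself


class EchoBackend(http.server.BaseHTTPRequestHandler):
    """Plays hidden.hiddendomain: reports the Host header it received and, on
    /login, redirects using its own idea of its hostname, as applications do."""

    def do_GET(self):
        host = self.headers.get("Host", "")
        if self.path == "/login":
            self.send_response(302)
            self.send_header("Location", f"http://{host}/home")
            self.end_headers()
            return
        body = f"backend saw Host: {host}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def make_proxy_handler(backend_netloc, preserve_host):
    """Build a handler modelling ProxyPass / ProxyPassReverse / ProxyPreserveHost."""
    backend_base = f"http://{backend_netloc}/"

    class Proxy(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            # ProxyRequests Off: an absolute-URI (forward proxy) target is refused
            if self.path.startswith(("http://", "https://")):
                self.send_error(403, "forward proxying disabled")
                return
            headers = dict(self.headers.items())
            if not preserve_host:
                headers["Host"] = backend_netloc    # ProxyPreserveHost Off
            # ProxyPreserveHost On: the client's Host header is forwarded unchanged
            conn = http.client.HTTPConnection(backend_netloc, timeout=5)
            conn.request("GET", self.path, headers=headers)   # ProxyPass / -> backend
            resp = conn.getresponse()
            body = resp.read()
            self.send_response(resp.status)
            for name, value in resp.getheaders():
                if name.lower() in HOP_BY_HOP:
                    continue
                if name.lower() == "location" and value.startswith(backend_base):
                    # ProxyPassReverse: backend URL in Location -> public URL
                    value = f"http://{self.headers['Host']}/" + value[len(backend_base):]
                self.send_header(name, value)
            self.end_headers()
            self.wfile.write(body)
            conn.close()

        def log_message(self, *args):
            pass

    return Proxy


def start_server(handler):
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)   # ephemeral port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo(preserve_host, path="/"):
    """Start backend and proxy, send one request carrying the public Host header,
    and return (status, body, location) as the client sees them."""
    backend = start_server(EchoBackend)
    backend_netloc = f"127.0.0.1:{backend.server_address[1]}"
    proxy = start_server(make_proxy_handler(backend_netloc, preserve_host))
    try:
        conn = http.client.HTTPConnection("127.0.0.1", proxy.server_address[1], timeout=5)
        conn.request("GET", path, headers={"Host": PUBLIC_HOST})
        resp = conn.getresponse()
        result = (resp.status, resp.read().decode(), resp.getheader("Location"))
        conn.close()
        return result
    finally:
        proxy.shutdown(); proxy.server_close()
        backend.shutdown(); backend.server_close()


if __name__ == "__main__":
    print(run_demo(True))            # backend sees public.domain.org
    print(run_demo(False))           # backend sees 127.0.0.1:<port>
    print(run_demo(True, "/login"))  # Location rewritten to the public host
```

With preserve_host set to True the backend reports the public hostname, with it set to False it reports the proxy's idea of the backend address, and the redirect the backend builds from its own name comes back to the client pointing at the public host, which is exactly the rewriting ProxyPassReverse performs.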

use vlogger with apache2

vlogger [1] is a nice piece of software to deal with a large number of virtual hosts. It works with apache by piping the logs to the vlogger process, which then takes care of storing them in your log directory.

I found an excellent howto that describes how to install vlogger on debian [2].

To better integrate it with webalizer you can use this small shell snippet to generate conf files automatically for all your vhosts. It assumes that your log files are stored in /var/log/apache2 and that you don't have any other directories there but those generated by vlogger.

#!/bin/sh
# Generate one webalizer configuration per vhost directory created by vlogger.
# Assumes /var/log/apache2 contains only the per-vhost directories vlogger made.
LOGDIR=/var/log/apache2

for dir in "$LOGDIR"/*/; do
    [ -d "$dir" ] || continue          # no directories at all: glob stays literal
    vhost=$(basename "$dir")

    # overwrite (not append) so that re-running the script does not duplicate entries
    cat <<EOF > "$vhost.conf"
LogFile $LOGDIR/$vhost/access.log
LogType clf
OutputDir /var/www/webalizer/$vhost
Incremental yes
IncrementalName webalizer.current
ReportTitle Usage statistics for
HostName $vhost
PageType    htm*
PageType    cgi
PageType    php3
PageType    php
DNSCache    dns_cache.db
HideURL     *.gif
HideURL     *.GIF
HideURL     *.jpg
HideURL     *.JPG
HideURL     *.png
HideURL     *.PNG
HideURL     *.ra
IgnoreSite  localhost
IgnoreReferrer  localhost
SearchEngine    yahoo.com   p=
SearchEngine    altavista.com   q=
SearchEngine    google.com  q=
SearchEngine    eureka.com  q=
SearchEngine    lycos.com   query=
SearchEngine    hotbot.com  MT=
SearchEngine    msn.com     MT=
SearchEngine    infoseek.com    qt=
SearchEngine    webcrawler  searchText=
SearchEngine    excite      search=
SearchEngine    netscape.com    search=
SearchEngine    mamma.com   query=
SearchEngine    alltheweb.com   query=
SearchEngine    northernlight.com  qr=
SearchEngine    sensis.com.au   find=
SearchEngine    google.nl   q=
SearchEngine    google.fr   q=
SearchEngine    google.ch   q=
SearchEngine    google.ca   q=
SearchEngine    google.be   q=
EOF

done

[1] http://n0rp.chemlab.org/vlogger/
[2] http://www.howtoforge.com/apache_log_splitting_vlogger


name-based virtual hosting with ssl

I've been looking for a solution to this problem for a long time. Basically apache2 is not able to do name-based virtual hosting if you also want to use ssl. The reason for this problem is very simple. In order to know the hostname, apache2 needs to establish a secure channel, but to establish a secure channel, if there is more than one virtual host, it needs to know the hostname in order to present the client the correct certificate. There is also a better explanation on the apache website [1].

The correct solution to this problem is to use the TLS extension called SNI [2]. This is provided by two different apache modules: mod_gnutls and mod_ssl.
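To make the chicken-and-egg problem concrete, here is an added example (not from the original post) that builds a minimal TLS ClientHello in Python and extracts the server_name extension, which is exactly what an SNI-aware server reads before it can choose which virtual host's certificate to present. The record layout follows the TLS handshake format; the hostnames, the single cipher suite and the certificate file names are constructed sample values, and the parser returns None rather than raising on anything truncated or malformed, which is how a server must fall back to its default vhost.

```python
import struct

TLS_HANDSHAKE = 0x16      # record content type
HS_CLIENT_HELLO = 0x01    # handshake message type
EXT_SERVER_NAME = 0x0000  # extension type for SNI


def build_client_hello(hostname=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test data,
    not a real capture); hostname=None yields a hello without any SNI."""
    body = b"\x03\x03"                                  # client_version: TLS 1.2
    body += b"\x00" * 32                                # random (zeros, constructed)
    body += b"\x00"                                     # session_id length 0
    body += struct.pack("!H", 2) + b"\xc0\x2f"          # one cipher suite (sample)
    body += b"\x01\x00"                                 # compression: null only
    exts = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None if it is absent
    or the record is truncated/malformed. Every length is bounds-checked."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                                      # truncated handshake
    pos = 2 + 32                                         # skip version and random
    if len(body) < pos + 1:
        return None
    sid_len = body[pos]; pos += 1 + sid_len              # session_id
    if len(body) < pos + 2:
        return None
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    if len(body) < pos + 1:
        return None
    comp_len = body[pos]; pos += 1 + comp_len            # compression_methods
    if len(body) < pos + 2:
        return None                                      # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype != EXT_SERVER_NAME or len(data) < 2:
            continue
        names = data[2:2 + struct.unpack("!H", data[:2])[0]]
        p = 0
        while p + 3 <= len(names):
            ntype = names[p]
            nlen = struct.unpack("!H", names[p + 1:p + 3])[0]; p += 3
            name = names[p:p + nlen]; p += nlen
            if ntype == 0 and len(name) == nlen:
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None


def select_certificate(record, vhost_certs, default_cert):
    """Pick the certificate for the vhost named by SNI; without SNI the server
    can only present the default vhost's certificate (the pre-SNI situation)."""
    return vhost_certs.get(extract_sni(record), default_cert)


if __name__ == "__main__":
    certs = {"public.domain.org": "public.pem", "other.domain.org": "other.pem"}  # constructed
    print(extract_sni(build_client_hello("public.domain.org")))
    print(select_certificate(build_client_hello(None), certs, "default.pem"))
```

The same parser is handy on the defensive side: run over captured ClientHello records it tells you which names clients actually ask a shared-IP server for, without decrypting anything.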

There are two nice tutorials, one for mod_ssl [3] and the other for mod_gnutls [4]. If you are running lenny (debian testing at the time of writing), you can just install mod_gnutls. If you are running etch, then your best bet is to recompile apache with the mod_ssl patch to support SNI. The first tutorial [3] is about the latter option. The patch can be downloaded from this website [5], also mentioned in [3].

The tutorial explains how to recompile the package. The only thing I've done is to use pbuilder to automate the process. In particular, if you're building the apache2 package in pbuilder, you need to recompile openssl first, then install it in your pbuilder image and then build apache. These are the commands I've used to add the package.

sudo /usr/sbin/pbuilder --login --save-after-login --bindmounts /var/cache/pbuilder/

dpkg -i /var/cache/pbuilder/results/libssl*.deb /var/cache/pbuilder/results/openssl*.deb

So far so good. I've saved myself a big headache.

:)

[1] http://httpd.apache.org/docs/2.1/ssl/ssl_faq.html#vhosts2
[2] http://en.wikipedia.org/wiki/Server_Name_Indication
[3] http://www.how2forge.org/enable-multiple-https-sites-on-one-ip-using-tls-extensions-on-debian-etch
[4] http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/
[5] https://dave.sni.velox.ch/


mod rewrite rule

Tags: apache2

A quick one about mod_rewrite. I added ssl to cduce.org for our user pages. However, I have no use for ssl to serve our static pages. This rule redirects all https requests (^443$) that are not related to userdirs (!^/~) to http://.

        RewriteEngine   on
        # only requests that arrived on the https port ...
        RewriteCond %{SERVER_PORT} ^443$
        # ... and are not for a user directory (/~user/...)
        RewriteCond %{REQUEST_URI} !^/~
        # send the client to the same path over plain http and stop processing
        RewriteRule ^(.*)$ http://www.cduce.org$1 [L,R]