: Multiple Apache vhosts with Basic Auth & SSL I'm just getting started using Apache and I pretty much have everything configured the way I want, I'm just having trouble with one aspect. A

Posted in: #Apache #Authentication #Https #Virtualhost

I'm just getting started using Apache and I pretty much have everything configured the way I want, I'm just having trouble with one aspect. A quick overview: I have a document root of "/var/www", then I have two sites at "/var/www/site1" and "/var/www/site2". Both sites have SSL and authenticate using a simple htpasswd file and run on two different ports (443 & 444). Everything works as I would expect, the auth and SSL both work fine. The only problem is that I can access "site2" without a password under certain conditions.

If I browse to "https://10.0.0.13:444/site2" I get the SSL and auth prompt, I can log in and everything works fine. The same goes for "site1", both the SSL and auth work correctly. However if I browse to "https://10.0.0.13/site2", then Apache lets me access "site2" without a password. Both site1 and site2 DNS resolve to the server's IP address. I know it's gotta be something that I'm just not understanding with the vhosts configuration. I've poked around a lot and cannot seem to get it working nor have I found an example online that helps me figure it out either. Any help would be greatly appreciated!! Here is the current "default-ssl" vhost configuration I'm using:

<VirtualHost *:443>
ServerName site1.domain.com
ServerAdmin site1@localhost

SSLEngine on
SSLCertificateFile /etc/apache2/site1.pem

DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /var/www/>
Options -Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined

<Location /site1>
AuthType Digest
AuthName "site1"
AuthDigestDomain /var/www/site1/ site1.domain.com/site1
AuthDigestProvider file
AuthUserFile /etc/apache2/htpasswd
Require valid-user
SetEnv R_ENV "/var/www/site1"
</Location>
</VirtualHost>

<VirtualHost *:444>
ServerName site2.domain.com
ServerAdmin site2@localhost

SSLEngine on
SSLCertificateFile /etc/apache2/site2.pem

DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /var/www/>
Options -Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined

<Location /site2>
AuthType Digest
AuthName "site2"
AuthDigestDomain /var/www/site2/ site2.domain.com/site2
AuthDigestProvider file
AuthUserFile /etc/apache2/htpasswd
Require valid-user
SetEnv R_ENV "/var/www/site2"
</Location>
</VirtualHost>

10.01% popularity Vote Up Vote Down

: Is it possible to rearrange my Google Analytics profiles and accounts? Some months ago, I registered profile X, Y, Z under account A in Google Analytics. But I hope to move profile X to account

@Cooney921

Posted in: #GoogleAnalytics

1 Comments

: Why are people trying to surf to example.com/{{link}}? I’ve noticed in Google Analytics accessed URLs such as example.com/{{link}}. Is this like an hacking attempt or is there some simple explanation

@Cooney921

Posted in: #GoogleAnalytics #Url

1 Comments

: AdWords animated display ads - have 30 sec limit start on view? According to https://support.google.com/adwordspolicy/answer/176108?hl=en, the total animation time for an ad needs to be kept to 30

@Cooney921

Posted in: #GoogleAdwords

1 Comments

: Canonical link or block in robots.txt for duplicate content across domains? I've built a WordPress multisite for a dealership which has different franchises, ie Honda and BMW. Each franchise has

@Cooney921

Posted in: #CanonicalUrl #DuplicateContent #RobotsTxt

0 Comments

Login to post a comment!

1 Comments

Sorted by latest first Latest Oldest Best

@Kristi941

@Cragmuer If all you want to do is host two different directories with separate user authentication, just add another <location> directive to your site config. I will assume that you have your ports.conf file setup correctly but I'll include a sample anyway. An example configuration would look like something like this:

/etc/apache2/sites-available

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/apache2/cert-file.pem

DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /var/www/>
Options -Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined

<Location /site1>
AuthType Digest
AuthName "site1"
AuthDigestDomain /var/www/site1/ 10.0.0.13/site1
AuthDigestProvider file
AuthUserFile /etc/apache2/htpasswd
Require valid-user
SetEnv R_ENV "/var/www/site1"
</Location>

<Location /site2>
AuthType Digest
AuthName "site2"
AuthDigestDomain /var/www/site2/ 10.0.0.13/site2
AuthDigestProvider file
AuthUserFile /etc/apache2/htpasswd
Require valid-user
SetEnv R_ENV "/var/www/site2"
</Location>
</VirtualHost>

/etc/apache2/ports.conf

<IfModule mod_ssl.c>
NameVirtualHost *:443
Listen 443
</IfModule>

<IfModule mod_gnutls.c>
Listen 443
</IfModule>

If you want to add more directories simply insert another <location> directive. Now if you want to actually host separate domains with different document roots, then you need to look into using the NamedVirtualHost directive. Also you don't need two different certificate files for the configuration you posted, one will work just fine.

10% popularity Vote Up Vote Down

Feed

: Multiple Apache vhosts with Basic Auth & SSL I'm just getting started using Apache and I pretty much have everything configured the way I want, I'm just having trouble with one aspect. A

More posts by @Cooney921

: Is it possible to rearrange my Google Analytics profiles and accounts? Some months ago, I registered profile X, Y, Z under account A in Google Analytics. But I hope to move profile X to account

: Why are people trying to surf to example.com/{{link}}? I’ve noticed in Google Analytics accessed URLs such as example.com/{{link}}. Is this like an hacking attempt or is there some simple explanation

: AdWords animated display ads - have 30 sec limit start on view? According to https://support.google.com/adwordspolicy/answer/176108?hl=en, the total animation time for an ad needs to be kept to 30

: Canonical link or block in robots.txt for duplicate content across domains? I've built a WordPress multisite for a dealership which has different franchises, ie Honda and BMW. Each franchise has

Login to post a comment!

1 Comments

Back to top | Use Dark Theme