Apache Multi-Site configuration with SSL - httpd-vhosts.conf , hosts table and .htaccess

Time:11-01

My setting is done and it works. Is it the correct way?

I have a Windows server and I installed XAMPP on it. Different domains point to different IP addresses on the server. Also, every site on this server runs HTTPS. I went through a lot of tutorials and set up a self-signed cert for each site. Then I configured the server with the settings below.

This config works, but I am not sure whether it is secure enough. I am afraid that I missed something important. I need the site to be reachable by the URLs below:

http://sitea.com (Will redirect to https://sitea.com)

http://www.sitea.com (Will also redirect to https://sitea.com)

https://sitea.com (This is great)

https://www.sitea.com (Will be forced to the non-www version, https://sitea.com, because the program needs it)

My configuration is listed below. May I ask if it is good enough or if I missed something?

C:\xampp\apache\conf\extra\httpd-vhosts.conf:

<VirtualHost 192.168.242.121:80>
    ServerName sitea.com
    ServerAlias www.sitea.com
    Redirect permanent / https://sitea.com/
</VirtualHost>

<VirtualHost 192.168.242.121:443>
    DocumentRoot "S:/websites/sitea/"
    ServerName sitea.com
    # Redirect any Host beginning with "www." to the same host without it
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^(www\.)(.*) [NC]
    RewriteRule (.*) https://%2%{REQUEST_URI} [L,R=301]
    # Per-site self-signed certificate and key
    SSLEngine on
    SSLCertificateFile "ssl/sitea.com/server.crt"
    SSLCertificateKeyFile "ssl/sitea.com/server.key"
    AccessFileName .htaccess
    ErrorLog "S:/websites/sitea/logs/error.log"
    CustomLog "S:/websites/sitea/logs/access.log" common

    <Directory S:/websites/sitea/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost 192.168.242.120:80>
    ServerName siteb.com
    ServerAlias www.siteb.com
    Redirect permanent / https://siteb.com/
</VirtualHost>

<VirtualHost 192.168.242.120:443>
    DocumentRoot "S:/websites/siteb/"
    ServerName siteb.com
    # Redirect any Host beginning with "www." to the same host without it
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^(www\.)(.*) [NC]
    RewriteRule (.*) https://%2%{REQUEST_URI} [L,R=301]
    # Per-site self-signed certificate and key
    SSLEngine on
    SSLCertificateFile "ssl/siteb.com/server.crt"
    SSLCertificateKeyFile "ssl/siteb.com/server.key"
    AccessFileName .htaccess
    ErrorLog "S:/websites/siteb/logs/error.log"
    CustomLog "S:/websites/siteb/logs/access.log" common

    <Directory S:/websites/siteb/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

C:\Windows\System32\drivers\etc\hosts:

192.168.242.121 sitea.com www.sitea.com
192.168.242.120 siteb.com www.siteb.com

Thank you!

CodePudding user response:

Enabling HTTPS on a website does not stop website vulnerabilities; it only secures data which is being transferred between the website server and the client, i.e. someone cannot eavesdrop on what the server and client are saying to each other. If a website has a vulnerability, people will still be able to exploit it.

In your Apache configuration, it looks like some of your Apache configurations can be bypassed by accessing your website directly, i.e. by typing its IP address into a web browser. This would allow someone to bypass your mandated HTTPS, for example. You should set up a redirect rule if you want to prevent this.
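
One way to write the redirect rule mentioned in the answer above, shown for the sitea.com HTTPS virtual host from the question. This is an added example, not code from the question or the answer; it assumes mod_rewrite is loaded (the question's config already uses it) and that sitea.com is the only name the site should answer to. The siteb.com host would get the same change with its own name and IP.

```apache
<VirtualHost 192.168.242.121:443>
    DocumentRoot "S:/websites/sitea/"
    ServerName sitea.com

    SSLEngine on
    SSLCertificateFile "ssl/sitea.com/server.crt"
    SSLCertificateKeyFile "ssl/sitea.com/server.key"

    RewriteEngine On

    # Rule from the question, kept here for comparison. It only fires when
    # the Host header starts with "www.", so a request for
    # https://192.168.242.121/ is served without any redirect. It also
    # builds the redirect target (%2) from the client-supplied Host header.
    #   RewriteCond %{HTTP_HOST} ^(www\.)(.*) [NC]
    #   RewriteRule (.*) https://%2%{REQUEST_URI} [L,R=301]

    # Canonical-host rule: every request whose Host header is not exactly
    # sitea.com (with or without an explicit :443) is redirected to the
    # fixed name. This covers www.sitea.com, the bare IP address, and a
    # missing Host header, and the target no longer depends on client input.
    RewriteCond %{HTTP_HOST} !^sitea\.com(:443)?$ [NC]
    RewriteRule ^ https://sitea.com%{REQUEST_URI} [L,R=301]

    AccessFileName .htaccess
    ErrorLog "S:/websites/sitea/logs/error.log"
    CustomLog "S:/websites/sitea/logs/access.log" common

    <Directory S:/websites/sitea/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
```

After reloading Apache, a request to https://192.168.242.121/ should come back as a 301 whose Location header is https://sitea.com/, while https://sitea.com/ is served directly.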
