Using a Wildcard SSL with Apache Virtual Hosts
Tuesday, 22 July 2008 00:00

In a previous post, we walked through the steps to set up an Apache server for SSL offloading. Recently, we also purchased a wildcard SSL certificate so that we could secure all of our sub-domains.

Normally, Apache tells you that you cannot use SSL with name-based virtual hosts. This is because the HTTP "Host" header is used to determine which virtual host should handle the request, but with SSL that header is only readable after the connection has been decrypted: Apache has to pick an SSL certificate before it knows which virtual host the request is for, so it cannot route by name.

However, this isn't a problem if you are using a wildcard SSL certificate, since every virtual host uses the same certificate and key to decrypt traffic: whichever certificate Apache picks for the handshake is the right one, and once the request is decrypted the Host header selects the virtual host as usual. After a bit of research and testing, it does indeed work.

Simply configure your virtual hosts and SSL certificates as you normally would, making sure every SSL virtual host points at the same certificate, key and chain files. An example Apache configuration snippet is below:

# First SSL virtual host. The handshake is done with this host's certificate,
# which is fine because every SSL host below uses the same wildcard certificate.
<VirtualHost *:443>
  ServerName example.com

  SSLEngine on
  # Apache's default cipher list at the time. Note that it still permits SSLv2,
  # export-grade and LOW ciphers, which a current deployment should drop.
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  # Identical certificate, key and chain files in every SSL virtual host
  SSLCertificateFile "/path/to/certificate.pem"
  SSLCertificateKeyFile "/path/to/privatekey.pem"
  SSLCertificateChainFile "/path/to/chain.pem"
  # Work around SSL bugs in old Internet Explorer versions
  BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

  # SSL is terminated here; plain HTTP is forwarded to the backend on port 8080
  <Location />
    ProxyPass http://localhost:8080/
    ProxyPassReverse https://example.com/
  </Location>
</VirtualHost>

# Second host: same SSL settings, different ServerName and backend port
<VirtualHost *:443>
  ServerName sub.example.com

  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  SSLCertificateFile "/path/to/certificate.pem"
  SSLCertificateKeyFile "/path/to/privatekey.pem"
  SSLCertificateChainFile "/path/to/chain.pem"
  BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

  <Location />
    ProxyPass http://localhost:8081/
    ProxyPassReverse https://sub.example.com/
  </Location>
</VirtualHost>
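Two things can quietly break the setup above: one `<VirtualHost *:443>` pointing at different certificate files than the others (Apache does the handshake with the first host's files, so the browser would see the wrong certificate for that name), and a ServerName the wildcard does not actually cover, since `*.example.com` matches exactly one DNS label and so covers `sub.example.com` but not `example.com` itself (unless the certificate lists that name separately) or `a.b.example.com`. The following script is an added example, not code from the original post; it parses a configuration like the one above and reports both problems. The certificate names it is given are constructed for the example; on a real server they would come from the certificate's Subject Alternative Name list.

```python
"""Consistency check for Apache SSL virtual hosts sharing one wildcard certificate.

Added example (not from the original post). Reports (1) SSL virtual hosts whose
certificate/key/chain files differ from the others and (2) ServerNames that the
certificate's names (wildcard or not) do not cover.
"""
import re

# Constructed sample: the two virtual hosts from the post, trimmed to the
# directives this check looks at.
SAMPLE_CONFIG = """
<VirtualHost *:443>
  ServerName example.com
  SSLEngine on
  SSLCertificateFile "/path/to/certificate.pem"
  SSLCertificateKeyFile "/path/to/privatekey.pem"
  SSLCertificateChainFile "/path/to/chain.pem"
  <Location />
    ProxyPass http://localhost:8080/
    ProxyPassReverse https://example.com/
  </Location>
</VirtualHost>

<VirtualHost *:443>
  ServerName sub.example.com
  SSLEngine on
  SSLCertificateFile "/path/to/certificate.pem"
  SSLCertificateKeyFile "/path/to/privatekey.pem"
  SSLCertificateChainFile "/path/to/chain.pem"
  <Location />
    ProxyPass http://localhost:8081/
    ProxyPassReverse https://sub.example.com/
  </Location>
</VirtualHost>
"""

# Non-greedy body match stops at the first </VirtualHost>, so nested
# <Location> blocks inside a host do not confuse it.
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def _directive(body, name):
    """Return the (unquoted) argument of the first occurrence of a directive, or None."""
    m = re.search(r"^\s*%s\s+\"?([^\"\n]+)\"?\s*$" % re.escape(name), body, re.M | re.I)
    return m.group(1).strip() if m else None


def parse_ssl_vhosts(config_text):
    """Extract ServerName and certificate files from every <VirtualHost ...:443>."""
    vhosts = []
    for m in VHOST_RE.finditer(config_text):
        addr, body = m.group(1).strip(), m.group(2)
        if not addr.endswith(":443"):
            continue  # plain-HTTP hosts are not part of this check
        vhosts.append({
            "servername": _directive(body, "ServerName"),
            "cert": _directive(body, "SSLCertificateFile"),
            "key": _directive(body, "SSLCertificateKeyFile"),
            "chain": _directive(body, "SSLCertificateChainFile"),
        })
    return vhosts


def hostname_matches(pattern, hostname):
    """RFC 6125-style comparison: a leading "*." stands for exactly one label.

    Partial-label wildcards such as "f*.example.com" are not supported here and
    simply fail to match.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Same label count (so "*." cannot swallow "a.b") and an identical tail.
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def check_vhosts(config_text, cert_names):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    vhosts = parse_ssl_vhosts(config_text)
    file_sets = {(v["cert"], v["key"], v["chain"]) for v in vhosts}
    if len(file_sets) > 1:
        problems.append("SSL virtual hosts do not all use the same certificate, "
                        "key and chain files: %s" % sorted(file_sets, key=str))
    for v in vhosts:
        name = v["servername"]
        if not any(hostname_matches(p, name) for p in cert_names):
            problems.append("%s is not covered by the certificate names %s"
                            % (name, cert_names))
    return problems


if __name__ == "__main__":
    # A certificate listing only the wildcard does not cover the bare domain.
    for names in (["*.example.com"], ["*.example.com", "example.com"]):
        print(names, "->", check_vhosts(SAMPLE_CONFIG, names) or "OK")
```

Run it as-is to see the bare-domain case flagged and then cleared once `example.com` is listed alongside the wildcard; point `check_vhosts` at the real `httpd.conf` text and the real SAN list to check a live configuration.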