Apache virtual hosts and config inheritance

Drobot Viktor

6/18/24, 11:36 AM

I have Apache HTTP server set up and running with a bunch of Virtual Hosts which are using Let's Encrypt certificates. However, I can't get sure if global SSL options are inherited by all VHosts.

In main config file (/etc/httpd/conf/httpd.conf) I have the following includes:

...

Include conf/extra/httpd-mpm.conf
Include conf/extra/httpd-autoindex.conf
Include conf/extra/httpd-languages.conf
Include conf/extra/httpd-default.conf
Include conf/extra/httpd-ssl.conf
Include conf/extra/httpd-vhosts.conf
Include conf/extra/php-fpm.conf

...

(the rest of the config isn't shown). So you can see that httpd-ssl.conf is included before httpd-vhosts.conf. Under each VHost configuration directive I have only references to the valid key/cert pair and SSLEngine On option. I wonder if globally-included httpd-ssl.conf options are in effect for each VHost, in other words, does VHosts inherit globally-defined options? I can't find any direct clue for this. Or may be should I explicitly include httpd-ssl.conf (or Let's Encrypt SSL options file instead) in each VHost directive?

And here arises related question: is there any helper utility to show current configuration for specified VHost including global options as well as defaults?

1 + 0

apache-2.4

Score:0

Server

HBruijn

6/18/24, 1:59 PM

Do you need to set/include ssl settings for each individual virtual host?

No. When all sites on a server should always have the same modern security requirements and the same TLS settings then setting them once in the "server config" context should be sufficient.

Otherwise: Yes. When (in the future) an customisation needs to be made in the TLS settings for one of the virtual hosts that override global default values from the server config context; that override could become unintentionally the new default for all other virtual hosts as well.

TL;DR

It depends a bit on the Apache and openssl versions what behaviour you get to see, but for (some) mod_ssl SSL/TLS directives the behaviour is not completely intuitive.

Most Apache mod_ssl settings and directives can indeed be set in the "server config" context and "virtual host" context, some are even valid in "directory" and ".htaccess" contexts. The manual lists for each directive where it can be set.

Directive values set in the server config context will be used unless they're (also) set in a "virtual host" context.

The counter intuitive part is that for some settings, when they get a value assigned in "the base virtual host", that value overrides server config for the other virtual hosts. In other words: for some some settings defined in a virtual host, the scope (effect) was/is not restricted to that particular virtual host.

It's only "explained" in the manual section for the SSLProtocol directive. (I'm not sure if I remember correctly and this might also be (or have been) applicable for other directives such as the SSLCipherSuite) :

SSLProtocol for name-based virtual hosts

Before OpenSSL 1.1.1, even though the Server Name Indication (SNI) allowed to determine the targeted virtual host early in the TLS handshake, it was not possible to switch the TLS protocol version of the connection at this point, and thus the SSLProtocol negotiated was always based off the one of the base virtual host (first virtual host declared on the listening IP:port of the connection).

Beginning with Apache HTTP server version 2.4.42, when built/linked against OpenSSL 1.1.1 or later, and when the SNI is provided by the client in the TLS handshake, the SSLProtocol of each (name-based) virtual host can and will be honored.

For compatibility with previous versions, if no SSLProtocol is configured in a name-based virtual host, the one from the base virtual host still applies, unless SSLProtocol is configured globally in which case the global value applies (this latter exception is more sensible than compatible, though).

For example

A main server config configuration with three virtual host blocks:

#/etc/httpd/conf/httpd.conf

...


LoadModule ssl_module modules/mod_ssl.so

SSLProtocol All -SSLv2 -SSLv3 -TLSv1 

Listen 443

<VirtualHost *:443>
    ServerName insecure.example.com
    SSLEngine on
    SSLCertificateFile "/path/to/insecure.example.com.cert"
    SSLCertificateKeyFile "/path/to/insecure.example.com.key"
    SSLProtocol All
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile "/path/to/www.example.com.cert"
    SSLCertificateKeyFile "/path/to/www.example.com.key"
</VirtualHost>

<VirtualHost *:443>
    ServerName secure.example.com
    SSLEngine on
    SSLCertificateFile "/path/to/www.example.com.cert"
    SSLCertificateKeyFile "/path/to/www.example.com.key"
    SSLProtocol TLSv1.2
</VirtualHost>

On my old RHEL 7 with openssl 1.0.2 and apache 2.4.6 ; the legacy apache / openssl versions the manual warns about:

That has the effect that for www.example.com ; where the virtual host block has no explicit SSLProtocol defined: the value All from default host insecure.example.com gets used and not the value main server context SSLProtocol All -SSLv2 -SSLv3 -TLSv1.
Additionally for secure.example.com the explicitly defined SSLProtocol TLSv1.2 also gets ignored and the value All from default host insecure.example.com gets used instead.

Copy that configuration to a modern host with a recent Apache httpd version and openssl that now also supports TLS version 1.3:

That has the effect that for www.example.com ; where the virtual host block has no explicit SSLProtocol defined: the value from main server context SSLProtocol All -SSLv2 -SSLv3 -TLSv1 gets used. In other words after expanding All: SSLProtocol TLSv1.3 TLSv1.2
Additionally for secure.example.com the explicitly defined SSLProtocol TLSv1.2 also gets used, but the configuration is not the most secure because it doesn't support the newer TLSv1.3

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Apache virtual hosts and config inheritance

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.