Open source software security

SSL Default Virtual Host Problem on Mandriva

Mandriva 2007 (http://www.mandriva.com) has an interesting implementation of Apache 2. It contains a lot of non-standard configuration that will drive you crazy if you don't know where it lives or what it does. One example is the handling of SSL when you have apache-mod_ssl installed. Normally your virtual hosts are controlled from within the file /etc/httpd/conf/vhosts.d/Vhosts.conf. This has changed in the latest distribution, and Mandriva seems to have moved to a more inetd style of configuration files. Now the virtual hosts file is /etc/httpd/conf/vhosts.d/00_default_vhosts.conf.

The 00 prefix would tend to indicate that this is the first virtual host file to be loaded, but that others could be appended or loaded outside of this one. I actually tested this out and it works. For instance, say you have two virtual hosts and you want to list them separately. Assuming one virtual host was www.blackpuddingatemycharacter.com, you could create a new file called 10_bpamc_vhost.conf in the /etc/httpd/conf/vhosts.d directory and it would be loaded by default. This makes managing and editing individual vhost files a little easier, but its long-term viability makes me a little nervous. If Mandriva decides to go back to a single, unified vhosts.conf file then you'll have to change your architecture again.

The other major headache that this setup creates is changing the location of your default site's SSL version. No matter what changes you make to your /etc/httpd/conf/httpd.conf file or to your 00_default_vhosts.conf file, when you point your browser at the https version of your site it will show whatever is in /var/www/html/, even if you've attempted to override the configuration. The problem is that Mandriva has moved the SSL configuration files into a new directory. If you look in /etc/httpd/modules.d you'll see a 40_mod_ssl.conf file and a 41_mod_ssl.default-vhost.conf file. These are the actual files that control your SSL implementation. The 41_mod_ssl.default-vhost.conf file holds the settings for the default SSL site (_default_:443), and these can't be overridden by your 00_default_vhosts.conf file no matter how hard you try. So if you're having problems changing the document root of your default site's SSL presentation, look in the 41_mod_ssl.default-vhost.conf file, edit it, then restart your Apache server and you should be fine.
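
To see which file actually sets the document root served over HTTPS, the added example below (not part of the original post) scans the numbered .conf files in load order and reports every VirtualHost on port 443 with its DocumentRoot. The function names and the sample tree are constructed for illustration; on a real system pass /etc/httpd/modules.d and /etc/httpd/conf/vhosts.d.

```python
import re
import tempfile
from pathlib import Path

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"</VirtualHost>", re.I)
DOCROOT = re.compile(r"^\s*DocumentRoot\s+\"?([^\"\s]+)\"?", re.I)

def find_vhost_docroots(conf_dirs, port="443"):
    """Return (file name, vhost address, DocumentRoot) for each vhost on `port`."""
    hits = []
    for conf_dir in conf_dirs:
        # Numbered prefixes (00_, 41_, ...) sort into the order described above.
        for conf in sorted(Path(conf_dir).glob("*.conf")):
            addr = None  # address of the <VirtualHost> block we are inside
            for line in conf.read_text(errors="replace").splitlines():
                if line.lstrip().startswith("#"):
                    continue  # skip comment lines
                opened = VHOST_OPEN.search(line)
                if opened:
                    addr = opened.group(1).strip()
                elif VHOST_CLOSE.search(line):
                    addr = None
                elif addr and addr.split()[0].endswith(":" + port):
                    root = DOCROOT.match(line)
                    if root:
                        hits.append((conf.name, addr, root.group(1)))
    return hits

def demo(port="443"):
    # Constructed sample tree mimicking the layout described in the post.
    base = Path(tempfile.mkdtemp())
    mods, vhosts = base / "modules.d", base / "vhosts.d"
    mods.mkdir()
    vhosts.mkdir()
    (mods / "40_mod_ssl.conf").write_text("# constructed sample\nListen 443\n")
    (mods / "41_mod_ssl.default-vhost.conf").write_text(
        '<VirtualHost _default_:443>\n  DocumentRoot "/var/www/html"\n'
        "  SSLEngine on\n</VirtualHost>\n")
    (vhosts / "00_default_vhosts.conf").write_text(
        "<VirtualHost *:80>\n  DocumentRoot /srv/site\n</VirtualHost>\n")
    return find_vhost_docroots([mods, vhosts], port)

if __name__ == "__main__":
    for name, addr, docroot in demo():
        print(f"{name}: <VirtualHost {addr}> DocumentRoot {docroot}")
```

Running the same check after a distribution upgrade shows quickly whether a package has reintroduced a default SSL vhost pointing at a directory you did not intend to publish.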