Adam Laurie wrote:
>
> John Sutton wrote:
> > 3) I'm very short on IP's and can't possibly run each certificate on its
> > own IP. I read that it might be possible to run a number of ssl virtual
> > hosts on the same IP providing they use different ports. (At least, this is
> > what I understood by the discussion of this problem). So, does the
> > following (outline) config make sense?
> >
> > I allocate an IP, say x.x.x.x, and give it a name:
> >
> > ssl.SCL.co.uk IN A x.x.x.x (SCL is my own domain)
> >
> > Then, when I have a customer with an insecure web site, say
> > www.customerX.co.uk (this is a NameVirtualHost running on an entirely
> > separate IP) and who now wants secure service, I put in a CNAME:
> >
> > ssl.customerX.co.uk IN CNAME ssl.SCL.co.uk, or (equally I would think)
> > ssl.customerX.co.uk IN A x.x.x.x
> >
> > My httpd.conf file for apache-ssl will look like:
> >
> > Port 437 (from memory, that's the standard port for httpsd
> > and I'll use it for ssl.SCL.co.uk)
>
> Nope, it's 443.
>
> >
> > NameVirtualHost x.x.x.x
> >
> > <VirtualHost ssl.customerX.co.uk:438> (maybe not exactly these ports,
> > ... but a different one for each customer)
> > </VirtualHost>
> >
> > <VirtualHost ssl.customerY.co.uk:439>
> > ...
> > </VirtualHost>
> >
> > etc.
> >
> > Is that going to work? Are there any serious drawbacks to such an approach?
>
> In short, yes it makes sense, but no it won't work. The reason being
> that the SSL session is negotiated as soon as the browser connects, and
> before any headers have been exchanged to determine which named host
> they are looking for. As a consequence, they will be presented with the
> cert for the main IP address, not the virtual host.
Pay attention at the back, there. He's running them on different ports.
Yes, it'll work.
Cheers,
Ben.
--
Ben Laurie |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd, |Apache-SSL author http://www.apache-ssl.org/
London, England. |"Apache: TDG" http://www.ora.com/catalog/apache/
WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/