[GLLUG] Have multiple domains / hosts on one server

Lachniet, Mark mlachniet at sequoianet.com
Fri May 5 10:41:39 EDT 2006


You might think so, but....

http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html

Why can't I use SSL with name-based/non-IP-based virtual hosts?

The reason is very technical, and a somewhat "chicken and egg" problem.
The SSL protocol layer stays below the HTTP protocol layer and
encapsulates HTTP. When an SSL connection (HTTPS) is established
Apache/mod_ssl has to negotiate the SSL protocol parameters with the
client. For this, mod_ssl has to consult the configuration of the
virtual server (for instance it has to look for the cipher suite, the
server certificate, etc.). But in order to go to the correct virtual
server Apache has to know the Host HTTP header field. To do this, the
HTTP request header has to be read. This cannot be done before the SSL
handshake is finished, but the information is needed in order to
complete the SSL handshake phase. Bingo! 

Mark Lachniet
Technical Director, Security Group
Analysts International
(517) 336-1004 (office)
(517) 336-1100 (fax) 
-----Original Message-----
From: Charles Ulrich [mailto:charles at idealso.com] 
Sent: Friday, May 05, 2006 10:39 AM
To: Lachniet, Mark
Cc: Linux User
Subject: Re: [GLLUG] Have multiple domains / hosts on one server

Lachniet, Mark wrote:
> For what it's worth, virtual hosting can be painful, especially if you
> only have one IP address and you want to mix and match HTTP and HTTPS
> sites.  All the documentation I found said it couldn't be done (mixing
> with a single IP) but I somehow got it working anyway.  If someone
> wants a working apache config with virtual hosting I can send one
> offline.

Mixing HTTP and HTTPS virtual hosts shouldn't be any more difficult than
just having a bunch of HTTP virtual hosts. The only difference is that
you add a bunch of SSL directives to the HTTPS host. (I can provide
working configuration files for the curious.)

The main problem with HTTPS and virtual hosting is that you can't have
more HTTPS virtual hosts than you have IP addresses due to limitations
in how SSL is implemented. This means that if you plan to host more than
one HTTPS site on a box, you *must* use IP-based virtual hosting and
have a separate IP address for each HTTPS site that you wish to host.

-- 
Charles Ulrich
Ideal Solution, LLC -- http://www.idealso.com
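For readers who want to see the layout both posters are describing, here is an added example of an Apache 2.0/mod_ssl configuration (not a config file from either poster): name-based virtual hosts on one address for plain HTTP, and one HTTPS site per IP address because the certificate must be chosen before any Host header can be read. The IP addresses (RFC 5737 documentation range), hostnames and certificate paths are assumptions.

```apache
# Added example. Assumes the server holds two addresses, 192.0.2.10 and
# 192.0.2.11, and that the certificate files below exist.
Listen 80
Listen 443

# Plain HTTP: any number of name-based hosts may share 192.0.2.10:80,
# because Apache reads the Host: header before picking the site.
NameVirtualHost 192.0.2.10:80

<VirtualHost 192.0.2.10:80>
    ServerName www.example.com
    DocumentRoot /var/www/example.com
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName www.example.net
    DocumentRoot /var/www/example.net
</VirtualHost>

# HTTPS: exactly one site per address:443. mod_ssl selects the
# certificate from the address the connection arrived on, since the
# SSL handshake completes before any HTTP header exists. A second
# <VirtualHost> on the same address:443 would never be reachable.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    DocumentRoot /var/www/example.com
    SSLEngine on
    # assumed paths
    SSLCertificateFile /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName www.example.net
    DocumentRoot /var/www/example.net
    SSLEngine on
    # assumed paths
    SSLCertificateFile /etc/ssl/certs/example.net.crt
    SSLCertificateKeyFile /etc/ssl/private/example.net.key
</VirtualHost>
```

Run `apachectl -S` after editing to confirm that each address:443 maps to exactly one virtual host; a duplicate there is the symptom of the name-based HTTPS mistake the FAQ warns about.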