httpd-users mailing list archives

From "Leif W" <warp-...@usa.net>
Subject Re: [users@httpd] separate certificate per virtual host
Date Thu, 03 Feb 2005 18:30:07 GMT
> "Nelson, Robert D." <RDNelson@Mail.Donaldson.com>; Thu 2005-02-03@11:24 GMT-5
>
>> Yassen:
>>
>> I could not find any help so far for resolving the following problem:
>>
>> apache 2.0.52 w/ dynamic virtual hosts (we host a lot of
>> domains, so dynamic virtual hosting is a great relief -- I
>> cannot part with it!)
>>
>> Need to present a host-specific SSL certificate for each
>> virtual host, so the host name in the certificate matches the
>> virtual host name. How to configure apache to handle this case?
>
> The SSL handshake happens before any HTTP headers are sent, which is
> why you MUST use IP-based virtual hosting with SSL. This way, Apache
> knows what virtual host to serve up by the IP of the request without
> knowing the 'host' line in the headers.
>
> You can read up on IP-based virtual hosting here:
>
> http://httpd.apache.org/docs-2.0/vhosts/ip-based.html
>
>> Any help or a pointer to a good reading will be appreciated!
>> Thanks in advance!

I don't know if this is an option you would consider, but it is one that 
no one has pointed out, which I have used for personal web sites.

IP-based Virtual Hosting requires a unique IP socket, not necessarily 
unique addresses.  You could use one IP address and put each HTTPS site 
on a different port.  You could then just link to the 
http://site.com:port/ from the unencrypted site (I used ports 4300-4307 
for 8 personal sites and testing), or simply do a permanent redirect 
from the unencrypted to the encrypted site, either from the top level, 
or by putting all of the encrypted content under a single sub-directory. 
Of course, I think there are only 65535 available ports on most systems, 
and the first 1024 are reserved for use by common server programs or 
protocols.

It is only a tradition that all HTTP requests must be on either port 80 
or port 443.  Browsers can only be reasonably expected to look at these 
two ports by default.  But technically there is absolutely nothing wrong 
with using a non-standard port.  The data will be transmitted just the 
same.  If a site is written carefully, then the port should be included 
in all links that need it, and is no more a burden than is using valid 
filenames or valid urls throughout the rest of the site.  If the ports 
are not carelessly juggled around, then the URLs should even be 
bookmarkable or indexable.  If you've got thousands of sites, you may 
need to do some calculations to determine the maximum number of ports 
you can safely reserve for encrypted virtual hosts, otherwise there 
won't be enough ports to respond to clients.

I have absolutely no idea of the ability or even the feasibility of 
using this technique with dynamic or mass virtual hosting.

Leif



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
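The port-per-site layout Leif describes, written out as an httpd 2.0 configuration. This is an added illustration, not configuration from the thread or from the Apache project; the IP address 192.0.2.10, the hostnames, the certificate paths and the ports 4300/4301 are placeholders. Each HTTPS port carries exactly one <VirtualHost>, so mod_ssl can pick the certificate from the socket alone and never needs the Host: header; the plain-HTTP hosts on port 80 stay name-based and send their /secure/ tree to the matching encrypted port, which is the redirect-from-a-subdirectory variant of the message. Later httpd releases (2.2.12 and up, built against an OpenSSL with TLS SNI) can select a certificate by name on a single port, which removes the need for this workaround, but the example follows the thread's approach.

```apache
# Added example (not from the thread): one IP address, one HTTPS site per
# TCP port.  Address, hostnames, paths and ports are placeholders.
# A given port must appear in exactly one Listen directive across the
# whole configuration, or httpd fails to start with "could not bind".
Listen 80
Listen 4300
Listen 4301

# Ports 4300 and 4301 each carry a single site, so the TLS handshake
# (which happens before any Host: header is seen) already identifies
# the site, and mod_ssl presents that site's own certificate.
<VirtualHost 192.0.2.10:4300>
    ServerName www.example.com
    DocumentRoot /var/www/example.com/secure
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example.com.key
</VirtualHost>

<VirtualHost 192.0.2.10:4301>
    ServerName www.example.org
    DocumentRoot /var/www/example.org/secure
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/example.org.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example.org.key
</VirtualHost>

# Unencrypted sites stay name-based on port 80.  Everything under
# /secure/ is sent, with an explicit port in the URL, to the encrypted
# host that holds the matching certificate.
NameVirtualHost 192.0.2.10:80

<VirtualHost 192.0.2.10:80>
    ServerName www.example.com
    DocumentRoot /var/www/example.com/htdocs
    Redirect permanent /secure/ https://www.example.com:4300/
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName www.example.org
    DocumentRoot /var/www/example.org/htdocs
    Redirect permanent /secure/ https://www.example.org:4301/
</VirtualHost>
```

After `apachectl configtest` passes, confirm that each port hands out the right certificate with `openssl s_client -connect 192.0.2.10:4300 | openssl x509 -noout -subject` (and the same for 4301); the subject CN should match the ServerName bound to that port. The non-standard ports also have to be open on any firewall in front of the host, and, as the message notes, they must be spelled out in every absolute link to the encrypted content.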

