httpd-users mailing list archives

From Dragon <dra...@crimson-dragon.com>
Subject Re: [users@httpd] SSL & Apache Scalability
Date Thu, 29 Nov 2007 23:10:52 GMT
Tony Anecito wrote:
>Hi All,
>
>I have heard a strange story about how using 1 port
>for Apache SSL is not a good idea for performance. I
>heard if you have three sites using the same SSL port
>it could really slow down performance as compared to
>putting those sites on separate ports for SSL.
>
>Should not each site have its own port for SSL?
---------------- End original message. ---------------------

Where did you hear that?

What is true is that you cannot do name-based virtual hosts on the 
same IP address with multiple domain names and have that work 
correctly (that subject comes up here all the time). Basically, you 
have to use a separate IP address for each domain name so that SSL 
negotiation serves the correct certificate for the domain. This is a 
limitation of the protocol that establishes SSL connections and there 
is really no legitimate way around how it works. (There is a way to 
"cheat" and use "wild card certificates" but that is considered bad 
practice and should not be done).

All of these IP addresses can and should run on port 443 for SSL 
unless you have another compelling reason to do something different. 
Each of these instances will be separate ports because each IP 
address has its own set of ports that are not shared. In other words, 
port 443 on IP 192.168.1.100 is not the same as port 443 on IP 10.3.67.24.

Perhaps the requirement for a unique IP address is the source of the 
confusion?

Dragon

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
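
The layout the reply describes, written out as an Apache httpd configuration. This is an added example, not part of the original message: the two IP addresses are the ones used in the reply, while the hostnames, document roots and certificate paths are placeholders, and mod_ssl is assumed to be loaded.

```apache
# Constructed example: IP-based SSL virtual hosts, one address per site.
# Hostnames and file paths below are placeholders, not values from the thread.

# Both sites listen on port 443. Each address:port pair is its own socket,
# so the two listeners do not share or contend for a port.
Listen 192.168.1.100:443
Listen 10.3.67.24:443

# httpd selects the virtual host (and therefore the certificate) from the
# local address the connection arrived on, before any HTTP request is read.
<VirtualHost 192.168.1.100:443>
    ServerName site-a.example
    DocumentRoot "/var/www/site-a"

    SSLEngine on
    # Certificate issued for site-a.example only
    SSLCertificateFile    "/etc/httpd/ssl/site-a.example.crt"
    SSLCertificateKeyFile "/etc/httpd/ssl/site-a.example.key"
</VirtualHost>

<VirtualHost 10.3.67.24:443>
    ServerName site-b.example
    DocumentRoot "/var/www/site-b"

    SSLEngine on
    # Certificate issued for site-b.example only
    SSLCertificateFile    "/etc/httpd/ssl/site-b.example.crt"
    SSLCertificateKeyFile "/etc/httpd/ssl/site-b.example.key"
</VirtualHost>

# DNS must point each hostname at its own address:
#   site-a.example -> 192.168.1.100
#   site-b.example -> 10.3.67.24
```

Each private key file should be readable only by the user that starts httpd, and `apachectl configtest` will catch syntax errors before a restart.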

