From: Dan Schaefer
Date: Mon, 14 Dec 2009 11:11:31 -0500
To: users@httpd.apache.org
Message-ID: <4B2663B3.1070104@performanceadmin.com>
In-Reply-To: <4B266151.3020806@newmediagateway.com>
Subject: Re: [users@httpd] Questions about implementing SSL/VirtualHosts

Justin Pasher wrote:
> Dan Schaefer wrote:
>> So are you suggesting that I need multiple public IPs to implement
>> this, or just multiple private IPs? Private IPs are not a problem;
>> however, due to the fact that we have limited public IPs in our
>> range, it could be a problem if and when we add new SSL certs.
>> We would need to re-evaluate our ISP contract before it expires.
>
> You will need a unique public IP address for each SSL site (e.g. FQDN)
> you are planning on running, unless you have a wildcard cert for
> multiple subdomains that should all pull the same VirtualHost content.
> Since SSL encrypts all of the data sent between the server, including
> the Host: header, there's no way for Apache to know which VirtualHost
> should handle the request unless it is IP based. SNI[1] is a new
> extension that allows the Host header to be sent separately, thus
> eliminating the need for dedicated IP addresses, but it does not have
> universal browser support (most notably for IE 7.0 only on Vista or
> higher).
>
> Now, if these sites are being used by the general public, then you
> don't have to assign unique public IP addresses, assuming the sites
> are only being accessed through the private IP address on the local
> network.
>
>
> [1] http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
>

Does it help to mention that my example.com and www.example.com
certificates are the exact same cert? My apologies for not mentioning
this in the beginning. If and when we do add SSL to other subdomains,
they will be different certs. I *don't* see that happening in the near
future, however. Will I be able to use the same public IP for both
example.com and www.example.com?

Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.
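The two situations the thread describes, as an added example that is not from the thread's participants or from Apache's own documentation: an httpd 2.2 configuration that serves example.com and www.example.com from one VirtualHost with one shared certificate on one public IP, plus a second name-based SSL vhost on the same IP that depends on the client sending SNI. The public IP 203.0.113.10, the dev.example.com name and the certificate paths are assumed.

```apache
# Assumed public IP and certificate paths. The second vhost needs
# httpd 2.2.12 or later built against an SNI-capable OpenSSL (0.9.8j+).
Listen 203.0.113.10:443
NameVirtualHost 203.0.113.10:443

# First vhost: example.com and www.example.com use the same certificate,
# so they share one VirtualHost and one IP, and no SNI is involved.
# Being listed first also makes this the vhost whose certificate is
# presented to clients that send no SNI (the older browsers in the
# thread), because the server must pick a certificate before it can
# decrypt the Host: header.
<VirtualHost 203.0.113.10:443>
    ServerName  example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example
    SSLEngine on
    # one certificate covering both names
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
</VirtualHost>

# Second vhost: a different certificate on the same IP and port.
# Only clients that send the server_name extension receive this
# certificate; non-SNI clients complete the handshake with the first
# vhost's certificate and see a name-mismatch warning.
<VirtualHost 203.0.113.10:443>
    ServerName  dev.example.com
    DocumentRoot /var/www/dev
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/dev.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/dev.example.com.key
    # Reject (403) non-SNI clients that reach this vhost through the
    # Host: header instead of serving its content under the wrong
    # certificate (directive available from httpd 2.2.12).
    SSLStrictSNIVHostCheck on
</VirtualHost>
```

To check which certificate a client actually receives, `openssl s_client -connect 203.0.113.10:443 -servername dev.example.com` should show the dev certificate, and the same command without `-servername` should show the example.com one.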