httpd-users mailing list archives

From Igor Galić <i.ga...@brainsware.org>
Subject Re: [users@httpd] Options for multiple SSL domains on 1 server
Date Mon, 04 Oct 2010 16:11:18 GMT

----- "Grant" <emailgrant@gmail.com> wrote:

> >> I need to set up SSL certificates for multiple domain names on a
> >> single server.  I've done some research and I think these are my
> >> options:
> >>
> >> 1. use multiple IPs
> >> drawbacks: requires separate apache2 config for each SSL domain, extra
> >> IPs must be allocated by the hosting company
> >>
> >> 2. use multiple ports
> >> drawbacks: requires separate apache2 & firewall config for each SSL
> >> domain, port numbers look weird in the URL
> >>
> >> 3. Server Name Indication
> >> drawbacks: browser support is not widespread enough yet
> >>
> >> 4. X.509 v3 with subjectAltName
> >> drawbacks: ???
> >>
> >> Are there other options?  Are there drawbacks to relying on X.509 v3
> >> with subjectAltName, or is that the way to go?
> >
> > Options 1) and 2) don't require separate apache2 configs. You can have
> > apache listen to multiple IPs or Ports. Just add the necessary
> > "Listen" statements to your config, and then a virtualhost for each
> > SSL host.
> >
> > Personally I think that until SNI adoption gets more widespread the
> > best option is 1) if you have the IPs to spare, as it doesn't have any
> > more config overhead than the other options and is going to work as
> > expected.
> >
> >
> > Krist
> 
> Thanks Krist.
> 
> The "virtualhost for each SSL host" is what I mean by separate apache2
> configs.  I'd like to be able to define different domain names on the
> fly within my perl scripts without changing apache2 config.  Maybe
> we're just not there yet?

You can also use things like mod_macro to enable that kind of flexibility.


> Why would you use multiple IPs instead of X.509 v3 with
> subjectAltName?  Does subjectAltName have any drawbacks?

Though more widely spread, it's the same as for SNI: it's not supported by all browsers/libraries.

One example that comes to my mind is serf.

> - Grant
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
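As an added example (not from any post in this thread), an httpd configuration that puts options 1 and 3 from the discussion side by side: one IP per SSL host, templated with mod_macro as suggested in the reply above, and several names on one IP via SNI, with the non-SNI fallback caveat. Addresses are from the RFC 5737 documentation range; the hostnames, certificate paths and the macro name "SSLHost" are placeholders.

```apache
# Added illustration, not from any post in this thread. Addresses are from
# the RFC 5737 documentation range; hostnames, paths and "SSLHost" are placeholders.
LoadModule ssl_module modules/mod_ssl.so
# mod_macro was a third-party module for 2.2 and is bundled from 2.4.
LoadModule macro_module modules/mod_macro.so

# Option 1: one IP per SSL host. The vhost, and so the certificate, is
# selected by destination address before any TLS data is read, so it works
# with every client, including ones that send no SNI.
Listen 192.0.2.10:443
Listen 192.0.2.11:443

# mod_macro keeps the per-host boilerplate in one place; each "Use" line
# expands to a full VirtualHost with its own certificate and key.
<Macro SSLHost $ip $name>
<VirtualHost $ip:443>
    ServerName $name
    DocumentRoot /var/www/$name
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/$name.crt
    SSLCertificateKeyFile /etc/ssl/private/$name.key
</VirtualHost>
</Macro>

Use SSLHost 192.0.2.10 www.example.com
Use SSLHost 192.0.2.11 www.example.net

# Option 3: several names on one IP via SNI. mod_ssl picks the vhost from
# the name in the ClientHello. Clients without SNI get the FIRST vhost on
# this address, so list the certificate you are willing to show them first
# (or use one certificate whose subjectAltName lists all names, option 4).
Listen 192.0.2.12:443
# NameVirtualHost is required on 2.2 and ignored with a warning on 2.4.
NameVirtualHost 192.0.2.12:443
# "on" refuses non-SNI clients instead of serving them the fallback vhost.
SSLStrictSNIVHostCheck off

<VirtualHost 192.0.2.12:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.org.key
</VirtualHost>
<VirtualHost 192.0.2.12:443>
    ServerName www.example.info
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.info.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.info.key
</VirtualHost>
```

After loading this, `openssl s_client -connect 192.0.2.12:443 -servername www.example.info` versus the same command without `-servername` shows which certificate a non-SNI client would actually receive.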
