httpd-users mailing list archives

From Tom Evans <tevans...@googlemail.com>
Subject Re: [users@httpd] Alias-ed directory appears on multiple virtual hosts
Date Wed, 08 Dec 2010 13:13:12 GMT
On Wed, Dec 8, 2010 at 12:55 PM,  <breg@kanka.de> wrote:
> Hello,
>
> On 08.12.2010 13:45, Tom Evans wrote:
>>>
>>> .. but at this point apache knows that there is something wrong with the
>>> request or the configuration, and should throw an error instead of
>>> serving
>>> the wrong data.
>>
>> Typically, you don't even get to that point. Most browsers will throw
>> a fit if they request www.hostb.com and are served certificates for
>> www.hosta.com.
>
> And the experienced user has seen these warnings often, so he regularly
> clicked on "I understand the risks" and accepted the ssl session anyway -
> and it's even wiser in most cases to do because mostly you're better off (in
> web 2.0 services for example) with an encrypted transfer and non-secure
> identity than with both non-secure...

What 'experienced' (stupid?) users do is neither here nor there. I
rarely trust self signed certs and would never accept a certificate
for a host that isn't what it claims to be. Since 'experienced' users
do do this sort of thing, don't give them an option to do so.

>
>> The best way to avoid this problem is not dummy vhosts, it is to not
>> serve multiple websites from the same IP ...
>
> In an ideal world, yes.
> But in this world the number of available IPs is restricted, whereas the
> quest for new domains seems endless.
> ".. over 240 Million active and deleted domains in the .com .net .org .biz
> .info .mobi .asia .ie .eu .de .co.uk Top Level Domains.."
> ( http://www.hosterstats.com )

IPv4 addresses aren't exactly tricky to lay your hands on, despite the
endless yearly warnings that IPv4 will run out in the next N years.

>
>> ... if you intend on handling SSL
>> for any one of those websites and not the others. SSL sites that share
>> a certificate (eg, if you have a wildcard certificate) are fine to
>> share an IP.
>
> If there is exactly one SSL site a wildcard cert is not needed and makes
> little sense IMHO.
>

Indeed, I was just trying to make it clear I didn't mean you must have
1 IP per SSL vhost, to avoid someone jumping on that :)

If you have one SSL site, and many non SSL sites, you should host on 2
distinct IPs, one for the SSL enabled site, and one for all the
non SSL sites. It's just cleaner and works better. The cost of
obtaining a second IP is small compared to the brand cost of having
badly served SSL sites.

Cheers

Tom

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
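
The two-address layout recommended in the message above, as an added example that is not part of the original thread, written in the Apache 2.2 syntax current at the time. The addresses 192.0.2.10 and 192.0.2.11, the file paths and www.hostc.com are constructed placeholders; mod_ssl is assumed to be loaded.

```apache
# Addresses, paths and www.hostc.com are constructed placeholders.
#
# Shared address (left commented out): every name resolves to 192.0.2.10.
# https://www.hostb.com/ lands on the only :443 vhost and is answered with
# www.hosta.com's certificate and content.
#
#   Listen 192.0.2.10:80
#   Listen 192.0.2.10:443
#   NameVirtualHost 192.0.2.10:80
#   <VirtualHost 192.0.2.10:443>   ServerName www.hosta.com, SSLEngine on
#   <VirtualHost 192.0.2.10:80>    ServerName www.hostb.com
#   <VirtualHost 192.0.2.10:80>    ServerName www.hostc.com

# Split addresses: DNS points www.hosta.com at 192.0.2.10 and the
# non-SSL names at 192.0.2.11.
Listen 192.0.2.10:443
Listen 192.0.2.11:80
NameVirtualHost 192.0.2.11:80

# The SSL site is the only vhost on its address.
<VirtualHost 192.0.2.10:443>
    ServerName www.hosta.com
    DocumentRoot /srv/www/hosta
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.hosta.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.hosta.com.key
</VirtualHost>

# Name-based, plain-HTTP vhosts share the second address.
<VirtualHost 192.0.2.11:80>
    ServerName www.hostb.com
    DocumentRoot /srv/www/hostb
</VirtualHost>

<VirtualHost 192.0.2.11:80>
    ServerName www.hostc.com
    DocumentRoot /srv/www/hostc
</VirtualHost>

# Nothing listens on 192.0.2.11:443, so https://www.hostb.com/ fails at
# connect time instead of reaching www.hosta.com.
```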

