views: 48
answers: 4

We have a web application that hosts multiple websites for our customers under different domains. All these domains are hosted on a single Apache vhost; the logical separation into different sites is done by the software.

We would like to offer SSL support for some of these virtual websites. In principle that should be no problem, as after an SSL connection is established, the software can use the Host: header to route to the correct website.

But: How do I tell apache to serve the correct certificate, depending on the requested host?

Is there a possibility to map certs to domains, e.g. with something like:

SSLCertificateFile file

All help is appreciated!

+1  A: 

This is not possible. Since the Host header is only sent after the SSL connection is set up, the server cannot serve an SSL certificate depending on the host.

Server Name Indication tries to fix this, but is not implemented on all browsers.

Sjoerd
+2  A: 

You will need to use a separate IP address per SSL domain. You can set SSLCertificateFile fine on a VirtualHost that has an IP:port combination to itself.

It is a limitation of HTTPS that choosing a certificate to secure the connection happens before the client passes a Host: request header (it has to, because the headers are also encrypted). So you can't have more than one hostname per IP address (except for wildcard certs, and that only gives you subdomains).

An extension to SSL known as SNI works around this problem, but browser support is not currently good enough to consider for public deployment.

bobince
+1 You also have the option of "unrelated" host names in multiple entries in the SAN extension.
Bruno
This may be a possible way: to use a combination of ip:port to serve multiple vhosts, each of them pointing to the same DocumentRoot. All we need to do in addition is to open the firewall for these ports in order to let requests in and keep track of what port belongs to what instance. Thanks a lot!
D.Bel ca
@D.Bel ca The problem with multiple ip:port is that https uses 443 by default and not all of the possible clients' firewalls will let connections to other ports (it varies, but it's not just about your firewall, but also about theirs). It is quite common for HTTP proxy servers to only allow `CONNECT` (which is used for proxying https) to port 443.
Bruno
+3  A: 

In addition to what @bobince said, you can have multiple host names in the same certificate (not necessarily with wild-cards or sub-domains) using multiple DNS entries in the subject alternative name extension. (CAs are likely to charge a much higher fee for this type of certificate).

Bruno
This is the easiest method, and most SAN certificates are only slightly more expensive: http://www.sslshopper.com/unified-communications-uc-ssl-certificates.html
Robert
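To make the two workable approaches from bobince's and Bruno's answers concrete, here is an added Apache (mod_ssl) configuration example; it is not taken from any of the answers above. It shows (1) one IP address per certificate, which works with every HTTPS client, (2) a single SAN certificate covering several unrelated host names on one IP, and (3) an SNI-based name vhost on a third IP, which only works for clients that send SNI. The IP addresses (203.0.113.x), host names (example.com/net/org) and certificate paths are constructed placeholders; `SSLStrictSNIVHostCheck` requires Apache 2.2.12 or later built against an SNI-capable OpenSSL.

```apache
# Approach 1 (bobince): one dedicated IP:443 per certificate.
# The certificate is chosen by the IP the client connected to, so it
# works even for clients that never send SNI.
Listen 203.0.113.10:443
Listen 203.0.113.11:443

<VirtualHost 203.0.113.10:443>
    ServerName  www.example.com
    DocumentRoot /var/www/app        # same application for every site
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
</VirtualHost>

<VirtualHost 203.0.113.11:443>
    ServerName  www.example.net
    DocumentRoot /var/www/app
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.net.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.net.key
</VirtualHost>

# Approach 2 (Bruno): one certificate whose subjectAltName lists several
# unrelated names, so a single IP and a single vhost serve all of them.
# The application still routes on the Host: header after the handshake.
Listen 203.0.113.12:443

<VirtualHost 203.0.113.12:443>
    ServerName  customer-one.example.org
    ServerAlias customer-two.example.org shop.example.net
    DocumentRoot /var/www/app
    SSLEngine on
    # san-bundle.crt must carry DNS entries for every name above
    SSLCertificateFile    /etc/ssl/certs/san-bundle.crt
    SSLCertificateKeyFile /etc/ssl/private/san-bundle.key
</VirtualHost>

# Approach 3 (SNI, mentioned in both answers): several name-based SSL
# vhosts on ONE IP. Apache picks the vhost from the server_name sent in
# the TLS ClientHello. Clients without SNI get the first vhost's
# certificate, which causes a name-mismatch warning for the other sites.
Listen 203.0.113.13:443
NameVirtualHost 203.0.113.13:443

# Reject non-SNI clients outright instead of silently serving the wrong
# certificate; remove this line if those clients must still be served.
SSLStrictSNIVHostCheck on

<VirtualHost 203.0.113.13:443>
    ServerName  alpha.example.com       # default vhost for non-SNI clients
    DocumentRoot /var/www/app
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/alpha.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/alpha.example.com.key
</VirtualHost>

<VirtualHost 203.0.113.13:443>
    ServerName  beta.example.com
    DocumentRoot /var/www/app
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/beta.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/beta.example.com.key
</VirtualHost>
```

Whichever approach is used, keep each private key readable only by the user Apache starts as (it reads the keys as root before dropping privileges), and verify the served certificate from outside with `openssl s_client -connect <ip>:443 -servername <hostname>`: without `-servername` you see exactly what a non-SNI client would get.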
A: 

If you're looking to buy an SSL with the FQDN option, Totally GlobalSign are currently offering 33% off all their certificates for this month. And with the Unlimited Server Licence they have just started offering, it sounds to me like a great bargain.

Gary