Geoff Thorpe wrote:
> 
> Every time someone posts a "can I do name-based virtual hosting with SSL"
> request, I'm inclined to suspect a troll because of the number of replies it
> gets. :-) However, I have to make a comment because invariably many of the
> replies say something that isn't actually true ...
> 
> On Tue, 17 Apr 2001, Rudi Heitbaum wrote:
> 
> > Nope, it does not because the SSL session is established before
> > the http call. Thus you can only bind 1 certificate to an IP
> > address. This is a faq by the way.
> 
> Wrong, you can only bind 1 certificate to an IP/port address pair. You can run a
> tonne of HTTPS hosts on the same IP address if you are prepared to use ports
> other than 443. Of course, the decision as to whether you can do that will
> depend on your circumstances (eg. if you want to work through firewalls that may
> strip everything except ports 80 and 443), but it is not true to flat-out state
> that you get only 1 host per IP address.

I would like to add to this.

You can make use of the Host header, even if you can't have more than one
VirtualHost section in the config file per IP/port pair. If all your name-based
hosts can share the same certificate, you can have the functionality of more
than one host on the same IP/port address pair.

I have used mod_rewrite in combination with mod_proxy to create a single SSL
front end, that dispatched to multiple back-end servers using the Host header to
determine which back-end host to go to.

The trick is that you have to be able to use a regex for your server's CN in the
server certificate to keep browsers from complaining... This works well for
sites that have multiple "related" web sites, but of course doesn't work for the
general ISP case. (i.e. I have www(.|.*.)ucar.edu in my certificate - this
allows our top-level domain, as well as all of our "second tier" levels of
administration to be proxied by the same SSL virtual host.) Basically, this can
work as long as you can come up with a CN in your certificate that will match
all the hosts you want to serve.

jeff
-- 
Jeff W. Boote  <[EMAIL PROTECTED]>      The more that you read, the more
Software Engineer                    things you will know.  The more
VETS/SCD/NCAR                        that you learn, the more places
Boulder, Colorado, USA               you'll go.        Dr. Seuss
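The setup Jeff describes, as an added example that is not part of the original post and not the poster's own configuration: one SSL virtual host on a single IP/port pair, using mod_rewrite's proxy flag to hand each permitted Host header to its own back-end server. It assumes an Apache 2.x httpd with mod_ssl, mod_rewrite and mod_proxy loaded; the host names, certificate paths and back-end addresses are placeholders. Only the Host values listed in the RewriteCond lines are forwarded; anything else is refused, so a crafted Host header cannot steer the proxy to a host you did not intend to expose.

```apache
# Added example (not from the original post): one SSL front end that
# dispatches to back-end servers by Host header, in the mod_rewrite +
# mod_proxy style described above. Host names, paths and back-end
# addresses are placeholders.
Listen 443
<VirtualHost 10.0.0.1:443>
    ServerName www.example.org
    SSLEngine on
    # One certificate whose subject covers every name this front end serves
    SSLCertificateFile    /etc/ssl/certs/frontend.crt
    SSLCertificateKeyFile /etc/ssl/private/frontend.key

    # Never act as a forward proxy; only the explicit rules below may proxy.
    ProxyRequests Off
    # Pass the client's Host header through so each back end sees its own name.
    ProxyPreserveHost On

    RewriteEngine On
    # Map each permitted Host header to its own back-end server.
    RewriteCond %{HTTP_HOST} ^www\.example\.org$ [NC]
    RewriteRule ^/(.*)$ http://10.0.1.10/$1 [P,L]

    RewriteCond %{HTTP_HOST} ^www\.dept\.example\.org$ [NC]
    RewriteRule ^/(.*)$ http://10.0.1.20/$1 [P,L]

    # Anything else (unknown or missing Host header) gets 403 rather than
    # being forwarded anywhere.
    RewriteRule ^ - [F]

    # Rewrite Location/redirect headers from the back ends to the front-end name.
    ProxyPassReverse / http://10.0.1.10/
    ProxyPassReverse / http://10.0.1.20/
</VirtualHost>
```

The default-deny rule at the end is the part worth keeping even if everything else changes: a Host-driven proxy with no fallthrough rule is harmless here because the RewriteCond lines only match known names, but adding a catch-all that proxies `%{HTTP_HOST}` directly would turn the front end into an open relay to whatever the Host header names.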
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
