It seems like you might be confusing "shared infrastructure" with
"single IP". As others have said, you need a distinct address for each
SSL-enabled httpd or proxy, although they can reside on the same hardware.

A good example of this is the typical configuration for larger server
farms. You find multiple High Availability load balancers in the DMZ for
both http and https using something like ha/keepalived for Linux. These
proxy the incoming request back into private address space. The SSL
proxies terminate the SSL connection and broker the request on behalf of
the user, and everything goes to the private address space in plain http.
This allows each of the _real_ webservers to achieve better
performance since the SSL overhead is not present.

While you can use Apache as an SSL-terminating proxy, I find I get
better performance, lower memory utilization and easier configuration
using Pound ( http://www.apsis.ch/pound/ ). Using keepalived, I have
multiple public IP addresses floating between several hosts, and Pound
binds https to those addresses.

Hope that adds a bit of additional clarity,
Dave

Cuesta Gilles sent forth:
So what about this ?
"*MULTIPLE CN (SAN) SERVER CERTIFICATES*
This type of certificate (also called /Subject Alternative Name/ (SAN) )
enables to secure not only one website but a large number of sites (a
list of sites) hosted on a shared infrastructure (server with multiple
names, reverse proxy). Ideal to secure multiple brands of a corporation.
One certificate per hardware is required."
http://www.tbs-certificats.com/index.html.en
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org