Answer the question
In order to leave comments, you need to log in
How to make SSL (https) access for multiple sites on the same IP?
In connection with the development of a certain service, it became necessary to use a secure connection for several projects. There is only one dedicated IP on the server.
Is it possible somehow to use multiple sites with ssl on the same IP?
From what I found on the Internet:
- name-based vhosts (apache + mod_gnutls) ( _http: // www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-... )
- SSL with Virtual Hosts Using SNI (apache) ( _http:// wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI ) , SNI (nginx) ( _http:// itbuben.org/blog/Unix-way/1621.html )
- ip- based vhosts (apache) ( _http://www.ibm.com/developerworks/ru/library/wa-multissl/... ) (I didn’t fully understand the principle of operation, how the server will determine which internal ip to send to)
In principle, using SNI is fine, full support by (old) browsers is not so relevant and important to me. But I didn’t understand how exactly the browser would behave in this case?
Are there any other options for setting up multiple ssl on one ip?
What options have you used or can recommend?
Answer the question
In order to leave comments, you need to log in
I use SNI with Nginx, the configuration is the same as for a single address, i.e. server_name is tritely specified, no directives need to be specially called - it just works. SNI is able to any sane browser (and insane and without it has problems).
Regarding WinXP - so SNI is not supported in IE, other browsers do not care.
wildcard certificates are quite expensive, but can be a good solution to get around SNI.SNIT
I, to my shame, do not really understand in theory why and how it works. but I have it on the host and it works. nginx.
server {
listen 443;
server_name host1.com;
ssl on;
ssl_certificate /path/to/host1.crt;
ssl_certificate_key /path/to/host1.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
… # rest as usual
}
and the same for the second one. Main server_name specify different and ssl certificates
SNI is not supported in WinXP
Subdomains + certificate for *.xxx.yyy universal solution
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question