This thread lasted much longer than I think necessary for a simple question, but I had to comment/correct one thing: On Fri, 12 Jul 2002, David Terrell wrote:
On Fri, Jul 12, 2002 at 07:17:35AM -0700, Scott Francis wrote:
On Fri, Jul 12, 2002 at 08:25:25AM -0400, kramert@mlrnoc.navy.mil said:
Odd. I've run multiple "https:" sites on one IP. The browser will complain about the certificate but you can always have a different certificate for each site while using one IP address. (Correct me if I'm wrong!)
You're wrong. :) The SSL exchange happens before the HTTP protocol over SSL can begin, and so the server has no idea which cert to send; or more practically, just has one cert configured per (host,port).
Careful. You could come across harsh. The internet doesn't route sarcasm well. What they are talking about is sorta possible. You can set up name-based virtual hosting and have 1 and only 1 SSL site on that IP address. Any other sites on that IP that you set up with SSL get the usual SSL complaint that the cert does not match the site name. This is not acceptable for business class customers and as said before will generate complaints. SSL has to be tied to one IP; nothing says you can't virtual host the rest of the http (without SSL) sites on that same IP (even though that gets messy pretty quick I think). In practice/pricing it's easiest to just include the cost of one additional IP on the machine for each SSL site and then name-based on the server's primary IP won't cause you any problems.

## Examples...

This is the clean way to set it up:

# All name based hosts on the server would point to 10.4.10.1 in DNS.
10.4.10.1 # primary machine's IP set up for name based virtual hosting
10.4.10.2 # SSL site1 and alias1 IP on the network interface
10.4.10.2 # nonssl version of the same site1 on alias1 IP
10.4.10.3 # SSL site2 and alias2 IP on the network interface...etc
10.4.10.3 # nonssl version of site2 on alias2 IP

(sometimes people don't want or need the nonssl versions...but it works just the same.)

But this sorta works even if it is a bit unclean in my opinion:

10.4.10.1 # SSL site ssl.domain.com
10.4.10.1 # nonssl.domain.com
10.4.10.1 # nonssl2.domain.com
10.4.10.2 # SSL site 2 and alias1 on the network interface
10.4.10.2 # nonssl3.domain.com

We've strayed far from network operation discussion, and moved to web server setup. I hope this will complete this thread. There is also much of this similar discussion available on google since like I said before it was a hot topic when ARIN temporarily changed their policy on web server addressing.
If anyone wants more granular detail and this still doesn't make sense:
- after reading the documentation from your web server
- AND checking google groups for this discussion
- e-mail me off list, but I can't promise to be as cordial there. ;-)

This is a stretch for a nanog discussion. (...though not the first)

Gerald

P.S. I'm a sysadmin not an English teacher. Grammar/Spelling problems happen.
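The "clean way" from the post above, written out as an Apache httpd configuration. This is an added illustration, not configuration from the thread or from Gerald's servers; the hostnames, document roots and certificate paths are assumptions. Only the port-80 hosts on 10.4.10.1 are name-based; each SSL host sits alone on its own alias IP, so the server never has to pick a certificate before the handshake.

```apache
Listen 80
Listen 443

# Name-based hosting is enabled only on the primary IP, port 80 (no SSL here).
NameVirtualHost 10.4.10.1:80

<VirtualHost 10.4.10.1:80>
    ServerName   www.example-a.test        # assumed hostname
    DocumentRoot /var/www/example-a
</VirtualHost>

<VirtualHost 10.4.10.1:80>
    ServerName   www.example-b.test        # assumed hostname
    DocumentRoot /var/www/example-b
</VirtualHost>

# site1: SSL bound to alias IP 10.4.10.2. It is the only :443 host on this
# address, so there is exactly one certificate to send and no name mismatch.
<VirtualHost 10.4.10.2:443>
    ServerName   site1.example.test        # assumed hostname
    DocumentRoot /var/www/site1
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/site1.example.test.crt   # assumed path
    SSLCertificateKeyFile /etc/ssl/private/site1.example.test.key # assumed path
</VirtualHost>

# Optional non-SSL version of site1 on the same alias IP.
<VirtualHost 10.4.10.2:80>
    ServerName   site1.example.test
    DocumentRoot /var/www/site1
</VirtualHost>

# site2: its own alias IP, its own certificate; repeat per SSL site.
<VirtualHost 10.4.10.3:443>
    ServerName   site2.example.test        # assumed hostname
    DocumentRoot /var/www/site2
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/site2.example.test.crt   # assumed path
    SSLCertificateKeyFile /etc/ssl/private/site2.example.test.key # assumed path
</VirtualHost>

<VirtualHost 10.4.10.3:80>
    ServerName   site2.example.test
    DocumentRoot /var/www/site2
</VirtualHost>
```

Adding a second `<VirtualHost 10.4.10.2:443>` block reproduces the complaint the thread describes: Apache serves the first certificate configured for that address:port to every client, so the second site's visitors see a name mismatch. TLS Server Name Indication (RFC 6066) later lifted this limit for clients that send it, but the one-IP-per-certificate layout is still the safe baseline when a client population may include non-SNI clients.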