Re: Question regarding web hosting ip addressing
On Fri, Jul 12, 2002 at 08:25:25AM -0400, kramert@mlrnoc.navy.mil said:
> Odd. I've run multiple "https:" sites on one IP. The browser will complain about the certificate but you can always have

And therein lies the problem. :) The last web host work I did had a few bottom-line rules, and one of them was do not confuse the end-users, because that tends to either create support calls (whee) or send them to competitors.

> a different certificate for each site while using one IP address. (Correct me if I'm wrong!)

According to http://httpd.apache.org/docs/vhosts/name-based.html (thanks Gerald), name-based hosting cannot be used with SSL due to the nature of the SSL protocol.

> - Tim

--
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
GPG key CB33CCA7 has been revoked; I am now 5537F527
illum oportet crescere me autem minui
On Fri, 12 Jul 2002 07:17:35 -0700 Scott Francis <darkuncle@darkuncle.net> wrote:
> a different certificate for each site while using one IP address. (Correct me if I'm wrong!)
>
> According to http://httpd.apache.org/docs/vhosts/name-based.html (thanks Gerald), name-based hosting cannot be used with SSL due to the nature of the SSL protocol.

correct. there's a specific technical problem due to the way that the https protocol is designed; it's a chicken-and-egg problem. specifically, name-based identification of sites is based on the HTTP Host request-header field. in https, the certificates are processed before the Host request-header is transmitted; Host is supposed to be inside the encrypted tunnel. a different design might have permitted name-based https identification of virtual web sites, but they did what they did.

richard
--
Richard Welty rwelty@averillpark.net
Averill Park Networking 518-573-7592
Unix, Linux, IP Network Engineering, Security
On Fri, Jul 12, 2002 at 07:17:35AM -0700, Scott Francis wrote:
> On Fri, Jul 12, 2002 at 08:25:25AM -0400, kramert@mlrnoc.navy.mil said:
> > Odd. I've run multiple "https:" sites on one IP. The browser will complain about the certificate but you can always have a different certificate for each site while using one IP address. (Correct me if I'm wrong!)

You're wrong. :) The SSL exchange happens before the HTTP protocol over SSL can begin, and so the server has no idea which cert to send; or more practically, just has one cert configured per (host,port). There is a defined mechanism to do HTTPS over port 80 using a mechanism called Upgrade and inband TLS. This will make it possible to do name-based vhosts and encryption, because you provide a Host: header along with the Upgrade: TLS/1.0 header.

> According to http://httpd.apache.org/docs/vhosts/name-based.html (thanks Gerald), name-based hosting cannot be used with SSL due to the nature of the SSL protocol.

Yep.
--
David Terrell | "It is helpful to indicate in advance whether the
Nebcorp Prime Minister | printers will be supporting standard A4 paper or
dbt@meat.net | the strange but patriotic American 8.5x11 inch
http://wwn.nebcorp.com/ | paper." - draft-ymbk-termroom-op-06
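The two explanations above (Richard's chicken-and-egg point and David's note about in-band Upgrade: TLS/1.0) come down to one question: what does the server actually know about the requested site at the moment it has to pick a certificate? The following is an added example, not code from the thread or from Apache. It constructs a minimal TLS 1.0 ClientHello and an RFC 2817-style Upgrade request (both constructed sample data) and extracts the only name the server could use at certificate-selection time. It also goes one step past the thread: the server_name extension (SNI, RFC 3546, later RFC 6066, which did not exist when this was written) puts the host name into the ClientHello itself, and the parser handles that case too so the contrast with the extension-less 2002-era hello is visible.

```python
"""Added example: what a server knows about the wanted site when it must
choose a certificate.  Not code from the thread or from any web server."""
import struct


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.0 ClientHello record (constructed sample data).
    Without server_name this is the extension-less hello of the thread's era;
    with it, a server_name (SNI) extension, type 0, is appended."""
    body = b"\x03\x01"                            # client_version: TLS 1.0
    body += b"\x00" * 32                          # random (constructed, all zero)
    body += b"\x00"                               # session_id length 0
    body += struct.pack("!H", 2) + b"\x00\x2f"    # one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)
    body += b"\x01\x00"                           # compression_methods: null only
    if server_name is not None:
        host = server_name.encode("ascii")
        name_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name(0)
        sni_data = struct.pack("!H", len(name_entry)) + name_entry
        ext = struct.pack("!HH", 0, len(sni_data)) + sni_data       # extension type 0
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def requested_name_from_client_hello(record):
    """Return the host name carried in the ClientHello, or None if there is none.
    This is all the server can know about the wanted site before it sends its
    certificate; the HTTP Host header has not been transmitted yet."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                        # handshake header, version, random
    pos += 1 + hs[pos]                                      # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]      # cipher_suites
    pos += 1 + hs[pos]                                      # compression_methods
    if pos >= len(hs):
        return None                                         # no extensions: nothing names the site
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type == 0 and len(data) >= 5 and data[2] == 0:   # server_name, host_name entry
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii")
    return None


def requested_name_from_upgrade_request(raw):
    """For the in-band mechanism (HTTP/1.1 'Upgrade: TLS/1.0' on port 80, RFC 2817),
    the Host header arrives in clear text before TLS starts, so the server can
    choose a per-site certificate.  Returns the Host value, or None if the
    request does not ask for a TLS upgrade."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower()] = value.strip()
    if not headers.get(b"upgrade", b"").upper().startswith(b"TLS/"):
        return None
    return headers.get(b"host", b"").decode("ascii") or None


if __name__ == "__main__":
    print("plain 2002-era hello :", requested_name_from_client_hello(build_client_hello()))
    print("hello with SNI       :", requested_name_from_client_hello(build_client_hello("site2.example")))
    upgrade_req = (b"OPTIONS * HTTP/1.1\r\nHost: site1.example\r\n"
                   b"Upgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n")
    print("Upgrade: TLS/1.0 req :", requested_name_from_upgrade_request(upgrade_req))
```

With the extension-less hello the parser returns None, which is exactly why a server of that era could only bind one certificate per (IP, port) and why Gerald's one-IP-per-SSL-site layout below was the clean answer; the Upgrade request and the SNI hello both hand the server a name before it commits to a certificate.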
This thread lasted much longer than I think necessary for a simple question, but I had to comment/correct one thing:

On Fri, 12 Jul 2002, David Terrell wrote:
> On Fri, Jul 12, 2002 at 07:17:35AM -0700, Scott Francis wrote:
> > On Fri, Jul 12, 2002 at 08:25:25AM -0400, kramert@mlrnoc.navy.mil said:
> > > Odd. I've run multiple "https:" sites on one IP. The browser will complain about the certificate but you can always have a different certificate for each site while using one IP address. (Correct me if I'm wrong!)
>
> You're wrong. :) The SSL exchange happens before the HTTP protocol over SSL can begin, and so the server has no idea which cert to send; or more practically, just has one cert configured per (host,port).

Careful. You could come across harsh. The internet doesn't route sarcasm well.

What they are talking about is sorta possible. You can set up name-based virtual hosting and have 1 and only 1 SSL site on that IP address. Any other sites on that IP that you set up with SSL get the usual SSL complaint that the cert does not match the site name. This is not acceptable for business class customers and as said before will generate complaints. SSL has to be tied to one IP; nothing says you can't virtual host the rest of the http (without SSL) sites on that same IP (even though that gets messy pretty quick I think). In practice/pricing it's easiest to just include the cost of one additional IP on the machine for each SSL site and then name-based on the server's primary IP won't cause you any problems.

## Examples...

This is the clean way to set it up:

# All name based hosts on the server would point to 10.4.10.1 in DNS.
10.4.10.1   # primary machine's IP set up for name based virtual hosting
10.4.10.2   # SSL site1 and alias1 IP on the network interface
10.4.10.2   # nonssl version of the same site1 on alias1 IP
10.4.10.3   # SSL site2 and alias2 IP on the network interface...etc
10.4.10.3   # nonssl version of site2 on alias2 IP
(sometimes people don't want or need the nonssl versions...but it works just the same.)

But this sorta works even if it is a bit unclean in my opinion:

10.4.10.1   # SSL site ssl.domain.com
10.4.10.1   # nonssl.domain.com
10.4.10.1   # nonssl2.domain.com
10.4.10.2   # SSL site 2 and alias1 on the network interface
10.4.10.2   # nonssl3.domain.com

We've strayed far from network operation discussion, and moved to web server setup. I hope this will complete this thread. There is also much of this similar discussion available on google since like I said before it was a hot topic when ARIN temporarily changed their policy on web server addressing.

If anyone wants more granular detail and this still doesn't make sense:
- after reading the documentation from your web server
- AND checking google groups for this discussion
- e-mail me off list, but I can't promise to be as cordial there. ;-)

This is a stretch for a nanog discussion. (...though not the first)

Gerald

P.S. I'm a sysadmin not an English teacher. Grammar/Spelling problems happen.