timb551
asked on
Running multiple SSL websites on single server with single ip address
Hi
I have a web server running on CentOS 6 that is inside a firewall, running on a single local IP address.
On this server it is running a single site on both 80 and 443.
I now need to run another site on 443.
I understand there is a way, using SNI, that allows me to run multiple SSL sites using the same IP address and different SSL certs.
Can someone please explain how I configure the server to do this.
Thanks
Does your browser support SNI?
# Because this virtual host is defined first, it will be used as the default if the hostname is not received
# in the SSL handshake, e.g. if the browser doesn't support
Also, what are your exact versions of Apache and OpenSSL?
ASKER
I believe it's only old browsers that don't support SNI, isn't it? I'm using Firefox ver. 33
Server version: Apache/2.2.15 (Unix)
OpenSSL 1.0.1e-fips 11 Feb 2013
thanks
Actually SNI support is not so essential.
With a wildcard cert you can disable SNI vs HTTP hostname validation and run 100s of sites in the same domain.
Your openssl & apache versions support SNI.
Can you check with a recent version of Chrome?
Everything modern supports SNI. SNI just means that the requested FQDN (e.g. yoursite.com) is included in the Client Hello, which is the first part of the SSL handshake and the first thing that happens after the client establishes the TCP connection on port 443. This means that the web server knows what site you want *before* the SSL handshake takes place, so it can present the certificate which matches that FQDN, hence making SSL VirtualHost entries feasible on a single IP.
You want to make sure you've got, as a minimum:
NameVirtualHost *:443
<VirtualHost *:443>
    SSLEngine On
    ServerName fqdn.on.certificate.com
    SSLCertificateFile /path/to/cert/with-fqdn-matching-ServerName
    SSLCertificateKeyFile /path/to/corresponding/private.key
    SSLCertificateChainFile /path/to/file-containing-CA-cert-chain-for-SSLCertificateFile
    DocumentRoot /somewhere
</VirtualHost>
You need SSL keys for the default host so that the HTTPS listener starts:
NameVirtualHost *:443
# Server-level defaults: every *:443 virtual host inherits these unless it overrides them
SSLEngine On
ServerName fqdn.on.certificate.com
SSLCertificateFile /path/to/cert/with-fqdn-matching-ServerName
SSLCertificateKeyFile /path/to/corresponding/private.key
SSLCertificateChainFile /path/to/file-containing-CA-cert-chain-for-SSLCertificateFile
<VirtualHost *:443>
</VirtualHost>
ASKER
A few typos were causing me issues, but using the links I got it sorted, thanks