• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 179
  • Last Modified:

SSL and virtual hosts

We have a server running Apache that is home to about a dozen sites. All of the sites are configured to use the same IP via name-based hosting (NameVirtualHost) in the httpd.conf file.

Recently, one of the sites wanted to accept credit cards online. I purchased and installed a server certificate for the domain and modified httpd.conf to add a <virtualhost> entry for the domain under the "Listen 443" directive. I can now access the site via HTTPS, but I can also access it via HTTP, which kinda negates the whole reason for enabling SSL.

I now realize that maybe I should set up a subdomain (e.g. secure.domain.com) to handle HTTPS requests only. What's the best way to do it? I already have an unused IP address I can dedicate to the subdomain, but I'm not sure a) how to configure the DNS table and b) how to configure httpd.conf so that it associates the existing (shared) IP with HTTP requests on the domain and associates the new (dedicated) IP address with HTTPS requests on the domain.

Cheers,

-db
0
dbinteractive
Asked:
dbinteractive
1 Solution
 
dbinteractiveAuthor Commented:
In order to conserve IP addresses, I think I can continue to operate the site as I have been, but add PHP to the pages that should be accessed only via HTTPS to check the request method. If the browser isn't requesting the page via HTTPS, then I can redirect to the same page with HTTPS.

Is that "cheating" or an efficient use of IPs?

-db
0
 
periwinkleCommented:
You should use a unique IP address for each domain which will be used for SSL requests.

As far as being able to access a site by either http://www.somedomain.com or https://www.somedomain.com, you could add a Redirect or rewrite rule to prevent the access from the non-secure version.  On the other hand, SSL does add overhead to the server, and not all requests will need to be secured.  Usually, the parts that do are handled by a web application (PHP, Perl/CGI, etc.).  There, you can check to see if the page is being accessed securely and handle (and/or Redirect appropriately).
0

Featured Post

[Webinar] Kill tickets & tabs using PowerShell

Are you tired of cycling through the same browser tabs everyday to close the same repetitive tickets? In this webinar JumpCloud will show how you can leverage RESTful APIs to build your own PowerShell modules to kill tickets & tabs using the PowerShell command Invoke-RestMethod.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now