Archive for the tag 'name-based'

SBDavid

Name-Based VirtualHosts and SSL


As a rule, it is impossible to host more than one SSL virtual host on the same IP address and port. This is because Apache needs to know the name of the host in order to choose the correct certificate to set up the encryption layer. But the name of the host being requested is contained only in the HTTP request headers, which are part of the encrypted content. It is therefore not available until after the encryption is already negotiated. This means that the correct certificate cannot be selected, and clients will receive certificate mismatch warnings and be vulnerable to man-in-the-middle attacks.

In reality, Apache will allow you to configure name-based SSL virtual hosts, but it will always use the configuration from the first-listed virtual host (on the selected IP address and port) to set up the encryption layer. In certain specific circumstances, it is acceptable to use a single SSL configuration for several virtual hosts. In particular, this will work if the SSL certificate applies to all the virtual hosts. For example, this will work if:

All the VirtualHosts are within the same domain, e.g. one.example.com and two.example.com.

You have a wildcard SSL certificate for that domain (one where the Common Name begins with an asterisk, i.e. *.example.com).
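Before relying on one certificate for several name-based SSL virtual hosts, it is worth checking that every ServerName and ServerAlias on the shared IP:port is actually covered by that certificate's names. The following is an added example (not code from the post or from Apache): it parses a small, constructed Apache configuration embedded in the script, collects the hostnames of every virtual host that has SSLEngine on, and matches them against the certificate's names using the browser rule for wildcards (the asterisk must be the whole leftmost label and matches exactly one label, so *.example.com covers one.example.com but not www.one.example.com or bare example.com). The configuration text, the hostnames and the certificate name list are all assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample configuration (not from the page): three name-based SSL
# virtual hosts on the same IP/port, which Apache will serve with the first
# one's SSL configuration.
SAMPLE_CONFIG = """
<VirtualHost *:443>
    ServerName one.example.com
    ServerAlias www.one.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/wildcard.example.com.crt
</VirtualHost>

<VirtualHost *:443>
    ServerName two.example.com
    SSLEngine on
</VirtualHost>

<VirtualHost *:443>
    ServerName shop.example.net
    SSLEngine on
</VirtualHost>
"""

# Constructed: the names carried by the wildcard certificate of the first
# virtual host (its Common Name plus any Subject Alternative Names).
CERT_NAMES = ["*.example.com", "example.com"]


def parse_ssl_vhosts(config: str) -> List[Tuple[str, List[str]]]:
    """Return (listen spec, [hostnames]) for each <VirtualHost> with SSLEngine on."""
    vhosts = []
    for block in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", config, re.S):
        listen, body = block.group(1).strip(), block.group(2)
        if not re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I):
            continue  # plain-HTTP vhost, certificate coverage is irrelevant
        names: List[str] = []
        for m in re.finditer(r"^\s*Server(?:Name|Alias)\s+(.+)$", body, re.M):
            names.extend(m.group(1).split())  # ServerAlias may list several names
        vhosts.append((listen, names))
    return vhosts


def name_matches(hostname: str, cert_name: str) -> bool:
    """Hostname matching as browsers apply it: a wildcard is honoured only as
    the entire leftmost label and matches exactly one label."""
    hostname = hostname.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return hostname == cert_name
    suffix = cert_name[1:]  # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    # Exactly one non-empty label may stand in for the asterisk.
    return bool(leftmost) and "." not in leftmost


def uncovered_hosts(config: str, cert_names: List[str]) -> Dict[str, List[str]]:
    """Map each listen spec to the SSL hostnames the certificate does not cover.
    Because all SSL vhosts on one listen spec are served with the first one's
    certificate, every name on that listen spec must be covered by it."""
    problems: Dict[str, List[str]] = {}
    for listen, names in parse_ssl_vhosts(config):
        for host in names:
            if not any(name_matches(host, c) for c in cert_names):
                problems.setdefault(listen, []).append(host)
    return problems


if __name__ == "__main__":
    for listen, hosts in uncovered_hosts(SAMPLE_CONFIG, CERT_NAMES).items():
        print(f"{listen}: not covered by the certificate -> {', '.join(hosts)}")
```

Run against the constructed configuration, the script reports www.one.example.com (a second-level name that a single-label wildcard does not cover) and shop.example.net (a different domain) as the hosts that would trigger certificate mismatch warnings; the two one-label hosts under example.com pass.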

SBDavid

IP-based and name-based Web sites


There are two ways to host domains. The first is to create the domain with its own IP address. This is called IP-based hosting. You must create IP-based domains if the domain needs anonymous FTP and its own secure-site (SSL) support.

The second way to host domains is to create a domain that shares the primary IP address of the server. This is called name-based hosting. Name-based domains receive most of the benefits of an IP-based domain without occupying an IP address.

All of the standard sets of server applications are available to IP-based and name-based sites, except SSL encryption. SSL is not supported for name-based sites.

IP addresses are a scarce resource. To conserve IP addresses, you can arrange to have many sites share the same IP address.