Problem

You want to have multiple SSL web sites on the same server.

Solution

In the most common implementations of SSL, you are limited to one SSL host per IP address and port number. To run more than one SSL host, you therefore need either a unique IP address for each host or an alternate port for each additional host on the same address:

    Listen 443
    Listen 444

    <VirtualHost 10.0.1.2:443>
        ServerName secure1.example.com
        DocumentRoot /www/vhosts/secure1
        SSLEngine On
        SSLCertificateFile /www/conf/ssl/secure1.crt
        SSLCertificateKeyFile /www/conf/ssl/secure1.key
    </VirtualHost>

    <VirtualHost 10.0.1.3:443>
        ServerName secure2.example.com
        DocumentRoot /www/vhosts/secure2
        SSLEngine On
        SSLCertificateFile /www/conf/ssl/secure2.crt
        SSLCertificateKeyFile /www/conf/ssl/secure2.key
    </VirtualHost>

    <VirtualHost 10.0.1.3:444>
        ServerName secure3.example.com
        DocumentRoot /www/vhosts/secure3
        SSLEngine On
        SSLCertificateFile /www/conf/ssl/secure3.crt
        SSLCertificateKeyFile /www/conf/ssl/secure3.key
    </VirtualHost>

Each certificate's subject (or subjectAltName) must match the ServerName of the virtual host it is served from; otherwise browsers will warn the user about a name mismatch even though the configuration is otherwise correct.

Discussion

The limitation that restricts you to one SSL host per IP address and port is not imposed by Apache but by the way SSL works. When the browser connects to the server, the first thing it does is negotiate a secure connection. During this handshake the server sends its certificate to the client, and everything after that point is encrypted. Because this happens before the browser tells the server which resource it wants, the server can choose the certificate only on the basis of the IP address and port on which the client connected. By the time the server receives the Host header field, it is too late: the certificate has already been sent.

This describes the original SSL/TLS handshake. Modern browsers also send the Server Name Indication (SNI) extension (RFC 6066) in the initial ClientHello, before the server has chosen a certificate, and Apache 2.2.12 and later, built against an OpenSSL with TLS extension support, can use it to select among several name-based SSL virtual hosts on a single IP address and port. Clients that do not send SNI are given the certificate of the first (default) virtual host configured for that address and port, or are refused with SSLStrictSNIVHostCheck On; if such clients must be supported, the unique address or alternate port approach in the Solution is still required.

It is possible to run SSL hosts on ports other than 443 if the port number is explicitly specified in the URL (for example, https://secure3.example.com:444/). This gets around the limitation, but it puts an additional burden on the end user, who has to type the correct URL with the port number.

See Also
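The Discussion turns on when the server learns which host the client wants. The following added example (it is not part of the original recipe) builds a minimal TLS ClientHello with and without the Server Name Indication extension, parses the name back out of the raw bytes, and picks a certificate the way an SNI-aware server does, before any certificate has been sent. The vhost table and certificate paths are constructed to match the recipe's hostnames; the ClientHello random is zeroed and a single cipher suite is offered for brevity.

```python
"""Added example: build a TLS ClientHello carrying SNI and parse the server
name back out, mirroring how an SNI-aware server picks a certificate before
sending it.  Host names and certificate paths are made up to match the recipe."""
import struct

# Constructed vhost table: SNI host_name -> certificate file (not a real deployment).
VHOSTS = {
    "secure1.example.com": "/www/conf/ssl/secure1.crt",
    "secure2.example.com": "/www/conf/ssl/secure2.crt",
}
# A non-SNI client (or an unknown name) gets the first vhost on the IP:port.
DEFAULT_CERT = VHOSTS["secure1.example.com"]


def build_client_hello(server_name=None):
    """Return a TLS record holding a minimal TLS 1.2 ClientHello.

    When server_name is None the extensions block is omitted entirely, as an
    old SSL client would do; otherwise a single server_name extension is sent.
    """
    body = b"\x03\x03"              # client_version: TLS 1.2
    body += b"\x00" * 32            # random (all zero here; constructed, not random)
    body += b"\x00"                 # session_id length 0
    body += b"\x00\x02\xc0\x2f"     # one cipher suite: ECDHE-RSA-AES128-GCM-SHA256
    body += b"\x01\x00"             # compression_methods: null only
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name    # NameType host_name(0)
        sni = struct.pack("!H", len(entry)) + entry               # ServerNameList
        exts = struct.pack("!HH", 0x0000, len(sni)) + sni         # ExtensionType server_name(0)
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body       # HandshakeType client_hello(1), 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs      # ContentType handshake, record version 3.1


def parse_sni(record):
    """Return the host_name from the ClientHello's SNI extension, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                            # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    comp_len = body[pos]
    pos += 1 + comp_len
    if pos >= len(body):
        return None                                         # no extensions block: pre-SNI client
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == 0x0000:                                 # server_name extension
            lst_len = struct.unpack("!H", data[:2])[0]
            i = 2
            while i + 3 <= 2 + lst_len:
                ntype = data[i]
                nlen = struct.unpack("!H", data[i + 1:i + 3])[0]
                if ntype == 0:                              # host_name
                    return data[i + 3:i + 3 + nlen].decode("ascii")
                i += 3 + nlen
    return None


def select_certificate(record):
    """Choose the certificate to send using only the ClientHello, as mod_ssl does with SNI."""
    return VHOSTS.get(parse_sni(record), DEFAULT_CERT)


if __name__ == "__main__":
    for name in ("secure1.example.com", "secure2.example.com", "other.example.com", None):
        print(name, "->", select_certificate(build_client_hello(name)))
```

The selection happens entirely on the client's first message, which is why an SNI-capable server can hold several certificates on one address and port. The `None` case shows the fallback that a non-SNI client triggers: it is handed the default vhost's certificate, which is the behaviour the Solution's one-host-per-address layout avoids.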