
Until recently, you needed a dedicated IP address for each SSL website because TLS did not support name-based virtual hosting. This made hosting SSL websites relatively expensive, and maybe even impossible if you ran out of IP addresses. Server Name Indication (SNI), the TLS extension that removes this limitation and is now specified in RFC 4366, has been around since at least 2003, but it has been very slow to catch on. IE 6 is the last major browser in use today that still does not support SNI, but honestly I see that as a benefit: the more webpages that break in IE6, the faster people will move away from it. The major advantage of SNI is that you can have multiple SSL websites running through the same IP address. This is a huge benefit to individuals, small organizations, or small businesses that need to run SSL websites.

You can set up an Apache server with SNI using Apache 2.2.12 and OpenSSL 0.9.8f (with SNI compiled in). Helpfully, Ubuntu 9.10, Karmic Koala, has SNI support out of the box. Finally there’s a mainstream distribution and enough browser support to dive into virtual hosting with SSL!

Setting up SSL name-based virtual hosting works exactly like setting up unencrypted name-based virtual hosting.

In your ports.conf (or another file that is included in your apache2.conf or httpd.conf):

    Listen 80
    NameVirtualHost *:80

    <IfModule mod_ssl.c>
        Listen 443
        NameVirtualHost *:443
    </IfModule>

Then in your sites-available folder (or wherever you define your virtual hosts) you’d have something like this:

    <VirtualHost *:443>
        ServerName my.first.domain
        ...
    </VirtualHost>

    <VirtualHost *:443>
        ServerName my.second.domain
        ...
    </VirtualHost>

If you are having trouble with this, you may want to review the apache2 documentation on NameVirtualHost or Apache 2.2 Virtual Hosting in general.

I can verify this is working in Karmic Koala, because this server is running TLS with SNI.

