This tutorial describes how you can host multiple SSL-encrypted web sites (HTTPS) on one IP address with Apache 2.2 and GnuTLS on a Debian Lenny server.
For more information on why this couldn't be done prior to OpenSSL 0.98g or with GnuTLS please refer to http://en.wikipedia.org/wiki/Server_Name_Indication.
I will mention that Virtual Hosting SSLs on the same IP address has 1 or 2 caveats before beginning and before anyone begins ripping out and handing back IPs to their ISPs.
1. Firefox 2.0+ works on all platforms (Mac/Windows/Linux) - it has its own TLS implementation - if you have SSLv2 enabled for VMware tools, Firefox doesn't work either, but by default Firefox comes with v2 disabled by default
2. Windows XP does not support SNI and still has 40% share in the world so you could alienate a lot of people unless they are using Firefox on XP.
3. Browsers like Safari/Chrome/IE only work on Vista or greater because they use the O/S TLS implementation
4. Safari/Chrome only work on 10.5.7 or above on Macs
Let's assume you have written a cool Web 2.0 app behind an SSL which only runs in the latest and greatest browsers because of excessive amounts of Javascript the everything I said above will be fine because your website won't work anyway in the older browsers O/Ses anyways without Firefox.
You can test if your browser is passing SNI by visiting here: https://sni.velox.ch/
Let's begin:
With Godaddy you normally have you import a gd_bundle into Apache with the following OpenSSL directive:
For more information on why this couldn't be done prior to OpenSSL 0.98g or with GnuTLS please refer to http://en.wikipedia.org/wiki/Server_Name_Indication.
I will mention that Virtual Hosting SSLs on the same IP address has 1 or 2 caveats before beginning and before anyone begins ripping out and handing back IPs to their ISPs.
1. Firefox 2.0+ works on all platforms (Mac/Windows/Linux) - it has its own TLS implementation - if you have SSLv2 enabled for VMware tools, Firefox doesn't work either, but by default Firefox comes with v2 disabled by default
2. Windows XP does not support SNI and still has 40% share in the world so you could alienate a lot of people unless they are using Firefox on XP.
3. Browsers like Safari/Chrome/IE only work on Vista or greater because they use the O/S TLS implementation
4. Safari/Chrome only work on 10.5.7 or above on Macs
Let's assume you have written a cool Web 2.0 app behind an SSL which only runs in the latest and greatest browsers because of excessive amounts of Javascript the everything I said above will be fine because your website won't work anyway in the older browsers O/Ses anyways without Firefox.
You can test if your browser is passing SNI by visiting here: https://sni.velox.ch/
Let's begin:
apt-get install libapache2-mod-gnutls
a2dismod ssl
a2enmod gnutls
Edit /etc/apache2/ports.conf and add the following line:Listen 443Also comment out the following in /etc/apache2/ports.conf:
Finally create a file called /etc/apache2/ssl.conf:
# SSL name based virtual hosts are not yet supported, therefore no
# NameVirtualHost statement here
Listen 443
NameVirtualHost xx.yy.zz.kk:443Add in an include line in /etc/apache2/apache2.conf:
ServerName secure.domain1.com:443
GnuTLSEnable on
GnuTLSCertificateFile /etc/apache2/ssl-certs/secure.domain1.com.crt
GnuTLSKeyFile /etc/apache2/ssl-certs/secure.domain1.com.key
GnuTLSPriorities NORMAL
DocumentRoot /web/www1
ServerName secure.domain2.com:443
GnuTLSEnable on
GnuTLSCertificateFile /etc/apache2/ssl-certs/secure.domain2.com.crt
GnuTLSKeyFile /etc/apache2/ssl-certs/secure.domain2.com.key
GnuTLSPriorities NORMAL
DocumentRoot /web/www2
Include "/etc/apache2/ssl.conf"Finally restart Apache2 with:
apache2ctl restart
Note on Godaddy SSLs:With Godaddy you normally have you import a gd_bundle into Apache with the following OpenSSL directive:
SSLCertificateChainFile /etc/apache2/ssl-certs/gd_intermediate_bundle.crtIn order to use this root certificate in GnuTLS simply run:
cat gd_intermediate_bundle.crt >> /etc/apache2/ssl-certs/secure.domain1.com.crt
This simply appends the bundle to the end of the certificate and GnuTLS is very happy using it.
No comments:
Post a Comment