[FX.php List] [OFF] Basic SSL & DNS clarification

Steve Winter steve at bluecrocodile.co.nz
Fri Feb 15 02:02:03 MST 2013


Joel

I suspect based on your thread on the FM board that you may have found a way round this anyway, but anyway… Phil has given the most complete and accurate answer - I've added a few notes below for additional thought/clarity...

> The answers given so far are incorrect.
> 
>>>>> 1) Given the following two sites:
>>>>> abc.domain.com/apples/
>>>>> abc.domain.com/bananas/
>>>>> 
>>>>> Is it correct that these two sites:
>>>>> a) Can share one SSL cert
> 
> Yes. 
> 
>>>>> b) Must be on the same server
> 
> No. You can use different servers.

However - if they're not on the same server then you're going to have to do something clever with some other 'device' which is on the same IP...

> SSL certificates are not tied to IP addresses, nor machines. The only requirement is that the hostname of the HTTP request resolve to the hostname in the certificate. For the server to actually use the certificate it must also hold the private key tied to the certificate -- sometimes this can be difficult to arrange.
> 
> Think about a big site which uses round-robin DNS with https. E.g. https://www.google.com. Multiple IP addresses are returned for that domain name query, and each IP address has a server which answers to www.google.com on port 443. 

Whilst accurate, this isn't (entirely) relevant, since each of those servers which 'answers' to google.com offers the 'complete' google.com feature set.

If I understand what Joel was asking correctly, could 'apples' be delivered by server A, while 'bananas' is delivered by server B, then the answer is slightly different. (though not from the perspective of the SSL cert - it doesn't care, and as Phil has said, the same cert could be used on 100 different machines, all responding to the same domain name).

If you point the same domain name at two different servers, then both those servers need to know how to deliver the content for /apples and /bananas - or, provide a way to fulfil those requests.

One way of achieving this would be to use a load balancer, and for that device (could just be a correctly configured Apache web server, or a more specialised application/piece of kit) to respond to abc.domain.com, then to pass requests for /apples to one server, and /bananas to another server, both of which are running 'behind' the load balancer.

A second alternative, in a similar vein, would be to configure the web server on the box which delivers content for /apples to proxy the content from the server which does /bananas when someone requests content from /bananas on it, but this is going to have a performance impact, particularly if the servers are on different LANs...

>>>>> 2) Given the following two sites:
>>>>> apples.domain.com/
>>>>> bananas.domain.com/
>>>>> 
>>>>> Is it correct that these two sites:
>>>>> a) Must each have their own SSL cert
> 
> No. You can use a wildcard SSL certificate.

As per my previous post, that's true so long as you're not trying to use EV. If you want EV (when the SSL icon in a user browser turns green) then that requires an individual certificate for each domain name. The other thing with wildcard certs is that they only become cost effective at about 4 sub-domains...

>>>>> b) Can be on the same server or on two different servers
> 
> Yes to both. Multihosting SSL sites on a single IP requires browser support, but it is supported by all the modern browsers. See http://serverfault.com/questions/109800/multiple-ssl-domains-on-the-same-ip-address-and-same-port.

One item in the excellent article above worth highlighting is
	Internet Explorer (any version) on Windows XP
which may not be too much of an issue for you, however in my experience there are sadly still rather a lot of users who through the requirements of their corporate IT systems fall into that category...

Coupling this with your question on the FM list, then your solution there, would allow the first option above to work rather well - deliver your content from /apples and /bananas on the same server… (is it at all possible that this may be a client of yours I've also done a little work for…?)

Cheers
Steve

> Regards,
> Phil.

Steve Winter
+44 777 852 4776
steve at bluecrocodile.co.nz
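For the load-balancer and proxy options described above, here is an added example (not from Steve's or Phil's posts) of an Apache front end that answers for abc.domain.com with one certificate and routes /apples and /bananas to two backend servers; the certificate paths and the backend addresses 10.0.0.11 and 10.0.0.12 are assumed.

```apache
# Added example, not part of the original thread. Requires mod_ssl, mod_proxy
# and mod_proxy_http to be loaded. Certificate/key paths and the two backend
# addresses are assumptions for illustration.
Listen 443
<VirtualHost *:443>
    ServerName abc.domain.com

    # One certificate and its private key serve both paths. The same pair could
    # be installed on every box that answers to abc.domain.com; the cert is not
    # tied to this IP or machine.
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/abc.domain.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/abc.domain.com.key
    SSLCertificateChainFile /etc/ssl/certs/abc.domain.com.chain.crt

    # This box terminates TLS. Backends sit on the internal LAN and are never
    # exposed to clients directly. ProxyRequests Off stops Apache from acting
    # as an open forward proxy; ProxyPreserveHost passes the original Host
    # header so the backends see abc.domain.com, not their LAN address.
    ProxyRequests     Off
    ProxyPreserveHost On

    # /apples is served by server A (assumed 10.0.0.11)
    ProxyPass        /apples/  http://10.0.0.11/apples/
    ProxyPassReverse /apples/  http://10.0.0.11/apples/

    # /bananas is served by server B (assumed 10.0.0.12)
    ProxyPass        /bananas/ http://10.0.0.12/bananas/
    ProxyPassReverse /bananas/ http://10.0.0.12/bananas/
</VirtualHost>
```

The "second alternative" above (server A proxying /bananas from server B) needs only the two /bananas lines, placed in the vhost on server A, with /apples served locally instead of proxied; the same extra network hop per /bananas request is what causes the performance cost mentioned.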


