[FX.php List] [OFF] Basic SSL & DNS clarification

Joel Shapiro jsfmp at earthlink.net
Fri Feb 15 12:37:46 MST 2013


Thanks everybody for all your great responses!

My question after Phil's response was *how* one might have two directories of one domain on two separate servers, but Steve seems to have explained how one could set that up.

FWIW: My question on FM's TechNet that Steve referred to was asking whether anyone could see any potential problems with having one Web Server serve both an FM12 site and an FM11 site -- by having the FM12 WPE on the web server and the FM11 WPE on the respective FMS11 DB server (& using the FM API).  This works fine for me on my test servers, but I wanted to check if anyone could foresee any problems.  (And it's not so much that that's a "way round" my questions in this thread; it's more that I'm looking to understand all the options and ramifications before I make my suggestions to the client :-)

Thanks again,
-Joel

p.s. @Steve: No, unless you've been trawling the SF FM/Web market without my knowledge, I don't believe you know this client :)


On Feb 15, 2013, at 1:02 AM, Steve Winter wrote:

> Joel
> 
> I suspect based on your thread on the FM board that you may have found a way round this anyway, but anyway… Phil has given the most complete and accurate answer - I've added a few notes below for additional thought/clarity...
> 
>> The answers given so far are incorrect.
>> 
>>>>>> 1) Given the following two sites:
>>>>>> abc.domain.com/apples/
>>>>>> abc.domain.com/bananas/
>>>>>> 
>>>>>> Is it correct that these two sites:
>>>>>> a) Can share one SSL cert
>> 
>> Yes. 
>> 
>>>>>> b) Must be on the same server
>> 
>> No. You can use different servers.
> 
> However - if they're not on the same server then you're going to have to do something clever with some other 'device' which is on the same IP...
> 
>> SSL certificates are not tied to IP addresses, nor machines. The only requirement is that the hostname of the HTTP request resolve to the hostname in the certificate. For the server to actually use the certificate it must also hold the private key tied to the certificate -- sometimes this can be difficult to arrange.
>> 
>> Think about a big site which uses round-robin DNS with https. E.g. https://www.google.com. Multiple IP addresses are returned for that domain name query, and each IP address has a server which answers to www.google.com on port 443. 
> 
> Whilst accurate, this isn't (entirely) relevant, since each of those servers which 'answers' to google.com offers the 'complete' google.com feature set.
> 
> If I understand what Joel was asking correctly, could 'apples' be delivered by server A, while 'bananas' is delivered by server B, then the answer is slightly different. (though not from the perspective of the SSL cert - it doesn't care, and as Phil has said, the same cert could be used on 100 different machines, all responding to the same domain name).
> 
> If you point the same domain name at two different servers, then both those servers need to know how to deliver the content for /apples and /bananas - or, provide a way to fulfil those requests.
> 
> One way of achieving this would be to use a load balancer, and for that device (could just be a correctly configured Apache web server, or a more specialised application/piece of kit) to respond to abc.domain.com, then to pass requests for /apples to one server, and /bananas to another server, both of which are running 'behind' the load balancer.
> 
> A second alternative, in a similar vein, would be to configure the web server on the box which delivers content for /apples to proxy the content from the server which does /bananas when someone requests content from /bananas on it, but this is going to have a performance impact, particularly if the servers are on different LANs...
> 
>>>>>> 2) Given the following two sites:
>>>>>> apples.domain.com/
>>>>>> bananas.domain.com/
>>>>>> 
>>>>>> Is it correct that these two sites:
>>>>>> a) Must each have their own SSL cert
>> 
>> No. You can use a wildcard SSL certificate.
> 
> As per my previous post, that's true so long as you're not trying to use EV. If you want EV (when the SSL icon in a user browser turns green) then that requires an individual certificate for each domain name. The other thing with wildcard certs is that they only become cost effective at about 4 sub-domains...
> 
>>>>>> b) Can be on the same server or on two different servers
>> 
>> Yes to both. Multihosting SSL sites on a single IP requires browser support, but it is supported by all the modern browsers. See http://serverfault.com/questions/109800/multiple-ssl-domains-on-the-same-ip-address-and-same-port.
> 
> One item in the excellent article above worth highlighting is
> 	Internet Explorer (any version) on Windows XP
> which may not be too much of an issue for you, however in my experience there are sadly still rather a lot of users who through the requirements of their corporate IT systems fall into that category..
> 
> Coupling this with your question on the FM list, then your solution there, would allow the first option above to work rather well - deliver your content from /apples and /bananas on the same server… (is it at all possible that this may be a client of yours I've also done a little work for…?)
> 
> Cheers
> Steve
> 
>> Regards,
>> Phil.
>> 
>> _______________________________________________
>> FX.php_List mailing list
>> FX.php_List at mail.iviking.org
>> http://www.iviking.org/mailman/listinfo/fx.php_list
> 
> Steve Winter
> +44 777 852 4776
> steve at bluecrocodile.co.nz
> 
> 
> 
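Added example (editor's note, not code from the thread or from FX.php): the points made above about certificates and path routing, written out as checkable Python. It shows why one certificate for abc.domain.com covers both /apples/ and /bananas/ (the browser compares only the host it asked for against the names in the certificate; the path, the port and the IP address never enter into the check), which names a *.domain.com wildcard does and does not cover (one label only, never the bare parent), how a server on a shared IP picks a certificate from the SNI name a modern browser sends and why a client that sends no SNI (the IE-on-XP case mentioned above) can only ever get the default certificate, and how the front-end "load balancer" option should route /apples and /bananas by whole path segment rather than string prefix. The certificate records and backend addresses are constructed in-memory stand-ins, not real X.509 objects or real hosts.

```python
"""Hostname-to-certificate matching, SNI selection and path routing.

Added example, not code from the mailing-list thread. Matching follows the
RFC 6125 rules for subjectAltName dNSName entries (case-insensitive, the
wildcard must be the whole left-most label, it matches exactly one label).
CERTS and BACKENDS below are constructed, hypothetical values.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote, urlsplit


def cert_matches_host(san_names, hostname: str) -> bool:
    """True if any dNSName in `san_names` matches `hostname`.

    "*.domain.com" matches apples.domain.com and bananas.domain.com, but not
    domain.com (wildcard is not optional) nor deep.apples.domain.com (one
    label only). A wildcard in a two-label name such as "*.com" is rejected.
    """
    host = hostname.rstrip(".").lower()
    host_labels = host.split(".")
    for name in san_names:
        name = name.rstrip(".").lower()
        if "*" not in name:
            if name == host:
                return True
            continue
        pat_labels = name.split(".")
        if pat_labels[0] != "*" or len(pat_labels) < 3:
            continue  # wildcard must be the entire left-most label, not in a TLD-only pattern
        if any("*" in label for label in pat_labels[1:]):
            continue  # only one wildcard, only in the left-most position
        if len(host_labels) == len(pat_labels) and host_labels[0] and host_labels[1:] == pat_labels[1:]:
            return True
    return False


def host_for_url(url: str) -> str:
    """Certificate validation uses only the host part of the URL.

    Path (/apples/ vs /bananas/), port and the IP the name resolves to are
    irrelevant to whether the certificate is acceptable.
    """
    return urlsplit(url).hostname or ""


# Constructed certificate inventory for a server holding several certs on one IP.
CERTS = [
    {"name": "abc-cert", "san": ["abc.domain.com"]},
    {"name": "wildcard-cert", "san": ["*.domain.com", "domain.com"]},
]


def select_cert_for_sni(sni_name: Optional[str], certs=CERTS, default=None):
    """Pick the certificate to present, based on the SNI name from ClientHello.

    With no SNI (older clients such as IE on Windows XP) the server learns the
    wanted hostname only after the handshake, so it can only offer `default`;
    if that is the wrong certificate the browser warns before any HTTP is sent.
    """
    if sni_name is None:
        return default
    for cert in certs:
        if cert_matches_host(cert["san"], sni_name):
            return cert["name"]
    return default


# Constructed backend addresses for the front-end/load-balancer option.
BACKENDS = {"apples": "http://10.0.0.11:8080", "bananas": "http://10.0.0.12:8080"}


def route_backend(path: str, backends=BACKENDS) -> Optional[str]:
    """Route a request to the backend owning its first path segment.

    Decode and normalise before matching so "/apples/../bananas/" and
    "/%2e%2e/bananas" land on the bananas backend, and match whole segments
    so "/applesauce/" is not sent to the apples backend by a prefix test.
    """
    normalised = posixpath.normpath("/" + unquote(path))
    segments = [seg for seg in normalised.split("/") if seg]
    if not segments:
        return None
    return backends.get(segments[0])
```

The same `cert_matches_host` check is what `ssl.SSLContext` performs for you when `check_hostname` is enabled and you pass `server_hostname=` to `wrap_socket`; that `server_hostname` value is also what goes out as the SNI extension, which is how one IP can present different certificates to different names.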


