[olug] Building a web server for both security and performance in 2011
Christopher Cashell
topher-olug at zyp.org
Thu Sep 1 15:39:14 UTC 2011
On Thu, Sep 1, 2011 at 10:05 AM, Lou Duchez <lou at paprikash.com> wrote:
> This discussion reminds me of a sad truth about SSL and HTTP: you can have
> only one zone / domain certificate per port. In other words, if you've got
> two domains ("foo.com" and "bar.com") and you want to set up SSL sites for
> "secure.foo.com", "secure.bar.com", "private.foo.com", and
> "private.bar.com", they all have to be on different ports, and only one of
> them can get the coveted default port of 443. This is because the SSL is
> sorted out long before the HTTP request's headers have been picked apart, so
> the Web server can't look for the "right" certificate only after figuring
> out which virtual domain the request is for. Rather, the Web server has to
> decide which certificate based on the port, and once that's done, the HTML
> headers had better agree with the certificate.
You can work around this by using multiple IP addresses. Give each
domain/hostname that needs SSL a separate IP address, and have the Web
Server bind a given host to its own IP. Much cleaner than using
non-standard ports, although it can present challenges if you have a
limited pool of IPs.
--
Christopher
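As an added example (not from the original post), this is what the IP-per-host approach looks like in Apache httpd 2.2: each SSL virtual host is bound to its own address on port 443, so the certificate is selected by the address the client connected to, before any HTTP header is read. The 192.0.2.x addresses (documentation range) and the file paths are assumptions; the hostnames are the ones used in the thread.

```apache
# Added example, not the original poster's configuration.
# One SSL host per IP:port pair. Without SNI, Apache presents the
# certificate of the FIRST <VirtualHost> matching the address:port the
# client hit, so every SSL host needs an address of its own.

Listen 192.0.2.10:443
Listen 192.0.2.11:443

<VirtualHost 192.0.2.10:443>
    ServerName   secure.foo.com
    DocumentRoot /var/www/secure.foo.com
    SSLEngine on
    SSLProtocol all -SSLv2
    # Key files are read as root at startup; keep them mode 0600, root-owned.
    SSLCertificateFile      /etc/ssl/certs/secure.foo.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/secure.foo.com.key
    SSLCertificateChainFile /etc/ssl/certs/foo-ca-chain.crt
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName   secure.bar.com
    DocumentRoot /var/www/secure.bar.com
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCertificateFile      /etc/ssl/certs/secure.bar.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/secure.bar.com.key
    SSLCertificateChainFile /etc/ssl/certs/bar-ca-chain.crt
</VirtualHost>

# A second SSL host on 192.0.2.10:443 (e.g. private.foo.com) would be
# served with secure.foo.com's certificate and trigger a name-mismatch
# warning in browsers; give it a third address instead.
```

Check each address with `openssl s_client -connect 192.0.2.11:443` and confirm the subject CN matches the host you expect on that IP. Modern clients and servers avoid the extra addresses with TLS Server Name Indication, which carries the hostname in the handshake itself.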