multiple SSL key's on one IP several Vhosts...
Ulf Zimmermann
ulf at Alameda.net
Thu Apr 17 17:10:15 PDT 2003
On Thu, Apr 17, 2003 at 05:57:10PM -0400, Dave [Hawk-Systems] wrote:
> >> Googling for a result of an issue where I've got more then one SSL key I
> >> want to enable on a site (one that is certified and one that is self
> >> signed) I ran across and issue where Multiple key's appear to not work on
> >> the same IP, is this still the case? even after two years? Who's bright
> >> Idea was it to tie the SSL key to the IP address and domain, and not just
> >> the domain?
> >>
> >> If anyone has a work around for the this, it would be very useful to know
> >> (other then more then one IP assigned to the VH, not an option as a
> >> limitation of jails...)
> >>
> >> thanks in advance..
> >
> >I work at a company where we have many different hosts/domain and
> >everything has to be SSL, although the actual application behind it
> >is the same. The application does present different layout logo per
> >virtual site, but otherwise internal and database wise its the same.
> >Managing multiple hosts behind the load balancer with SSL was a pain.
> >
> >We ended up getting us an Alteon (Nortel) iSD100 setup, which is a
> >SSL offloader. For the frontend we already had an Alteon AD3. The
> >frontside still has all the different IPs per virtual host, but the
> >actual servers only have now 1 IP, one config file with namedbased
> >virtualhosts. You can use two AD3 for failover, as well as up to
> >32 of the iSD100 in a cluster (there are different models I just
> >know the iSD100). Each iSD100 is capable of 7,000 sessions supposely,
> >it has two hardware SSL cards in a 1U case.
>
> from what you describe, you avoid the problem on the web server by moving it to
> another physical server/device... but the problem itself (requires 1 unique
> IP/port conbination per SSL host) still exists.
>
> Bottom line, if you only have 1 IP address you can only use 1 SSL cert UNLESS
> you start assigning other port combinations per SSL cert... messy at best.
>
> Dave
Correct, with the current implementation of SSL/HTTPS it isn't possible
otherwise. I only told about how to avoid at least the management overhead
for multiple machines when you do load balancing. The iSD work as a cluster,
so configuring a HTTPS server, I only do it on the main management IP.
--
Regards, Ulf.
---------------------------------------------------------------------
Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204
You can find my resume at: http://seven.Alameda.net/~ulf/resume.html
More information about the freebsd-isp
mailing list