Hosting Multiple SSL Sites On A Single IP

A traditional problem associated with hosting multiple SSL-enabled sites on the same server is that each SSL enabled site had to have its own dedicated IP address. This was less of a problem in the past when there were plenty of IP addresses and web servers frequently came with many IP's by default. However, these days the number of available IPv4 addresses is now very limited so the need to for SSL sites to share IPs just as non-SSL sites do is now more pressing than ever.

The problem

Encrypted communication between a web server and a browser is achieved with an SSL certificate. These certificates are created for a domain name such as https://www.memset.com and will only work without browser errors when they are used for their associated domain.

The issue that kept SSL-sites to a single IP is that when a browser requested an encrypted session from the web server the browser would not identify which website it wanted to access the encrypted connection was created. This meant that the web server would send the first SSL certificate that was configured on that IP address in order to start the encrypted session. If the client wanted to view a site other than the first then there would be a certificate/domain mismatch and the browser would issue a warning. The only way to avoid this was for a single SSL site to exist on each IP ensuring that such a mismatch could never occur.

The solution

This situation didn't go unnoticed by the technical community who came up with a solution; Server Name Indication. As the name suggests the problem is overcome by the browser requesting an encrypted sessions AND specifying the domain in the initial request. The web server is then able to select the correct SSL certificate with which to create the encrypted session and send that to the browser. SNI is, therefore, able to host as many SSL enabled sites as are required just as has been possible with non-SSL sites.

Limitations

In order for SNI to work it must be supported by the web server and the browser.

The web server that we will use for this guide; Apache, has supported SNI from version 2.2.15 and later. Most of the linux images available as Memset miniserver images i.e. Debian, Ubuntu and CentOS provide versions of Apache that support SNI from their standard repositories. With the exceptions being the Centos 5.

All majour browsers have supported SNI for some time including those on mobile platforms. The only majour exception being any version of IE on Windows XP. A full list of supported browsers can be found on the Wikipedia SNI page.

SNI will, therefore, be supported by the majority, but not 100% of users.

Installing and configuring Apache with SNI

SNI is actually very easy to deploy using Apache on the linux distributions offered by Memset. Due to this simplicity, this guide will cover instaling and configuring SNI on all three linux distributions offered by Memset; Debian, Centos and Ubuntu.

Debian 7 / 8 and Ubuntu 14.04

These two distributions have the same Apache configuration files and directory structure so they will be gone through together.

Apache is not installed by default so it first needs instaling:

apt-get update
apt-get install apache2

The OpenSSL apache module needs enabling and apache restarting to load the module:

a2enmod ssl
service apache2 restart

Apache is now ready to serve multiple SSL-enabled sites from the same IP!

All that remains to do is to test the setup by configuring a couple of test sites with their own certificates and see if we can get them served.

Site configuration files on debian and ubuntu are placed into:

/etc/apache2/sites-available

Typically given the name of the domain that they will host e.g. example.com.conf . The minimum that this file must contain is as follows:

<VirtualHost 1.2.3.4:443> 
	SSLEngine On 
	ServerName secure.example.com
	DocumentRoot /var/www/example
	SSLCertificateFile /etc/ssl/certs/example.com.crt 
	SSLCertificateKeyFile /etc/ssl/private/example.com.key 
</VirtualHost>

In this VirtualHost file the domain being shown is secure.example.com, its website files are located under /var/www/example.

The SSLCertificateFile and SSLCertificateKeyFile directives must point to the location of the SSL certificate and its associated private key. In the above example, I have placed them into the system directories for keys and certificates under /etc/ssl. However, you can put them anywhere you like but the key must only be readable by root so you should make sure its owner is root and it has its permissions set to 600 and is located out of the website directory.

A second such website configuration file would look like:

<VirtualHost 1.2.3.4:443> 
	SSLEngine On 
	ServerName secure.anotherdomain.com
	DocumentRoot /var/www/another
	SSLCertificateFile /etc/ssl/certs/anotherdomain.com.crt 
	SSLCertificateKeyFile /etc/ssl/private/anotherdomain.com.key 
</VirtualHost>

This will serve the domain secure.anotherdomain.com on the same IP address with its key and certificate in the same locations as the first website.

Apache will automatically serve the correct certificate when the encrypted session is initiated by a modern browser. No additional configuration is required to get SNI working.

Centos 6 / 7

First apache2 needs installing along with the OpenSSL module:

yum update
yum install httpd openssl mod_ssl

Apache is now installed and has SNI support loaded and functioning.

Next the VirtualHost configuration that was placed into unique files for Debian/Ubuntu needs to be added to the bottom of the httpd.conf file. The httpd.conf file is located at:

/etc/httpd/conf/httpd.conf

You must copy and paste all of the same configuration between and including the <VirtualHost> </VirtualHost> tags (as shown above) at the bottom of the httpd.conf file. Then restart apache:

service httpd restart

SNI has no limit on the number of SSL-enabled sites that can be run from a single IP address.

Last updated 28 June 2017, 13:38 GMT