Question regarding web hosting ip addressing

Gerald gcoon at inch.com
Fri Jul 12 21:53:47 UTC 2002


This thread lasted much longer than I think necessary for a simple
question, but I had to comment/correct one thing:

On Fri, 12 Jul 2002, David Terrell wrote:

>
> On Fri, Jul 12, 2002 at 07:17:35AM -0700, Scott Francis wrote:
> > On Fri, Jul 12, 2002 at 08:25:25AM -0400, kramert at mlrnoc.navy.mil said:
> > > Odd.  I've run multiple "https:" sites on one IP.  The browser
> > > will complain about the certificate but you can always have
> > > a different certificate for each site while using one IP address.
> > > (Correct me if I'm wrong!)
>
> You're wrong.  :)  The SSL exchange happens before the HTTP protocol over
> SSL can begin, and so the server has no idea which cert to send; or more
> practically, just has one cert configured per (host,port).

Careful. You could come across harsh. The internet doesn't route
sarcasm well.  What they are talking about is sorta possible.

You can set up Name-based virtual hosting and have 1 and only 1 SSL site on
that IP address. Any other sites on that IP that you set up with SSL get
the usual SSL complaint that the cert does not match the site name. This
is not acceptable for business class customers and as said before will
generate complaints.

SSL has to be tied to one IP, nothing says you can't virtual host the rest
of the http (without SSL) sites on that same IP (Even though that gets
messy pretty quick I think).

In practice/pricing it's easiest to just include the cost of one
additional IP on the machine for each SSL site and then name-based on
the server's primary IP won't cause you any problems.

## Examples...

This is the clean way to set it up:
# All name based hosts on the server would point to 10.4.10.1 in DNS.
10.4.10.1 # primary machine's IP setup for name based virtual hosting
10.4.10.2 # SSL site1 and alias1 IP on the network interface
10.4.10.2 # nonssl version of the same site1 on alias1 IP
10.4.10.3 # SSL site2 and alias2 IP on the network interface...etc
10.4.10.3 # nonssl version of site2 on alias2 IP (sometimes people don't
want or need the nonssl versions...but it works just the same.)

But this sorta works even if it is a bit unclean in my opinion:
10.4.10.1 # SSL site ssl.domain.com
10.4.10.1 # nonssl.domain.com
10.4.10.1 # nonssl2.domain.com
10.4.10.2 # SSL site 2 and alias1 on the network interface
10.4.10.2 # nonssl3.domain.com
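As an added illustration (not part of the original post), here is the "clean" layout above written as an Apache httpd vhost configuration: name-based hosts on the primary IP, one IP-based SSL vhost per aliased IP, since the certificate is chosen purely by the (address, port) the client connects to. Hostnames, paths and certificate file names are assumptions.

```apache
# Added example, not from the original thread. Assumed names and paths.

# Primary IP: plain-http, name-based hosting. Apache picks the vhost
# from the Host: header, which is only available once HTTP starts.
Listen 10.4.10.1:80
NameVirtualHost 10.4.10.1:80

<VirtualHost 10.4.10.1:80>
    ServerName   www.example.com
    DocumentRoot /var/www/www.example.com
</VirtualHost>

<VirtualHost 10.4.10.1:80>
    ServerName   other.example.com
    DocumentRoot /var/www/other.example.com
</VirtualHost>

# Alias IP 1: one SSL site. The TLS handshake finishes (and the cert is
# sent) before any Host: header exists, so only one cert per IP:443.
Listen 10.4.10.2:80
Listen 10.4.10.2:443

<VirtualHost 10.4.10.2:443>
    ServerName            site1.example.com
    DocumentRoot          /var/www/site1.example.com
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/site1.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/site1.example.com.key
</VirtualHost>

# Optional non-SSL copy of the same site on the same alias IP.
<VirtualHost 10.4.10.2:80>
    ServerName   site1.example.com
    DocumentRoot /var/www/site1.example.com
</VirtualHost>

# Alias IP 2: the second SSL site gets its own address and cert.
Listen 10.4.10.3:443

<VirtualHost 10.4.10.3:443>
    ServerName            site2.example.com
    DocumentRoot          /var/www/site2.example.com
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/site2.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/site2.example.com.key
</VirtualHost>
```

A second `<VirtualHost 10.4.10.2:443>` with a different certificate would be ignored in favour of the first, which is exactly the name-mismatch warning described above. Modern TLS clients send the requested hostname in the Server Name Indication extension, which is what later allowed several certificates on one IP; the thread predates that.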

We've strayed far from network operation discussion, and moved to web
server setup. I hope this will complete this thread. There is also
much of this similar discussion available on google since like I said
before it was a hot topic when ARIN temporarily changed their policy on
web server addressing.

If anyone wants more granular detail and this still doesn't make sense:
	- after reading the documentation from your web server
	- AND checking google groups for this discussion
	- e-mail me off list, but I can't promise to be as cordial there.
	  ;-)

This is a stretch for a nanog discussion. (...though not the first)

Gerald

P.S. I'm a sysadmin not an English teacher. Grammar/Spelling problems
happen.
