Unixbhaskar's Blog

Saturday, March 20, 2010

Configure Apache to handle multiple SSL site with single IP address

It's been an feature add to Apache( Web Server version 2.2.12 onwards called SNI(Server Name Indication). With the help of this feature we can have multiple SSL (Secure Socket Layer) site with have only one IP address.Before that it not possible to do that kind of thing with Apache.

I do not issue any guarantee that this will work for you.

First of all look into this site to figure it out what it offers..go here ApacheSNI

With Apache 2.2.12 and support for the SNI (Server Name Indication) extension to the SSL protocol, this has changed completely. Now you can configure name-based HTTPS sites, just as you can configure name-based HTTP sites. The bottom line is that the five IPs that you needed today to run five SSL sites can be reduced to one IP tomorrow (provided, of course, you use the newer Apache).

There are some prerequisites, however:

* The server, obviously, must use Apache 2.2.12 or higher.
* It must also use OpenSSL 0.9.8f or later and must be built with the TLS extensions option.
* And Apache must be built against this version of OpenSSL as it will enable SNI support if it detects the right version of OpenSSL — the version of OpenSSL that includes TLS extension support.

Finally, as far as browsers go, not every browser yet supports SNI, but the most popular browsers do, and some have for quite a while. This includes Firefox 2.0 or later, Opera 8.0 or later, Internet Explorer 7.0 or later (unfortunately, only on Vista), Google Chrome, and Safari 3.2.1 (unfortunately only on OS X 10.5.6 or later).

In practical terms, this means that for a serious e-commerce Web site or one that needs to have broad appeal, this solution won’t work — yet. Expect in the next year or so for more people to upgrade and more browsers to support SNI.

For testing purposes or for internal sites where you can have some say over client browser installation (and also considering that such old versions of Firefox support SNI), using SNI can be quite useful.

For configuration, here is an example of what to put in your Apache configuration file:

Listen 443
NameVirtualHost *:443
SSLStrictSNIVHostCheck off

DocumentRoot /srv/www/

DocumentRoot /srv/www/

What the above does is enable Apache listening to port 443 and turns on listening for virtual host requests on all IPs. The new keyword SSLStrictSNIVHostCheck is disabled, meaning we will not throw a 403 error if the client does not support SNI; instead, they will be redirected to the SSL site defined first ( in the example), so be sure to define your default site first.

That is pretty much all there is to it. The largest hurdle here is the client browser support, but that will come in time. The Apache requirements and configuration, by contrast, are very simple and straightforward.

Hope this will help.

Bhaskar Chowdhury

No comments:

Post a Comment