Re: how to get multiple SSL with name based vhost ?

Brian wrote:

>> To back up a moment, though -- another way to do this is to define
>> multiple IPs on the network card and run multiple instances of apache,
>> each with different config files.
> [snip]
>
> That's only if he has multiple IP addresses available on the network,
> right? If we assume this is a public server, that means he needs
> multiple public IP addresses from his ISP that route to this server.
> That's certainly a possibility, in general, but I want to make sure
> I'm not missing something awesome.

Yes, it certainly depends upon his environment.  If he's doing this on the
job, it's likely that multiple IPs are available.  If he's on an economy
hosting service he probably only has one IP and no way to get another. 
There are some hosting services that will give you more than one IP for a
fee.  Probably could work up something slick with NAT'd VMware instances
on a linux box that would only use one IP but that assumes he's using a
box in his home or at a colocated site where he has admin access (and if
it's a co-lo, probably would be able to get additional IPs I would think).
From the posting, it wasn't clear what kind of environment he was dealing
with.

There are drawbacks to any potential solution that I know of.  Some places
won't allow wild card DNS for security reasons (both my current job and my
previous job are such places).  SNI is cool but it isn't really released
yet, is it?  I thought that was coming in version 2.4.  It's going to
prevent people using old browsers from seeing the site judging by the
discussion here.  If he's trying to use the sites for e-commerce he may
not want to alienate potential customers or use a release that hasn't
"burned in" yet.  And of course the multiple-IPs-on-linux approach won't
work if he only has one IP available to him.

I don't consider myself an apache expert, but I've been using it for a
while (started as a web admin back in the NCSA days).  I don't see a
"one-size-fits-all" solution here, it seems just to be a case of which
tradeoff will work best for a given environment -- at least until some
time has passed and SNI support is ubiquitous.

Sheryl


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
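
The two approaches discussed in this thread, sketched as httpd configuration. This is an added example, not taken from the original posts: it uses IP-based vhosts in a single httpd instance rather than separate instances, assumes a mod_ssl build with SNI support for Option B, and all addresses, hostnames and paths are placeholders.

```apache
# Added example. Addresses, hostnames and paths are placeholders.
# Options A and B are alternatives: load one, not both.

# --- Option A: IP-based SSL vhosts, one address per certificate ---
# The certificate is selected by destination IP before the TLS
# handshake, so no client-side SNI support is required.
Listen 192.0.2.10:443
Listen 192.0.2.11:443

<VirtualHost 192.0.2.10:443>
    ServerName shop.example.com
    DocumentRoot /var/www/shop.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/shop.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/shop.example.com.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName blog.example.org
    DocumentRoot /var/www/blog.example.org
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/blog.example.org.crt
    SSLCertificateKeyFile /etc/httpd/ssl/blog.example.org.key
</VirtualHost>

# --- Option B: name-based SSL vhosts on one address (needs SNI) ---
# httpd 2.2.x also needs: NameVirtualHost *:443
Listen 443

# off: a client that sends no SNI is served by the first vhost below
#      and sees a certificate name mismatch for any other site.
# on (set in the first vhost): such clients are refused instead.
SSLStrictSNIVHostCheck off

# First vhost listed is the default for clients without SNI.
<VirtualHost *:443>
    ServerName shop.example.com
    DocumentRoot /var/www/shop.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/shop.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/shop.example.com.key
</VirtualHost>

<VirtualHost *:443>
    ServerName blog.example.org
    DocumentRoot /var/www/blog.example.org
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/blog.example.org.crt
    SSLCertificateKeyFile /etc/httpd/ssl/blog.example.org.key
</VirtualHost>
```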