On Wed, Dec 8, 2010 at 12:55 PM, <breg@xxxxxxxx> wrote:
> Hello,
>
> On 08.12.2010 13:45, Tom Evans wrote:
>>>
>>> .. but at this point apache knows that there is something wrong with the
>>> request or the configuration, and should throw an error instead of serving
>>> the wrong data.
>>
>> Typically, you don't even get to that point. Most browsers will throw
>> a fit if they request www.hostb.com and are served certificates for
>> www.hosta.com.
>
> And the experienced user has seen these warnings often, so he regularly
> clicked on "I understand the risks" and accepted the ssl session anyway -
> and it's even wiser in most cases to do because mostly you're better off (in
> web 2.0 services for example) with an encrypted transfer and non-secure
> identity than with both non-secure...

What 'experienced' (stupid?) users do is neither here nor there. I rarely
trust self signed certs and would never accept a certificate for a host that
isn't what it claims to be. Since 'experienced' users do do this sort of
thing, don't give them an option to do so.

>
>> The best way to avoid this problem is not dummy vhosts, it is to not
>> serve multiple websites from the same IP ...
>
> In an ideal world, yes.
> But in this world the number of available IPs is restricted, whereas the
> quest for new domains seems endless.
> ".. over 240 Million active and deleted domains in the .com .net .org .biz
> .info .mobi .asia .ie .eu .de .co.uk Top Level Domains.."
> ( http://www.hosterstats.com )

IPv4 addresses aren't exactly tricky to lay your hands on, despite the
endless yearly warnings that IPv4 will run out in the next N years.

>
>> ... if you intend on handling SSL
>> for any one of those websites and not the others. SSL sites that share
>> a certificate (eg, if you have a wildcard certificate) are fine to
>> share an IP.
>
> If there is exactly one SSL site a wildcard cert is not needed and makes
> little sense IMHO.
>

Indeed, I was just trying to make it clear I didn't mean you must have 1 IP
per SSL vhost, to avoid someone jumping on that :)

If you have one SSL site, and many non SSL sites, you should host on 2
distinct IPs, one for the SSL enabled site, and one for all the non SSL
sites. It's just cleaner and works better. The cost of obtaining a second IP
is small compared to the brand cost of having badly served SSL sites.

Cheers

Tom

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
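The configuration behind the exchange above, written as an added example that is not from the thread or from the httpd project: first the arrangement that serves www.hosta.com's certificate to a browser asking for www.hostb.com, then the two-IP layout Tom recommends. Addresses (192.0.2.x), file paths and the extra plain-HTTP site www.hostc.com are placeholders; Apache 2.2-era directives are used, and the client is assumed not to send SNI, as in the thread.

```apache
# --- Problem: two SSL sites with different certificates on one IP:443 ---
# Without SNI, httpd must choose a certificate before it knows which
# hostname the browser asked for, so the FIRST vhost bound to this
# IP:port answers every handshake. A request for www.hostb.com is
# therefore met with www.hosta.com's certificate and a name-mismatch
# warning in the browser.
Listen 192.0.2.10:443
NameVirtualHost 192.0.2.10:443

<VirtualHost 192.0.2.10:443>
    ServerName www.hosta.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.hosta.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.hosta.com.key
    DocumentRoot /var/www/hosta
</VirtualHost>

# This vhost's certificate is never offered during the handshake.
<VirtualHost 192.0.2.10:443>
    ServerName www.hostb.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.hostb.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.hostb.com.key
    DocumentRoot /var/www/hostb
</VirtualHost>

# --- Fix: a dedicated IP for the SSL site, name-based vhosts only on :80 ---
# 192.0.2.11:443 carries exactly one vhost, so the certificate always
# matches the only name a client can be asking for.
Listen 192.0.2.11:443

<VirtualHost 192.0.2.11:443>
    ServerName www.hosta.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.hosta.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.hosta.com.key
    DocumentRoot /var/www/hosta
</VirtualHost>

# Plain-HTTP sites can share the other address by Host header.
Listen 192.0.2.10:80
NameVirtualHost 192.0.2.10:80

<VirtualHost 192.0.2.10:80>
    ServerName www.hostb.com
    DocumentRoot /var/www/hostb
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName www.hostc.com
    DocumentRoot /var/www/hostc
</VirtualHost>
```

After a reload, `openssl s_client -connect 192.0.2.10:443` against the problem layout shows the www.hosta.com certificate regardless of the intended site, which is the mismatch the browsers in the thread complain about.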