Imagine It Productions Blog » Thursday http://imagineitproductions.com/blog The PC Builder, The Gamer, The Developer Wed, 24 Nov 2010 04:24:11 +0000 en hourly 1 http://wordpress.org/?v=3.0.1 LAMP Thursday – SNI http://imagineitproductions.com/blog/index.php/2010/11/18/lamp-thursday-sni/ http://imagineitproductions.com/blog/index.php/2010/11/18/lamp-thursday-sni/#comments Thu, 18 Nov 2010 22:08:07 +0000 Steve Y http://imagineitproductions.com/blog/?p=433
Recently, my company decided to point two different domain names at the same web server with two separate SSL certificates. Normally, Apache can handle such requests as long as certain requirements are met. These requirements include:

  1. Having each domain name point to 2 different IP addresses on the same computer. This also requires having two different network cards on the same computer.

    Listen 80

 <VirtualHost 172.20.30.40>
 DocumentRoot /www/example1
 ServerName www.example1.com
 </VirtualHost>

 <VirtualHost 172.20.30.50>
 DocumentRoot /www/example2
 ServerName www.example2.org
 </VirtualHost>
  2. Having each domain point to the same IP, but to different ports (for instance, 80 and 8080). 
    Listen 80
 Listen 8080

 NameVirtualHost 172.20.30.40:80
 NameVirtualHost 172.20.30.40:8080

 <VirtualHost 172.20.30.40:80>
 ServerName www.example1.com
 DocumentRoot /www/domain-80
 </VirtualHost>

 <VirtualHost 172.20.30.40:8080>
 ServerName www.example2.com
 DocumentRoot /www/domain-8080
 </VirtualHost>
  3. SNI or Server Name Indication [SNI]

You can obviously rock a wiki on this term (I even gave you the link above), but I’ll at least point out here a small definition and the application of SNI to our server. Server Name Indication is the ability of the server and client to map two separate domain names with two different SSL certificates to the same IP address on the same port (i.e. IP address 192.168.1.100, port 443).

Normally, this situation wreaks havoc on web servers, and they are forced to ignore the separation and serve up the first SSL certificate it sees in a configuration file. However, if you navigate to the domain that does not match that default certificate, the browser will give you an SSL error (see below).

When Apache released their HTTP Server version 2.2.12, the software auto-corrected this issue, but it takes a while for browsers, especially old and unsupported ones, to catch up, if they ever do. KDE Konqueror, IE on Windows XP, Safari on Windows XP, Windows Mobile older than 6.5, and namely Blackberry browser (all versions) suffer from this issue.

The main concern for my company is Blackberry Browser, as we have just started working on a mobile version of our website which uses the SSL certificates. Our only other option is to use #1 from the list above. This alternative is advantageous because it will also provide some redundancy to our system, as well.

It took me a little while to research this on the Internet, even in our Google-infested day and age. I hope this helps anyone with a similar issue, or even anyone just looking to learn more about Apache.

Cheers!

]]> http://imagineitproductions.com/blog/index.php/2010/11/18/lamp-thursday-sni/feed/ 411