Multiple (name-based virtual hosts) SSL sites on a single IP

Started by tallship, June 12, 2013, 06:39:06 AM

tallship

Hey, I got SPAMmed by a company called Globalsign (SPAM isn't always bad, but it's always pretty salty) about this technology. They're trying to make a few bucks at it, but I did a little digging and came up with this:

http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/

That's an experimental module though, so I was wondering if anyone here is doing this w/mod_ssl instead. SNI is basically just an extension of TLS, and X.509 v3 enabled this, so that pretty much everything supports it client side now except for Internet Exploder on XP - not that anyone cares about people who are using that anymore anyway.

Any handy dandy tuts or HowTos or would anyone like to share their notes on the matter?

I know, not "strictly" a HostBill question, but economy of IPv4 is getting more important every day. First we had CIDR and NAT, then name-based virtual hosting for HTTP/1.1, and now we can do this with so-called SSL too - I think it's important for us to look into this as a serious part of our business product offerings.

Your thoughts, comments, tutorials wrt mod_ssl on Apache?

Kindest regards, 
Bradley D. Thornton - Manager Network Services, NorthTech Computer   TEL: +1.310.388.9469 (US) | +44.203.318.2755 (UK) | +61.390.088.072 (AU) | +41.43.508.05.10 (CH)
Registered Linux User #190795 - "Ask Bill why the string in [MS-DOS] function 9 is terminated by a dollar sign. Ask him, because he can't answer. Only I know that." - Dr. Gary Kildall.

Patrick

I've been waiting for cPanel to further implement SNI. They are starting to roll with it but not at 100%. I too have been reading about this, and though I cherish all my IPv4, I'll be happy not to worry about it anymore. Currently we're not using anything to do with this until we hear more from cPanel about SNI support.
Insanity: doing the same thing over and over again and expecting different results. - Albert Einstein

Paul

I have SNI running with the open-source control panel I've customized and help develop. It's great and all modern browsers support it, but, y'know, IE6 won't.

Fantastic feature, and I'm not sure why cPanel doesn't support it yet. Also, screw cPanel. ahem.

As far as howtos, I would just be googling, same as you. Just wanted to give my testimonial in that we've been running SNI for SSL certs over shared IPs for over 2 years without a single issue or anyone complaining about incompatibility. I think the fears of it are a little unfounded. Customers certainly like not having to have a dedicated IP or anything.

thetrusteeco

I haven't received the Globalsign SPAM you did, tallship. I'll have to lodge a complaint with their SPAM department.

I have nothing useful to add about mod_gnutls.  We've looked into SNI recently because of the IPv4 shortage (especially in Europe and Asia), but unfortunately we're running the cPanel dinosaur, so we haven't implemented anything.

Sorry to go OT but,
Paul, are you willing to share which open-source panel you're running? I suspect I know, and if you don't want to post it publicly, feel free to PM me. If it's the panel I think it is, that would make you the developer named ...Paul. I have looked at most panels in the past few months as I don't like cPanel's development schedule. Seriously, how many years have they been working on v12? Anyway, I am interested in alternate panels, so please let me know which one you're working on. PM is fine. ;)
"No man really becomes a fool until he stops asking questions"
Charles Proteus Steinmetz

tallship

Quote from: Paul on June 12, 2013, 06:59:50 PM
I have SNI running with the open-source control panel I've customized and help develop. It's great and all modern browsers support it, but, y'know, IE6 won't.

Fantastic feature, and I'm not sure why cPanel doesn't support it yet. Also, screw cPanel. ahem.

Okay Paul,

You can add me to the cc line of your PM to thetrusteeco too ;) I'm interested in what that panel is, and one way or another I'll be implementing this for my own sake on boxes purposed for my own uses anyway. I set those machines up by hand and would rather only have a few IPs - it gets a little ridiculous with eth0 eth1 eth0:1 eth0:2 eth0:3 eth1:1 eth1:2, and I would rather just add A RRs instead of more ether aliases on top of that.

One last thing. You're doing this w/mod_ssl or mod_gnutls?

Enterprisevpssolutions

In cPanel I have this working, but it's not supported by them yet: http://features.cpanel.net/responses/sni-server-name-indicator-ssl-support-in-cpanel - you have to use the user nobody to get it to work on the shared IP.
Enterprise Vps Solutions (VPS) - Cloud Solutions, Shared hosting, VPS , and more, Fast Dedicated Servers. Great ssl prices SSL Certs, Follow us on Twitter. Sales Question? Contact us! Send us a Request Tampa , Florida Hivelocity Datacenter

Paul

mod_ssl is the newer way of doing it. You can do it since Apache 2.2.8, so it's a bit more standardized and overall more compatible with virtual host configs and whatnot than using mod_gnutls. I'll PM you the panel, don't want to share it in the open, as it's sort of the secret sauce, shall we call it ;)
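For anyone who wants to try the mod_ssl route Paul describes without hunting for a howto, here is a minimal two-site configuration. This is an added example, not something posted in the thread or taken from any control panel; the host names, certificate paths and IP are placeholders. It assumes Apache 2.4 (mod_ssl gained SNI in 2.2.12, and it needs OpenSSL 0.9.8f or later at build time) with mod_ssl loaded and the certificates already installed.

```apacheconf
# Added example: two name-based TLS virtual hosts sharing one IP and port
# via SNI. All names and paths below are placeholders.
Listen 443

# Apache 2.2 only: name-based vhosts had to be declared explicitly.
# On 2.4 this directive is gone and only produces a warning, so leave it out.
# NameVirtualHost *:443

# The FIRST <VirtualHost> for *:443 is the default for this address/port.
# A client that sends no SNI (an old client, or "openssl s_client" run
# without -servername) is handed THIS certificate and THIS site, so put the
# site whose certificate you least mind exposing to non-SNI clients here.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example.com
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/example.com.key
    # Intermediate CA bundle. Still accepted on 2.4, but since 2.4.8 the
    # intermediates can simply be appended to SSLCertificateFile instead.
    SSLCertificateChainFile /etc/ssl/certs/example.com-chain.crt
</VirtualHost>

# Second site: same IP, same port, different ServerName and certificate.
# mod_ssl picks this vhost when the ClientHello's SNI name matches ServerName
# (or a ServerAlias), before the certificate is sent.
<VirtualHost *:443>
    ServerName www.example.net
    DocumentRoot /var/www/example.net
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/example.net.crt
    SSLCertificateKeyFile   /etc/ssl/private/example.net.key
    SSLCertificateChainFile /etc/ssl/certs/example.net-chain.crt
</VirtualHost>

# Optional hardening: with this on, a client that sends no SNI gets a 403
# instead of silently landing on the default vhost above. Turn it on only
# if you are willing to lock out the old non-SNI clients (IE on XP, Java 6)
# that the thread mentions.
SSLStrictSNIVHostCheck on
```

To check that the right certificate comes back for each name, connect to the shared IP with the SNI name set explicitly, e.g. `openssl s_client -connect 203.0.113.10:443 -servername www.example.net </dev/null | openssl x509 -noout -subject`, and repeat with `-servername www.example.com`: each run should print that site's subject. Run it once more without `-servername` to see what non-SNI clients get; that should be the first vhost's certificate, or a handshake failure if `SSLStrictSNIVHostCheck` is on. A wildcard or multi-SAN certificate in the first vhost is the usual way to keep those clients from seeing a name mismatch.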


tallship

Well, I guess it was on the heels of being released. I see the announcement here that it has reached their release tier now:
http://releases.cpanel.net/ - specifically: http://releases.cpanel.net/releases/11-38/ssl-management/