Server Multi-site multi-domain HTTPS implementation

Suppose there is a scenario where we have multiple sites (such as site1.marei.com,site2.marei.com and site3.marei.com) bound to the same ip:port and distinguish between different host headers. We have requested and installed a certificate for each SSL site. When browsing the Web site, the user still sees a certificate mismatch error.

1. Implementation in IIS

• Cause of the problem

When an HTTPS request arrives at the IIS server, the HTTPS request is encrypted and requires a corresponding server certificate decryption request. Because the certificates for each site are different, the server needs to determine which certificate to decrypt with the different host headers in the request, but the master header is also encrypted as part of the request. Eventually, IIS had to use the first site certificate decryption request that was bound to the ip:port, which could result in a failure of the request to another site.

• Solution Solutions
  1. The first solution binds each HTTPS site to a different port. But then the client must manually specify the port when it browses the page, for example https://site.domain.com:444
  2. The second solution is to assign a separate IP to each site so that conflicts are resolved and even the host header is not added.
  3. The third solution is to use a wildcard certificate. We use a wildcard certificate issued to . Domain.com, for our example, the certificate issued to the. marei.com should be used so that any request to access the domain can be decrypted by the certificate, and the certificate matching error will no longer exist.

  4. The fourth solution is to upgrade support for SNI (server Name Indication) added to IIS8,IIS8, and the server can extract the corresponding host header from the request to find the appropriate certificate.

     Please refer to the http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sni-ssl-scalability for SNi opening method.

2. Implementation in Nginx

Open the Nginx installation directory under the Conf directory to open the Nginx.conf file and locate

2. server {
4. listen 443;
6. server_name domain1;
8. ssl on;
10. ssl_certificate 磁盘目录/订单号1.pem;
12. ssl_certificate_key 磁盘目录/订单号1.key;
14. ssl_session_timeout 5m;
16. Ssl_protocols tlsv1 tlsv1. 1 tlsv1. 2
18. ssl_ciphers AESGCM:ALL:!DH:!EXPORT:!RC4:+HIGH:!MEDIUM:!LOW:!aNULL:!eNULL;
20. ssl_prefer_server_ciphers on;
22. location / {
24. root html;
26. index index.html index.htm;
28. }
30. }

On the basis above, add another section of the configuration

2. server {
4. listen 443;
6. server_name dommain2;
8. ssl on;
10. ssl_certificate 磁盘目录/订单号2.pem;
12. ssl_certificate_key 磁盘目录/订单号2.key;
14. ssl_session_timeout 5m;
16. Ssl_protocols tlsv1 tlsv1. 1 tlsv1. 2
18. ssl_ciphers AESGCM:ALL:!DH:!EXPORT:!RC4:+HIGH:!MEDIUM:!LOW:!aNULL:!eNULL;
20. ssl_prefer_server_ciphers on;
22. location / {
24. root html;
26. index index.html index.htm;
28. }
30. }

Support multiple certificates in Nginx with the above configuration

Apache configuration HTTPS Virtual host shared 443 port

2. Listen 443
4. NameVirtualHost *:443
6. <VirtualHost *:443>
8. ……
10. ServerName www.example1.com
12. SSLCertificateFile common.crt;
14. SSLCertificateKeyFile common.key;
16. SSLCertificateChainFile ca.crt
18. ……
20. </VirtualHost>
22. <VirtualHost *:443>
24. ……
26. ServerName www.example2.com
28. SSLCertificateFile common2.crt;
30. SSLCertificateKeyFile common2.key;
32. SSLCertificateChainFile ca2.crt
36. ……
38. </VirtualHost>

Server Multi-site multi-domain HTTPS implementation