SSL Virtual Host Security scheme

Source: Internet
Author: User
Tags web hosting ssl certificate rapidssl certificate ssl connection wildcard ssl wildcard ssl certificate

As virtual host technology has developed, its capabilities have grown beyond the needs of personal sites: more and more small e-commerce sites are now built on virtual hosts. Providing these merchants with an economical and convenient SSL solution has become a new source of business growth for virtual host providers.

Technical analysis

Why can't SSL be used on a virtual host where multiple domain names share the same IP address?

This is a rather technical question, somewhat like the "chicken or egg" problem. The SSL protocol layer sits beneath the HTTP protocol layer: when an SSL connection is established, the SSL module talks to the browser before the Web module does, exchanges the certificate, and sets up the encrypted tunnel. As is well known, a Web server distinguishes virtual hosts by the "Host" field of the HTTP request. But at the moment the SSL module sends the server certificate to the browser, it has not yet received any HTTP packet and therefore does not know which virtual host's domain name is being requested. The SSL module can only send one fixed certificate; it cannot select a certificate according to the domain name. Consequently, you cannot configure more than one certificate for multiple virtual hosts on the default SSL port 443 of a single IP address.

Since one IP address and port number can correspond to only one certificate, the problem can be resolved in the following ways:

1. Configure a different IP address for each virtual host that requires SSL encryption, and use port 443 for all of them. For example: www.domain1.com uses 202.96.101.1:443 for SSL and www.domain2.com uses 202.96.101.2:443, so the two SSL websites are reached via https://www.domain1.com and https://www.domain2.com.

2. If there is only one IP address, configure a different SSL port for each website. For example: www.domain1.com uses 202.96.101.1:443 for SSL and www.domain2.com uses 202.96.101.1:1000, so the two SSL websites are reached via https://www.domain1.com and https://www.domain2.com:1000.

If the multiple virtual hosts are subdomains of a single primary domain, the situation changes, because you can request a wildcard SSL certificate.

For example: there are two virtual hosts, abc.domain.com and xyz.domain.com, and you apply for a *.domain.com certificate. Following the principle above, both virtual hosts use the same IP address and the default port 443. When the browser connects to ip:443, the SSL module sends the wildcard SSL certificate to the browser and establishes a valid SSL tunnel; the Web module then receives the HTTP packet and uses the domain name in it to select the virtual host.

The principle is sound, but unfortunately IIS cannot be configured this way: IIS does not support assigning a domain name (host header) to an SSL port. If you rely solely on IIS, you will have to use one of the two methods above (different IP addresses or different port numbers).

If there is only one IP address and you use method 2, with abc.domain.com on port 443 and xyz.domain.com on port 1000, you will notice the following: because the SSL port does not distinguish domain names, both https://abc.domain.com and https://xyz.domain.com point to the content of the abc.domain.com website, and both https://abc.domain.com:1000 and https://xyz.domain.com:1000 point to the content of the xyz.domain.com website. This can still be made to work: add a program to the abc.domain.com site that checks the requested domain name and, if a user visits https://xyz.domain.com, immediately redirects to https://xyz.domain.com:1000. Because the wildcard certificate covers both names, no security warning appears.
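As an added illustration (not code from the article), the following Python model shows the sequence described above: the certificate is chosen per (IP, port) before any Host header exists, the browser checks that fixed certificate against the name the user typed, and only afterwards can the Web module read the Host header and apply the redirect program from method 2. The host names and IP addresses are the article's illustrative values; the socket table and DNS entries are constructed for the example.

```python
# (ip, port) -> (name on the certificate the SSL module always sends on
# that socket, site whose content the Web module serves from it).
# Constructed for the example from the article's illustrative values.
SOCKETS = {
    ("202.96.101.1", 443):  ("*.domain.com", "abc.domain.com"),
    ("202.96.101.1", 1000): ("*.domain.com", "xyz.domain.com"),
    ("202.96.101.2", 443):  ("www.domain2.com", "www.domain2.com"),
}
# DNS as the browser sees it (constructed); mail.domain2.com has no site
# of its own, it merely shares an IP with www.domain2.com.
DNS = {
    "abc.domain.com": "202.96.101.1",
    "xyz.domain.com": "202.96.101.1",
    "www.domain2.com": "202.96.101.2",
    "mail.domain2.com": "202.96.101.2",
}

def cert_matches_hostname(cert_name, hostname):
    """Browser-side name check: exact match, or a wildcard like *.domain.com
    covering exactly one extra label (abc.domain.com, but not domain.com
    or a.b.domain.com)."""
    cert_name, hostname = cert_name.lower(), hostname.lower()
    if cert_name == hostname:
        return True
    if cert_name.startswith("*.") and hostname.endswith(cert_name[1:]):
        label = hostname[:-len(cert_name[1:])]
        return bool(label) and "." not in label
    return False

def https_request(hostname, port=443):
    """Outcome of the browser opening https://hostname:port."""
    ip = DNS[hostname]
    if (ip, port) not in SOCKETS:
        raise ConnectionRefusedError(f"nothing listening on {ip}:{port}")
    cert, site = SOCKETS[(ip, port)]
    # Step 1, SSL handshake: the certificate is fixed per socket because no
    # HTTP Host header has been seen yet; the browser checks it against the
    # name the user typed.
    if not cert_matches_hostname(cert, hostname):
        return ("certificate warning", cert)
    # Step 2, HTTP: the Web module now sees Host. If this socket belongs to
    # another site, the redirect program the article describes sends the
    # user to the port that hosts the requested name on the same IP.
    if site != hostname:
        target = next((p for (i, p), (_, s) in SOCKETS.items()
                       if i == ip and s == hostname), None)
        if target is not None:
            return ("redirect", f"https://{hostname}:{target}")
    return ("content", site)
```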

Fortunately, an SSL reverse proxy server can solve this problem: a third-party SSL module, rather than IIS, handles the SSL encryption. The certificate is installed on the reverse proxy server, the browser connects to the SSL reverse proxy server, and the reverse proxy server then accesses your Web server over plain HTTP. SSL reverse proxy hardware and software you can choose from includes:
1. SSL-enabled load balancers, such as F5 and Array Networks
2. ISA Server 2004 software
3. The free Squid software
4. The free Stunnel software
5. PortTunnel software

Recommended SSL Certificates

We recommend that web hosting providers adopt RapidSSL, because it is:
• Cost-effective: the RapidSSL certificate is the most attractive because it is cheap, and customers renting a virtual host are relatively price sensitive.
• Convenient to apply for: GeoTrust's proprietary online application technology verifies only domain name ownership, so a certificate can be issued in 10 minutes; this reduces the hosting provider's labor costs and lets the customer application process be automated.
• Simple to install, convenient and quick.
• Highly compatible: compatible with more than 99% of browsers and Web servers.
