[NTLUG:Discuss] Multiple Apache-SSL Servers / Same Pass Phrase
David
david at hayes-family.org
Tue Jul 1 20:49:54 CDT 2003
On Tue, Jul 01, 2003 at 03:39:28PM -0500, Greg Edwards wrote:
> The mod_ssl module will only support 1 host name so virtual hosting is
> not possible with SSL. It's not like the other modules, SSL is a server
> unto itself. Maybe we can get Neil to explain this better than I can??
> nudge-nudge ;)
I'm not Neil, but I'll have a whack at it.

Apache does two kinds of virtual hosting: name-based and IP-based.
IP-based hosting is the older type.

In IP-based hosting, each virtual server has its own IP address or
port number, different from all the others. Apache checks what IP
address and port it was contacted at, and uses the corresponding host
setup.

In name-based hosting, all virtual servers listen at the same address
and port. The client requests include a header, "Host: {host-name}".
Apache uses the given host-name to determine which virtual server is
being requested. The "Host:" request header is necessary because the
normal HTTP request line -- "GET /xyz HTTP/1.0" -- uses a URI, rather
than a URL. As you can see, the URI does not include a host name.

Now that all works fine, until we get to SSL-encrypted sites. SSL is
a layer below the HTTP application protocol, so it has to be set up
first. Part of that setup is the exchange of X.509 certificates,
which include the server's hostname. This is why name-based hosting
cannot cannot be done with SSL sites. The HTTP request cannot be sent until
the SSL setup is complete, but we need the Host: header from the
request to know which X.509 certificate to use at the SSL layer. It's
a chicken-and-egg problem.

If you're doing multiple virtual SSL servers, then, you must either
have multiple IP addresses, or you must have multiple ports on a
single address.
--
David Hayes
david at hayes-family.org
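The following is an added example, not code from David's post or from Apache itself. It models the two dispatch mechanisms the post describes: IP/port-based selection, which needs nothing from the client, and name-based selection, which can only be decided from the "Host:" request header because the request URI carries no host name. It then models the SSL ordering problem: the certificate must be chosen when the encrypted session is set up, before any HTTP bytes (and so any Host: header) have arrived, so the model refuses a configuration with more than one SSL virtual host on the same address and port. All addresses, host names, certificate names and request bytes are constructed for the example.

```python
"""Apache-style virtual host selection, modelled in Python (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VirtualHost:
    ip: str           # address this vhost listens on
    port: int         # port this vhost listens on
    server_name: str  # name matched against the Host: request header
    cert_cn: str      # CN of the X.509 certificate presented for this host


def select_ip_based(vhosts: List[VirtualHost], local_ip: str, local_port: int) -> List[VirtualHost]:
    """IP-based hosting: only the local address and port decide; nothing from the client is needed."""
    return [v for v in vhosts if v.ip == local_ip and v.port == local_port]


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Parse the request line and headers of a plaintext HTTP request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, uri, version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, uri, version, headers


def select_name_based(candidates: List[VirtualHost], headers: Dict[str, str]) -> Optional[VirtualHost]:
    """Name-based hosting among vhosts that share one address:port.

    The request URI ("/xyz") carries no host name, so the Host: header is the
    only thing that can decide. Like Apache, fall back to the first vhost
    defined for that address:port when nothing matches.
    """
    host = headers.get("host", "").split(":", 1)[0].strip().lower()
    for v in candidates:
        if v.server_name.lower() == host:
            return v
    return candidates[0] if candidates else None


def select_cert_for_tls(vhosts: List[VirtualHost], local_ip: str, local_port: int) -> str:
    """Pick the certificate at SSL/TLS setup time.

    Only the local address and port are known here; the HTTP request (and its
    Host: header) cannot be read until the encrypted channel exists. So there
    must be exactly one SSL vhost per address:port, otherwise the choice is
    ambiguous: the chicken-and-egg problem described in the post.
    """
    candidates = select_ip_based(vhosts, local_ip, local_port)
    if len(candidates) != 1:
        raise LookupError(
            "%d SSL vhosts on %s:%d; cannot choose a certificate before the Host: header arrives"
            % (len(candidates), local_ip, local_port))
    return candidates[0].cert_cn


# Constructed configuration: two name-based plain-HTTP hosts on one socket,
# and three SSL hosts separated either by address or by port.
VHOSTS = [
    VirtualHost("192.0.2.10", 80, "www.example.org", "www.example.org"),
    VirtualHost("192.0.2.10", 80, "mail.example.org", "mail.example.org"),
    VirtualHost("192.0.2.10", 443, "www.example.org", "www.example.org"),
    VirtualHost("192.0.2.11", 443, "mail.example.org", "mail.example.org"),
    VirtualHost("192.0.2.10", 8443, "shop.example.org", "shop.example.org"),
]

# Constructed misconfiguration: two SSL hosts on the same address and port.
BROKEN_SSL_VHOSTS = [
    VirtualHost("192.0.2.10", 443, "www.example.org", "www.example.org"),
    VirtualHost("192.0.2.10", 443, "mail.example.org", "mail.example.org"),
]


def serve_plain(vhosts: List[VirtualHost], local_ip: str, local_port: int,
                raw_request: bytes) -> Optional[VirtualHost]:
    """Plain HTTP: narrow by address:port first, then by the Host: header."""
    _method, _uri, _version, headers = parse_request(raw_request)
    return select_name_based(select_ip_based(vhosts, local_ip, local_port), headers)


if __name__ == "__main__":
    req = b"GET /xyz HTTP/1.0\r\nHost: mail.example.org\r\n\r\n"
    print("plain HTTP ->", serve_plain(VHOSTS, "192.0.2.10", 80, req).server_name)
    for ip, port in (("192.0.2.11", 443), ("192.0.2.10", 8443)):
        print("SSL %s:%d -> cert %s" % (ip, port, select_cert_for_tls(VHOSTS, ip, port)))
    try:
        select_cert_for_tls(BROKEN_SSL_VHOSTS, "192.0.2.10", 443)
    except LookupError as e:
        print("SSL 192.0.2.10:443 ->", e)
```

The model reflects the situation as the post describes it. As a practitioner's caveat not covered by the post: later TLS versions added the Server Name Indication extension (RFC 6066), which carries the requested host name inside the handshake itself, so servers and clients that support SNI can do name-based virtual hosting over TLS; the one-certificate-per-address:port rule above still applies to any client or server without it.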