Multiple SSL Certificates on One IP Address

Whether due to network configuration requirements or load balancing, hosting multiple SSL sites on a single IP address often provides more flexibility and easier maintenance.  The challenge is that older browsers can only interact with one SSL site per IP address on port 443.  Two primary solutions address this problem: port redirects and virtual directories.

For a little background, SSL (Secure Sockets Layer) is the traditional protocol used to encrypt data connections for web traffic.  An SSL-encrypted connection prevents both man-in-the-middle attacks and connection spoofing.  By encrypting each data packet, SSL prevents routers or other users on public Wi-Fi from seeing the data sent over the network (normally, all data sent on an unsecured Wi-Fi network is visible to any other person on that network).  Additionally, by verifying server identity, SSL prevents connection spoofing, so that malicious hackers cannot create a fake server that pretends to be a bank or government website.

A newer version of SSL called TLS (Transport Layer Security) has been slowly making its way into web servers since 1999.  TLS has an extension called SNI (Server Name Indication) that is similar to Host Header Names, enabling multiple sites to be secured on the same port 443.  Although most modern web browsers support SNI, there are several holdouts – most notably any version of Internet Explorer running on Windows XP.  Although Windows XP will likely be retired completely in the next two to three years, until then, corporate networks still running Windows XP may need access to the secured website.

Thus, for the majority of websites, the most effective method of merging multiple SSL sites onto one IP is port redirection.  While SSL requires a unique IP/port combination per site, it does not require that the SSL port be 443.  For example, one website could use port 443 while another uses port 444 for its secure site.  Both SSL sites can reside on the same IP address and run on different ports.

To implement port redirection, neither SSL site should be directly referenced by hard-coded external URLs – the SSL connection link should be generated dynamically from a centralized configuration file.  In this way, the user is switched to the proper SSL site even if the port changes in the future.

The port redirect technique is flexible enough to work on both Linux / Apache and Windows / IIS. Below is a sample configuration for Apache:

# Plain HTTP site for the secondary domain on port 80, distinguished from the
# primary site by its Host Header Name.
<VirtualHost *:80>
  ServerName www.sitedomain.com
  ServerAlias sitedomain.com
  DocumentRoot /var/www/sitedomain.com/
  DirectoryIndex index.php
</VirtualHost>

# Secondary SSL site: Apache must also listen on port 444, since 443 is
# already taken by the primary site on this IP address.
Listen 444
<VirtualHost *:444>
  ServerName www.sitedomain.com
  ServerAlias sitedomain.com
  DocumentRoot /var/www/sitedomain.com/
  DirectoryIndex index.php
  SSLEngine on
  # Replace the ***** placeholders with the paths to this site's certificate,
  # its private key, and the intermediate CA chain.
  SSLCertificateFile *****.crt
  SSLCertificateKeyFile *****.key
  SSLCertificateChainFile *****.crt
</VirtualHost>

The configuration above is for the secondary site, with SSL on port 444.  We assume that the primary site is already defined, using Host Header Names on port 80 and SSL on port 443.  Accessing the secured secondary site is then as simple as using the following URL:

https://www.sitedomain.com:444/
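The earlier recommendation was that application code never hard-code the SSL port but build the secure link from a centralized configuration.  The following is an added example of that idea, not code from the original article: a constructed config maps each site to its host and SSL port, the port is omitted when it is the default 443, and the HTTP-to-HTTPS redirect target is looked up only from that config, never copied from the request's Host header, so the redirect can never be pointed at a host the administrator did not define.

```python
# Constructed sample of a centralized site configuration (assumption: one entry
# per site, keyed by a short site name; ssl_port must match the Apache
# VirtualHost definitions). Only hosts listed here may be redirect targets.
SITE_CONFIG = {
    "primary":   {"host": "www.securesite.com", "ssl_port": 443},
    "secondary": {"host": "www.sitedomain.com", "ssl_port": 444},
}


def secure_url(site, path="/", config=SITE_CONFIG):
    """Build the HTTPS URL for a configured site.

    The port is omitted when it is the default 443, so moving a site between
    443 and another port changes only the config file, never the application.
    """
    entry = config[site]  # KeyError for unknown sites: no fallback to request data
    if not path.startswith("/"):
        raise ValueError("path must be relative to the site root")
    port = entry["ssl_port"]
    suffix = "" if port == 443 else f":{port}"
    return f"https://{entry['host']}{suffix}{path}"


def site_for_host(host, config=SITE_CONFIG):
    """Map an incoming Host header (possibly 'host:port') to a site name, or None."""
    hostname = host.split(":", 1)[0].lower()
    for name, entry in config.items():
        if entry["host"] == hostname:
            return name
    return None


def redirect_location(host, path="/", config=SITE_CONFIG):
    """Location header value for upgrading a plain-HTTP request to HTTPS.

    Returns None when the Host header is not a configured site, so the caller
    can answer 404 instead of redirecting to an arbitrary, attacker-chosen host.
    """
    site = site_for_host(host, config)
    if site is None:
        return None
    return secure_url(site, path, config)
```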

The alternate method for hosting multiple sites on one IP address is to create one “master” site, and add virtual directories or soft links to the other sites as subdirectories.  The SSL-secured URLs would then be as follows:

https://www.securesite.com/sitedomain/

This method can require programming changes to the content, however, since references to the root URL “/” will resolve to the master site rather than the intended one.  In general, port redirection is recommended because it introduces fewer bugs over the web application's lifecycle.

Written by Andrew Palczewski

About the Author
Andrew Palczewski is CEO of apHarmony, a Chicago software development company. He holds a Master's degree in Computer Engineering from the University of Illinois at Urbana-Champaign and has over ten years' experience in managing development of software projects.