@Mendez628

Port numbers for SSL

Posted in: #Configuration #Https #Iis #Iis7 #Server

We have an existing web site with HTTP on port 80 and HTTPS on port 443. I'm adding a second site to that now, and from what I understand, I cannot host two sites on the same SSL port.

So my question is: which port number range is appropriate for me to use as my SSL port on the second site?




5 Comments


@Cugini213

By considering your last comment and after reviewing the experts' answers, I can recommend two solutions.

Best solution is:

Purchase a wildcard SSL certificate that will allow you to secure unlimited sub.domain.com hosts on the same IP (an SSL certificate requires a dedicated IP).

Alternate solution:

You can buy two different SSL certificates, one for each website. Here you cannot host them on the same IP.


@Sent6035632

In IIS (as with other web servers) there are three key identifiers that identify your site for incoming requests:

- IP address
- TCP port
- Host header

If you are running multiple websites on a single web server, at least one of those three must be different for each site. In many environments a server is given only a single IP address, which leaves the TCP port and the host header as the things that can be changed. It is possible to run an https website on a different port; you just have to specify the port in the URL, which is not always desirable (this would look something like www.foo.com:32000/index.html). More often than not you want to run all of your websites on port 80 (http) or 443 (https) so that you end up with clean URLs. That then leaves the host header as the one item that you want to change.

In IIS, you can have multiple sites on the same IP/port combination that use SSL and host headers. The key is that you need to use either a wildcard certificate or a SAN (Subject Alternative Names) certificate that specifies multiple host names in the certificate itself. You cannot set host header bindings on an SSL site in the IIS Manager UI. You have to either do it via the command line or manually edit the applicationHost.config file on the server.

Information from Technet on setting this via command line can be found here.

There was a post on the IIS Forum with a similar issue to this as well which can be found here.

After running the command or manually editing the config file, your applicationHost.config file might look similar to this:

<site name="first.mycompany.com" id="10">
    ...
    <bindings>
        <binding protocol="http" bindingInformation="192.168.10.100:80:first.mycompany.com" />
        <binding protocol="https" bindingInformation="192.168.10.100:443:first.mycompany.com" />
    </bindings>
    ...
</site>
<site name="second.mycompany.com" id="11">
    ...
    <bindings>
        <binding protocol="http" bindingInformation="192.168.10.100:80:second.mycompany.com" />
        <binding protocol="https" bindingInformation="192.168.10.100:443:second.mycompany.com" />
    </bindings>
    ...
</site>

You will then see the bindings in IIS manager. Hope that helps.

*EDIT*
The above information assumed this issue was related to IIS7. If it is for IIS6, there is a different procedure to follow. Information about that can be found here.

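The wildcard and SAN certificate requirement raised in the two answers above can be checked mechanically. This is an added example, not code from either poster: it assumes a list of the names a certificate carries (CN plus Subject Alternative Names) and the host names used in the site bindings, and applies the usual browser matching rule that a wildcard must be the whole leftmost label and covers exactly one label.

```python
# Added example: report which host-header bindings a certificate does not cover.
# Sample certificate names and bindings below are constructed, not taken from a
# real server; the matching rule is the standard browser one for wildcards.
from typing import Iterable, List

def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (exact or wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    # The wildcard must be the entire leftmost label, e.g. "*.mycompany.com".
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest:
        return False
    host_first, _, host_rest = hostname.partition(".")
    # "*" matches exactly one non-empty label: it covers first.mycompany.com
    # but neither mycompany.com itself nor api.eu.mycompany.com.
    return bool(host_first) and host_rest == rest

def uncovered_bindings(cert_names: Iterable[str], bindings: Iterable[str]) -> List[str]:
    """Return the bound host names that no name on the certificate covers."""
    names = list(cert_names)
    return [h for h in bindings if not any(hostname_matches(n, h) for n in names)]

# Constructed sample data: a two-name SAN certificate, a wildcard certificate,
# and the bindings from the answer above plus two hosts that show edge cases.
SAN_CERT_NAMES = ["first.mycompany.com", "second.mycompany.com"]
WILDCARD_CERT_NAMES = ["*.mycompany.com"]
BINDINGS = ["first.mycompany.com", "second.mycompany.com",
            "mycompany.com", "api.eu.mycompany.com"]

if __name__ == "__main__":
    print("SAN cert misses:", uncovered_bindings(SAN_CERT_NAMES, BINDINGS))
    print("Wildcard cert misses:", uncovered_bindings(WILDCARD_CERT_NAMES, BINDINGS))
```

Both sample certificates leave the bare domain and the two-level subdomain uncovered, which is why such hosts need their own SAN entry rather than relying on the wildcard.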

@Frith620

Traditionally you need one IP address per SSL binding. It's not possible to add a host header when setting up the bindings. The reason for this is that the host header is part of the HTTP headers sent by the browser, and these headers are encrypted as part of the SSL traffic. In order to read the host name header, the server must first decrypt the traffic, but to do that it needs to know which certificate to use. For that it would need the host header, so you get into a vicious circle.

A solution would be for the server to try all its installed certificates and attempt to decrypt the request. Although this might work with a few certificates installed, it won't for servers with tens or hundreds of SSL websites. It would dramatically slow down the server, as the server would have to do this for each incoming request.

The solution for this is an extension to the SSL protocol called Server Name Indication (SNI). This adds the host name to the SSL protocol, which allows the server to see the host header before it has to decrypt the SSL traffic. This extension is not supported by any version of IIS earlier than IIS 8 (Windows 2012). On the client side SNI is supported by OS X 10.5.6 and Windows Vista or higher. SNI is not supported by SChannel on Windows XP and thus not supported by any version of Internet Explorer (even 8.0) on Windows XP.


@Nickens628

Actually you CAN host multiple SSL sites on port 443. The following code in your apache config file will do the trick.

## SSL (HTTPS) PORT 443
Listen 443
NameVirtualHost *:443

LoadModule ssl_module modules/mod_ssl.so
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost *:443>
    ServerName host1.com

    SSLEngine on
    SSLOptions +StrictRequire
    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
    SSLCertificateFile /etc/httpd/ssl/host1.crt
    SSLCertificateKeyFile /etc/httpd/ssl/host1.key
    SSLVerifyClient none
    SSLProxyEngine off

    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    # The request line must be escaped inside the quoted format string
    CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    DocumentRoot /var/www/host1/

    <Directory "/var/www/host1/">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order Allow,deny
        Allow from all
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName host2.com

    SSLEngine on
    SSLOptions +StrictRequire
    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
    SSLCertificateFile /etc/httpd/ssl/host2.crt
    SSLCertificateKeyFile /etc/httpd/ssl/host2.key
    SSLVerifyClient none
    SSLProxyEngine off

    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    DocumentRoot /var/www/host2/

    <Directory "/var/www/host2/">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order Allow,deny
        Allow from all
    </Directory>
</VirtualHost>

Otherwise, you can use whatever ports you want. The disadvantage will be that users will have to include the port number in the URL (e.g. yourdomain.com:445/).


@Ogunnowo487

When you say "second site" - do you mean a second domain name? As in, you're currently hosting www.mycompany.com on one cluster and you want to host www.yourcompany.com on that same cluster? I think what you're looking for is "virtual hosting": support.microsoft.com/kb/q190008
You'll still need to buy a second SSL certificate, but you'll be able to host both at the same IP address under the standard ports (which, at the very least, will boost user confidence in your site).
