SSL Protect Unlimited Sites Under a Single vHost Without Server Restarts

@Jessie594

Posted in: #Apache2 #Https #SecurityCertificate

I am creating a platform similar in concept to Wix for hosting websites. I wish to ensure that all the sites (except where specific issues prevent this on a site by site basis) will be protected by https.

The basics of the system are: a theoretically unlimited number of domains will be able to map to a load balancer, which will connect to a number of virtual servers all running the same PHP application under the default Apache vHost, with all port 443 traffic being directed to the PHP application.

As there could be an unlimited number of domains used to access the application, and as there will be new domains added every single day, I am trying to find out what the appropriate type of certificate is to achieve this.

Ideally I am after a solution or certificate type that will meet the following...


No domain level restriction (ie: don't want to have to regenerate the certificate each time a new site is added to the database)
Does not need to be aware of the domain names that may connect to it, as these are stored in a database and do not appear on the server anywhere
Ideally some form of automated process if possible as the virtual servers will be destroyed and re-provisioned frequently with new IP addresses and new server names.


I know how to do this with single certificates per vhost for more classical site hosting in Apache through automated services such as LetsEncrypt but the above is stumping me and I have been unable to find anything online on this.


@Eichhorn148

There are three ways to use SSL certs with domain names:


Buy a certificate for the domain. Run a server on a unique IP address for that domain. (Classic SSL)
Buy a single certificate that covers multiple domains. Run a server on a unique IP address for all these domains. Re-issue the certificate when you add domains. This is known as a Subject Alternative Name (SAN) or Unified Communications Certificate (UCC).
Buy a separate certificate for each host. Host everything on one IP address. Specify the certificate in the virtual host configuration. This is known as Server Name Indication (SNI) and it now has 98% browser support. Only some older Android and IE browsers don't support it.


Your requirement of adding new host names without re-issuing certificates means that you will need to use SNI.

However, your second requirement that the server not be aware of the domain name that connects to it is incompatible with SNI. SNI negotiates the correct certificate to use based on the host name. That is why the SSL certificates are typically configured in the Apache virtual host. Apache negotiates the HTTPS connection and needs to be aware of the host name for that process.

Apache does have functionality for adding virtual hosts without restarting the server. Apache supports a configuration reload without restart. You would typically add the configuration files for the virtual host with the SSL certificate. Then you would run a command to have Apache reload the configuration to start serving the new host without a restart. I use Ubuntu; on Ubuntu the command is:

sudo service apache2 reload

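The following script is an added example, not code from the original post or the answer above. It automates the model the answer arrives at: one IP address, SNI, one certificate and one vhost file per hostname, and a graceful reload rather than a restart. It assumes certbot and mod_ssl are installed and the Debian/Ubuntu directory layout; the paths, the e-mail address, the `SITES_DIR`/`WEBROOT`/`ACME_EMAIL` variables and the hostname-validation rules are my assumptions, not anything the page specifies. The one check a practitioner should not skip is the hostname filter: the name comes out of the site database, which means it is user input, and it is about to be interpolated into both a command line and an Apache config file.

```shell
#!/bin/sh
# Added example (not from the original post or answer): provision one HTTPS
# host under the SNI model. One IP, one cert per hostname, one vhost file per
# hostname, graceful reload instead of restart.
# Assumed environment: certbot installed, mod_ssl enabled, Debian/Ubuntu
# layout. All paths and the e-mail address below are placeholders.
set -eu

SITES_DIR="${SITES_DIR:-/etc/apache2/sites-enabled}"
WEBROOT="${WEBROOT:-/var/www/html}"
ACME_EMAIL="${ACME_EMAIL:-admin@example.com}"   # placeholder address

# The hostname comes from the site database, i.e. from user input. Refuse
# anything that is not a plain DNS name BEFORE it reaches a command line or a
# config file: letters, digits, dots and hyphens only, at most 253 chars, no
# empty label, no leading/trailing dot, no label starting/ending with '-'.
valid_hostname() {
    h="$1"
    [ -n "$h" ] && [ "${#h}" -le 253 ] || return 1
    case "$h" in
        *[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
    esac
    return 0
}

# Render the per-host vhost. Every host shares *:443 on the same IP; mod_ssl
# picks the block, and therefore the certificate, from the SNI name the
# client sends in the TLS ClientHello.
vhost_config() {
    host="$1"
    live="/etc/letsencrypt/live/$host"
    cat <<EOF
<VirtualHost *:443>
    ServerName $host
    DocumentRoot $WEBROOT
    SSLEngine on
    SSLCertificateFile    $live/fullchain.pem
    SSLCertificateKeyFile $live/privkey.pem
    # Clients that send no SNI would otherwise be served the default vhost's
    # certificate for this name; refuse them instead of misleading them.
    SSLStrictSNIVHostCheck on
</VirtualHost>
EOF
}

provision_site() {
    host="$1"
    valid_hostname "$host" || { echo "refusing unsafe hostname: $host" >&2; return 1; }

    # 1. Obtain a certificate for just this name via HTTP-01 in webroot mode,
    #    so nothing on the server needs to know the name ahead of time.
    certbot certonly --non-interactive --agree-tos -m "$ACME_EMAIL" \
        --webroot -w "$WEBROOT" -d "$host"

    # 2. Write the vhost atomically (temp file + rename) so a concurrent
    #    reload never parses a half-written file.
    tmp="$(mktemp "$SITES_DIR/.$host.XXXXXX")"
    vhost_config "$host" > "$tmp"
    mv -f "$tmp" "$SITES_DIR/$host.conf"

    # 3. Validate first: a broken vhost would take every existing site down
    #    with it. A graceful reload keeps in-flight connections alive.
    apachectl configtest
    apachectl graceful
}

# Usage (needs root, certbot and mod_ssl):  provision_site example.com
```

Two caveats apply to the setup in the question. HTTP-01 means port 80 for the new name must reach the same backend that ran `certbot`, so with several virtual servers behind the load balancer the webroot and `/etc/letsencrypt` need to be shared storage, or you switch to DNS-01. And because the backends are destroyed and re-provisioned often, the certificates and vhost files must live somewhere that survives the instance, or be regenerated from the database on boot.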