Traditionally, an SSL-enabled site on Apache had to be bound to its own IP address. The reason is the protocol's design: the SSL/TLS handshake, in which the server must present its certificate, completes before the client sends the HTTP request, so the server never sees the Host header at the moment it has to decide which certificate to serve.
That meant that with only one IP address you could run only one SSL-enabled site.
With Apache 2.2.12 and its support for the SNI (Server Name Indication) extension to TLS, this has changed completely. Now you can configure name-based HTTPS sites just as you configure name-based HTTP sites: the client sends the hostname it wants inside its ClientHello, before any certificate is chosen, so Apache can pick the matching virtual host and certificate. The bottom line is that the five IPs you needed until now to run five SSL sites can be reduced to one.
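To make concrete what SNI adds to the handshake, here is an added example (my own illustration, not code from the post or from Apache) that builds a constructed ClientHello with and without the server_name extension, extracts the hostname the way a server must, and models the dispatch decision a name-based HTTPS server makes. The hostnames, the single cipher suite and the `choose_vhost` model are assumptions for the example; the wire format follows RFC 4366/RFC 6066.

```python
import struct
from typing import List, Optional


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.0 ClientHello record (constructed test data, not a capture).

    With server_name=None the message carries no extensions block at all, which is
    exactly what a browser without SNI support sends."""
    body = b"\x03\x01"                         # client_version: TLS 1.0
    body += b"\x00" * 32                       # random (fixed; irrelevant here)
    body += b"\x00"                            # session_id: empty
    body += b"\x00\x02" + b"\x00\x2f"          # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA only
    body += b"\x01\x00"                        # compression_methods: null only
    if server_name is not None:
        name = server_name.encode("idna")
        # ServerNameList with a single host_name (name_type 0) entry
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name
        sni_data = struct.pack("!H", len(sni_list)) + sni_list
        ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data   # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def _take(buf: bytes, pos: int, n: int) -> bytes:
    """Slice n bytes at pos, refusing to read past the end (this is untrusted input)."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n]


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in the ClientHello's server_name extension,
    or None when the client sent no SNI. Note that the name travels in cleartext."""
    if _take(record, 0, 1) != b"\x16":
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", _take(record, 3, 2))[0]
    hs = _take(record, 5, rec_len)
    if _take(hs, 0, 1) != b"\x01":
        raise ValueError("not a ClientHello")
    body = _take(hs, 4, int.from_bytes(_take(hs, 1, 3), "big"))
    pos = 2 + 32                                             # skip version and random
    pos += 1 + _take(body, pos, 1)[0]                        # session_id
    pos += 2 + struct.unpack("!H", _take(body, pos, 2))[0]   # cipher_suites
    pos += 1 + _take(body, pos, 1)[0]                        # compression_methods
    if pos == len(body):
        return None                                          # no extensions block: pre-SNI client
    end = pos + 2 + struct.unpack("!H", _take(body, pos, 2))[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", _take(body, pos, 4))
        data = _take(body, pos + 4, ext_len)
        pos += 4 + ext_len
        if ext_type != 0x0000:
            continue
        list_end = 2 + struct.unpack("!H", _take(data, 0, 2))[0]
        p = 2
        while p + 3 <= list_end:
            name_type = _take(data, p, 1)[0]
            name_len = struct.unpack("!H", _take(data, p + 1, 2))[0]
            name = _take(data, p + 3, name_len)
            p += 3 + name_len
            if name_type == 0:                               # host_name
                return name.decode("ascii")
    return None


def choose_vhost(record: bytes, server_names: List[str], strict_sni_check: bool) -> Optional[str]:
    """Simplified model (an assumption of this example, not Apache's code) of name-based
    HTTPS dispatch on one IP:port.

    server_names is the ordered list of ServerName values; the first is the default
    vhost. Returns the ServerName that would handle the connection, or None where the
    server would answer 403 because the strict check is on and no SNI was sent."""
    sni = extract_sni(record)
    if sni is None:
        return None if strict_sni_check else server_names[0]
    return sni if sni in server_names else server_names[0]   # unknown name: default vhost
```

Run `extract_sni` over a ClientHello captured from a real client (the first record on port 443) to see which of your clients actually send SNI; every `_take` raises instead of reading out of bounds, which is the behaviour you want in anything that parses handshakes from the network.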
There are some prerequisites, however:
- The server, obviously, must use Apache 2.2.12 or higher.
- It must also use OpenSSL 0.9.8f or later, built with TLS extension support (the enable-tlsext configure option; from 0.9.8j on it is enabled by default).
- And Apache must be built against that OpenSSL, because mod_ssl enables SNI support at build time only if it detects an OpenSSL that includes TLS extension support.
Finally, as far as browsers go, not every browser supports SNI yet, but the most popular ones do, and some have for quite a while. This includes Firefox 2.0 or later, Opera 8.0 or later, Internet Explorer 7.0 or later (unfortunately only on Vista or later, since SNI is implemented in Windows' Schannel library and XP's version lacks it), Google Chrome, and Safari 3.2.1 (unfortunately only on OS X 10.5.6 or later).
For configuration, here is an example of what to put in your Apache configuration file:
If the client's browser does not support SNI, the directive SSLStrictSNIVHostCheck on in the configuration above makes Apache log an error:
[error] No hostname was provided via SNI for a name based virtual host
and return a 403 (Forbidden) to the client. With the directive left at its default of off, a non-SNI client is instead served by the first name-based virtual host configured for that address and is presented with that host's certificate, so it gets a certificate-name mismatch warning unless it happened to want that site.
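An added example of such a name-based HTTPS setup for Apache 2.2.12 or later (my own illustration, not the post's own snippet); the hostnames, DocumentRoots and certificate paths are assumptions:

```apache
# Added example, not the post's own configuration. Hostnames and paths are assumptions.
Listen 443
# Required on 2.2 for name-based vhosts on this address; 2.4 ignores it.
NameVirtualHost *:443

# Reject (403) clients that send no SNI instead of silently handing them the
# first vhost and its certificate. Valid in server config and inside <VirtualHost>.
SSLStrictSNIVHostCheck on

# The first vhost for *:443 is the default: it is what a non-SNI client gets when
# the check above is off, and what an unknown SNI name falls back to.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    # Log the SNI name mod_ssl saw (empty for non-SNI clients) next to each request.
    CustomLog /var/log/apache2/ssl_access.log "%h %{SSL_TLS_SNI}x \"%r\" %>s"
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /var/www/example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.org.key
</VirtualHost>
```

Check it with `apachectl -t`, then compare `openssl s_client -connect <ip>:443 -servername www.example.org` against the same command without -servername: the first must return the example.org certificate, the second must be refused (403 after the handshake) with the strict check on, or receive the example.com certificate with it off. Keep in mind that the SNI name is sent in cleartext, so it reveals which site a client is visiting even though the rest of the session is encrypted.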