(i couldn't find similar posts 'cos my browser kept on wanting to download the php file, hmm...)

I have multiple virtual hosts with their domains all under the same IP. Recently i decided to venture into SSL.

All the 4 vhosts are served through HTTP. For two of them, i want HTTPS. This poses an immediate chicken-n-egg problem as one can't have two SSL vhosts under the same ip/port. I won't bring SNI into the subject since that doesn't seem to be mature yet.

I guess i'll hav'em under different ports then, which poses another problem, easier to solve i think, although not elegant. I'd have to direct requests to https://domain.com:unusualPort

Could i have the firewall - i'm using shorewall, so by fw i mean the kernel's pf - to the de/cryption? In that case from the fw to the server the requests could be already in plain text. Just a wild thought.

I've found some links on how to be your own CA and that's what i'll use since these sites aren't (very) commercial. I won't mind about the popup as most users just ignore it anyway.

One issue i stumble upon is content organization. Should i have one single site with regular http content and some other content that's only available though https? It's fairily ok if i'm only filtering with scripting+db, but throwing https into the mix kinda makes things messy if i keep using the same pages for different access levels.

Or should i have the public site - login - the private site? Seems more clean.

What about the files themselves, on the server, should i keep the http site under /whatever/site/ and the https content under /whatever/site/ssl/ ? Or /whatever/site_ssl/ ?

How about the transition? There'll be a login form, of course (and its handling something i should look into better), but should it be served as http and have its action point to https or be served as https directly? Maybe the latter.

I'm mostly sure of the answers, as well as the work it'll imply after work already done. I'd like to hear some opinions though, especially from those who have experience.

I'm using X/HTML, CSS and PHP (5.2.10), maybe some XSLT (much) later. I'm running debian unstable with nginx 8.10 +FastCGI and MySQL 5.1.37. All in UTF-8. I'm not using a CMS but rather doing it almost from scratch (the login system i got elsewhere), since this is academic/hobby work and i want to learn.

Any rtfm links are more than welcome.

TIA,
Nuno

But Sir, O, how you can!

Apache would kind of blow, if you couldn't. Here's what I do:

But... AFAIK SSL encrypts the http header, including the Host:, so you can't know which vhost it belongs to until you decrypt - and you need the vhost's key for that.. 'sides, i'm not using apache, but thanks.

Hm, that does sound like a reasonable explanation of why it shouldn't work. However, lo-and-behold, I run multiple secure vhosts on my box and it Just Works (tm)

That's too damn bad.

What are you using though?

How many SSL certs do you have? Do you have a wildcard?

It is true that they use the same certificate. And yes, I use the wildcard setup described above.

Well if it's the same certificate it makes sense
I'm using nginx.

How do you separate public content (http) from private (https)? I.e. how's your login form like? Straight https or the action="" is https?

I hadn't heard of nginx before -- do you prefer it? What do you like about it?

As for the http/https separation: for certain <Location>'s of my site, I have a redirect like this:

However, since my vhosts are necessarily bound to either :80 or :443, for "important" stuff (webmail) I just simply dont setup a corresponding HTTP host (which would otherwise serve the same content, unencrypted.)

I haven't used apache extensively so i can't compare them both, however, i am a bit 'allergic' to apache's ubiquity. Not that it's the most widely used - i think that's great for the OS world -, but that everyone in linux assumes you're using it. I also don't like huge applications and apache is pretty big. Silly rant, i know.

From what i've searched around, nginx is much faster and light than apache (although with correct versions and modules apache can become almost as fast as nginx), and doesn't have the memory-leak problems lighty has/had. Like i said, this is all hearsay, i haven't personally benchmarked them both, but 99% of the reviews out there praise nginx when compared to apache, as well as with others.

A common approach for big sites is to have nginx as a front end load-balancer and an apache farm in the back end.

For me i like the syntax of the .conf files, the extra modules it has and the very active community.

For you... dunno, try it out

Btw,

From what i've seen so far, you either use different ports for the same IP, or use SNI. The downside is that server and browser compatiblity with SNI isn't all that great yet.

@vesperto: Not sure if you're still reading this thread (almost a month later), but here are some ideas anyway...

Since we're brainstorming, one option that comes to mind is adding two more http namevirtualhosts that redirect to your https content. i.e.: Requests to http/foo.your.host would be redirected to https/your.host/foo, and requests to http/bar.your.host would be redirected to https/your.host/bar.

I haven't tested this out. Just a thought.