LinuxQuestions.org

Thread: Linux - Newbie - https://www.linuxquestions.org/questions/linux-newbie-8/do-i-need-to-forward-port-for-ip-based-virtual-host-to-work-797109/

bobby953 03-22-2010 02:35 PM

Do I need to forward port for IP-Based Virtual Host to work?
 
Having trouble visualising how IP-Based Virtual Host (with SSL) would work. Here is my vhosts.conf file:

Code:

# Define name-based virtual host
NameVirtualHost 10.10.0.54:80

#Used to replace the main server host. The log file will reside in /var/log/httpd/error_log
<VirtualHost 10.10.0.54:80>
        ServerAdmin webmaster@domain1.ca
        DocumentRoot /var/www/html/domain1
        ServerName domain1.ca
        ErrorLog /var/log/httpd/domain1/error_log
        CustomLog /var/log/httpd/domain1/access_log common
</VirtualHost>

<VirtualHost 10.10.0.54:80>
        ServerAdmin webmaster@domain2.ca
        DocumentRoot /var/www/html/domain2
        ServerName domain2.ca
        ErrorLog /var/log/httpd/domain2/error_log
        CustomLog /var/log/httpd/domain2/access_log common
</VirtualHost>

I want to host a couple of websites with SSL. So I can, using IP aliasing, create two virtual interfaces, eth0:1 and eth0:2, and assign to them 10.10.0.55 and 10.10.0.56 respectively. Now, my question is, will I have to forward port 443 to 10.10.0.55 and 10.10.0.56? I can't forward a port to two IPs at the same time.

Let's say I just want to host one website with SSL. If I do

Code:

<VirtualHost 10.10.0.55:443>
        ServerAdmin webmaster@domain3.ca
        DocumentRoot /var/www/html/domain3
        ServerName domain3.ca
        SSLEngine On
        Other SSL Directives ....
        ErrorLog /var/log/httpd/domain3/error_log
        CustomLog /var/log/httpd/domain3/access_log common
</VirtualHost>

How will it work? I will need to forward port 443 to the 10.10.0.55 interface, right? Without doing that, there is no way this is going to work... is there? And that means that I can't run more than one IP-based SSL virtual host on one machine, because I can't forward 443 to two different interfaces.

Also, do I use the internal IP address or the external IP address in the <VirtualHost > tag? I only have one static public IP.

Thanks for all your help in advance :)

frieza 03-22-2010 02:44 PM

Multiple SSL certs with one public IP is a huge mess; I have had first-hand experience with this.
Why?
Because with SSL the tunnel (e.g. which cert to use) has to be established BEFORE the HTTP headers are sent (which host to use), hence by domain alone you are going to get the first virtual host that hits, and routing to a virtual IP based on domain can't happen either, because the encryption has to happen before such negotiations occur.
GnuTLS on Apache can semi-solve this with SNI (server name identification), but its compatibility with browsers is severely limited (Windows Vista or higher with IE7 or Opera) and Firefox.
And yes, you would need port forwarding, but from one separate public IP for each domain; otherwise a multi-domain or wildcard cert (for multiple subdomains of the same domain) would be necessary, unless you have more than one public IP per domain.
Otherwise you will have to use separate ports, and one of the sites will force the end user to explicitly type the port in the URL, which isn't exactly best practice.

smoker 03-22-2010 02:51 PM

Your static external IP is the one you link to SSL, so no, you can't have two virtual hosts sharing one static IP address. You could, however, have a shared SSL site which both virtual hosts use.
Can you get another static IP from your ISP?

bobby953 03-22-2010 03:10 PM

Thanks Frieza and smoker for the prompt reply. So one SSL site per public IP. Got it. I've got one question about IP-based virtual hosting (forget the SSL part in this case). I know that with name-based virtual hosting, the HTTP header is read to determine which domain the request is coming in for.

With IP-based virtual hosting, what info is the HTTP header read for? What info does Apache need from the HTTP packet? Just the IP, right? Let's say I have two IP-based virtual hosts running.
Code:

<VirtualHost 68.129.56.145:80>
        ...
</VirtualHost>

<VirtualHost 68.129.56.146:80>
        ...
</VirtualHost>

If I used internal IP addresses instead, this won't work, right?

Code:

<VirtualHost 10.10.0.54:80>
        ...
</VirtualHost>

<VirtualHost 10.10.0.55:80>
        ...
</VirtualHost>

If someone could just summarize how packets will eventually come to my interface and how Apache will determine which virtual host to read from, I'd greatly appreciate it... I read the Apache documentation, but they don't even tell you whether to use the external or internal IP...

Basically, what I want to know is: can I have multiple IP-based virtual hosts running on one public IP? Thanks a lot again.

smoker 03-22-2010 03:38 PM

Quote:

Basically what I want to know is can I have multiple ip-based virtual host running on one public ip?

Why would you want to? (even if you could)
As you say, Apache can read the headers to see which host to send requests to, so it doesn't need an IP address.
We call these name-based virtual hosts.
If it's IP based, it needs to be public IP based.
You can bind multiple IPs to one hardware device, but again, if you only have one public IP it's a waste of time and a place for problems to occur. You also need more than the usual crappy ISP-provided router to link multiple IPs to one device.

You only need public IPs for SSL and anonymous FTP. The rest can be name based with no ill effects.

Don't forget the world is running out of IPv4 addresses, so the fewer you use the better.

bobby953 03-22-2010 04:30 PM

So the real advantage of IP-based virtual hosting is to consolidate your web servers.

And for IP-based virtual hosting, the number of public IPs needs to match the number of internal IPs / physical interfaces (or we could use IP aliasing). Alright, I understand it now. Thanks a lot smoker :)
