Juggling HTTP and HTTPS content for multiple virtual hosts.
(i couldn't find similar posts 'cos my browser kept on wanting to download the php file, hmm...)
I have multiple virtual hosts with their domains all under the same IP. Recently i decided to venture into SSL. All the 4 vhosts are served through HTTP. For two of them, i want HTTPS. This poses an immediate chicken-n-egg problem as one can't have two SSL vhosts under the same ip/port. I won't bring SNI into the subject since that doesn't seem to be mature yet. I guess i'll hav'em under different ports then, which poses another problem, easier to solve i think, although not elegant. I'd have to direct requests to https://domain.com:unusualPort

Could i have the firewall - i'm using shorewall, so by fw i mean the kernel's pf - do the de/cryption? In that case from the fw to the server the requests could be already in plain text. Just a wild thought.

I've found some links on how to be your own CA and that's what i'll use since these sites aren't (very) commercial. I won't mind about the popup as most users just ignore it anyway.

One issue i stumble upon is content organization. Should i have one single site with regular http content and some other content that's only available through https? It's fairly ok if i'm only filtering with scripting+db, but throwing https into the mix kinda makes things messy if i keep using the same pages for different access levels. Or should i have the public site - login - the private site? Seems more clean. What about the files themselves, on the server, should i keep the http site under /whatever/site/ and the https content under /whatever/site/ssl/ ? Or /whatever/site_ssl/ ?

How about the transition? There'll be a login form, of course (and its handling is something i should look into better), but should it be served as http and have its action point to https or be served as https directly? Maybe the latter.

I'm mostly sure of the answers, as well as the work it'll imply after work already done. I'd like to hear some opinions though, especially from those who have experience.
I'm using X/HTML, CSS and PHP (5.2.10), maybe some XSLT (much) later. I'm running debian unstable with nginx 8.10 +FastCGI and MySQL 5.1.37. All in UTF-8. I'm not using a CMS but rather doing it almost from scratch (the login system i got elsewhere), since this is academic/hobby work and i want to learn. Any rtfm links are more than welcome. TIA, Nuno
Quote:
Apache would kind of blow, if you couldn't. Here's what I do:
NameVirtualHost *:80
But... AFAIK SSL encrypts the http header, including the Host:, so you can't know which vhost it belongs to until you decrypt - and you need the vhost's key for that.. 'sides, i'm not using apache, but thanks.
Quote:
What are you using though?
Well if it's the same certificate it makes sense :)
I'm using nginx. How do you separate public content (http) from private (https)? I.e. how's your login form like? Straight https or the action="" is https?
Quote:
As for the http/https separation: for certain <Location>'s of my site, I have a redirect like this:
RewriteCond %{HTTPS} !=on
# The condition only takes effect with a rule after it; this is the usual
# companion line, redirecting the same host and path to its https:// form.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
From what i've searched around, nginx is much faster and lighter than apache (although with correct versions and modules apache can become almost as fast as nginx), and doesn't have the memory-leak problems lighty has/had. Like i said, this is all hearsay, i haven't personally benchmarked them both, but 99% of the reviews out there praise nginx when compared to apache, as well as with others. A common approach for big sites is to have nginx as a front end load-balancer and an apache farm in the back end. For me i like the syntax of the .conf files, the extra modules it has and the very active community. For you... dunno, try it out :)
Btw, from what i've seen so far, you either use different ports for the same IP, or use SNI. The downside is that server and browser compatibility with SNI isn't all that great yet.
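An added nginx example, written for this thread and not taken from any post in it, of the layout discussed above: public pages over plain HTTP on port 80, the login form and private area served only over HTTPS on a separate port (the pre-SNI, different-ports approach), with HTTP requests for those paths redirected, which is the nginx counterpart of the Apache RewriteCond redirect quoted earlier. The domain example.com, port 8443, the document root and the certificate paths are placeholders.

```nginx
# Added example, not from any post in this thread. One domain, public pages
# over HTTP, login form and private area only over HTTPS on a separate port.
# example.com, port 8443, /whatever/site and the cert paths are placeholders.

server {
    listen 80;
    server_name example.com;
    root /whatever/site;

    # /login and /private must never be served in the clear: send the
    # browser to the HTTPS port. The trailing "?" stops nginx appending
    # the query string a second time ($request_uri already carries it).
    location ~ ^/(login|private)(/|$) {
        rewrite ^ https://$host:8443$request_uri? permanent;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }
}

server {
    listen 8443 ssl;
    server_name example.com;
    root /whatever/site;
    ssl_certificate     /etc/ssl/example.com.crt;   # own-CA cert, placeholder
    ssl_certificate_key /etc/ssl/example.com.key;   # placeholder

    # Serve the login form itself over HTTPS, not just its action target:
    # a form fetched over plain HTTP can have its action changed in transit.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Older fastcgi_params files do not set this; PHP needs it so that
        # $_SERVER['HTTPS'] is "on" and session.cookie_secure can be used.
        fastcgi_param HTTPS on;
        fastcgi_pass 127.0.0.1:9000;
    }
}
```

With the session cookie marked secure on the PHP side, a session started on the HTTPS port is never sent back over the port-80 site, which keeps the public/private split clean on the server as well as in the URLs.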
@vesperto: Not sure if you're still reading this thread (almost a month later), but here are some ideas anyway...
I haven't tested this out. Just a thought.