Apache: Multiple SSL websites on a single IP address
Update: This is a new update from a cPanel Tech
“There is nothing to enable. As long as you are using cPanel & WHM version 11.38 on CentOS, RHEL, or CloudLinux version 6 or newer, SNI works out of the box”.
One of the frustrating limitations in supporting secure websites has been the inability to share IP addresses among SSL websites.
When website administrators and IT personnel are restricted to use a single SSL Certificate per socket (combination of IP Address and socket) it can cost a lot of money. Well we can actually share IP addresses for multiple secure websites. Solving this limitation required an extension to the Transport Layer Security (TLS) protocol that includes the addition of what hostname a client is connecting to when a handshake is initiated with a web server. The name of the extension is Server Name Indication (SNI). SNI is supported in Apache v2.2.12 , and OpenSSL v0.9.8j or later.
With SNI, you can have many virtual hosts sharing the same IP address and port, and each one can have its own unique certificate
Prerequisites to use SNI
Use OpenSSL 0.9.8f or later
Build OpenSSL with the TLS Extensions option enabled (option enable-tlsext; OpenSSL 0.9.8k and later has this enabled by default).
Apache must have been built with that OpenSSL (./configure –with-ssl=/path/to/your/openssl). In that case, mod_ssl will automatically detect the availability of the TLS extensions and support SNI.
Apache must use that OpenSSL at run-time, which might require setting LD_LIBRARY_PATH or equivalent to point to that OpenSSL, maybe in bin/envvars. (You’ll get unresolved symbol errors at Apache startup if Apache was built with SNI but isn’t finding the right openssl libraries at run-time.)
Setting up SNI with Apache
The configuration is pretty simple and straight forward, though I recommend making a backup of your existing httpd.conf file before proceeding.
# Ensure that Apache listens on port 443 Listen 443 # Listen for virtual host requests on all IP addresses NameVirtualHost *:443 # Go ahead and accept connections for these vhosts # from non-SNI clients SSLStrictSNIVHostCheck off # Because this virtual host is defined first, it will # be used as the default if the hostname is not received # in the SSL handshake, e.g. if the browser doesn't support # SNI. DocumentRoot /www/example2 ServerName www.linuxwebhostingsupport.in # Other directives here SSLEngine On SSLCertificateFile /path/to/linuxwebhostingsupport.in.crt SSLCertificateKeyFile /path/to/linuxwebhostingsupport.in.key SSLCertificateChainFile /path/to/CA.crt DocumentRoot /www/example2 ServerName www.abdulwahabmp.co.in # Other directives here SSLEngine On SSLCertificateFile /path/to/abdulwahabmp.co.in.crt SSLCertificateKeyFile /path/to/abdulwahabmp.co.in.key SSLCertificateChainFile /path/to/CA.crt
That it!!!. Just restart APache service. Now go and check your Websites using https. That should be working.
Plesk support SNI from 10.2.x version onwards.
SNI will work on following Operating systems out of box
OpenSuSE Linux 11.3 or later.
Ubuntu Linux 10.4 or later.
Debian Linux 6.0 or later.
RedHat Linux 6.0 or later.
CentOS Linux 60.0 or later
Supported Desktop Browsers
Internet Explorer 7 and later
Firefox 2 and later
Opera 8 with TLS 1.1 enabled
Supported on Windows XP on Chrome 6 and later
Supported on Vista and later by default
OS X 10.5.7 in Chrome Version 5.0.342.0 and later
Chromium 11.0.696.28 and later
Safari 2.1 and later (requires OS X 10.5.6 and later or Windows Vista and later).
Note: No versions of Internet Explorer on Windows XP support SNI