Apache2/SSL and Name Based Virtual Hosts

Historically, if you wanted to host multiple SSL enabled Web sites, you had to have a globally unique IP address for each site. With the advent of SNI, however, this is no longer necessary. This article will explain how to enable SNI. It is assumed that you have some working knowledge about Apache 2.

What is SNI?
SNI is a three letter acronym that stands for Server Name Indication. Previously, when a browser connected to an SSL enabled site, it only transmitted which encryption mechanisms it was capable of handling. With SNI, the browser transmits not only which encryption mechanisms it supports, but also which site it is trying to connect to, so the server can pick the matching certificate before the handshake completes.

Supported Browsers
SNI has only recently gained support in browsers. The browsers that have been confirmed to support SNI are:
 * Opera 8.0+
 * Firefox 2+
 * Internet Explorer 7+
 * Safari 3.2.1+
 * Chrome (NOT Chromium) ((Chromium 11.0.696.28 seems to do sni fine -mt))

Use mod_gnutls or mod_ssl?
There is a separate Apache module called mod_gnutls that supports SNI on an unpatched Apache as part of its SSL implementation. However, the default SSL module, mod_ssl, that ships with Apache 2.2.8 includes support for SNI, so mod_gnutls is not required.

It's a matter of personal choice when it comes to which module to use. As of this writing, mod_gnutls is new and, therefore, considered an unproven method of enabling SSL while mod_ssl is considered a proven method. Furthermore, mod_gnutls has a different syntax for specifying SSL parameters than mod_ssl.

For further information on mod_gnutls, visit the OutOfOrder.cc project page.

Enabling SSL
Before you install Apache, check that the SSL USE flag is set.

Then proceed with the installation.

Once Apache has been installed, the start up script configuration file needs to be edited to enable virtual hosts and SSL by adding -D DEFAULT_VHOST -D SSL -D SSL_DEFAULT_VHOST on the APACHE2_OPTS line. If you prefer to activate the GNUTLS module, use -D DEFAULT_VHOST -D GNUTLS -D GNUTLS_DEFAULT_VHOST instead. SSL and GNUTLS are mutually exclusive modules; you may only run one or the other.

Obtaining SSL Certificates
There are several options to obtain SSL Certificates for the Web server. For simple testing purposes, OpenSSL is capable of creating certificates. For production servers, however, a certificate from a reputable authority, such as Thawte or VeriSign, is required to prevent users from seeing a warning about untrustworthy certificates. There are two popular organizations that provide free (as in beer) SSL Certificates: CAcert.org and StartCom's StartSSL. However, no mainstream browser recognizes CAcert as a trusted certificate authority, the result being that many users will see the same warning as if you signed the certificate yourself.

As of September 24, 2009, StartSSL is recognized by all major browsers as a reputable certificate authority.

Configuring Name Based SSL Virtual Hosts
Defining name based SSL virtual hosts is similar to defining standard name based virtual hosts; the only differences are the port number and the certificate files. Two sample configurations are included here to help get you started.

All the options that are normally used for an SSL enabled site may also be used for a name based SSL virtual host. To avoid users seeing warnings, each site should have its own certificate and key file, so that the certificate presented matches the name the browser asked for. For more information on available configuration options, visit Apache's Web site for mod_ssl, and/or OutOfOrder.cc for mod_gnutls.
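As an added illustration (not one of the page's own sample configurations), here is a minimal mod_ssl setup for two name-based SSL virtual hosts on one IP address. The hostnames, DocumentRoot paths and certificate file locations are assumptions; substitute your own.

```apache
# Added example: two name-based SSL virtual hosts with mod_ssl (Apache 2.2).
# Hostnames, DocumentRoots and certificate paths are placeholders.

# Once per server; omit if your existing configuration already has them.
Listen 443
NameVirtualHost *:443

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example.com/htdocs

    SSLEngine on
    # Each site gets its own certificate and key so the certificate
    # presented matches the name the browser sent via SNI.
    SSLCertificateFile    /etc/ssl/apache2/example.com.crt
    SSLCertificateKeyFile /etc/ssl/apache2/example.com.key

    # Browsers without SNI cannot be matched to a name-based vhost. With this
    # on, mod_ssl answers them with 403 Forbidden instead of silently serving
    # this first vhost's certificate (which would trigger a name-mismatch
    # warning for the other sites). Available from Apache 2.2.12.
    SSLStrictSNIVHostCheck on
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /var/www/example.org/htdocs

    SSLEngine on
    SSLCertificateFile    /etc/ssl/apache2/example.org.crt
    SSLCertificateKeyFile /etc/ssl/apache2/example.org.key
</VirtualHost>
```

After restarting Apache, confirm each name is served its own certificate with `openssl s_client -connect www.example.org:443 -servername www.example.org` and check the subject of the certificate returned.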

Starting Apache
Now, start or restart the Apache Server.

Or:

And remember, if you want to have Apache start at boot time, run:

Books

 * Apache: The Definitive Guide by Ben Laurie & Peter Laurie, published by O'Reilly Media, Inc.
 * What's New in Apache Web Server 2.2? by Rich Bowen, published by O'Reilly Media, Inc.