I’m trying to host my handful of web sites on Amazon, but in EC2 machines there’s support for only one IP (private and public) and, as you know, SSL/TLS encryption let you have only one domain name per IP address: this is a heavy limit (with a reason), but it’s unacceptable for some reasons (public IP addresses scarcity, cost and management overhead).
Besides other solutions (multi-domain certs for example), I would like to go for the most reasonable way: virtual hosted SSL/TLS web sites, exactly the same way we all use today for non-encrypted web sites. I use Apache and for it there are a couple of solutions in the works that implement SNI or Server Name Indication: an extension to TLS protocol that “… permits the client to request the domain name, before the certificate is committed to by the server“. The support in browsers can be also a problem, but every recent browser supports it (with the exception of IE 6 and 7, apart from Vista); try your browser here.
The solutions I found involve are three (I don’t exclude there are other ones):
- mod_ssl: the standard Apache SSL/TLS modules, which in turn is based on OpenSSL
- mod_gnutls: uses the GnuTLS library and not OpenSSL
- using a SNI-aware web server (like lighttpd or nginx) as frontend/proxy, but this can generate some administrative overhead because I don’t know them at all.
OpenSSL is in fact part of the problem: the support for SNI was introduced in v. 0.9.8f (October 2007) as a TLS extension and fixed in a later version, but these are enabled by default only in 0.9.8j (January 2009). There also no official support yet in mod_ssl for Apache 2.2 (apart from some code and patches for the current and development Apache versions, see here and here).
I finally decided to try the mod_gnutls module way: because of some dependencies on my Centos 5.2 test environment (libgcrypt and GnuTLS itself) it took me some time, but now I have a working SNI web server with how many secure web sites I want (and user’s browsers permit) with only one IP address.
BTW, if you need to generate self-signed certificates, look here.
Update: I used nginx without too much worries, compiled latest version with this command and substituded the official Centos 5.2 version after installing it (don’t do it!), and used it as a proxy in front of apache:
./configure --prefix=/usr --sbin-path=/usr/sbin/nginx \ --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log \ --pid-path=/var/run/nginx.pid --lock-path=/var/lock/subsys/nginx \ --user=nginx --group=nginx --with-http_ssl_module --with-http_flv_module \ --with-http_gzip_static_module --http-log-path=/var/log/nginx/access.log \ --http-client-body-temp-path=/var/lib/nginx/tmp/client_body/ \ --http-proxy-temp-path=/var/lib/nginx/tmp/proxy/ \ --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi/ \ --with-openssl=../openssl-0.9.8k/