
Background

We have a number of web servers serving services and pages behind a single IP address, and we want to use SSL to secure the connection from the clients to those servers.

We access the web servers from the outside using subdomains and a reverse proxy (IIS 7) that listens for the traffic and routes it accordingly. E.g. client1.customers.example.com goes to one web server and client2.customers.example.com goes to another web server.

What we need

My question is: how do I access those resources from the outside using SSL? Do I need to put a wildcard certificate on the reverse proxy itself that is signed for *.customers.example.com (and what are the downsides of using a wildcard certificate?), or should I use a different certificate for each domain? Or maybe something completely different?

Additional points:

  1. We don't care that the connection within our network (between the reverse proxy and the web servers themselves) won't be under SSL.
  2. I currently have around 4 subdomains (clients 1 through 4); this number shouldn't grow dramatically, but I do want to have some kind of scalability.
  3. I need to have the middle subdomain (customers.example.com) because example.com goes to a different IP (not the one that has the reverse proxy listening).

Trying to get this SSL thingy once and for all :)

EDIT: There's no other option except for SNI and a "wildcard certificate". I'm now looking for ways to make the reverse proxy on IIS 7.5 work with an SSL/TLS SNI certificate.

Related questions I've found:

  1. Securing Two Sub domains on IIS7.5 with SSL on port 443
  2. Multiple SSL domains on the same IP address and same port?
  3. Using several SSL certificates on same IP with IIS 7

SOLVED using a wildcard certificate for subdomains under my domain and an ARR extension on my IIS 7.5 server.

Uri May
  • possible duplicate of [Multiple SSL domains on the same IP address and same port?](http://serverfault.com/questions/109800/multiple-ssl-domains-on-the-same-ip-address-and-same-port) – Shane Madden Sep 12 '12 at 06:27
  • @ShaneMadden thanks for the link, I guess that question has most of the answers I needed except for how to work with SNI in an IIS environment and a reverse proxy – Uri May Sep 12 '12 at 07:43
  • @UriMay You can't. As I noted in [my answer](http://serverfault.com/a/417580/126632) to that question, SNI support on IIS requires IIS 8. Microsoft was _very_ late to the party, again. – Michael Hampton Sep 12 '12 at 07:45
  • @MichaelHampton can I use IIS 7.5 URL Rewrite to rewrite the URL to regular http and with the correct internal address after the reverse proxy has terminated the SSL session? – Uri May Sep 12 '12 at 08:28
  • No. You must have IIS 8 or another server which supports SNI. Again, see the answer I already posted. – Michael Hampton Sep 12 '12 at 08:32
  • @MichaelHampton commercial software vendors are late to the party whenever marketing believes they would get away with it. No reason to create a superb and innovative product if you could sell a mediocre one for the same amount of money as well - preferably repeatedly. – the-wabbit Sep 12 '12 at 09:18
  • @UriMay If your reverse proxy is terminating SSL, then it's the system that would need SNI support. What software does it run? – Shane Madden Sep 12 '12 at 17:45
  • @ShaneMadden I ended up using a wildcard certificate for the subdomains under my domain and an IIS server running ARR and URL Rewrite to make sure the requests get to the right internal server. Oh and the proxy is terminating the SSL. Thanks everyone for replying. – Uri May Sep 29 '12 at 17:15
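
As an added, illustrative example (not the poster's actual configuration), here is a URL Rewrite / ARR `web.config` for the proxy site that does the host-based routing described in the question and in the closing comment: TLS is terminated on the proxy by the one wildcard certificate bound on port 443, and a rewrite map sends each customer host to its internal server over plain HTTP. The internal addresses and the map entries are assumptions. Two caveats worth keeping in mind: a certificate for `*.customers.example.com` covers exactly one label, so it does not match `customers.example.com` itself or a name like `a.client1.customers.example.com`; and because routing is keyed on the Host header while the wildcard certificate will complete a handshake for any name under it, hosts that are not in the map should be rejected explicitly rather than falling through to some default site.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  web.config for the IIS 7.5 reverse-proxy site (added example, not the poster's file).
  Assumed prerequisites:
    - URL Rewrite and Application Request Routing (ARR) installed;
    - ARR "Enable proxy" switched on at the server level
      (IIS Manager > server node > Application Request Routing Cache > Server Proxy Settings);
    - the wildcard certificate for *.customers.example.com bound to this site's https binding on :443.
  Internal backend addresses 10.0.0.11 - 10.0.0.14 are placeholders.
-->
<configuration>
  <system.webServer>
    <rewrite>
      <rewriteMaps>
        <!-- Host header -> internal server. Adding a customer means adding one line here. -->
        <rewriteMap name="CustomerBackends">
          <add key="client1.customers.example.com" value="10.0.0.11" />
          <add key="client2.customers.example.com" value="10.0.0.12" />
          <add key="client3.customers.example.com" value="10.0.0.13" />
          <add key="client4.customers.example.com" value="10.0.0.14" />
        </rewriteMap>
      </rewriteMaps>
      <rules>
        <!-- 1. Anything that arrives on port 80 is sent back to https on the same host and path. -->
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:0}" redirectType="Permanent" />
        </rule>

        <!-- 2. Known customer host: look the Host header up in the map and proxy the request
                (path preserved via {R:0}) to that backend over plain HTTP. {C:1} is the
                backend address captured by the condition. -->
        <rule name="Proxy customer host to backend" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{CustomerBackends:{HTTP_HOST}}" pattern="(.+)" />
          </conditions>
          <action type="Rewrite" url="http://{C:1}/{R:0}" />
        </rule>

        <!-- 3. Any other name under the wildcard completes the TLS handshake but is not ours:
                refuse it instead of serving a default site. -->
        <rule name="Reject unknown host" stopProcessing="true">
          <match url=".*" />
          <action type="CustomResponse" statusCode="404" statusReason="Not Found"
                  statusDescription="Unknown host" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

ARR adds an `X-Forwarded-For` header to the proxied request by default; since the backends only ever see plain HTTP, any "require HTTPS" logic in the applications has to trust the proxy rather than inspect the scheme of its own connection, and the backends should only accept traffic from the proxy's internal address so they cannot be reached over plain HTTP from anywhere else.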
