
Is it possible to have a single site in IIS6, with multiple domains (not subdomains) some domains using SSL? The domains with SSL using a unique IP.

I've read similar situations, but nothing exactly the same as this. But close enough to think that it might cause problems.

I've possibly seen that wildcard ssl's might help due to them not being as mapped to IP address?

Alex KeySmith
  • If any of these answers answered your question, it would be appreciated if you could mark one as accepted and upvote any others that helped you with your question. – Bernie White Feb 18 '15 at 08:32
  • Good point @BernieWhite it was a looong time ago I asked this, I'm in a different world now, but re-reading them I've marked the first response as the answer - as they've got similar content. – Alex KeySmith Feb 18 '15 at 09:30

2 Answers


No, one SSL enabled site requires one IP address. No way around it. You will see people talk about "work-arounds" using wildcard certificates, but they are confusing two different things. They are confusing a subdomain, which a wildcard certificate can be used for, with a different domain which is not what wildcard certificates will work with.

The web server needs to be able to determine which installed SSL certificate on your server to use when it receives a request that has been encrypted with SSL. In a non-SSL based site, the HTTP header contains the requested domain of the site. This is what allows you to use the host headers feature to support multiple non-SSL websites on a single IP address. Meaning, the server looks at the request, determines the requested site based on the host in the header of the HTTP request, and then passes it to the configured site.

When you have an SSL based site, the new page request comes into the web server already encrypted. Since the header of the HTTPS request is also encrypted, the webserver cannot just look at the requested domain and use the host header feature. It must use the SSL certificate bound to a specific IP address to decode the HTTPS request before it can process the header. While it might be possible for a web server to try to decode the request using all installed SSL certificates on the machine to try to implement an SSL based host header feature, this would slow down HTTPS processing considerably. Hence, the only way to do SSL is by having a single IP address per installed certificate.

dmarietta
  • Thanks dmarietta, so does this also apply to a site which has a unique IP mapped to one certificate, but also the site having a non https domain on another IP (same site)? So could you have one SSL'd domain, but the others not? – Alex KeySmith Nov 07 '12 at 16:28
  • @alex key, yes, through bindings. But still, only one cert could be used for one top-level domain, regardless. – scape Nov 07 '12 at 18:02
  • Yes, that combination would work fine. The only limitation is any sites with SSL enabled, you are effectively limited to a single SSL enabled site per IP address. You can still use host headers on additional non-SSL sites on the same IP. I say "effective" as you could use a non-standard port for SSL, but this gets confusing/alarming for many end users and in my experience, I would not recommend it for anything that is a public access site. – dmarietta Nov 16 '12 at 20:31

Yes, it is possible.

To do so you would create a binding for each host name e.g. www.site1.com www.site2.com etc…

HTTP bindings may share the same IP address if you use host headers in the binding. Alternatively you can still use one (1) IP to one (1) host name.

Each HTTPS binding must use a separate IP address, but you can assign more than one IP address to a site. This is because HTTPS is an encrypted tunnel using SSL/TLS. When the tunnel is established, it is between IP addresses because it has no way to tell the web server what host name it wants to connect to. The Host header is a feature of HTTP not TLS/SSL. After the tunnel is established it is too late to choose another binding.

For binding information also see https://serverfault.com/a/445685/94787

Also note that while IIS supports it, the web site will still need to support it, which it may not.

Bernie White
  • Thanks @Bernie White, just to confirm, will this work in IIS6? – Alex KeySmith Nov 08 '12 at 09:36
  • Yes. I think it even worked on IIS5. One of the answers here has a screen shot of it if you are not sure http://serverfault.com/questions/47165/how-to-host-multiple-domains-web-sites-on-one-iis6-server. – Bernie White Nov 08 '12 at 10:52
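
The binding rules described in the two answers above, as an added example that is not part of any post in this thread: a small checker that takes a planned binding list and reports where two certificates compete for one IP:port, or where a wildcard certificate is stretched over a different domain. The tuple layout, the function names, and the sample IPs and certificate names are assumptions made for the illustration; it models the rule as stated in the answers, not IIS itself.

```python
# Added illustration, not code from the thread. Host names, IP addresses and
# certificate names are constructed samples.
from collections import defaultdict

def cert_covers(cert_name, host):
    """True if a certificate name (optionally '*.domain') covers host."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        # A wildcard stands for one left-most label of the SAME domain.
        label, _, parent = host.partition(".")
        return bool(label) and parent == cert_name[2:]
    return cert_name == host

def check_bindings(bindings):
    """bindings: (scheme, ip, port, host, cert_name or None) tuples.
    Returns a sorted list of problems under the one-certificate-per-IP:port rule."""
    problems, http_seen = [], set()
    https = defaultdict(list)
    for scheme, ip, port, host, cert in bindings:
        if scheme == "http":
            # The Host header is readable, so only ip+port+host must be unique.
            key = (ip, port, host.lower())
            if key in http_seen:
                problems.append(f"{ip}:{port} duplicate HTTP host {host}")
            http_seen.add(key)
        else:
            # The certificate is picked before any HTTP header can be read.
            https[(ip, port)].append((host, cert))
    for (ip, port), entries in https.items():
        certs = {cert for _, cert in entries}
        if len(certs) > 1:
            problems.append(f"{ip}:{port} needs {len(certs)} certificates, only one can be served")
        for host, cert in entries:
            if not cert_covers(cert, host):
                problems.append(f"{ip}:{port} {host} not covered by {cert}")
    return sorted(problems)

SAMPLE = [  # constructed plan: one site, several domains, some with SSL
    ("http",  "192.0.2.10", 80,  "www.site1.com",  None),
    ("http",  "192.0.2.10", 80,  "www.site2.com",  None),
    ("https", "192.0.2.11", 443, "www.site1.com",  "*.site1.com"),
    ("https", "192.0.2.11", 443, "shop.site1.com", "*.site1.com"),
    ("https", "192.0.2.11", 443, "www.site2.com",  "*.site1.com"),
    ("https", "192.0.2.12", 443, "www.site3.com",  "www.site3.com"),
    ("https", "192.0.2.12", 443, "www.site4.com",  "www.site4.com"),
]

if __name__ == "__main__":
    for problem in check_bindings(SAMPLE):
        print(problem)
```

The two HTTP host headers on 192.0.2.10 pass, the wildcard on 192.0.2.11 is accepted for both `site1.com` subdomains but flagged for `www.site2.com`, and 192.0.2.12 is flagged because two certificates are planned for one IP:port.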