0

While my post may look similar to others, it concerns shared accounts at a web hosting provider all utilizing the same IP address (rather than different IP addresses). Here comes what I would like to ask:

My web hosting provider offers:

The provider offers (in increasing order from less costly to more costly):

1. Shared account (including ssh access to a Linux file/web server)
2. Shared account with dedicated IP address.
3. Virtual Private Server (shared resource which acts like a dedicated server)
4. Dedicated server (this is an entire computer reserved for one person)

Question A:

I don't understand how option 1. works. I always thought that a domain name ought to have a unique IP assigned to it, but with option 1 we can have several users on the same host, with each user having one or more domain names, and with each domain name serving a separate website. I thought, if different domain names have the same IP, then they must all serve the same website. Somehow it seems Apache can be configured to pair each domain name with a user-specific sub directory, which I guess is how it's done in practice, but I still don't understand how it works. Can someone please illustrate the underlying protocol, from when the URL is typed in a web browser to when the web page is returned to the web browser (without incurring any browser redirections)? Thanks.

Question B:

I am trying to figure out what I need to be able to use HTTPS to access my site (which is option 1. as described above). I found the following post confirming that to use SSL certificates it is necessary to have a dedicated IP address:

One IP for multiple SSL sites?

But I am confused. When I access my site through https://mysite.com/ I have no SSL certificate installed, but however, I am redirected to https://mysite.com/~jsonderson , and my provider is not telling me how come the server needs to be configured in this way, saying that I need to purchase a dedicated IP and SSL certificate.

Nevertheless, I would like to emphasize that I am being able to use HTTPS without a dedicated IP on my hosting provider,(although there is a redirection happening, which I do not want). This seems to contradict the contents of the above post, which seem to imply you need to have a dedicated IP address to use HTTPS.

Thanks for the clarifications, I really need them.

  • Is `https://mysite.com/~jsonderson` serving HTTPS with or without a certificate warning? – ceejayoz Oct 16 '13 at 16:04
  • When I access the site with Mozilla Firefox and click on the lock key next to the URL I see the message "You are connected to mysite.com which is run by (unknown) You have added a security exception for this site. Your connection to this website is encrypted to prevent eavesdropping.". In fact I think I remember adding the security exception to my web browser manually when I visited the site for the first time. – John Sonderson Oct 16 '13 at 16:16
  • Then when I click on the "More information..." button I can see that under the Security (default) tab I can see in the "Website Identity" group box I can find the information "Website: http://mysite.com/" "Owner: This website does not provide ownership information." and "Verified by: Comodo CA Limited". Then under the "General" tab the address is "http://mysite.com/~jsonderson". – John Sonderson Oct 16 '13 at 16:16
  • It'd be easier to help you if you provided us with the actual domain. – ceejayoz Oct 16 '13 at 16:17
  • Then when I click on "View Certificate" I can see under "Issued To" the following: "Common Name (CN) *.bluehost.com", under "Issued By" I can see "Common Name (CN) PositiveSSL CA" "Organization (O) Comodo CA Limited", Issued On 13/01/2010 Expires On 19/02/2020. Bluehost.com is the name of my provider. – John Sonderson Oct 16 '13 at 16:19
  • When I access the website in chrome with https, the https part appears crossed out and the lock icon also has a cross over it in red. (The connection is encrypted but the server certificate does not match the URL). – John Sonderson Oct 16 '13 at 16:22
  • That fits entirely with how SSL works, then. There's an SSL certificate for the IP your site's hosted at, but it's not **your** SSL. Because of how SSL works, the server will serve the same site to all HTTPS requests for an IP regardless of domain name (as domain name is encrypted in the HTTP request). – ceejayoz Oct 16 '13 at 16:26

1 Answers1

2

A) This is called virtual hosts, and is based on the Host header the browser sends.

B) The server likely has a default SSL for its main IP, possibly self-signed. You should be seeing a certificate error, but it's entirely possible for them to have it work that way. You need a dedicated IP for each certificate.

edit: Now that you've mentioned BlueHost, this is indeed something they put in place for you.

https://my.bluehost.com/cgi/help/126

ceejayoz
  • 32,469
  • 7
  • 81
  • 105
  • As to A: You're right! Now I remember, since HTTP/1.1 the Host HTTP header is mandatory, so besides when the browser connects to Apache via the IP address it also sends this piece of information, which allows Apache to route the request to a specific location on the file server. Together with the contents of the GET or POST http method found in the body of the HTTP message, this allows the web server to retrieve the requested information from the right place. – John Sonderson Oct 16 '13 at 16:30
  • Yes. Virtually every client since the early 1990s has sent the `Host` header. – ceejayoz Oct 16 '13 at 16:31
  • As to B: Yes, as displayed above, the server's default SSL certificate is a 10-year certificate issued by Comodo CA Limited (hence not self signed). However the domain to which the certificate is issued is the provider's domain which differs from my own, hence the "This Connection is Untrusted... etc... ... I understand the risks" page in Firefox. – John Sonderson Oct 16 '13 at 16:33
  • What has become clear to me is that an SSL certificate is not required for encryption, hence https should work everywhere (so long as the web server supports the protocol on port 443 (or 8080 or whatever)). The only problem is that without the certificate you cannot confirm you are really talking to the domain you typed in the URL. – John Sonderson Oct 16 '13 at 16:36
  • Which leaves me with only one question, which is: why is my hosting privider redirecting my https://mysite.com/ requests to https://mysite.com/~jsonderson ??? Purchasing a dedicated IP and SSL certificate should not be necessary to fix this. This is perhaps a difficult question to answer, but why is my web service provider doing this? After all plain HTTP requests to mysite.com are not being redirected. – John Sonderson Oct 16 '13 at 16:38
  • They probably have a default config for HTTPS that at least sends them to your site if someone inadvertently tries accessing it that way. There's nothing really to fix, just don't go around telling people to hit your site on HTTPS. If you want more control, pay for the IP or move to a dedicated/VPS host. – ceejayoz Oct 16 '13 at 16:49
  • Yep, they do. https://my.bluehost.com/cgi/help/126 – ceejayoz Oct 16 '13 at 16:50
  • Yes, they have a default SSL certificate in place. But why are they redirecting https://mysite.com/ to https://mysite.com/~jsonderson when http://mysite.com/ is not redirected to http://mysite.com/~jsonderson . It's nice to have the default BlueHost SSL certificate in place, but the redirection makes no sense to me and is driving me nuts. Would like to get rid of the redirection. Anyways thanks for the link. I will have to purchase an IP and upload my own certificate. – John Sonderson Oct 16 '13 at 17:28
  • Again, because **that's how SSL works**. The domain name is part of the encrypted package, so the server doesn't know *which* domain name to use, so it uses the default. If you want to get rid of it, **you'll have to ask BlueHost** - and I doubt it's possible. – ceejayoz Oct 16 '13 at 17:31