[Gllug] Couple of questions about HTTPS

Tethys tet at createservices.com
Thu Nov 18 12:32:09 UTC 2004


Richard Jones writes:

>(1) The easiest way for us to deploy it is to have the images sent
>over SSL.  The reason is that the <img> links are all site-relative
>(/image/foo.gif instead of http://example.com/image/foo.gif), and
>changing it to work any other way is a pain.  Is this going to be a
>problem, load-wise?  Does anyone have any experience on how this
>scales?

No problem whatsoever. We handle 5 million HTTPS hits per day, and
the only thing that causes the web servers to even break into a sweat
is tomcat. Our httpd processes have negligible impact.

>(2) We need to get a certificate, and last time I looked into this,
>one needed to get a separate certificate for each and every site,
>_and_ run them all on separate IP addresses.  Running the sites on
>separate IP addresses isn't an option for us.

You can't run them on the same IP address. Name based virtual hosting
and SSL are incompatible. One of the Apache guys was looking at a
clever solution to this where the first part of the header was sent
over HTTP, and then once the correct virtual host was ascertained,
the transaction would switch mid-stream to HTTPS. That was a while
back, though, and I haven't heard of it making it through into a
production ready state.

>Paying lots of money for a certificate for each site also isn't an
>option. Can we run them on the same IP address and either share a
>certificate or get very cheap / free certificates?

Simple answer: no. Certificates simply exist to assure the end user
that the site to which they're sending their data is the one it
claims to be. That means the site name in DNS has to match the site
name on the certificate, hence you need one per site.

You can, as others have mentioned, self sign your certificate. That
will trigger a warning in the browser, but that may be acceptable,
depending on the site. If you control the client machine, you can
install your own certificate into the browser, so that it recognises
the self signed cert and doesn't issue the warning. Obviously this
won't work for publicly accessible sites like http://merjis.com

If you want cheap certificates, then try http://freessl.com, which
contrary to the name, no longer issues free certificates. For a single
machine, you can get a cert for US$29, though, which undercuts Verisign
by quite a considerable margin.

Tet
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
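The rule Tet gives, that the site name in DNS has to match the name on the certificate, is exactly the check a browser performs before it trusts an HTTPS site. As an added example (not code from the post or the list), here is that check written out; the certificates are constructed in the dict shape Python's ssl.SSLSocket.getpeercert() returns, and the wildcard rules are the ones browsers apply.

```python
"""Browser-style check that a certificate's DNS names cover the requested host.
Added example, not code from the original post; the certificates below are
constructed in the dict shape Python's ssl.SSLSocket.getpeercert() returns."""


def names_from_peercert(cert: dict) -> list:
    """DNS names the certificate asserts: SAN dNSNames, else the Subject CN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against a hostname.
    A wildcard is honoured only as the whole left-most label and matches exactly
    one label: "*.example.com" covers "www.example.com" but not "example.com"
    or "a.b.example.com"; names as short as "*.com" are refused outright."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]


def cert_matches_host(cert: dict, host: str) -> bool:
    """True when any name the certificate carries matches the host."""
    return any(name_matches(n, host) for n in names_from_peercert(cert))


# Constructed certificates in getpeercert() shape.
EXAMPLE_COM_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}
WILDCARD_CERT = {"subject": ((("commonName", "*.example.com"),),)}

if __name__ == "__main__":
    for cert, host in [
        (EXAMPLE_COM_CERT, "www.example.com"),
        (EXAMPLE_COM_CERT, "merjis.com"),  # a different site: needs its own cert
        (WILDCARD_CERT, "images.example.com"),
        (WILDCARD_CERT, "example.com"),
    ]:
        print(host, "->", "OK" if cert_matches_host(cert, host) else "MISMATCH")
```

The second case is the one the post is about: a certificate issued for one site name cannot be presented for another, which is why a separate site needs its own certificate.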