[Gllug] Couple of questions about HTTPS

Ian Norton bredroll at darkspace.org.uk
Wed Nov 17 20:26:19 UTC 2004


Richard Jones wrote:

>... for all you experienced web technicians out there.
>  
>
I wouldn't call myself that really :-)

>(1) The easiest way for us to deploy it is to have the images sent
>over SSL.  The reason is that the <img> links are all site-relative
>(/image/foo.gif instead of http://example.com/image/foo.gif), and
>changing it to work any other way is a pain.  Is this going to be a
>problem, load-wise?  Does anyone have any experience on how this
>scales?
>  
>
Encryption, as opposed to compression, is not really tied to the content 
of the message; SSL is not truly sensitive to the content. Other than 
taking longer to encrypt large images, browser caching should help ease 
this.

>(2) We need to get a certificate, and last time I looked into this,
>one needed to get a separate certificate for each and every site,
>_and_ run them all on separate IP addresses.  
>
As far as I am aware, Apache SSL requires you to use 1 IP per SSL site, as 
it does not support HTTP/1.1 and the 'host' directive used where you do 
virtual hosting. If you are at a hosting company, IP addresses tend to 
be fairly cheap anyway; if memory serves, not more than a tenner for 5 or 
so each year.

>Running the sites on
>separate IP addresses isn't an option for us.  Paying lots of money
>for a certificate for each site also isn't an option.  Can we run them
>on the same IP address and either share a certificate or get very cheap
>/ free certificates?  The site names aren't related to each other -
>for example although we run lots of *.team-notepad.com and
>*.merjis.com sites, we also host intranets for companies as
>"intranet.company.com" and a ton of other random domains.
>
>  
>
You can become your own signing authority and sign your user sites from 
that authority. Most people won't notice or care that much really; as 
long as you remain consistent and present clear information about your 
certs when people go to log in, you won't have that much trouble. That 
said, getting signed won't do you much harm; make sure you have 
everything all working perfectly before you do, though.

Ian
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
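
An added example, not part of the original message: a sketch of the private signing authority approach mentioned in the reply, using the openssl command line. The host names, file layout and function names are constructed for illustration. Clients accept such certificates only once the CA certificate has been imported as trusted, which the last function checks.

```shell
#!/bin/sh
# Added example: one private CA signing certificates for unrelated host names.
# Every name below is a constructed placeholder.

make_ca() {   # $1 = working directory; writes ca.cnf, ca.key, ca.crt
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example Hosting/CN=Example Hosting Private CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

sign_site() {   # $1 = working directory, $2 = host name to certify
    # Key and CSR for the site, then a certificate issued by the CA.
    openssl req -config "$1/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/$2.ext" &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 90 -sha256 -extfile "$1/$2.ext" \
        -out "$1/$2.crt" 2>/dev/null
}

trusts() {   # $1 = CA certificate the client trusts, $2 = site certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: two unrelated names, both issued by the same private CA.
dir=$(mktemp -d)
make_ca "$dir"
for host in www.team-notepad.example intranet.company.example; do
    sign_site "$dir" "$host" && trusts "$dir/ca.crt" "$dir/$host.crt" &&
        echo "$host: verifies against the private CA"
done
rm -rf "$dir"
```
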



