Multiple SSL sites, single Domino server
For Show-n-Tell Thursday.

OK. It's Friday. Sue me.

Here's a question that often pops up over at dW - how to run multiple SSL web sites on a single Domino server (recent example).

Well, it's actually pretty easy once you know these facts:
  1. SSL sites must have a unique IP address.

    That is, https://site1.example.com cannot share an IP address with https://site2.example.co.uk.

    This is a limitation of SSL itself, not Domino.

  2. It is very easy to create multiple IP addresses on a single physical server with a single physical NIC.

The instructions below relate to a Windows server but similar results are possible on any host OS supported by Domino.

Assumptions

  • You have a static allocation of several IP addresses and have sufficient addresses to spare to allocate one per SSL site.

  • You are using firewall NAT.

  • You will be creating three separate SSL secured sites on public IP addresses 240.1.1.1, 240.1.1.2 and 240.1.1.3.

Host OS (W2K here but W2K3 similar)

Edit the properties of the network adapter in the host OS.

[Screenshot: NIC]

Edit the properties of "Internet Protocol (TCP/IP)".

[Screenshot: TCP/IP]

Here, name servers may be your ISP's name servers or your own if you have them. All IP addresses on this NIC will use the same name servers.

Click "Advanced".

[Screenshot: Advanced properties]

This is where you add IP addresses. Click "Add" in the "IP addresses" box.

[Screenshot: Add an IP address]

Repeat this as many times as you need. You should now see something like this at the "Advanced TCP/IP Settings" dialog.

[Screenshot: Advanced properties]

Save these settings. Running ipconfig at the OS command line will confirm that the host OS now sees all of the IP addresses.

If using NAT (clearly we are in this case), you will also need to configure your firewall to forward a unique public IP address to each of these IP addresses on the Domino host OS: 240.1.1.1 --> 10.44.55.10 and so on.

Now you're ready to use these on the Domino server.

Set up DNS pointing

For site1.example.com on 240.1.1.1 you will need a host A record in public DNS pointing site1.example.com to 240.1.1.1 and a PTR record pointing 240.1.1.1 to site1.example.com.

Repeat this for sites 2 and 3.

SSL certificates

I won't go through that again here. The process is the same as outlined last week for SMTP TLS.

Domino Config

You probably want Domino to keep using the same IP address as it always has used and to reserve the new IP addresses purely for your secure sites. Do this by adding additional TCPIP ports in notes.ini, one per new address, and listing them as disabled so that only the Internet Site documents make use of them.

Sample notes.ini settings

; Existing TCPIP port
TCPIP=TCP, 0, 15, 0
TCPIP_TCPIPAddress=0,10.44.55.10
;
; New TCPIP ports, one per additional IP address
TCPIP2=TCP,0,15,0
TCPIP2_TCPIPAddress=0,10.44.55.20
TCPIP3=TCP,0,15,0
TCPIP3_TCPIPAddress=0,10.44.50.30
;
; Disable the additional ports. Add any other enabled ports to Ports=
; and any other disabled ports to DisabledPorts= (comma separated);
; notes.ini values must not be followed by a trailing comment.
Ports=TCPIP
DisabledPorts=TCPIP2,TCPIP3
;
; Which port should SMTP bind to (if using SMTP on the same server)?
; You probably don't want SMTP listening on all of those new ports.
SMTPNotesPort=TCPIP

Internet Site Document

[Screenshot: Internet Site doc]

Notes on Internet sites:

  • Never make an SSL site the default web site.
  • In Host names or addresses... list
    1. the fully qualified host name of the secure site (site1.example.com)
    2. the local IP on which that site is available (10.44.55.10)
    3. the public IP of the site (not strictly necessary, but a useful reminder)

Repeat this for every site.

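The procedure above ties four things together per secure site: a local IP bound by a TCPIP port in notes.ini, a NAT rule from a public IP to that local IP, a public A record plus its PTR, and an Internet Site document listing the host name and the IPs. Below is an added consistency checker for that layout (example code, not part of this post and not anything Domino ships). It parses the post's sample notes.ini and checks a constructed model of the DNS records, the NAT table and the Internet Site documents; only site1 and the addresses quoted in the post are taken from the text, the other host names and the dictionary layout of the site documents are assumptions made for the example.

```python
"""Consistency check for the multi-IP SSL layout described in this post.

Added example, not part of the original post or of Domino. It parses the
post's sample notes.ini, then checks a constructed model of the public DNS
records, the firewall NAT table and the Internet Site documents for the
mistakes this layout is prone to: an SSL site listing no IP that a TCPIP
port binds, two SSL sites sharing one local IP, an SSL site marked as the
default site, a missing A record or a PTR that does not point back, and a
NAT rule forwarding the site's public IP to some other local address.
"""
import re
from collections import defaultdict

# The post's notes.ini port settings (comment lines omitted).
NOTES_INI = """\
TCPIP=TCP, 0, 15, 0
TCPIP_TCPIPAddress=0,10.44.55.10
TCPIP2=TCP,0,15,0
TCPIP2_TCPIPAddress=0,10.44.55.20
TCPIP3=TCP,0,15,0
TCPIP3_TCPIPAddress=0,10.44.50.30
Ports=TCPIP
DisabledPorts=TCPIP2,TCPIP3
"""

# Constructed DNS, NAT and Internet Site data: site1 and the IP addresses
# come from the post, the other host names are made up for this example.
DNS_A = {"site1.example.com": "240.1.1.1",
         "site2.example.co.uk": "240.1.1.2",
         "site3.example.org": "240.1.1.3"}
DNS_PTR = {ip: host for host, ip in DNS_A.items()}
NAT = {"240.1.1.1": "10.44.55.10", "240.1.1.2": "10.44.55.20",
       "240.1.1.3": "10.44.50.30"}
SITES = [  # one dict per Internet Site document (assumed layout)
    {"name": "site1", "ssl": True, "default": False,
     "hosts": ["site1.example.com", "10.44.55.10", "240.1.1.1"]},
    {"name": "site2", "ssl": True, "default": False,
     "hosts": ["site2.example.co.uk", "10.44.55.20", "240.1.1.2"]},
    {"name": "site3", "ssl": True, "default": False,
     "hosts": ["site3.example.org", "10.44.50.30", "240.1.1.3"]},
]

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_notes_ini(text):
    """Return {key: value} for KEY=VALUE lines; lines starting with ';' are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def port_addresses(settings):
    """Map each TCPIP port name to the local IP its *_TCPIPAddress line binds."""
    ports = {}
    for key, value in settings.items():
        if key.endswith("_TCPIPAddress"):
            # Value is "0,<ip>" (optionally "<ip>:<port>"); keep only the address.
            addr = value.split(",", 1)[-1].split(":")[0].strip()
            ports[key[: -len("_TCPIPAddress")]] = addr
    return ports


def check_layout(sites, port_addrs, dns_a, dns_ptr, nat):
    """Return a list of problem descriptions (empty when the layout is consistent)."""
    problems = []
    bound = set(port_addrs.values())
    sites_by_local_ip = defaultdict(list)
    for site in sites:
        if not site["ssl"]:
            continue                      # plain HTTP sites may share an IP
        name = site["name"]
        if site["default"]:
            problems.append(f"{name}: an SSL site must not be the default web site")
        fqdns = [h for h in site["hosts"] if not IPV4.match(h)]
        local = [h for h in site["hosts"] if h in bound]
        if not fqdns:
            problems.append(f"{name}: no fully qualified host name listed")
        if not local:
            problems.append(f"{name}: no listed IP is bound by a TCPIP port")
        for ip in local:
            sites_by_local_ip[ip].append(name)
        for fqdn in fqdns:
            public = dns_a.get(fqdn)
            if public is None:
                problems.append(f"{name}: no A record for {fqdn}")
                continue
            if dns_ptr.get(public) != fqdn:
                problems.append(f"{name}: PTR for {public} does not point back to {fqdn}")
            if nat.get(public) not in local:
                problems.append(f"{name}: NAT forwards {public} to {nat.get(public)}, "
                                f"not to this site's local IP")
    for ip, names in sites_by_local_ip.items():
        if len(names) > 1:
            problems.append(f"{', '.join(names)}: share local IP {ip}; "
                            f"each SSL site needs an IP address of its own")
    return problems


if __name__ == "__main__":
    ports = port_addresses(parse_notes_ini(NOTES_INI))
    for line in check_layout(SITES, ports, DNS_A, DNS_PTR, NAT) or ["layout is consistent"]:
        print(line)
```

With the data as given the check reports nothing; change site3's local IP to 10.44.55.20 (already used by site2) or tick its default flag and the checker names the sharing sites and the default-site mistake. Plain HTTP sites are skipped on purpose, since the one-address-per-site rule only applies to SSL.
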
You now have multiple SSL secured web sites served by a single Domino server with a single NIC.

Category: SnTT

Comments:

1. Florian Steinel, 10/03/2006 17:04:17

You don't have to use multiple IP addresses, see http://wiki.cacert.org/wiki/VhostTaskForce .
But I don't know if Domino supports this...

2. Chris Linfoot, 10/03/2006 17:45:22

Domino definitely doesn't support that. It's not even clear to me that it falls within the SSL standard though having a single cert with multiple common names would theoretically work. Of course you may not want a user examining your cert to see what other sites it is used on...

3. Florian Steinel, 11/03/2006 12:02:11

If you are using *.chris-linfoot.net in the cert and sites like top-secret.chris-linfoot.net and example.chris-linfoot.net, the user can't.
(BTW: The Mozilla.org site is using this for e.g. https://bugzilla.mozilla.org/ )

4. Chris Linfoot, 11/03/2006 14:05:40

Quite right. Trouble is, here we have several secure sites in completely different domains so a wildcard *.example.com won't do.

5. Martijn de Jong, 21/03/2006 09:34:13

That's a nice explanation. I was the poster of the "example" on Notes.net and your explanation helped me set up SSL for my main domain. My main challenge now is to set up SSL for some of the other domains. I have only one public IP address, so in my router I can forward my port 443 to only one NAT IP address. I'm looking at Apache's mod_proxy module to see if that might solve my problems, but haven't quite figured it out yet.

6. Christy, 07/08/2006 07:57:00

Hi,
I found this article while trying to solve another problem and I've put it away for future reference (Multiple SSL sites, single Domino server).
In a non-SSL environment though, where hosting is of ordinary HTTP sites, it doesn't seem possible to host multiple sites in Domino 7 with one IP address? This was dead easy in Domino 6 but seems to be strangely difficult in 7.
When I say difficult, Domino will host them alright and providing visitors know the correct path, they can find them OK. But why can't Domino serve requests to multiple sites when they are phrased in the normal way (www.example.com, www.secondexample.com)?
Do you know any workarounds?
Cheers
Christy

7. Chris Linfoot, 07/08/2006 08:28:09

D7 can do this just fine. The server hosting this site serves many different HTTP sites as well as HTTPS, all on different host names.

The trick is using Internet Sites documents correctly.

8. pat, 26/09/2006 03:59:19

Hi, I have a single Domino server (single IP BTW) hosting 2 websites (www.mysite1.com and www.mysite2.com) and have a .kyr file for each, but I have no idea how I can set up server documents to make them work. Actually I use one .kyr file (for mysite1) in the server document, and mysite2 gives an SSL warning because domains don't match.
I'll appreciate any help from you.
Best regards

9. Chris Linfoot, 26/09/2006 08:24:11

If the two sites are in different domains, then this can't be done and you will need a separate IP address for each site (though both IP addresses could be on the same physical NIC).

If the two sites are in the same domain (host1.domain.example and host2.domain.example) then a wildcard SSL cert for *.domain.example would work.

This is not a Domino limitation - it is a constraint of SSL itself.

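The comments above turn on how a browser decides whether a certificate's name covers the host it is talking to: a wildcard such as *.domain.example covers host1.domain.example and host2.domain.example but nothing in another domain, and a certificate carrying several names (the "multiple common names" of comment 2, what is now called Subject Alternative Names) covers whatever is listed. The following is an added example of that matching rule, written for this page and not taken from the post, from Domino or from any browser; it applies the usual rule that '*' stands for exactly one label and is only honoured as the whole leftmost label. Whether a given server can present such a certificate is a separate question from the rule itself.

```python
"""Certificate name matching for the wildcard discussion in the comments.

Added example, not part of the original post. It decides whether a
certificate's names cover a host name using the common browser rule: an
exact (case-insensitive) match, or a wildcard whose '*' is the entire
leftmost label and stands for exactly one label, never for a dot.
"""


def _name_matches(pattern, hostname):
    """True if one certificate name (possibly '*.domain') covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a lone '*' as the whole leftmost label is honoured, and it needs
    # at least two labels to its right, so '*.com' and 'f*o.example' are out.
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    # '*' matches exactly one label: same label count, and the rest identical.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers(cert_names, hostname):
    """True if any name carried by the certificate covers hostname."""
    return any(_name_matches(name, hostname) for name in cert_names)


def ssl_site_plan(cert_names, hostnames):
    """Map each host name to whether the certificate covers it.

    Hosts mapped to False need a certificate of their own and, per the post,
    an IP address of their own on the Domino server.
    """
    return {host: cert_covers(cert_names, host) for host in hostnames}


if __name__ == "__main__":
    # Constructed host names; the first two mirror the same-domain case in
    # comment 3, the last one the different-domain case in comments 4 and 9.
    for host, ok in ssl_site_plan(["*.chris-linfoot.net"],
                                  ["top-secret.chris-linfoot.net",
                                   "example.chris-linfoot.net",
                                   "site2.example.co.uk"]).items():
        print(f"{host}: {'covered' if ok else 'needs its own cert and IP'}")
```

The matching is deliberately strict about what '*' may stand for; a looser rule that let a wildcard span a dot, or sit in the middle of a label, would make one certificate valid for far more names than its holder was vetted for, which is why browsers reject those forms.
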