Wednesday, July 7, 2010

Multiple SSL/HTTPS web sites on one IIS server

A certificate is bound to an IP address and port, not to a host name. The TLS handshake, in which the server presents its certificate, completes before the browser sends the HTTP Host header, so a server that does not support SNI (IIS 7.x does not; SNI only arrived in IIS 8) has to choose the certificate by the IP:port the connection arrived on. So if you have multiple web sites with different host names on the same server and you want them all to be secure (SSL/HTTPS), you need one of the following two scenarios:

1. A 'wildcard' SSL certificate (e.g., *.foo.com), which costs more (about $200/year at the time of writing).
If you choose this option, the certificate is bound once to the IP:port and then has to be attached to every web site node in IIS Manager; because IIS 7 Manager does not let you enter a host name on an https binding, the host-header bindings must be added from the command line (see http://blumenthalit.net/blog/Lists/Posts/Post.aspx?List=35b60df2-0af2-4e52-8c6f-d3a64a542f45&ID=14&RootFolder=* for more details).


2. Separate certificates, one per host name (e.g., one for site1.foo.com and another for site2.foo.com). Then each site needs its own IP address (GoDaddy say these must be public IPs; other web sites claim internal NAT IPs are enough). The dedicated-server control panel can be used to request a new public IP (up to 3 are included), the GoDaddy firewall needs translation rules for the new IP, and the dedicated host needs the matching internal IP configured as well.
[Note that accessing the GoDaddy PIX firewall for a dedicated server requires you to downgrade your Java, because the latest Java can't open the control panel; I will add a post for this too.]
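The following script is an added example and is not code from the original post or from the linked blog; it binds certificates for both scenarios above using only the tools that ship with Windows Server 2008 / IIS 7 (appcmd.exe and netsh). The site names "site1" and "site2", the wildcard subject "CN=*.foo.com", and the dedicated internal IPs 10.0.0.1 / 10.0.0.2 are placeholders, not values from the page.

```powershell
# Added example, not from the original post or the linked blog: bind
# certificates in IIS 7.x for the two scenarios above using appcmd.exe and
# netsh. Run from an elevated PowerShell prompt on the web server.
# Assumptions (placeholders): IIS site names "site1" and "site2", certificates
# already imported into Cert:\LocalMachine\My, wildcard subject "CN=*.foo.com",
# and dedicated internal IPs 10.0.0.1 / 10.0.0.2 for scenario 2.

$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
# http.sys wants an application GUID on every sslcert entry; this is the GUID
# IIS registers its own bindings under (any GUID would technically do).
$iisAppId = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'

# Find a certificate thumbprint by subject in the machine store.
function Get-Thumbprint([string]$subject) {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$subject*" } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject '$subject' in LocalMachine\My" }
    return $cert.Thumbprint
}

# This is the real "attachment" the post talks about: http.sys presents
# $thumbprint for every TLS connection arriving on $ipPort (0.0.0.0:443 means
# all addresses). No Host header exists yet, so there is nothing else to key on.
function Add-SslCert([string]$ipPort, [string]$thumbprint) {
    & netsh http add sslcert "ipport=$ipPort" "certhash=$thumbprint" "appid=$iisAppId"
}

# IIS-side binding. IIS 7 Manager greys out the host name for https bindings;
# appcmd accepts it, and IIS routes on it once the request has been decrypted.
function Add-HttpsBinding([string]$site, [string]$ip, [string]$hostHeader) {
    & $appcmd set site "/site.name:$site" `
        "/+bindings.[protocol='https',bindingInformation='${ip}:443:${hostHeader}']"
}

# Scenario 1: one wildcard certificate on one IP, sites told apart by host header.
function Set-WildcardBindings([string]$subject, [hashtable]$siteByHost) {
    $thumb = Get-Thumbprint $subject
    Add-SslCert '0.0.0.0:443' $thumb
    foreach ($hostHeader in $siteByHost.Keys) {
        Add-HttpsBinding $siteByHost[$hostHeader] '*' $hostHeader
    }
}

# Scenario 2: one certificate per host name, so one dedicated IP per site.
# $sites maps a site name to @{ Ip = '...'; Subject = 'CN=...' }.
function Set-PerIpBindings([hashtable]$sites) {
    foreach ($name in $sites.Keys) {
        $ip = $sites[$name].Ip
        Add-SslCert "${ip}:443" (Get-Thumbprint $sites[$name].Subject)
        Add-HttpsBinding $name $ip ''
    }
}

# Run the call that matches your setup.
Set-WildcardBindings 'CN=*.foo.com' @{ 'site1.foo.com' = 'site1'; 'site2.foo.com' = 'site2' }
# Set-PerIpBindings @{
#     'site1' = @{ Ip = '10.0.0.1'; Subject = 'CN=site1.foo.com' }
#     'site2' = @{ Ip = '10.0.0.2'; Subject = 'CN=site2.foo.com' }
# }

# Verify: one sslcert entry per IP:port in http.sys, and each site's https binding.
& netsh http show sslcert
& $appcmd list site
```

The `netsh http show sslcert` output is the thing to check when a site serves the wrong certificate: whatever is registered for the exact IP:port wins over the `0.0.0.0:443` entry, and a stale entry left behind by an earlier binding is the usual cause of a certificate name mismatch.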

I got an email from their support detailing the steps for scenario #2 above:

To request additional IP addresses:



  1. Log into your Account Manager.

  2. Under the My Products section, select Servers.

  3. Click Launch Manager next to the server account that you would like to manage. The virtual Dedicated/Dedicated Hosting Manager opens in a new window.

  4. Click Request Additional IP and allow the system several minutes for the IP address to be allocated.


NOTE: If you use Parallels Plesk Panel, the new IP address will need to be re-read from the Parallels Plesk Panel under Server > IP Addresses. Without Parallels Plesk Panel, you will need to add your IP addresses to your server's IP address pool through the applicable means before it will work.


Additional IP addresses past the first three cost extra.


Before we can allocate additional IP addresses to your server, we will need the following information submitted in a trouble ticket:



  1. How many additional IP addresses you would like us to allocate to your server (up to 3 at a time).

  2. The reason that you need additional IP addresses.

  3. The host name for your server.

  4. The last 4 digits of the payment method on file that you want to use.


Once you have requested another IP address, you would need to add the IP address to your server, there are instructions for this here : http://help.godaddy.com/article/1478. You would also need to add the IP translation rules to your firewall on the server.

Some of the information in this article is advanced material we make available as a courtesy. Please be advised that you are responsible for properly following the procedures below. Customer Support cannot assist with these topics.


Translation rules must be added for all new IP addresses. When the Cisco PIX 501 hardware firewall is installed, the translation rules for existing IP addresses are created automatically.


For each new IP address, you create two static translation rules, one for outside traffic and one for inside traffic.


NOTE: For this example, we will use 22.33.44.55 to represent the new IP address. It is assumed that the next available internal IP address is 10.0.0.2.


To Add an IP Address to the Cisco PIX 501 Firewall



  1. In a Web browser, navigate to: https://[your firewall management IP address]/

  2. You may receive a number of security certificate warnings. If you accept the certs and save them as "Trusted," you will avoid warnings in the future.

  3. Enter your User name and Password, and then click OK.

    NOTE: Your browser must have Java enabled and allow pop-ups from your firewall management IP.



  4. In the Device Manager toolbar, click the Configuration icon.

  5. Click the Translation Rules tab.

  6. Click the Translation Rules radio button.

  7. Click the New Rule icon.

  8. In the window, enter the following information:

    • Interface: Inside

    • IP Address: 10.0.0.2

    • Mask: 255.255.255.255

    • Translate address on interface: outside

    • Translate address to: select (x) static IP Address: 22.33.44.55



  9. Click the New Rule icon.

  10. In the window, enter the following information:

    • Interface: Outside

    • IP Address: 22.33.44.55

    • Mask: 255.255.255.255

    • Translate address on interface: inside

    • Translate address to: select (x) static IP Address: 10.0.0.2



  11. Add 10.0.0.2, the internal IP address, to your server.


    • Windows: In the advanced section of your local area network TCP/IP settings, add the internal IP, using the 255.255.255.0 netmask.


    • Linux: As root, copy "/etc/sysconfig/network-scripts/ifcfg-eth0" to "/etc/sysconfig/network-scripts/ifcfg-eth0:0". Edit /etc/sysconfig/network-scripts/ifcfg-eth0:0, changing the IP to the new IP and changing DEVICE to equal eth0:0. Restart your networking with: service network restart




NOTE: IP address allocation is monitored. Attempting to add IP addresses to your server that have not been purchased is a violation of your terms of service agreement and may result in the suspension of your account.



Once these steps have been completed, we would be able to install the second IP address on your server for you.
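Once the IPs, translation rules and bindings are in place, the check worth running is from the outside: which certificate does each public IP actually present, and is it valid for the host name you expect? The script below is an added example (not part of the support email or the original post) that does that from any Windows machine using the .NET SslStream class. The public IPs and host names in it are placeholders (22.33.44.55 is the email's example address; 22.33.44.56 is assumed).

```powershell
# Added example, not part of the support email or the original post: confirm
# which certificate each public IP:443 presents and whether it is valid for
# the expected host name. IPs and host names below are placeholders.

function Get-DnsNames($cert) {
    # Names the certificate is valid for: the subject CN plus any SAN DNS entries.
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    return $names | Select-Object -Unique
}

function Test-NameMatch([string]$certName, [string]$hostName) {
    # A wildcard matches exactly one label: *.foo.com covers site1.foo.com,
    # but neither foo.com nor a.site1.foo.com.
    if ($certName.StartsWith('*.')) {
        $labels = $hostName.Split('.')
        if ($labels.Count -lt 3) { return $false }
        return ($labels[1..($labels.Count - 1)] -join '.') -ieq $certName.Substring(2)
    }
    return $certName -ieq $hostName
}

function Get-ServedCertificate([string]$ip, [string]$hostName, [int]$port = 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient($ip, $port)
    try {
        # Accept any chain: the point is to see the certificate, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        # Whether $hostName is sent as SNI depends on the .NET Framework version
        # (older frameworks send none); without SNI the answer is purely a
        # function of $ip:$port, which is exactly the situation this post is about.
        $ssl.AuthenticateAsClient($hostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $names = Get-DnsNames $cert
        New-Object PSObject -Property @{
            Ip        = $ip
            HostName  = $hostName
            Subject   = $cert.Subject
            Names     = ($names -join ', ')
            NotAfter  = $cert.NotAfter
            NameMatch = [bool]($names | Where-Object { Test-NameMatch $_ $hostName })
            Expired   = ($cert.NotAfter -lt (Get-Date))
        }
    } finally {
        $tcp.Close()
    }
}

# Expected mapping after scenario 2 (placeholders): each public IP should
# present the certificate issued for its own host name.
$expected = @(
    @{ Ip = '22.33.44.55'; HostName = 'site1.foo.com' },
    @{ Ip = '22.33.44.56'; HostName = 'site2.foo.com' }
)
$expected | ForEach-Object { Get-ServedCertificate $_.Ip $_.HostName } |
    Format-Table Ip, HostName, Subject, Names, NotAfter, NameMatch, Expired -AutoSize
```

A row with NameMatch false means the translation rule or the http.sys binding points that public IP at the wrong certificate; a row that fails to connect at all usually means the firewall has the static translation but no access rule permitting TCP 443 to the new address.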

2 comments:

  1. I've recently secured a domain and plan to include resource/knowledge/support subdomains, so a wildcard SSL is perfect for this.
  2. Wildcard certificates are designed to secure unlimited subdomains over a single FQDN. With a single wildcard you may secure the primary domain name as well as all the subdomains, and also plenty of website pages over all subdomains.
