SNI多域的SSL阿帕奇IIS [英] SNI multiple domain ssl apache iis

问题描述

我们需要托管多个站点不同的域。
例如

we need to host multiple site with different domains. for instance

a.test.dk
b.test.dk
a.test.fi
b.test.fi

现在从我知道的是，无论是在Apache或使用域的SSL证书时，IIS就需要1个IP /主机，这意味着我们将不得不购买
4证书和4个IP地址来托管他们在

Now from what i know is that being either in apache or iis you would need 1 ip/host when using a domain ssl certificate, that means we would have to buy 4 certificate and 4 ip addresses to host them on

另一种选择是使用通配符证书，如果我们买了* .test.dk，我们可以使用2个IP /地址和两证，因为我们的IIS / Apache的托管站点的相同数量的* .test.fi可以使用SNI。

another option is to use wildcard certificates , if we buy a *.test.dk and a *.test.fi we can use 2 ip/addresses and 2 certificates to host the same amount of sites since our iis/apache can use sni.

但现在我真正的问题：
也有一些所谓的多域的SSL

But now my real question : there is also something called multiple domain ssl

这将允许运行在1个IP地址的所有4个网站？

will this be allowed to run all 4 sites under 1 ip-address?

由于我们正在与我们在这一刻使用外部IP-addressess的strugling。

because we are strugling with our use of external ip-addressess at this moment.

推荐答案

好吧你混淆了两个不同的东西。你混淆通配符证书和SNI（服务器名称指示）。他们是类似的问题肯定是不同的解决方案。

Well you're confusing 2 different things. You're confusing wildcard certificates and SNI (Server Name Indication). They are definitely different solutions to similar problems.

通配符证书不靠头检查加密流量，你只要点在你想要的IP地址，DNS和你的要求去到任何网站，你已经在IIS中配置。

Wildcard certs do not rely on header inspection to encrypt your traffic, you just point the DNS at the IP address you want and your request goes to whatever site you've configured in IIS.

SNI是不同的，是你想要的。 SNI检查每个HTTP请求，并计算出哪些IIS您可以根据主机头想要的网站。之前SNI存在一些不能在SSL请求检查头，因为头太加密。

SNI is different and is what you want. SNI inspects each HTTP request and figures out what IIS site you want based on the host headers. Before SNI existed you couldn't inspect headers in SSL requests because the headers were encrypted too.

使用SNI，假设你为每个站点证书（证书通配符或单点的证书，证书UCC，或那些的组合），可以使用SNI检查每个HTTP请求和服务于适当的SSL证书和站点。你可以尽可能多的网站做到这一点，只要你愿意，分享1 IP：跨越所有这些端口组合

With SNI, assuming you have certificates for each site (wildcard certs or single site certs, UCC certs, or some combination of those) you can use SNI to inspect each HTTP request and serve up the appropriate SSL cert and site. You can do this for as many websites as you'd like and share 1 IP:port combination across them all.

下面是一个维基百科的文章，解释它在一个更详细一点：

Here is a WikiPedia article that explains it in a little more detail:

http://en.wikipedia.org/wiki/Server_Name_Indication#Background_of_the_problem

这里是如何在IIS 8.0及以上配置的一篇文章

的https://www.digicert.com/ssl-certificate-installation-microsoft-iis-8.htm#multiple

在步骤18中这些说明是你让SNI。

In step 18 in those instructions is where you enable SNI.

这里是如何的Apache 2.2.12及以上配置的一篇文章

的https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm

这篇关于SNI多域的SSL阿帕奇IIS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！