Don’t host multiple websites with one IP address if one of the sites uses SSL

I just figured this out yesterday and it’s probably obvious to most people, but since I hadn’t thought of it before – maybe this will help someone else.

You can use host headers to publish multiple websites on the same IP address: the browser puts the site name in the HTTP Host header and the web server routes the request on that value. This doesn’t work the same way with SSL, because the Host header travels inside the encrypted session, so the server has to choose a certificate (and with it a site binding) before it can read the name the user asked for. Unless both the browser and the server support the Server Name Indication (SNI) extension, which carries the name in the clear during the TLS handshake and which the setup described here does not rely on, you can only bind 1 web site to a given IP address using SSL.

You can publish Site1, Site2, and Site3 on the same IP address using http and then bind SSL to Site1 on the same IP address, so that all of these would work:
http://Site1
http://Site2
http://Site3
https://Site1
(In DNS, Site1, Site2, and Site3 all resolve to the same IP address.)

What just occurred to me yesterday (when a client of mine pointed it out) was that if you browse to https://Site2, you will get the standard certificate error that browsers give when something doesn’t look right with the certificate.  In this case the certificate was issued for Site1 but the user is browsing to Site2, so the name on the certificate doesn’t match the name in the address bar.

If the user clicks the button to proceed in spite of the error – now you’ve got a problem.  The only SSL binding on that IP address belongs to Site1, so the server answers with Site1’s pages while the address bar still says https://Site2: the user thinks they are at Site2, but what they are seeing is Site1.  Since plenty of users click through certificate warnings without reading them, don’t count on the warning to stop this; either give each SSL site its own IP address (or use SNI where both sides support it), or make sure the one SSL binding doesn’t answer for site names it wasn’t set up for.

It had just never occurred to me that someone would specifically type https to get to a site that wasn’t set up for SSL.

Posted in IT