SSL setup on Virtualmin on multiple sites using one public IP

Hi all

Is it possible to set up multiple SSL sites within the Virtualmin without using multiple public IPs?
Normally we have to use one extra public IP for each SSL site created on our IIS webservers, but I just wanted to know if Apache / Virtualmin are smarter than IIS regarding the SSL setup / usage.

Looking forward to hearing from anyone who could enlighten me on the topic above.

  • Tim

Apache basically supports it, through SNI: http://en.wikipedia.org/wiki/Server_Name_Indication

Unfortunately, Virtualmin does not support that (yet), i.e. you’ll have to configure Apache manually to make use of SNI.

Note though that Internet Explorer (up to version 8) on Windows XP does not support SNI, so if you were to use it on your web pages, you’d lock out a good deal of users.

Hi Locutus

Thanks for your quick response.
Hmm, so I can set it up manually but then I will cut all users on Windows XP using Internet Explorer (which is still quite many).
It might be a solution if the customer accepts that the visitors should use anything else than Internet Explorer :slight_smile:

Do you know when Virtualmin might support SNI through the GUI?

Secondly, I can understand that I need to use an extra public IP for each SSL site I would create on the Virtualmin. Is there an easy how-to guide for Virtualmin? :slight_smile:

  • Tim

Eric would be the one who can say something about if and when Virtualmin might support SNI. :slight_smile: I don’t know really.

To add extra IP addresses, you can put ranges to allocate from in the Server Template, section “Virtual IP Address”. Then, when creating a new server, you choose “Network interface: Virtual with allocated IP” in the “IP address and forwarding” box.

Well, just to clarify – you need one IP address per SSL certificate (rather than one IP per domain). It’s possible to have multiple domains or wildcards in a given SSL cert.

I unfortunately don’t have a timeline on SNI, though I’ll see if I can get some input on that :slight_smile:

-Eric

Hi Eric

I am familiar with the multiple SSL certificate options, but I don’t think I can persuade the customers to share SSL Certificates, especially if they someday want to move to another host :slight_smile:

I am looking forward to the implementation of the SNI in Virtualmin, it would be a great option to have S

  • Tim

Yup, if you’re talking about multiple customers, I certainly wouldn’t recommend sharing a single cert.

I’ll look into that SNI support though. Thanks!

-Eric

As Locutus mentioned, SNI won’t work on many of the IE-based browsers on Windows XP (at least, IE6 and IE7).

Being as Windows XP only this month dropped below 50% market share, would you guys really find SNI support useful at the moment?

That’s according to this article:

http://www.tgdaily.com/software-brief/57628-windows-xp-market-share-falls-below-50

SNI requires a newer openssl than exists in the standard CentOS 5 (at least) distribution. So, if you wanted to do this, you’ll need to make your own openssl.

For us, it would be useful, if only for admins. Would not deploy out to public at large.

I think it would be a perfect improvement to the Virtualmin setup.
But it might be a problem in CentOS, as mentioned by sfatula above regarding the OpenSSL engine.
But if it could be replaced easily for admins (how-to guide), then it would be a big step forward to use SNI in large Virtualmin hosting setups.

  • Tim

Okay, so, I have some interesting news. SNI already is supported by Virtualmin :slight_smile:

I again want to clarify that SNI won’t work in a lot of places… it appears that it won’t work on any IE-based browser on Windows XP, which is a lot of users!

But, if that’s not a problem for your userbase, you can use SNI in Virtualmin.

If Apache/mod_ssl is compiled with SNI support, then Virtualmin will allow you to set up a different SSL certificate for multiple domains on the same IP address.

You’ll see a Virtualmin warning when that occurs, since most people don’t actually want to use SNI.

However, the warning won’t prevent it from working – you can continue from there by setting up as many SSL certs as you like.

I just tested that this works with CentOS 6. It should also work with Debian 6.

I do not believe it’ll work in distros offering Apache versions before 2.2.12, which includes Ubuntu 10.04, CentOS 5, and Debian 5.

For anyone reading this who isn’t yet familiar with SNI – it’s not a silver bullet, and we again don’t think it’s ready for prime-time use, since roughly half the computers on the Internet today won’t work with it. But for folks with a limited or controlled userbase, and having a supported browser isn’t a problem – SNI should work just fine.

-Eric

Yes, so, what I was saying agrees with you, just goes one step further. If someone WANTED to recompile Apache on Centos 5 (at least) to enable SNI, they will fail as openssl is too old. So, they will also need to find a way to update openssl.

Had already been down that road!

> I do not believe it’ll work in distros offering Apache versions before 2.2.12, which includes Ubuntu 10.04, CentOS 5, and Debian 5.

Please note that Ubuntu 10.04 currently has Apache 2.2.14.

> Please note that Ubuntu 10.04 currently has Apache 2.2.14.

Well, crap, you’re absolutely right!

I went over to packages.ubuntu.com to test all this out before I posted, but I must have selected the wrong Ubuntu version when I searched for the “apache2” package.

Thanks for setting me straight! :slight_smile:

-Eric

You’re most welcome. :slight_smile:

I tested it in the “most empirical way possible” on my hosting VM. :wink:

    root@orion:~# apache2 -v
    Server version: Apache/2.2.14 (Ubuntu)
    Server built: Nov 18 2010 21:19:09

Hi Eric

So we have to be running Centos version 6 to be able to use SNI?
We are currently running version 5.6

  • Tim

Correct, SNI does not work by default on CentOS 5. You would need newer Apache, mod_ssl, and openssl packages.

A newer distro such as CentOS 6 comes with packages that have SNI support.

Remember though that roughly half of the browsers in use today don’t support SNI… so even if you upgrade to a newer distro, it won’t work for many people.

-Eric

So we’re willing to bite the silver bullet and start deploying SNI

How would I go about enabling SNI on Virtualmin? I am looking for a quick way to set this up.

Not sure how to check whether TLS and mod_ssl are compiled with SNI support.

Can you provide any pointers?

Thanks

MD

I believe that SNI is available in Apache versions 2.2.12 and after. That should be available in CentOS 6, Ubuntu 10.04, and Debian 6.

You wouldn’t need to do anything to enable it – it would just work. You’d simply need to enable multiple SSL certs on one IP address.

Just note that a number of browsers don’t support that quite yet – there are some details regarding that which were discussed above.

-Eric

Thanks

I am using Chrome, which has SNI enabled, you can verify it here https://sni.velox.ch/

I have two SSL websites on one IP. Let’s say abc.com and xyz.com

But when I pull https://xyz.com via https, it opens up the abc.com with a certificate error.

Is there some config in Virtualmin I need to modify?

MD
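
An added example, not part of the thread and not Virtualmin's own code: when no ServerName or ServerAlias on an address matches the requested name, Apache answers with the first virtual host defined for that address, which is one way a request for xyz.com can come back with abc.com's certificate. The sketch below models that selection over a constructed configuration so you can see which certificate each SNI name would receive. The IP address, certificate paths and function names are assumptions, and the matching is simplified to exact address strings.

```python
import re
from fnmatch import fnmatch

# Constructed sample: two SSL vhosts sharing one address (placeholder IP and paths).
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:443>
    ServerName abc.com
    ServerAlias www.abc.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/abc.com.crt
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName xyz.com
    ServerAlias *.xyz.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/xyz.com.crt
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return [(address, [names], cert_path)] for each <VirtualHost> block, in file order."""
    vhosts = []
    pattern = r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>"
    for addr, body in re.findall(pattern, conf, re.S | re.I):
        names, cert = [], None
        for line in body.splitlines():
            parts = line.split()
            if len(parts) < 2 or parts[0].startswith("#"):
                continue
            key = parts[0].lower()
            if key in ("servername", "serveralias"):
                names += [n.lower() for n in parts[1:]]
            elif key == "sslcertificatefile":
                cert = parts[1]
        vhosts.append((addr.strip(), names, cert))
    return vhosts

def cert_for(conf, address, sni_name):
    """Return (cert_path, fell_back_to_default) for sni_name on the given address."""
    candidates = [v for v in parse_vhosts(conf) if v[0] == address]
    if not candidates:
        return None, False
    for _, names, cert in candidates:
        if any(fnmatch(sni_name.lower(), n) for n in names):
            return cert, False
    # No name matched: the first vhost defined for this address is the default.
    return candidates[0][2], True
```

A result with the second value set to True means the name has no SSL virtual host of its own on that address, so clients see the default site's certificate and a name mismatch.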