Server setup for 2 webservers - apache

I have an HTTPS website hosted by IIS. In this site I embed another HTTPS website within an iframe. The content of this iframe is hosted by Apache. Both servers, IIS and Apache, are on the same server.
Do we need to have the same SSL certificates on both webservers?
The first listens on port 8443 and the second one on port 443. Do we need separate public IPs? Is there another way to route internally?
What would be the proper setup with two different webservers (IIS, embedded Apache) and only one external IP?

Do we need to have the same SSL certificates on both webservers?
No, you could bind a different SSL certificate if you bind a different domain for your IIS or Apache server.
The first listens on port 8443 and the second one on port 443. Do we need separate public IPs? Is there another way to route internally?
No, we access the site by using the same IP with different ports.
What would be the proper setup with two different webservers (IIS, embedded Apache) and only one external IP?
In my opinion, the only thing is that you should make sure the port is free for each web server.
For example, if IIS uses 80, then Apache couldn't use 80.

Related

configure two dydns websites of IIS with two different SSL ports and configure port forwarding for both

I have two IIS websites. One I have on localhost on port 80, and it was set up for dydns with SSL port forwarding, external: 443 and internal port: 1124, and the website is working perfectly with dydns access.
I wanted to set up another website with the SSL port but was unable to do so. When I set the port forwarding to external SSL: 443 and internal SSL port: 1129, the other dydns entry redirects to the first website. This website does not work without HTTPS.
So, how do I set up two websites for SSL port forwarding on the same machine?
Any help is appreciated.
You don't necessarily need an entirely different port for each website you host on the same machine. You can use the same http/80 and https/443 to serve multiple websites through virtual hosts.
I'm not familiar with IIS, but I do know that it's possible on IIS just as it is on Apache and NGINX. You can read about setting up virtual hosts on IIS here. Also, I answered a similar question here.

Apache and IIS on the same server/port

I have a server running IIS on port 80.
The same server also has Apache installed, which is listening to other ports.
What I would like to achieve is the following:
1. Set up Apache so that it also listens on port 80, but only for a specific CNAME/alias.
2. Change the IIS web site settings, so that it ignores requests made to that specific CNAME.
Basically, if someone tries to access the web site using the specified CNAME, they should receive the content hosted on the Apache server. If they access it using another alias/host name, or by specifying the IP address, they should get the content from the IIS web site.
Is there any way I could achieve that?
You can't bind two processes to the same port, on the same IP.
Your options are this:
1. Run Apache and IIS on different IPs, but both on port 80.
2. Run Apache and IIS on different ports, but on the same IP.
3. Run Apache on port 80, IIS on 81, and have Apache proxy requests for specific domain names or URLs to IIS. This will be done transparently to the user. Apache will act as the front-end, handling its own websites, and sending everything else to IIS, which will return the results back to Apache.
It sounds like what you want is #3.
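
Option 3 from the answer above, sketched as an Apache configuration. This is an added example, not part of the original answer; it assumes Apache 2.4 with mod_proxy and mod_proxy_http loaded, IIS rebound to 127.0.0.1:81, and placeholder host names and paths.

```apache
# Added example. Host names, paths and the backend port are placeholders.
Listen 80

# Reverse proxy only: never let this server act as an open forward proxy.
ProxyRequests Off

# The first vhost is the default. Any request that does not match a later
# ServerName (other aliases, the bare IP address) lands here and goes to IIS.
<VirtualHost *:80>
    ServerName iis-default.example.com

    # Pass the original Host header through so IIS host-header bindings
    # still select the right site.
    ProxyPreserveHost On

    # IIS is bound to loopback only, so it cannot be reached directly
    # from outside and every request passes through this front-end.
    ProxyPass        / http://127.0.0.1:81/
    ProxyPassReverse / http://127.0.0.1:81/
</VirtualHost>

# Only the specific CNAME is answered by Apache itself.
<VirtualHost *:80>
    ServerName apache-alias.example.com
    DocumentRoot "C:/Apache24/htdocs/apache-site"

    <Directory "C:/Apache24/htdocs/apache-site">
        Require all granted
    </Directory>
</VirtualHost>
```

If IIS has to stay bound to all addresses, block port 81 at the host firewall so the backend cannot be reached around the proxy.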

Tomcat and Apache Webserver using SSL on one machine

I have tomcat installed and running on an ubuntu 12.04 LTS system utilizing port 443 for https requests (GeoTrust certificate installed).
On the same machine, apache2 responds to requests on port 80.
Now I was given the task to secure the webapps (php) running on apache2 with SSL as well, but with a different server certificate.
Is this possible at all? - My assumption would be "no", because I cannot have two servers listening on the same port, but I'm not too sure and haven't found any helpful information about this so far.
Any help would be highly appreciated.
These days, you'll still have difficulty serving more than one certificate on a single interface/port combination (e.g. 0.0.0.0:443). If you want to use two separate ports for HTTPS, it's no problem. If you want to bind to different interfaces (e.g. 1.2.3.4:443 and 4.3.2.1:443) it's no problem. If you want them both on the same interface/port, you'll have to rely on Server Name Indication which may or may not be supported by your web server version and/or client.
If you want different certificates, you probably want different hostnames, too, so maybe you can get a second interface configured on the machine. Note that you don't need to have multiple NICs on the machine just to enable a different interface: your OS should be able to create another interface with a different IP address and still share the NIC. Then you just set DNS to point each hostname to a different IP address and make sure you bind each SSL VirtualHost to the proper IP address (instead of using 0.0.0.0 or * for the hostname).
Honestly, SNI is the easiest thing to do: just use VirtualHosts with SSL enabled (with different certs) in each one the way you'd "expect" it to work and see if the server starts up without complaint. If so, you'll need to test your clients to see if it's going to work for your audience. For the SNI scenario, I am assuming that Apache httpd would handle all of the SSL traffic and that you'd use something like mod_proxy_* or mod_jk to proxy to Tomcat.
For the split-IP scenarios, you can do whatever you want: terminate SSL within Tomcat or use httpd for everything and proxy for dynamic content to Tomcat.
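
The SNI scenario from the answer above as an Apache configuration: two SSL VirtualHosts on the same address and port, each with its own certificate, with httpd proxying one of them to Tomcat. This is an added example, not part of the original answer; host names, certificate paths and the Tomcat HTTP connector on 127.0.0.1:8080 are assumptions, and mod_ssl, mod_proxy and mod_proxy_http must be loaded.

```apache
# Added example. Host names, file paths and the Tomcat port are placeholders.
Listen 443

# Apache 2.2 additionally needs:  NameVirtualHost *:443
# (SNI requires httpd 2.2.12 or later built against an SNI-capable OpenSSL.)

# Refuse clients that send no SNI instead of silently handing them the
# first vhost's certificate, which would not match the name they asked for.
SSLStrictSNIVHostCheck on

# PHP applications served by httpd, with their own certificate.
<VirtualHost *:443>
    ServerName php.example.com
    DocumentRoot /var/www/php-apps

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/php.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/php.example.com.key
</VirtualHost>

# Tomcat applications: httpd terminates TLS with the second certificate
# and forwards the request to Tomcat over loopback.
<VirtualHost *:443>
    ServerName tomcat.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/tomcat.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/tomcat.example.com.key

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

To check which certificate each name receives, run `openssl s_client -connect <server-ip>:443 -servername <hostname>` once per host name and compare the subject of the returned certificate.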

why to have Apache Web Server listening on more than one port

What's the use of having an Apache Web Server listening on more than one port?
Can anyone explain the use case to me?
You may want to use both IPv4 and IPv6, use HTTP and HTTPS, etc.
http://httpd.apache.org/docs/2.2/bind.html
You may have multiple network providers, and multiple IPs provided by each. Though listening to 0.0.0.0 will listen to all addresses, sometimes you may want to listen to selected addresses, not all of them.
Edit: Forgot: also an important reason is when you have to serve multiple sites and multiple domains from one host (one IP). You will then use different ports for each different site. They are so-called name-based virtual hosts.
If you need it, here's a link on name-based virtual hosts from the Apache docs.
I can see at least two possible use cases for that:
Assuming that your application is accessible to the public via port 80. But you wish to manage your database via phpmyadmin (a php tool to manage MySQL servers). Because of that you could configure Apache web server in a way, that it would listen on some other "private" port for phpmyadmin calls. This way, only you and your team can access it.
When you don't have registered domain names with you, you can create multiple sites running on your server and assign different ports to different sites. This way, you could test your site until your domain name gets registered.
Well... for HTTP the default port is 80 and for HTTPS the default is 443, and you can serve on another port for some reason.

HTTPS block domain

When you have multiple domain names pointing to the same server, but you only have a certificate for one of these domains, is it possible to block the other domains in Apache, but only when HTTPS is used, not when HTTP is used?
I tried using a NameVirtualHost setup for port 443. But when the domain is not found, Apache simply defaults to the first virtual host. I would like it to refuse the connection. In this way, when connecting directly through HTTPS on one of the unsupported domains, the connection is refused rather than having the browser display a warning screen because of a wrong identity.
Any thoughts?
Not possible.
This is a chicken and egg problem - to verify an https connection the browser connects and tries to validate the certificate/common name and the given URL. The first handshake / connection to port 443 has to be encrypted.
The only way to handle this problem would be to set up dedicated IPs for all domains - or for at least the domain using HTTPS.
It's far from ideal, but another option would be to use a non-standard port for your HTTPS site and not have the server listening on port 443.