Oh, The Huge Manatee

A blog about technology, open source, and the web... from someone who works with all three.

Multiple SSL Sites on One AWS Instance

It’s a familiar problem - you can’t really host multiple SSL sites on a single IP address.  There’s a fancy workaround if you get a pricey multi-domain certificate, of course.  But separate sites with separate certificates just won’t work.  The reason is simple - put yourself in Apache’s shoes.

When you’re using name-based virtualhosts, Apache uses the request headers (the Host header) to determine which vhost should get the request.  But with HTTPS those headers are encrypted!  So there’s no way for Apache to tell which virtual host should get this message without decrypting it first.  But it can’t decrypt without knowing the correct virtual host, and therefore the correct certificate…

There’s a great workaround for this with Amazon, using their Elastic Load Balancer (ELB) system.  You simply set up a load balancer, forward port 443 to, say, port 8443 on your instance, and have Apache listen on 8443 for SSL connections.  Recently Amazon rolled out the ability to terminate SSL on the load balancer, so you can actually have the ELB listen on 443, decrypt the traffic with your certs, and forward the request to your instance in the clear, on port 80.

There is one weakness.  ELBs cannot be addressed by IP address. They can only be addressed by CNAME - and can anyone think of why this might cause problems?  If you said “your root DNS record can’t be a CNAME”, go get yourself a glass of milk and some oreos, you’ve earned them.  Now this is one of those DNS rules that is often ignored.  For most people, having a CNAME for swearingatcomputers.com really isn’t going to break anything.  But for anyone who uses email on their domain, this is an important rule to follow.  A CNAME cannot coexist with any other record at the same name, and your MX records live at the root of the domain, so that root needs an A record rather than a CNAME.
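A small checker for the two DNS rules just described, added here as an example rather than anything from the original post; the zone records, the addresses and the ELB hostname are constructed placeholders:

```python
"""Flag the apex-CNAME problem in a zone given as (name, type, value) tuples.

Added example, not from the original post. "@" stands for the zone apex and
relative names (e.g. "mail") are used as-is, like in a zone file.
"""
from collections import defaultdict


def index_zone(records):
    """Group (type, value) pairs by owner name."""
    by_name = defaultdict(list)
    for name, rtype, value in records:
        by_name[name].append((rtype.upper(), value))
    return by_name


def check_zone(records, apex="@"):
    """Return a list of problem strings; an empty list means the zone is clean."""
    by_name = index_zone(records)
    problems = []
    for name, rrs in by_name.items():
        types = {t for t, _ in rrs}
        # RFC 1034: a CNAME must be the only record at its owner name.
        if "CNAME" in types and len(rrs) > 1:
            others = ", ".join(sorted(types - {"CNAME"}))
            problems.append(f"{name}: CNAME coexists with {others}")
    # The apex always carries SOA and NS, so a CNAME there is never valid,
    # even when the input (like the constructed zones below) omits SOA/NS.
    if "CNAME" in {t for t, _ in by_name.get(apex, [])}:
        problems.append(f"{apex}: apex record is a CNAME (use an A record)")
    # An MX target must be a name with address records, not a CNAME.
    for name, rrs in by_name.items():
        for rtype, value in rrs:
            if rtype != "MX":
                continue
            _prio, target = value.split(None, 1)
            target_types = {t for t, _ in by_name.get(target, [])}
            if "CNAME" in target_types:
                problems.append(f"{name}: MX target {target} is a CNAME")
            elif target in by_name and not target_types & {"A", "AAAA"}:
                problems.append(f"{name}: MX target {target} has no A/AAAA")
    return problems


# Constructed zones (placeholder ELB hostname, RFC 5737 documentation addresses).
ELB = "my-elb-placeholder.us-east-1.elb.amazonaws.com."
BROKEN_ZONE = [("@", "CNAME", ELB), ("@", "MX", "10 mail"),
               ("mail", "A", "203.0.113.10"), ("www", "CNAME", ELB)]
FIXED_ZONE = [("@", "A", "203.0.113.5"), ("@", "MX", "10 mail"),
              ("mail", "A", "203.0.113.10"), ("www", "CNAME", ELB)]

if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, check_zone(zone) or "ok")
```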

Still, this will get you to a pretty good place.  You can have https://secure.swearingatcomputers.com , separate from http://www.swearingatcomputers.com , and that fits a lot of use cases.

Not all of them, though.  Sometimes you have a client who simply MUST have SSL for everything.  Now you’re in trouble.  Here are your options:

1) Set up your own load balancer on a separate, micro instance.  ELB is nice, but if it can’t do what you want, you gotta do it the old fashioned way.

2) Set up a simple Apache instance with the certs installed, and “redirect permanent” to www.swearingatcomputers.com, which is your ELB CNAME.

3) Cry about it.

I tried option 3, but it didn’t help.  Which of the other two options would you take?
