Correction in docs + more ideas


NdK
14th April 2011, 18:10
Hi.

It's me again :)

Per http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI it seems it's not needed to specify IP for SSL sites on SNI.

Another useful feature could be to add in the default sites a "hosted sites" list, with links.

Another idea could be to (optionally) have two ports listening for every SSL-enabled site: 443 and a user-defined one. This way a non-SNI-enabled client could access an SNI-requiring site after accessing the default-ssl one (could even support dynamic redirection based on the supplied hostname).

Hope these ideas help to make ISPConfig even better!

BYtE,
Diego.

till
14th April 2011, 18:16
Per http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI it seems it's not needed to specify IP for SSL sites on SNI.

SNI is not the same as normal SSL with mod_ssl. SNI is a new feature which is not supported by older browsers. So if you are in a company environment where you can force your users to use only specific browser versions, then SNI is fine. But it's not a full replacement for internet use yet. This might change in a few years when no older Internet Explorer versions are in use anymore.

NdK
14th April 2011, 21:22
I know. But current doc is at least incomplete.

If you use a fairly recent distro (even Debian Squeeze, which does not have the most up-to-date packages... for good reasons), SSL sites w/ SNI work just like the non-SSL ones, so it's really possible to use both "IP-based SSL hosts" (specifying a different IP for every host that uses SSL), or "SNI-based vhosts" (just using * as IP), or a mix of the two as needed. All on a single server.
It just misses "port-based SSL vhosts", which still require manual editing of config files.

Too bad browsers still don't use _https._tcp TXT DNS record :( It wouldn't have required SNI...

PS: if someone knows a browser that can do SNI on XP, I'd like to know...

till
14th April 2011, 22:01
ISPConfig does not support SNI-based vhosts, as they do not work in many browsers and Windows XP is still a frequently used operating system. So the doc is complete if it tells you that SNI is not supported in ISPConfig.