  1. #16
    Join Date
    May 2004
    Location
    Miami
    Posts
    1,276
    Points
    21,307
    Level
    63
    Quote: Originally Posted by mdeinhardt
    Not sure if I understood you correctly, but if you have a dedicated IP for SNI, you can't install an SSL certificate on any other shared IP.
    What I mean is SNI runs on Apache, not an IP address. So any site on any shared IP address on your server can run with SNI. I just decided to move them onto one IP to avoid a non-SSL site being accessed by https and then defaulting to the first SSL site vhost, showing incorrect content for the domain name being accessed (make sense?). If all the sites on a shared IP have SSL, then that can't occur.

    But then I realized that by adding a special vhost file, kind of like a catchall, I was able to grab any non-SSL sites on https and redirect back to that same site on http, avoiding a site mismatch. So technically at this point I could mix all my SNI HTTPS sites and HTTP sites on one IP with that in place, but since I already moved them I'm going to leave them as is.

    Quote: Originally Posted by mdeinhardt
    Lowering the TTL also takes time until it has propagated, but after that the switch is fast, that's true. I have the experience though that some DNS servers don't follow the TTL and cache entries much longer, so someone somewhere might get an error when browsing to the website in question.
    Yeah, if you don't just leave it at 5 mins all the time, you'd have to make that change to 5 mins, then wait whatever the previous timeout was. Plus, like you said, some bad DNS cache stuff themselves, longer than the TTL time.
    [ JUSTIN ]
    [ OFF unit ]
    [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF ]

  2. #17
    Join Date
    Jun 2014
    Posts
    150
    Points
    2,569
    Level
    21
    I fully understand what you're saying, but I have never gotten an SSL certificate to work on any other IP than the one I have dedicated to SNI, so I assumed this is some limitation.

  3. #18
    Join Date
    May 2004
    Location
    Miami
    Posts
    1,276
    Points
    21,307
    Level
    63
    How did you set up your SNI? For me, I just started using it this year. All I did was enable it in NodeWorx Settings and it applies to the whole server. Basically there wasn't anything I needed to do, except add an SSL Certificate to a domain.

    The only time I would guess SNI headers wouldn't be sent out is if an IP is static, not a name virtual host. Then maybe SNI stuff isn't sent because it's not needed?
    [ JUSTIN ]
    [ OFF unit ]
    [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF ]

  4. #19
    Join Date
    Apr 2012
    Posts
    1,971
    Points
    17,910
    Level
    58
    Hi Justin and Michael

    I believe Justin is correct as above

    If static non shared ip, only 1 ssl can be assigned and SNI would not be involved

    If shared ip - any number of ssl can be setup and SNI is involved

    I am thinking there may be some misunderstanding of Justin's term dedicated IP for SSL - which I believe Justin meant a shared IP address which is only used for SSL and another shared IP only used for non-https

    I'm sorry if I'm wrong

    Also, Google and some browsers are alerting users when no https is available or used, more so when accessing login pages etc... and I believe Google SEO is not scoring websites as highly as it once did, if not accessed by https

    Many thanks

    John

  5. #20
    Join Date
    May 2004
    Location
    Miami
    Posts
    1,276
    Points
    21,307
    Level
    63
    Quote: Originally Posted by d2d4j
    I am thinking there may be some misunderstanding of Justin's term dedicated IP for SSL - which I believe Justin meant a shared IP address which is only used for SSL and another shared IP only used for non-https
    Good catch, I probably should have been more clear.

    Right now I have X number of Dedicated IPs (don't remember the exact number) and then I have 2 system IPs set up as Shared.

    The 2 IPs that are Shared can both run SNI, but I have moved all my SNI websites onto 1 of the Shared IPs and left the other Shared IP with just HTTP (non-SSL) sites.
    This was to avoid a situation where you could go to https://site1.com (site1 does not have SSL installed) and then it shows webpages from site2.com (which is set up for SSL and happens to be the "default" SSL that comes up by how it comes up in Apache config).

    Since all IPs on the "SNI Shared IP" are dedicated there could be no mixing.

    I've also set up an SSL "catch all" custom vhost for the non-SNI Shared IP. After doing that, I realize I could have had all my SNI Sites on the same shared IP with the non-SSL sites with this vhost in place, but I've decided to leave it separate. One benefit is when I click the globe on the Shared IP I used for SNI sites, I can get a quick glance of all websites that are running SSL.


    Quote: Originally Posted by d2d4j
    Also, Google and some browsers are alerting users when no https is available or used, more so when accessing login pages etc... and I believe Google SEO is not scoring websites as highly as it once did, if not accessed by https
    From what I've read about Google, you get a slight boost in rank if you put your full site (not just login pages, etc., but EVERYTHING) into SSL mode. There isn't a negative impact right now, but if you are tied with someone else on a keyword for 1st rank, this would give you the edge. Not sure if they also give more boost in rank if you go into HSTS mode, as far as I know they don't.
    [ JUSTIN ]
    [ OFF unit ]
    [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF ]
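
The SSL catch-all described in the post above could look like this on Apache 2.4 with mod_ssl and mod_rewrite. It is an added example, not the poster's vhost file or anything InterWorx generates; the IP 192.0.2.10, the file name, the ServerName and the certificate paths are placeholders, and it assumes vhost files are pulled in by a wildcard Include, which Apache expands in alphabetical order. TLS is negotiated before the redirect is sent, so a browser still checks the catch-all's certificate against the requested name first.

```apache
# /etc/httpd/conf.d/000-ssl-catchall.conf   (hypothetical file name)
#
# For name-based vhosts Apache falls back to the FIRST vhost it loaded for
# an ip:port when the SNI name / Host header matches no ServerName or
# ServerAlias. Without this file that fallback is whichever site's SSL
# vhost happened to load first, so https://site1.com (no SSL installed)
# would serve site2.com's pages. The 000- prefix makes this file load
# before the per-site SSL vhosts on the same shared IP.
<VirtualHost 192.0.2.10:443>
    # Placeholder name that no hosted site uses, so this vhost is only
    # ever selected as the default.
    ServerName ssl-catchall.invalid

    SSLEngine on
    # Placeholder paths. Some certificate is required to complete the
    # handshake; it will not match the requested site name.
    SSLCertificateFile    /etc/pki/tls/certs/catchall.crt
    SSLCertificateKeyFile /etc/pki/tls/private/catchall.key

    RewriteEngine On
    # Capture the host without a port, in case the client sent
    # "Host: site1.com:443".
    RewriteCond %{HTTP_HOST} ^([^:]+)
    # Send the visitor back to the same host and path over plain HTTP.
    # 302 rather than 301, so browsers do not cache the downgrade if the
    # site gets its own SSL vhost later.
    RewriteRule ^ http://%1%{REQUEST_URI} [R=302,L]
</VirtualHost>
```

Running `openssl s_client -connect 192.0.2.10:443 -servername site1.com` against the shared IP shows which certificate is presented for a name that has no SSL vhost of its own.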

  6. #21
    Join Date
    Apr 2012
    Posts
    1,971
    Points
    17,910
    Level
    58
    Hi Justin and Michael

    I could be entirely wrong, sorry, and the cost may be higher, but thanks to Justin's idea over multiple IPs in vhost, a thought came to me, which as I said, could be totally wrong so I apologise in advance

    Easy high availability clustering

    The basic premise is as follows

    Set up an independent MySQL server
    Set up an NFS /home directory
    Set up a full cluster on a unique IP
    Set up a secondary full cluster on a different IP address

    Now, using Justin's vhost for adding more A records into the vhost file, add both of the unique IP addresses assigned above

    This I think would give independent failover if a cluster manager goes down, by accepting both IP addresses, and because you had set up a MySQL server separately, the MySQL would still correctly function and also /home is also separate, no loss of websites, email etc...

    As I said, the cost is double, and you could even use NS1 from 1 node, giving its IP address and NS2 from the second node, giving its IP address, and therefore, a higher degree of load balancing would happen

    It's just a thought

    Many thanks

    John

  7. #22
    Join Date
    Dec 2016
    Posts
    4
    Points
    117
    Level
    2
    You hover over the certificate icon and it shows you which domain it's attached to.

  8. #23
    Join Date
    Apr 2012
    Posts
    1,971
    Points
    17,910
    Level
    58
    Hi bestellen

    Many thanks

    The SSL icon you refer to only shows the first cert used. This icon was mainly for dedicated IP addresses with SSL, and not SNI

    Many thanks and thanks for your post, it's good to know users are helping

    John
