SSL on Shared IP? Switching to VMware ESXi..

Hey All.

Can’t find a recent answer to this question – need to know if Interworx v4 supports multiple SSL on shared IP address.

Moving to a new data center and only have 4 WAN IPs available.

Will be routing 2 IPs to one of the server NICs which will run a CentOS 5.5 VM with Interworx (our production web server). Not sure if I can trick Interworx into seeing vLAN IPs as “real” IPs; if so, then I can break out SSL onto dedicated virtual IPs, otherwise, will need more pricey WAN IPs to get SSL working.

Keep posted…


Bump, anyone?

Seems a simple question, does InterWorx support multiple SSL certs on a shared IP?

I assume not, given the number of views and zero replies. Would be nice, IPs are limited and customers need SSL…

need to know if Interworx v4 supports multiple SSL on shared IP address.

The issue is that the web server can only support one SSL certificate per IP address on the server. That hasn’t changed.

Not sure if I can trick Interworx into seeing vLAN IPs as “real” IPs;

I’m not sure either, because I don’t really understand the situation. If the IP addresses are IPs bound to the InterWorx server, then you can mark them as dedicated and use SSL on them.


Paul, thanks.

If Apache can only bind SSL to IP 1:1, then, SOL short of creating a shared cert, something I’d like to avoid.

There must be a way to set up port forwarding on external firewall (in our case, Cisco router) such that all InterWorx created domains are routed to a single WAN IP, but internally on the LAN forward domains x, y, z to .2, .3 and have InterWorx use the LAN IPs in Apache virtual hosts where SSL certs are defined.

Apache does not care if the virtual host entry is a WAN or LAN IP, just that it’s unique.

Of course, even if it can be pulled off, will add a layer of complexity to managing SiteWorx accounts – maybe I’ll spend the extra $3/month/IP ;–)
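The layout discussed in the posts above, sketched as an Apache configuration. This is an added example, not part of any post in the thread and not a configuration generated by InterWorx; the LAN addresses, hostnames and file paths are constructed placeholders.

```apache
# Constructed example: every address, hostname and path below is a placeholder.
# In the setup discussed here the certificate is selected by the IP:port the
# connection arrived on, before any Host header is seen, so each SSL site
# needs an address of its own bound to the server.
Listen 443

<VirtualHost 192.168.10.2:443>
    ServerName www.site-x.example
    DocumentRoot /var/www/site-x
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/site-x.crt
    SSLCertificateKeyFile /etc/pki/tls/private/site-x.key
</VirtualHost>

<VirtualHost 192.168.10.3:443>
    ServerName www.site-y.example
    DocumentRoot /var/www/site-y
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/site-y.crt
    SSLCertificateKeyFile /etc/pki/tls/private/site-y.key
</VirtualHost>

# Sites without SSL can keep sharing a single address as name-based
# virtual hosts, because the Host header is readable on plain HTTP.
NameVirtualHost 192.168.10.2:80

<VirtualHost 192.168.10.2:80>
    ServerName www.site-a.example
    DocumentRoot /var/www/site-a
</VirtualHost>

<VirtualHost 192.168.10.2:80>
    ServerName www.site-b.example
    DocumentRoot /var/www/site-b
</VirtualHost>
```

Apache accepts the private addresses, but a NAT rule on the router matches on public IP and port, not on hostname. Each LAN address above therefore still needs its own WAN IP or its own public port in front of it.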

The whole PNAT thing is not worth it, trust me. Browsers won’t automatically load on different ports. Users won’t remember to add the :port# in the url. I’m not sure the search engines will even pick them up if you request indexing. All in all, just not worth it.

Just pass the monthly cost of the IP on to the customer as part of the cost for SSL. Most places do so in one way or another. If a site really wants to be serious on any level in regards to security $36/yr (assuming pass on at cost) is nothing to pay for the added sense of security a properly loading SSL cert will provide them and their customers.

$3/mo/IP sure feels like you’re getting bent over, though. I guess I shouldn’t complain about my rate anymore!

Right, agreed.

$3/IP/month is not great, but then again for my 2U server and Cisco firewall, I pay $110/month colo fee, with 1mbs bandwidth and 100mbs port.

I do pass the IP fee onto the customer of course!

Would just be nice to minimize IP usage, and consolidate as much as possible – if the SSL issue did not exist, I’d be putting the 20 client sites I host on a single shared IP, don’t think there’s a huge performance hit vs. dedicated IPs…

There is a minimal performance hit in using vhosts vs dedicated IPs these days. 10-12 years ago it was a different story.

Right, my concern in new server I’m setting up is how will InterWorx/production web server perform under VMware ESXi? New box will be a powerhouse compared to load (PowerEdge 2970 2X 6-core CPU, 32GB RAM, 6X 73GB SCSI 2.5", 2X single port NICs), but first venture into virtualization.

Bare metal setups I’m familiar with…

Uhm… as long as the OS you install has para-virtualized I/O drivers (in particular, storage) you will have NO worries. That’s a beast of a machine. I’ve run enterprise critical heavy access DBs on machines not even half that and never came close to topping the machine out.

I’ll need to check that out, going with CentOS 5.5 x64 for the virtual production LAMP web server.

Bottleneck will be those SCSI drives – with RAID 10 I’ll effectively be getting a single logical disk at 3X 15K speed, decent throughput for sure, but as I add on more VMs, they’ll be competing for disk resources.

In an ideal world one would have a huge budget and buy a powerhouse box with multiple RAID controllers and SSD drive stripes dedicated to server applications (e.g. separate VMs for MySQL, Apache/PHP, Java/Grails, Ruby on Rails, Mail server, etc.) – that kind of setup would absolutely rip ;–)

Maybe one day, the one I have spec’d out is a beauty, can’t complain, moving from an SC 1425 2X single core CPU, 2X 160GB SATA, 2GB RAM, lol

Honestly… I’d build a “cheap” Solaris/ZFS NAS/SAN box. I’ve seen stats on custom built units for less than $5,000 that absolutely scream. The thing to remember is that with disk I/O the more platters the better. You can actually be better off with many cheap SATA drives than a few SCSI/SAS/FC drives when it comes to I/O OPS. The nice thing about a Solaris/ZFS solution is that you don’t really need a RAID controller. You just need enough SATA ports & drives to give you your desired I/O OPS. ZFS handles RAID 6 in software and is quite quick to rebuild if a drive failed. You can also use a couple SSD drives for a read and write cache and dramatically increase performance once again. Then just use the system as an iSCSI target and VMware is more than happy to use it.

It’s in my budget, $5K is about what I’ll be spending on the server + Cisco ASA 5505 + VMware essentials license. I can spend more of course, just trying to be reasonable, I make diddly off of hosting, all of this is just playing games and creating a performant remote development environment.

Nice thing about the Dell machine is, it’s all just plug and pray ;–)

Building an enterprise solution as you’re suggesting, yes, the way to go for an environment that demands it; namely, tons of client sites, high server load, and constant disk I/O – not the case at present, just a small web hosting outfit here.

I will check out your suggestion, however, have been in intensive research mode since I made the decision to go with a VMware solution (appropriate given how much more complex virtualization is compared to bare metal OS setup).

Is it possible to improve InterWorx for shared SSL as described in the texts?