Hey Jesse,
From what I understood SNI is not fully supported by all browsers yet.
If you need the private key of the root CA to sign a certificate this is
very bad for anything in CA's world.
The idea as far I know to use a signed certificate which will provide
everything needed to validate and encrypt the needed data.
I have never used SNI but I heard about it.
I assume that if it's part of openssl it just means that it's good and
secure.
Many providers use wildcard certificate which for example akamai and
Amazon offers\use.
I think that less about the need for that option there is a need to
encourage using more of the resources you have.
For now if there is a need for SNI nginx can provide the SSL part.
I was interested in comparison of nginx vs squid in the cache angle.
I know that squid "persistent" cache is better then nginx since nginx is
not really 100% committed to be "cache" but more like a web server.
It wont save headers and there for the response will be different while
fetched from source and served from cache(persistent).
Regards,
Eliezer
On 11/5/2012 4:27 PM, Jesse Smith wrote:
> Hello everyone, thought i'd share our recent endeavor about getting
> Squid to work with multiple SSL domains (single set of certs and one IP).
>
> We were able to get that working, but didn't do us much good as we had
> to be our own Root CA. We didn't want to have to have the users download
> our cert into their browser, just to use our site. In other words,
> everything was to remain transparent.
>
> It is impossible to use a Root CA (Commercial like Verisign), because
> you would have to have their private key to sign the generated certs.
>
> Our solution was to use the Nginx web server, which supports multiple
> SSL domains using a single IP. The server also acts as a reverse proxy.
> Nginx uses SNI to get this configuration working.
>
> I only mention this as Squid should do the same and potentially make it
> a priority as places are looking for this kind of configuration
> increasingly.
>
> Anyway, that's the story ... thanks for reading and hope it will provide
> more insight to your own situation if using multiple SSL domains hosted
> by a single IP.
>
> Thanks
-- Eliezer Croitoru https://www1.ngtech.co.il IT consulting for Nonprofit organizations eliezer <at> ngtech.co.ilReceived on Mon Nov 05 2012 - 15:02:18 MST
This archive was generated by hypermail 2.2.0 : Tue Nov 06 2012 - 12:00:03 MST