What is the optimal arrangement for multiple HTTP + HTTPS websites?

#1
Aloha!

Edited: Inserted #5 in case it is important or convenient. (Oct 28th)

Consider the following scenario, which does actually work.
1. Three VHOSTS: www.example.com, www.example.org, and www.example.net.
2. Each has a corresponding domain name, and each has a domain alias without the www.
3. Each has a rewrite to add www if it is missing, and switch to HTTPS if the request is HTTP.
4. None has SSL configured on the VHOST.
5. Each VHOST has one static context configured, for URI '/', just to add a default charset and a customer header operation to 'set X-Robots-Tag noindex'.
5. Three listeners on port 80, one for each VHOST, and only mapped to that one VHOST with domains set to *.
6. Three listeners on port 443, configured the same as the ones for port 80, plus each has SSL configured on the listener.

Thank you for reading that. Is there a way to simplify this or do it more optimally? Especially, it feels that I should be able to have just two listeners (80 and 443), and map each to all three VHOSTS, and place the SSL config on the VHOSTS. If so, could you please explain how? All my attempts have failed. Or if there's any other way to improve on this, please share.

Mahalo,
Steve
 

Cold-Egg

Administrator
#2
Correct, you only need two listeners, HTTP and HTTPS, mapped to all virtual hosts. Please make sure you enter "www.example.com, example.com" for the www.example.com virtual host domain mapping instead of "*".
About the cert: you will need to set a cert on the HTTPS listener, and all vhosts will use the cert from it. FYI, the SSL cert in the virtual host will overwrite the listener's cert.

Scenarios 1, 2, 3, 4, 5 look fine to me.
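
Added example (not part of the thread, and not the server's own configuration format): a Python check that lints a two-listener layout against the reply above, where each virtual host lists explicit domains and a virtual host certificate takes precedence over the listener's. The data structures, virtual host names and certificate name lists are constructed for illustration.

```python
# Constructed sample data: names on the HTTPS listener's certificate,
# and per-vhost domain mappings with an optional vhost-level certificate.
LISTENER_CERT = ["www.example.com", "example.com", "www.example.org", "example.org"]
VHOSTS = {
    "example_com": {"domains": ["www.example.com", "example.com"], "cert": None},
    "example_org": {"domains": ["www.example.org", "example.org"], "cert": None},
    # This vhost carries its own certificate, which replaces the listener's.
    "example_net": {"domains": ["www.example.net", "example.net"],
                    "cert": ["www.example.net", "example.net"]},
}


def cert_covers(names, host):
    """True if host matches a certificate name; '*.' covers exactly one label."""
    host = host.lower()
    for n in (n.lower() for n in names):
        if n == host:
            return True
        if n.startswith("*.") and "." in host and host.split(".", 1)[1] == n[2:]:
            return True
    return False


def lint(listener_cert, vhosts):
    """Return findings for one shared HTTPS listener mapped to every vhost."""
    findings, owner = [], {}
    for name, vh in vhosts.items():
        effective = vh["cert"] or listener_cert  # vhost cert wins if present
        for d in (d.strip().lower() for d in vh["domains"]):
            if d == "*":
                findings.append(f"{name}: catch-all '*' mapping on a shared listener")
                continue
            if d in owner:
                findings.append(f"{d}: mapped to both {owner[d]} and {name}")
            owner.setdefault(d, name)
            if not cert_covers(effective, d):
                findings.append(f"{d}: not covered by the certificate {name} would serve")
    return findings


if __name__ == "__main__":
    for finding in lint(LISTENER_CERT, VHOSTS) or ["no findings"]:
        print(finding)
```
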
 
#3
Thanks! Lemme see if I have this right, OK?

1. There is a one-to-one mapping of HTTPS listeners to certs.
2. That means that if all three of these domains are on a single SSL cert (e.g. it's a wildcard cert or it's using the magic of a subject CN and multiple ANs), a single HTTPS listener will do.
3. That also means that if those sites are on separate certs (e.g. one for example.com, another for example.net, &c.), that each will need its own HTTPS listener.

Did I get that right?

Further,
1. Can you elaborate on why the mapping should use "www.example.com, example.com" rather than "*". Is one better than the other when a Listener is mapped to a single VHOST vs when it is mapped to multiple?
2. When would we put a cert in the VHOST(s) rather than the Listener?

Mahalo, and you should get paid for this.
 
#4
Eric and everyone,

I've been able to reduce the number of listeners by almost half now. All my sites are HTTPS, and any HTTP access will be rewritten to HTTPS and redirected with a 301. Therefore, I've been able to replace all of the per-domain HTTP listeners with a single HTTP listener. That single listener maps to every virtual host. Each virtual host mapping lists the domains that the server should respond to on HTTP. This is typically a www and naked domain name (non-www) pair (e.g. www.example.com,example.com). For domains with multiple subdomains, only one of them should have the naked domain name also listed.

I'm still experimenting with the HTTPS listeners.
 
#5
Got it. I'll rewrite all this in a while to get verification from Eric or someone that I found the correct way to have just two listeners (80 and 443), but it's working for me now.
 