Apache SNI: Is it possible to mix non-secure hosts with secure hosts on the same interface?

Nick asked:

On a shared server, we have some sites that only run on port 80. However, there are other sites that run on both port 80 and 443.

For example:

<VirtualHost *:80>
  ServerName unsecure.com
</VirtualHost>

<VirtualHost *:80>
  ServerName secure.com
  RedirectPermanent / https://secure.com
</VirtualHost>

<VirtualHost *:443>
  ServerName secure.com
</VirtualHost>

Requests to https://unsecure.com will be presented the certificate for secure.com. Is there any way to avoid this other than separating out the interfaces (i.e. foo:80 and bar:443 which isn’t possible in this situation). Many of these sites on port 80 are legacy sites, and setting them up to use SSL isn’t as straightforward as we had hoped.

My answer:


You don’t need separate network interfaces, just separate IP addresses. Sites which are deployed with https get one IP address, while sites with http only get the other IP address. When a site is migrated to https, its DNS address records also get changed to the other IP address.

In Apache, you will change the Listen directives to correspond to those IP addresses. For example:

Listen 198.51.100.37:80
Listen 203.0.113.252:80
Listen 203.0.113.252:443

This is the only way to do it reliably.
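The layout described in the answer, written out as a complete Apache configuration. This is an added illustration, not part of the original answer; the DocumentRoot and certificate paths are placeholders.

```apache
# Added example: one IP address per deployment mode.
# The addresses are the RFC 5737 documentation ranges used in the answer.

# HTTP-only sites live on 198.51.100.37. Nothing listens on its port 443,
# so a request for https://unsecure.com is refused at the TCP level instead
# of being answered with the certificate for secure.com.
Listen 198.51.100.37:80

# Sites that serve HTTPS live on 203.0.113.252, on both ports.
Listen 203.0.113.252:80
Listen 203.0.113.252:443

<VirtualHost 198.51.100.37:80>
    ServerName unsecure.com
    # placeholder path
    DocumentRoot /var/www/unsecure.com
</VirtualHost>

<VirtualHost 203.0.113.252:80>
    ServerName secure.com
    # Send plain-HTTP visitors to the TLS site, preserving the request path.
    RedirectPermanent / https://secure.com/
</VirtualHost>

<VirtualHost 203.0.113.252:443>
    ServerName secure.com
    # placeholder path
    DocumentRoot /var/www/secure.com
    SSLEngine on
    # placeholder paths for the site's certificate and private key
    SSLCertificateFile /etc/ssl/certs/secure.com.crt
    SSLCertificateKeyFile /etc/ssl/private/secure.com.key
</VirtualHost>
```

Because each VirtualHost is bound to a specific address rather than `*`, a hostname that is moved from one IP to the other only needs its A record and its VirtualHost address updated; no other site's configuration is touched.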


View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.