2


QUESTION: Does Domino need an IP for each "Web Site"?
CONTEXT:
- The server has "Load Internet configurations from Server\Internet Sites documents:" enabled.
- Two domains www.domain1.com and www.domain2.org lead to this server.
- SSL certificate, Keyring and "Home URL:" are different for these two domains.

How could I define these TWO "web sites" (in administrator/Configuration/Web/Internet Sites) if they have the SAME IP? How to identify them according to their domain?

Thanks in advance.
N.B. With 2 different IPs it works (I made the test but didn't succeed with only one IP)

2 Answers

3

If you want to use SSL, then each site must have its own IP. This is because the Domino server is not able to encrypt and thereby identify each site before it knows what SSL keyring to use to decrypt the SSL connection.


Domino does not need an IP for each non-SSL site. You can have multiple non-SSL web sites on one IP.

First, you need to setup the DNS A record for the web sites to point to the public IP of the Domino server (of course).

Then in the Internet Site Web document you just identify each site by the domain name(s). Here are examples of two web sites:

Site A:

Site Information    
Descriptive name for this site: Site A
Organization:   Site B
Use this web site to handle requests which cannot be mapped to any other web sites:  No
Host names or addresses mapped to this site:    domain1.com
                                                www.domain1.com
Domino servers that host this site: *

Site B:

Site Information    
Descriptive name for this site: Site B
Organization:   Site B
Use this web site to handle requests which cannot be mapped to any other web sites:  No
Host names or addresses mapped to this site:    domain2.com
                                                www.domain2.com
Domino servers that host this site: *

The name and organization can be whatever you want, but the host names must match the DNS.

  • I take good note of the SSL, thanks. But what about the keyring? I mean some of the users have to log in (authenticate); this is done with the keyring, so according to me this also needs a separate IP. –  Mar 26 '12 at 16:30
  • Concerning the "Home URL:", I've made the test and it works even on the same IP (each site has its own different Home) –  Mar 26 '12 at 16:39
  • I don't quite understand your questions on keyring and Home URL. The keyring is for the SSL connection. Home URL defines the starting point for each site. – Per Henrik Lausten Mar 26 '12 at 16:49
  • I'm not sure I understand "This is because the Domino server is not able to encrypt and thereby identify each site before it knows what SSL keyring to use to decrypt the SSL". If a user makes a GET https://www.domain1.com (SSL encrypted), would the NAME of the server also be encrypted? –  Mar 26 '12 at 16:50
  • Yes, the name is encrypted. Only the IP is sent unencrypted. Apparently this is because of the SSL protocol version that Domino uses. – Per Henrik Lausten Mar 26 '12 at 16:56
  • Worth noting in general regarding multiple HTTPS sites on a single IP that is actually possible if either: 1) the sites use the same certificate (wildcard or SAN certificate) or 2) the client and server both support SNI (server name indication). I do not know the specifics of Domino in this regard. – Håkan Lindqvist Apr 06 '14 at 12:51
0

In case someone needs an official IBM response:

This is [name removed] from IBM support regarding the SSL issue. Yes, this is also valid for version 9.

In order to be able to use two domains with SSL, two separate IP addresses are needed. Domino is capable of loading multiple SSL configurations using internet site documents as long as each website has its own IP address. This is working as designed.

Internet site documents work by retrieving the Host header sent by the client. For a web browser, this Host header is the server name or IP address entered in the URL. Domino compares this header to the internet site documents and uses the matching site (or the default if no specific match).

Please see also:

Title: SSL connection uses first match for IP address instead of match for host name entered by web browser

Doc #: 1173919

URL: http://www.ibm.com/support/docview.wss?uid=swg21173919

Thank you!