
I need to secure 2 different domains that are both on the same EC2 instance.

Reason: 1 is a sales website. The other is the webapp. Both need to access the same MySQL database.

EDIT

Sales website means the website where users look at my pricing plans, etc and sign up. The webapp is a SaaS web application they have access to AFTER they signed up.

END of EDIT

Problem: the webapp domain needs to be using a wildcard SSL certificate that is already purchased.

The sales website needs to use a standard SSL certificate that is also already purchased.

Someone told me that an EC2 instance can only have 1 Elastic IP address.

And I cannot have more than 1 SSL cert on the 1 IP address.

I found this article http://www.invokemedia.com/setting-up-multiple-ssl-domains-on-amazon-ec2-one-ipport/ on using a UCC certificate to work around this issue.

But I am not sure if

  • a) that will work and I do not wish to unnecessarily spend money and waste it in the end.
  • b) it will work with a wildcard cert and standard cert at the same time.
  • c) using UCC will accidentally defeat the purposes of SSL access for users.
  • d) how to install and use it.
  • e) how to go about getting a UCC since I got both SSL certs from GoDaddy.

Another possible solution I can foresee is that I get the webapp hosted on 1 EC2 instance and the sales website hosted on another EC2 instance which of course will double my monthly hosting costs.

Then the problem emerges where my programming assumes that both applications need to be on the same server accessing the same MySQL database.

What is the best way out for me - security-wise, reliability-wise, efforts-wise, costs-wise, in descending order of importance?

Things I have learned

  • 1 SSL cert to 1 IP:Port not 1 SSL cert to 1 IP
  • there is such a thing called UCC SSL cert, not too sure what that means other than it allows you to have SSL for multiple domains at the same time using just 1 IP:PORT
  • there is something called ELB Elastic Load Balancer that allows you to overcome having IP on 1 EC2 instance

End of things I have learned

Kim Stacks

1 Answer

You can have more than 1 SSL cert per IP, but you can't have more than 1 SSL cert for each IP:port combination. If you're willing to try to run one of the SSL certificates on a non-standard port (anything but 443) then you can use a single IP address.

You can easily serve up a different SSL certificate on different ports.

It turns out that this can be easily implemented with Elastic Load Balancer. You can redirect port 443 on several elastic load balancer IPs to different ports on your instance.

Someone was kind enough to write a good tutorial, complete with diagrams: http://elwoodicious.com/2009/12/23/using-elb-to-serve-multiple-domains-over-ssl-on-ec2-for-giggles/

The "UCC" cert that you're referring to is a certificate with many names in the SubjectAltName field. Since you already have a wildcard certificate, you may find it to be limiting - how many different domain names are you covering with the wildcard? One advantage of a SAN-based certificate is it can cover multiple domains, but you'll need to enumerate every domain name individually when requesting the certificate rather than allowing a browser to match the wildcard cert.

akramer

  • However, since you're only running a single instance, why not use a less restrictive cloud computing platform? @akramer - I am in Asia. Amazon AsiaPacific just works for me in terms of hosting, speed, price, etc. – Kim Stacks Feb 21 '11 at 02:23
  • I am covering 1 domain name with the wildcard, but potentially thousands of subdomains with the wildcard. eg, user1.webapp.com, user2.webapp.com, user3.webapp.com, etc. – Kim Stacks Feb 21 '11 at 02:25
  • One advantage of a SAN-based certificate is it can cover multiple domains, but you'll need to enumerate every domain name individually when requesting the certificate rather than allowing a browser to match the wildcard cert @akramer - so how does this enumeration impact me? its a bad thing right? – Kim Stacks Feb 21 '11 at 02:26
  • Yes, if you're planning on having thousands of subdomains matched by the wildcard cert you won't be able to use a SubjectAltName cert. If you could put wildcards into the SubjectAltName field then it would work, but I'm not aware of anyone with a root cert that will sign that. If you can find one, please let me know. :) – akramer Feb 21 '11 at 02:31
  • @akramer Sales website means the website where users look at my pricing plans, etc and sign up. The webapp is a SaaS web application they have access to AFTER they signed up. Based on this, do you still think your original solution of using port forwarding is the optimal one? – Kim Stacks Feb 21 '11 at 02:57
  • I wouldn't call it "the optimal solution", but I think it's an inexpensive solution to this dilemma. It's a hack in a lot of senses - whichever site you point at the micro instance will have another single point of failure that could break it. On the other hand, it should be easy to automate the build of an instance that does so little, so it ought to be easy for you to keep it running. – akramer Feb 21 '11 at 03:10
  • @akramer Thank you. I am going to leave this question unanswered for another day or so in case I get a better answer. Incidentally I have posted up this request in elance to look for consultants to give me more hand holding. Would you be interested? Let me know how I can independently contact you outside of SF. – Kim Stacks Feb 21 '11 at 06:36
  • I hope someone posts a better answer as well, I'd like to know if I'm missing anything obvious. I don't have time to help set up the instance - sorry. – akramer Feb 21 '11 at 08:07
  • I found a better way and updated my original answer. – akramer Feb 21 '11 at 08:44
  • Thanks akramer. I need more help with filling up the forms in the ELB to try the new solution. I will go get help elsewhere. – Kim Stacks Feb 21 '11 at 10:16
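The two technical points in the thread above, one certificate per IP:port listener (when the server is not using SNI) and the difference between a wildcard name and an enumerated SubjectAltName list, can be checked in code. The following is an added example written for this page, not code from the question, the answer or the linked tutorials. The certificate dicts are constructed to mirror the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the domain names (`sales.example`, `webapp.example`) are placeholders, not the poster's real domains. `fetch_cert` is the only part that touches the network and is there so the same matching logic can be run against whatever a real ELB or instance port actually serves.

```python
import socket
import ssl

# Constructed sample certificates, in the dict shape ssl.getpeercert() returns.
# Hostnames are placeholders for this example, not the original poster's domains.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.webapp.example"),),),
    "subjectAltName": (("DNS", "*.webapp.example"), ("DNS", "webapp.example")),
}
STANDARD_CERT = {
    "subject": ((("commonName", "www.sales.example"),),),
    "subjectAltName": (("DNS", "www.sales.example"), ("DNS", "sales.example")),
}
# A UCC / SAN certificate has to list every name explicitly: no wildcard entry.
UCC_CERT = {
    "subject": ((("commonName", "www.sales.example"),),),
    "subjectAltName": (
        ("DNS", "www.sales.example"),
        ("DNS", "sales.example"),
        ("DNS", "user1.webapp.example"),
        ("DNS", "user2.webapp.example"),
    ),
}


def hostname_matches(pattern, hostname):
    """RFC 6125-style matching: a leading '*.' covers exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # "*.webapp.example" -> ".webapp.example"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    # Exactly one non-empty label: "user1" matches, "a.b" and "" (bare domain) do not.
    return bool(leftmost) and "." not in leftmost


def dns_names(cert):
    """All DNS names a certificate is valid for (SAN first, CN only as a legacy fallback)."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def cert_covers(cert, hostname):
    """True if any name on the certificate matches the hostname a browser will request."""
    return any(hostname_matches(name, hostname) for name in dns_names(cert))


def uncovered_hosts(cert, hostnames):
    """Hostnames that would produce a browser name-mismatch warning with this cert."""
    return [h for h in hostnames if not cert_covers(cert, h)]


def listener_conflicts(listeners):
    """listeners: iterable of (ip, port, cert_name).

    Without SNI a server can present only one certificate per IP:port, so two
    different certificates bound to the same (ip, port) are reported as a conflict.
    """
    bound = {}
    conflicts = []
    for ip, port, cert_name in listeners:
        previous = bound.setdefault((ip, port), cert_name)
        if previous != cert_name and (ip, port) not in conflicts:
            conflicts.append((ip, port))
    return conflicts


def fetch_cert(host, port, timeout=5.0):
    """Live check: return the certificate actually served on one host:port."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    tenants = ["user1.webapp.example", "user2.webapp.example", "user3.webapp.example"]
    print("wildcard leaves uncovered:", uncovered_hosts(WILDCARD_CERT, tenants))
    print("UCC leaves uncovered:     ", uncovered_hosts(UCC_CERT, tenants))
    same_port = [("10.0.0.1", 443, "standard"), ("10.0.0.1", 443, "wildcard")]
    split_ports = [("10.0.0.1", 443, "standard"), ("10.0.0.1", 8443, "wildcard")]
    print("conflicts, both on 443: ", listener_conflicts(same_port))
    print("conflicts, 443 and 8443:", listener_conflicts(split_ports))
```

Running the script shows why the answer steers away from a SAN certificate for the webapp: every new tenant subdomain is missing from the enumerated list until the certificate is reissued, while the wildcard covers them all but only to one label depth. The `listener_conflicts` check models the port-splitting workaround from the answer; if the web server and clients both support SNI, that per-listener limit no longer applies and both certificates can share port 443.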