I have a couple of sites that I want to move to Amazon EC2. All the sites use SSL, so each one needs a dedicated IP address. My question is: even if I host all the sites on the same instance, do I need to get one Elastic IP for each site?
-
While a dedicated IP for each SSL identity is preferred for compatibility - you cannot associate multiple Elastic IP addresses with a single EC2 instance, so you would need multiple instances as well for your scenario. (With VPC you can add 2 elastic network interfaces, and associate an Elastic IP with each, but that still only allows a small number of IP addresses to be associated with an instance.) – cyberx86 Jun 03 '12 at 16:09
2 Answers
While there are some solutions that allow multiple SSL identity certificates on a single IP address, in general if you require good browser compatibility, then you will require an IP per certificate. There are some details on why this is the case in this question.
The problem for standard name-based virtual hosts is basically that the first thing the HTTPS server does during the TLS/SSL handshake is send the SSL certificate with a "common name" identifying itself as www.mysecuresite.com - however, name-based virtual hosts rely on a "Host:" header to decide which site to serve, and that header is sent later, during the HTTP phase.
Hence (using traditional... SSL v1, old browsers etc., Windows XP) there can only be 1 SSL identity per IP address, because from the very first thing it sends the server is already known as www.amazon.com, which it cannot change afterwards...
Notes - generally these are for fairly niche situations, such as intranet or *.mydomain.com wildcard certs.
Server Name Indication is a solution for hosting multiple SSL certs on a single IP, but it has poor support:
not XP or old Safari, or old Android - works with only 1 IP - http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
Wildcard certs are not suitable in this particular situation because the server names are domain level, e.g. badger.com and monkey.com, rather than badger.server.com and monkey.server.com.
-
SAN certificates are more widely supported than SNI and are a good solution if you only have a few domains. Most of them support up to 25. – Ladadadada Jun 04 '12 at 00:52
You can't associate multiple Elastic IP addresses with a single normal EC2 instance.
You can have multiple ELBs in front of a single instance, with each one getting its own IP address and proxying to a different port on the instance.
-
Plus, you can do SSL termination at the ELB level, which simplifies SSL certificate management. That way, you wouldn't even need to proxy to different ports on the actual instance - a single port will do, receiving regular HTTP traffic. – Nikhil Dabas Jun 04 '12 at 20:12
-
Not correct anymore. It's nowadays supported with multiple Elastic IPs to one EC2. – Philip May 29 '18 at 08:32