I'm setting up a multisite setup (using separate databases for the sites, on the same server) and can't figure out the security problem. I need login pages, forms, etc., to be secure, which normally I'd use Secure Pages for.
Problem is installing a site certificate that'll handle the different domains. It seems clear that SSL can only apply to one domain per IP address. As I understand it, TLS Extensions seem to take care of this problem, but are not supported in many common browsers so I can't go that route.
The other solution I've come across is IP aliasing, which would mean I'd assign a different IP to each domain on the same server, then hope a certificate can be applied across all of those IPs. Is this what people do? Am I missing something? With all the people running multisite setups, I can't believe all of them are sending their login info in the clear. This is especially important in my situation since I will tie logins to Active Directory using LDAP Authentication and don't want user logins to be vulnerable.
Suggestions and ideas are very welcome! I am having a hard time finding posts that talk about this, other than the one that says multiple domains via SSL is not possible. Thanks!
Comments
From my experience it's not
From my experience it's not possible what you're talking about w/o purchasing / installing a cert per domain. Annoying but it's an unfortunate cost of doing business on dah web. Only possibility I can think of is if you have the sessions, users, authmap tables shared, protected 1 site as the login for all sites (if they are related that is) and then they login there and the session is pervasive across all sites in the "network" on that server.
Dunno if that's possible but figured I'd throw it out there at least for some investigation.
"Plaguing the world with Drupal; One Plone, Moodle, Wordpress, Joomla user at a time since 2005." ~ btopro
http://elearning.psu.edu/
http://elearning.psu.edu/projects/
http://elearning.psu.edu/drupalineducation/
Ex Uno Plures
http://elmsln.org/
http://btopro.com/
http://drupal.psu.edu/
Should be possible if you are using subdomains
If you get a wildcard cert *.domain.com then you should be able to use that one for all your domains. Again that would only work if you are using sub domains.
Maybe I'm missing something here...
We do have a wildcard certificate and they are all subdomains, but they are all running on the same server. My reading of http://drupal.org/node/278298 is that it's not possible to use more than one certificate per IP address, and that each certificate has to apply to a single domain on that IP address. So that's why I'm wondering if the solution is to use IP aliasing to give each subdomain its own IP. Then the question is whether I can make the wildcard certificate apply to all of those.
btopro, I've thought about doing what you mentioned and using the main domain for all pages that need to be secure (logins as well as form submissions and that sort of thing), but that definitely adds a level of complexity that I'd like to avoid if possible.
I'm not doing anything unusual (just a basic multisite I think!) so I'm hoping the solution is common as well -- I'm probably just not asking the question well. Any more thoughts? Thanks!
If you look at this link
If you look at this link it's possible using a wildcard cert
http://phaseshiftllc.com/archives/2008/10/27/multiple-secure-subdomains-...
The problem I think they might be having with the link you provided is they never said or offered using a wildcard cert. Have you tried it with the wildcard cert and it doesn't work?
perfect!
That link looks exactly like the help I was looking for! No, I had not tried it yet. I was trying to work out the details before asking my network admin to apply the certificate. He's not a drupaler. Anyway, thanks so much for this link, and for everyone's help!
it works!
Just want to pass on my experiences after the above post. We got the wildcard cert going, but then had to work out the virtualhost settings since before I'd used name-based virtualhosts. As mentioned in that link, you can't use name-based virtualhosts with a wildcard cert. A variation on their example VirtualDocumentRoot entry (minus the SSL lines -- these were unnecessary for me because the certificate was already being applied without that) caused Apache to serve the correct domain homepages. Interior pages didn't work though because of clean URLs, which was solved by uncommenting RewriteBase / in the respective .htaccess files as described in comment 6 of http://drupal.org/node/118569 . Hope this helps someone. For a while there I thought this just wasn't going to work.
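The setup described in the post above, sketched as an Apache configuration. This is an added example, not the poster's actual configuration or the linked article's; the domain example.com, the certificate paths and the /var/www/vhosts directory layout are assumptions.

```apache
# Constructed example: a single SSL virtual host on port 443 that serves
# every subdomain of example.com (placeholder domain) with one wildcard cert.
# Requires mod_ssl and mod_vhost_alias, plus mod_rewrite for clean URLs.

Listen 443

<VirtualHost *:443>
    # Placeholder hostnames. The certificate must carry *.example.com.
    # A wildcard covers exactly one label: site1.example.com matches,
    # a.b.example.com and the bare example.com do not.
    ServerName  www.example.com
    ServerAlias *.example.com

    SSLEngine on
    # Assumed paths; point these at the wildcard certificate and its key.
    SSLCertificateFile    /etc/ssl/certs/wildcard.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/wildcard.example.com.key

    # mod_vhost_alias: %0 expands to the full requested hostname, so
    # site1.example.com is served from /var/www/vhosts/site1.example.com
    UseCanonicalName Off
    VirtualDocumentRoot /var/www/vhosts/%0

    <Directory /var/www/vhosts>
        # Let each site's .htaccess apply (Drupal clean URLs live there).
        # Access-control directives are omitted; they differ by Apache version.
        AllowOverride All
    </Directory>
</VirtualHost>

# In each site's .htaccess, uncomment the line the post mentions:
#     RewriteBase /
# mod_vhost_alias does not set DOCUMENT_ROOT for the request, so without an
# explicit RewriteBase the per-directory rewrite rules build the wrong path
# and interior (clean URL) pages fail while the homepage still loads.
```

After reloading Apache, `openssl s_client -connect site1.example.com:443` against each subdomain shows which certificate is actually being presented.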
Awesome
It will help me because we are planning on doing this on Tuesday.