SNI Implementation Guide v7
GlobalSign Solutions
SNI + CloudSSL Implementation Guide
Hosting Multiple SSL on a Single IP Address
Contents
Introduction
Why do hosting companies want SNI/CloudSSL?
Configuration instructions
  Introduction
  Webserver specific configurations
    APACHE
    CUSTOM
    DIRECTADMIN
    NGINX
    POUND
Frequently asked questions
  GETTING HELP
Introduction
SNI/CloudSSL is a solution for hosting multiple SSL certificates on a single IP address. It combines two GlobalSign products: SSL Certificates installed via Server Name Indication (SNI), and CloudSSL. The multi-domain (CloudSSL) certificate is used as a fallback to support the 8-10% of users whose clients have no support for SNI.
Why do hosting companies want SNI/CloudSSL?
- IP shortage: There's a shortage of IPv4 addresses; APNIC and RIPE (EMEA) stock is close to zero.
- Costs: More hosting companies are starting to ask for a monthly fee per IP.
- No DNS updates: When using SNI, no DNS updates have to be made when installing an SSL Certificate because multiple certificates can run on a single IP address.
- Simplicity: The CloudSSL Certificate is updated & maintained automatically by an application delivered by GlobalSign.
- SSL demand: Higher demand for SSL Certificates because of regulations and requirements from sites such as Facebook (to link a website or application).
- Differentiation: Hosting companies can't really differentiate on storage or bandwidth anymore (already high or unlimited).
Overview of Steps
1. Contact a representative to create a test account.
2. Download the application (see below) specific to your operating system.
3. Configuration.
4. The initial order needs to be approved; this can be requested from [email protected].
5. A GlobalSign sales representative will create a production account on your behalf.
Step 1: Creating a Test Account
For Europe: https://testsystem.globalsign.com/request_en/newpremium.do?domain=systemeu.globalsign.com
For the USA: https://testsystem.globalsign.com/request_en/newpremium.do
Step 2: Download Application Specific to your Operating System
Download one of these files (for your OS); the most common are the Linux 32bit (i386) and Linux 64bit (amd64) builds:
https://www.globalsign.com/downloads/cloudssl/sni/snicloudssl-linux-386.tar.gz
https://www.globalsign.com/downloads/cloudssl/sni/snicloudssl-linux-amd64.tar.gz
Other supported operating systems are:
https://www.globalsign.com/downloads/cloudssl/sni/snicloudssl-darwin-386.tar.gz
https://www.globalsign.com/downloads/cloudssl/sni/snicloudssl-darwin-amd64.tar.gz
https://www.globalsign.com/downloads/cloudssl/sni/snicloudssl-freebsd-386.tar.gz
https://www.globalsign.com/downloads/cloudssl/sni/snicloudssl-freebsd-amd64.tar.gz
https://www.globalsign.com/downloads/cloudssl/sni/snicloudssl-linux-arm.tar.gz
https://www.globalsign.com/downloads/cloudssl/sni/snicloudssl-windows-386.tar.gz
https://www.globalsign.com/downloads/cloudssl/sni/snicloudssl-windows-amd64.tar.gz
Step 3: Configuration instructions
Introduction
Apache
Custom
DirectAdmin
NGINX
Pound
cPanel
Introduction
INSTALLATION
If you encounter any problems using the program, please make sure you have downloaded the right version of this program for your kernel. To determine which version of the application you need to download, you can use the command "uname -m" in a Linux-based environment. The following indicators should help you determine whether you are using a 32-bit or 64-bit operating system:
x86_64: 64-bit kernel
i686: 32-bit kernel
You can also use the command "getconf LONG_BIT", which should return either 32 or 64.
Then execute the following commands to download and extract the application:
cd /opt
wget [filename]
tar zxf snicloudssl.tar.gz
rm snicloudssl.tar.gz
Configure the program
The program needs some information to request and update certificates. You also need an API user name and password. Please ask your account manager for these details and make sure that your server is whitelisted to access the production API. After your test account is activated, please start the configuration procedure:
cd /opt/snicloudssl/bin/
./snicloudssl -configure
Initiate the program
You need to initiate the program to order a CloudSSL certificate for each IP address:
cd /opt/snicloudssl/bin/
./snicloudssl -initiate -ip 192.168.0.1
Webserver Specific Configurations
Please continue reading the webserver specific instructions for your server.
APACHE
Configuration for domain control validation
Configure a global rewrite rule for the GlobalSign user agent in the Apache "httpd.conf" by creating a symbolic link to the file /opt/snicloudssl/etc/apache.conf in your httpd.conf directory. Command to create the symbolic link:
ln -s /opt/snicloudssl/etc/apache.conf /etc/apache2/conf.d/snicloudssl.conf
Then you need to make sure that all name-based virtual host websites (websites that run on a single IP address) are configured to inherit the global rewrite configuration.
<VirtualHost {ip}:{port}>
# Add these lines to your name-based virtual host for GlobalSign CloudSSL
RewriteEngine on
RewriteOptions inherit
</VirtualHost>
Running the program
This should work on any Linux server or desktop with Apache installed. The "apachectl" program should be in the $PATH; you can check that by typing "apachectl" on the command line. Then go to the bin directory of the program and start "./snicloudssl"; please note that this needs to be executed from the bin directory!
cd /opt/snicloudssl/bin/; ./snicloudssl
When you have completed the initial order and retrieved your order ID, you can schedule the following command in your scheduler (for example cron). You should run this command every few hours.
cd /opt/snicloudssl/bin/; ./snicloudssl -ip 192.168.0.1 -orderid CECO1211191692
After the first run
After running the program for the first time you need to update the configuration of your default website for this IP address. We will configure the CloudSSL Certificate that has been requested by the program on the default website for this IP address. The default website for an IP address is the configuration file that will be loaded first, for example 000_default.conf. When the webserver cannot find a match based on the Host header or the SNI indicator (when available), the webserver will show the default (first) website. More information on Apache virtual hosts: http://httpd.apache.org/docs/current/vhosts/examples.html#ip
The default virtual host (000_default.conf) should be configured to load the CloudSSL certificate from the "/opt/snicloudssl/ssl" directory.
NameVirtualHost 92.243.31.204:443
<VirtualHost 92.243.31.204:443>
SSLEngine on
SSLCertificateFile /opt/snicloudssl/ssl/192-168-0-1.pem
SSLCertificateKeyFile /opt/snicloudssl/ssl/192-168-0-1.key
SSLCertificateChainFile /opt/snicloudssl/ssl/192-168-0-1-ca.pem
</VirtualHost>
Apache FAQ
Q: The program is giving an error message that "apache2ctl" can't be found.
A: Make sure that the Apache "apachectl" command is listed in your PATH environment (for example: "export PATH=$PATH:/opt/apache2/bin"). If you are running the program from crontab, make sure that this PATH is included in your config or that you specify the file with "-file=/opt/apache2/bin/apachectl".
Q: When I run the program from the crontab it's not working.
A: Make sure that your "apachectl" is available in the current PATH. You might need to set the PATH variable in the crontab file. http://askubuntu.com/questions/23009/reasons-why-crontab-does-not-work
CUSTOM
Legacy support program for Server Name Indication (SNI)
This file contains some information on how to get started when using an Nginx webserver. Please read the general README file before you continue reading here.
If you are using an unsupported webserver or load balancer you can still use this program to generate and maintain the CloudSSL Certificate. In this case you can use a text file that contains one public resolving site per line. The program will extract all Subject Alternative Names from the certificates installed on these websites and request a GlobalSign CloudSSL Certificate. When using this custom implementation you can create a custom script (for example via bash) to copy or upload the resulting certificate to your webserver or load balancer.
Running the program
When you have completed the initial order and retrieved your order ID, you can schedule the following command in your scheduler (for example cron). You should run this command every few hours, optionally followed by your custom script(s) to upload the new certificate to your server or load balancer.
cd /opt/snicloudssl/bin/; ./snicloudssl -ip 192.168.0.1 -orderid CECO1211191692 -source=text -file=/tmp/sites.txt
DIRECTADMIN
Configuration for domain control validation
First you need to check whether you are using a custom configuration file. If you are using a custom config, a file named "virtual_host2.conf" should be located in "/usr/local/directadmin/data/templates/custom". If you have no custom configuration, create one with the following commands (only if you don't have a custom config already):
cd /usr/local/directadmin/data/templates
cp virtual_host2*.conf custom
cd custom
Now we can modify the custom configuration by opening the file "virtual_host2.conf" in your favorite editor and adding the "Rewrite..." lines to the virtualhost section to inherit the global rewrite configuration. When you're finished editing "virtual_host2.conf" you have to make the same change to "virtual_host2_sub.conf".
<VirtualHost |IP|:|PORT_80| |MULTI_IP|>
# Add these lines to your name-based virtual host template for GlobalSign CloudSSL
RewriteEngine on
RewriteOptions inherit
</VirtualHost>
As we only changed the template, we have to ask DirectAdmin to rewrite all configuration files by running the following command.
echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue
Now add the following line to "/etc/httpd/conf/extra/httpd-includes.conf" and reload the httpd server.
Include /opt/snicloudssl/etc/apache.conf
Scheduler
Run this command once an hour (or less) from your scheduler (for example cron):
cd /opt/snicloudssl/bin; ./snicloudssl -ip 192.168.1.7 -orderid CECO1303012883 > /opt/snicloudssl/lastrun.log 2>&1
DirectAdmin configuration
Add the following line to your DirectAdmin configuration at "/usr/local/directadmin/conf/directadmin.conf".
enable_ssl_sni=1
Now add the following default virtual host to "/etc/httpd/conf/extra/httpd-includes.conf".
<IfModule mod_ssl.c>
<VirtualHost 192.168.1.7:443>
ServerName host123.youserver.com
SSLEngine on
SSLCertificateFile /opt/snicloudssl/ssl/192-168-1-7.pem
SSLCertificateKeyFile /opt/snicloudssl/ssl/192-168-1-7.key
SSLCertificateChainFile /opt/snicloudssl/ssl/192-168-1-7-ca.pem
</VirtualHost>
</IfModule>
Then move the following lines up under the line that loads "httpd-ssl.conf" in "/etc/httpd/conf/httpd.conf":
# For user configurations not maintained by DirectAdmin. Empty by default.
Include conf/extra/httpd-includes.conf
NGINX
Legacy support program for Server Name Indication (SNI)
This file contains some information on how to get started when using an Nginx webserver.
Please read the general README file before you continue reading here.
Example Configuration of SNI-based SSL sites
The server blocks below show the basic configuration of SSL-based websites configured to run multiple SSL Certificates on a single IP address. For readability we have skipped all non-SSL-related information from the example.
server {
listen 192.168.1.144:443; ## listen for ipv4
server_name www.example1.com;
ssl on;
ssl_certificate /etc/ssl/www.example1.com.pem;
ssl_certificate_key /etc/ssl/www.example1.com.key;
include /opt/snicloudssl/etc/nginx.conf;
}
server {
listen 192.168.1.144:443; ## listen for ipv4
server_name www.example2.com;
ssl on;
ssl_certificate /etc/ssl/www.example2.com.pem;
ssl_certificate_key /etc/ssl/www.example2.com.key;
include /opt/snicloudssl/etc/nginx.conf;
}
Configuration for domain control validation
To configure the rewrite on all virtual hosts the following include line should be added to
the "server {}" block.
include /opt/snicloudssl/etc/nginx.conf;
If you don't want to use an include statement you can also decide to include the contents of
this file directly in the server configuration block.
Running the program
When you have completed the initial order and retrieved your order ID, you can schedule the following command in your scheduler (for example cron). You should run this command every few hours.
cd /opt/snicloudssl/bin/; ./snicloudssl -ip 192.168.0.1 -orderid CECO1211191692 -source=nginx -file=/etc/nginx/nginx.conf
After the first run
After running the program for the first time you need to update the configuration of your default website for this IP address. We will configure the CloudSSL Certificate that has been requested by the program on the default website for this IP address. The default website for an IP address is the server that has the "default_server" option in its listener. When the webserver cannot find a match on the SNI indicator, or when this header is not available, it will present the SSL Certificate configured for the default website.
server {
listen 192.168.1.144:443 default_server;
server_name cloudssl1.myserver.com;
ssl on;
ssl_certificate /opt/snicloudssl/ssl/192-168-0-1.pem;
ssl_certificate_key /opt/snicloudssl/ssl/192-168-0-1.key;
}
Make sure you apply these other optimizations
The ssl_protocols, ssl_ciphers and ssl_prefer_server_ciphers settings are best practice and have nothing to do with Server Name Indication in itself. If your server does not yet support TLSv1.2 and/or TLSv1.1, Nginx will ignore them.
Add the following lines to your "http {}" block:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
Adding OCSP stapling will improve the performance of your website. The resolver needs to be configured to perform the DNS lookup for the OCSP server. This can be any DNS resolver you have access to; 8.8.8.8 is an open resolver provided by Google.
resolver 8.8.8.8;
ssl_stapling on;
POUND
Pound is a reverse proxy, load balancer and HTTPS front-end for Web servers. Server Name
Indication (SNI) has been available since June 2010 as of the 2.6 series of Pound.
http://www.apsis.ch/pound
You need to configure the CloudSSL Certificate as the first certificate on your IP number so that it
will act as a fallback when no specific certificate can be located (for example because of a missing
server name in the SSL/TLS handshake).
The "Cert" configuration option of pound is pointing to a PEM certificate store. You can simply
create a PEM store by listing your key and certificates as a base64 encoded DER certificate in the
order: Server Certificate -> Intermediate Certificate(s) -> Private key.
A base64 encoded DER certificate is enclosed between "-----BEGIN CERTIFICATE-----" and "-----END
CERTIFICATE-----".
The file "/opt/snicloudssl/html/index.html" needs to be served by a local webserver on the
loopback address 127.0.0.1.
Please be aware that Pound has issues handling SSL Certificates with Subject Alternative Names in
combination with Server Name Indication (SNI). This issue does not affect the default website,
where the CloudSSL certificate is installed.
Example Configuration
ListenHTTPS
Address 192.168.1.144
Port 443
Cert "/opt/pound/ssl/cloudssl.pem"
Cert "/opt/pound/ssl/site01.pem"
Cert "/opt/pound/ssl/site02.pem"
Cert "/opt/pound/ssl/site03.pem"
# Return this file only to the GlobalSign user-agent
# when running the SNI/CloudSSL program locally
# /opt/snicloudssl/html/index.html
Service
HeadRequire "User-Agent:.*GlobalSign.*"
BackEnd
Address 127.0.0.1
Port 80
End
End
Service
HeadRequire "Host: .*site01.demo1.oneclickssl.eu.*"
BackEnd
Address 74.125.132.100
Port 80
End
End
Service
BackEnd
Address 157.166.255.18
Port 80
End
End
End
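The PEM store order the Pound section requires (server certificate, then intermediate certificate(s), then the private key) is easy to get wrong by hand. The script below is an added example, not part of the GlobalSign guide or the snicloudssl program: it builds the store from the three files the program writes for an IP address and refuses any bundle whose block order is wrong. The output path /opt/pound/ssl/cloudssl.pem is taken from the example configuration; the input file names are assumed from the Apache section.

```shell
#!/bin/sh
# Added example (not from the GlobalSign guide): assemble and sanity-check the PEM
# store that Pound's "Cert" directive reads, in the order the guide requires:
# server certificate -> intermediate certificate(s) -> private key.
# Input file names (192-168-0-1.pem, 192-168-0-1-ca.pem, 192-168-0-1.key) are
# the ones the snicloudssl program writes under /opt/snicloudssl/ssl/ (assumed).

# pem_labels FILE: print the label of every "-----BEGIN ...-----" line, in order.
pem_labels() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# check_pound_pem FILE: succeed only if the first block is a certificate, the
# last block is a private key, and there is exactly one private key overall.
check_pound_pem() {
  labels=$(pem_labels "$1" | tr '\n' ';')
  case "$labels" in
    "CERTIFICATE;"*) ;;
    *) echo "$1: first block must be the server certificate" >&2; return 1 ;;
  esac
  case "$labels" in
    *"PRIVATE KEY;") ;;
    *) echo "$1: private key must be the last block" >&2; return 1 ;;
  esac
  keys=$(pem_labels "$1" | grep -c 'PRIVATE KEY' || true)
  [ "$keys" -eq 1 ] || { echo "$1: expected one private key, found $keys" >&2; return 1; }
}

# build_pound_pem CERT CHAIN KEY OUT: concatenate in the required order.
# "awk 1" emits a newline after every line, so blocks never run together even
# when an input file lacks a trailing newline. umask 077 because OUT holds the key.
build_pound_pem() {
  for f in "$1" "$2" "$3"; do
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
  done
  (umask 077; awk 1 "$1" "$2" "$3" > "$4") || return 1
  check_pound_pem "$4"
}

# Typical use with the files written for IP 192.168.0.1:
#   build_pound_pem /opt/snicloudssl/ssl/192-168-0-1.pem \
#                   /opt/snicloudssl/ssl/192-168-0-1-ca.pem \
#                   /opt/snicloudssl/ssl/192-168-0-1.key \
#                   /opt/pound/ssl/cloudssl.pem
```

Run it after each scheduled snicloudssl run and reload Pound only when it exits 0, so a renewed certificate never replaces a working store with a malformed one.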
cPanel
Before you get started you need to check if you are running a version of cPanel & WHM of 11.38+
that provides support for Server Name Indication (SNI). It's also important that you are using an
operating system that comes with a version of OpenSSL that has support for SNI. CentOS 6+ is the
first release of CentOS that ships with support for SNI.
Configure a rewrite rule for the GlobalSign user agent in Apache by creating a symbolic
link to the file /opt/snicloudssl/etc/apache.conf in your user data standard virtual host
includes directory.
Execute the following commands to create an includes directory, a symbolic link and rebuild
the httpd.conf:
mkdir -p /usr/local/apache/conf/userdata/std
ln -s /opt/snicloudssl/etc/apache.conf /usr/local/apache/conf/userdata/std/snicloudssl.conf
/scripts/rebuildhttpdconf
Finally you have to restart the Apache webserver. You can do this from the WHM control panel or by restarting Apache with the following command.
service httpd restart
Now that the first CloudSSL certificate has been issued, you can change the default virtual host, which will only be used to serve an SSL Certificate to users that do not include the Server Name Indication header. The virtual host will not be used to provide any web content.
Login to your Web Host Manager (WHM) and go to Service Configuration >> Apache Configuration >>
Include Editor.
Add the following options (modified to use your own IP address) to the "Pre VirtualHost Include" for "All Versions" of Apache as shown in the screenshot below.
<VirtualHost 192.168.1.188:443>
SSLEngine on
SSLCertificateFile /opt/snicloudssl/ssl/192-168-1-188.pem
SSLCertificateKeyFile /opt/snicloudssl/ssl/192-168-1-188.key
SSLCertificateChainFile /opt/snicloudssl/ssl/192-168-1-188-ca.pem
</VirtualHost>
Frequently Asked Questions
Can I run this program on my Windows server?
Can I use this solution in combination with CPANEL?
Does the program also support wildcard certificates?
Will a site/name be removed from the CloudSSL Certificate if it is down?
How many sites can be hosted on a single IP address?
Where can I find actual statistics about the Windows XP market share?
Why not use the CloudSSL certificate alone?
Can I run this program on my Windows server? You can run the program on Windows but it can’t communicate with IIS directly. While you probably could import the generated certificate with the Microsoft PowerShell we have no examples for this. Microsoft IIS has Server Name Indication support from version 8 and later.
Can I use this solution in combination with CPANEL? Yes, from cPanel & WHM 11.38 they overhauled the SSL Management system (for Apache). These changes bring full support for SNI to allow hosting multiple SSL Certificates on the same IP address (among others). cPanel will require CentOS/RHEL 6 on the server side, as they ship with SNI support in OpenSSL.
http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers=&discussionID=223328914&gid=2124565&commentID=129128475&trk=view_disc&ut=1hK7rQnkuF9BI1
http://blog.cpanel.net/ssl-improvements-for-cpanel-whm/
Does the program also support wildcard certificates? Yes, but the domain should resolve to the same IP address (e.g. *.domain.com has the same IP address as domain.com).
Will a site/name be removed from the CloudSSL Certificate if it is down? The FQDN will be removed from the certificate when the site has been down or returning an invalid certificate more than 5 times.
How many sites can be hosted on a single IP address? With Server Name Indication you can host as many sites as you like, but as we need CloudSSL for the legacy users we are limited to the technical size limit of the TLS handshake. GlobalSign supports up to 300 names in a certificate, but keep in mind that many certificates are valid for www.domain.com and domain.com, and would take two places on the CloudSSL certificate.
Where can I find actual statistics about the Windows XP market share? You can calculate the actual percentage by multiplying the percentage of Internet Explorer users (30%) by the percentage of Windows XP users (24%). In January 2013 this number was 7.2%. Including some other clients that do not support SNI, the number falls between 8-10% of the clients. You can download these percentages from http://gs.statcounter.com/.
Why not use the CloudSSL certificate alone? The CloudSSL solution on its own has a few disadvantages. It only allows issuing Domain Validated certificates, for the following reason: there will be one certificate, issued to the hosting company, validated on an organization level. Because domains use extensions of this certificate, they can only be validated on domain level. Partners would not be able to sell OV or EV certificates to their customers using CloudSSL. This setup also means that if a visitor to a CloudSSL secured site clicks on the certificate details, they would see the hosting company's details and all other sites listed in the certificate.
GETTING HELP
Every GlobalSign enterprise customer has a dedicated Account Manager who is on hand to help with any commercial and technical queries you may have about reselling SSL. GlobalSign also provides technical support through our Client Service departments around the world. www.globalsign.com/support
GlobalSign US & Canada
Tel: 1-877-775-4562
www.globalsign.com
GlobalSign EU
Tel: +32 16 891900
www.globalsign.eu
GlobalSign UK
Tel: +44 1622 766766
www.globalsign.co.uk
GlobalSign FR
Tel: +33 1 82 88 01 24
www.globalsign.fr
GlobalSign DE
Tel: +49 30 8878 9310
www.globalsign.de
GlobalSign NL
Tel: +31 20 8908021
www.globalsign.nl