Yes, you can use host-headers for non-SSL sites. Part of the HTTP/1.1
request includes a Host: HTTP header which tells the server which server you
wish to connect to, eg:

GET /default.asp HTTP/1.1
HOST: www.yourcompany.com

However, this isn't possible with SSL sites because the HTTP request is
encrypted (including the HTTP Host: header), which means that the server
can't work out which website should respond/decrypt the request. Hence, host
headers can't be used to delineate SSL websites hosted on the same IP/port
combination.

Cheers
Ken

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Andreas" <andreas@q...>
Subject: [security_asp] RE: SSL Setup and ASP usage


: You're right Ken, to be honest I haven't tried to set up multiple sites
: using SSL without having one static ip address assigned to each site.
:
: Though - you can use http headers for separating traffic for sites that
: doesn't use SSL. A lot of companies that hosts small sites usually does
: this for minimizing the number of required ip addresses.
:
: Regards:
: /andreas.q3p
:
: -----Original Message-----
: From: Ken Schaefer [mailto:ken@a...]
: Sent: den 13 februari 2003 03:54
: To: Security_asp
: Subject: [security_asp] RE: SSL Setup and ASP usage
:
: Neither of the two responses is 100% correct.
:
: Andreas is correct in that you can have multiple certificates on a
: single
: webserver.
:
: However, he is incorrect when he says:
: <quote>
: : but if you must use the same IP address for all sites
: : you can play around with host headers or TCP ports for separating
: : traffic.
: </quote>
:
: If you have multiple certs, then each site must have a unique
: combination of
: IP address + TCP Port. You can not use different host-headers to
: separate
: each site. Why? The HTTP Host header that is sent by the client is part
: of
: the HTTP request, and as such is at a higher level than SSL operates at.
:
: Cheers
: Ken
:
: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: From: "Andreas" <andreas@q...>
: Subject: [security_asp] RE: SSL Setup and ASP usage
:
:
: : Whoa.... wait a min...
: :
: : > Problem with IIS (not sure if this exists in apache) is, you can
: only
: : have > 1 cert per webserver... meaning, you can't have 5 sites on 1
: : webserver all
: : > using their own certificate... kinda bites.
: :
: : Nope, this is incorrect. You may have noticed that you can create web
: : sites in the IIS mmc? Each of those can have it's own SSL certificate,
: : I've done this many times.
: :
: : The interesting part is how you separate traffic for the different
: : sites, if you can have one static IP address for each site it's the
: : recommended setup but if you must use the same IP address for all
: sites
: : you can play around with host headers or TCP ports for separating
: : traffic.
: :
: : PS: Regarding the SSL setup, configure your site to only allow secure
: : connections - then everyone trying to reach the site by using HTTP://
: : will get an error. If you would like to redirect users from here do it
: : in a custom error page instead - then you don't have to make sure that
: : you've included the file for redirecting.
: :
: : Bottom line: You can have "n" number of certificates installed on a
: box
: : running IIS.
: :
: : Regards:
: : /andreas.q3p
: :
: : -----Original Message-----
: : From: MacKenzie, Colin [mailto:cmackenzie@i...]
: : Sent: den 22 januari 2003 17:04
: : To: Security_asp
: : Subject: [security_asp] RE: SSL Setup and ASP usage
: :
: : Nothing is needed in the actual asp page.  Install the cert in IIS and
: : verify you're asp page is running off of https instead of http... you
: : can
: : have a simple include file that checks
: : request.servervariables("server_name") for https, if it finds it,
: you're
: : secure, if not grab the path of the script currently running and
: : redirect
: : (with javascript so it does actually redirect) to
: : https://(server)/(script
: : path).
: :
: : Problem with IIS (not sure if this exists in apache) is, you can only
: : have 1
: : cert per webserver... meaning, you can't have 5 sites on 1 webserver
: all
: : using their own certificate... kinda bites.
: :
: : Cheers,
: :
: : Colin MacKenzie
: :
: : -----Original Message-----
: : From: Jeremy Simpson [mailto:jsimpson34@e...]
: : Sent: Wednesday, January 22, 2003 9:14 AM
: : To: Security_asp
: : Subject: [security_asp] SSL Setup and ASP usage
: :
: : What is required in ASP for a page to use SSL security? A budy of mine
: : says this: Once the SSL cert server is loaded, I think the
: : trick is just doing an include on each page that says "use that cert".
: : Is he correct? I want my ASP to allow Internet Users to logon using
: SSL.
: : What is involved when using SSL?
: :
: : Thanks
: :
: : %%email.unsub%%
: :
: :
:
:
: %%email.unsub%%
:
: