Allowing one IP address to serve multiple hostnames

Server Name Indication

Preliminaries

This note describes how the server makes use of the Server Name Indication (SNI) protocol to allow more than one HTTPS hostname per IP address.

The RWSERVE software implements the HTTP/2 protocol over Transport Layer Security (TLS). This means that communication between browsers and the server is encrypted and kept from the prying eyes of other participants (who are legitimately involved in the transmission of data, but who have no need to be privy to what that data is).

TLS is the replacement for the now obsolete Secure Sockets Layer (SSL). One of the key tenets of the original SSL protocol was that users should be confident that the server they are communicating with is indeed the one and only server answering to that name. This requirement assures users that bad actors can't impersonate the real server. Certificate authorities, who issue the certificates used in this authentication process (still commonly called SSL certificates), create each certificate for one or more specific DNS hostnames.

When a user makes an initial request using the https: scheme, the browser converts the hostname into a server IP address with the help of a DNS resolver. The browser then initiates the TLS handshake with the server listening at that IP address by sending a ClientHello message. The server responds by sending back its certificate. The browser verifies that the certificate chains to a certificate authority it trusts, and that the hostname the certificate authority bound into it (its Subject Alternative Name) matches the hostname the user asked for.

In the original handshake the ClientHello carried no hostname, so the server had nothing but the IP address and port to go on when choosing which certificate to send. This only worked when there was one, and only one, hostname/certificate pair answering to a given IP address, which meant that name-based virtual hosting, commonplace for the http: scheme, could not be used for https:.

The Server Name Indication (SNI) extension, first specified in IETF RFC 3546 Transport Layer Security (TLS) Extensions (the current specification is RFC 6066), removes that restriction: the browser includes the hostname it wants in a server_name extension of the ClientHello, and the server uses it to select the matching certificate before it replies. Note that the ClientHello is sent before any keys have been negotiated, so the SNI hostname travels in cleartext and is visible to anyone on the network path. The RWSERVE software implements SNI.
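The exchange described above, as an added example that is not part of RWSERVE or of this page: a builder for a minimal ClientHello and a bounds-checked parser that pulls the host_name out of its server_name extension, written in Python. The byte layout follows the TLS record and handshake formats and RFC 6066; the sample ClientHello is constructed here rather than captured, and its fixed client random and short cipher suite list are assumptions made for the example.

```python
import struct

SERVER_NAME_EXT = 0x0000          # extension type "server_name" (RFC 6066)
SUPPORTED_VERSIONS_EXT = 0x002B   # a second extension, so the parser has to skip one
HOST_NAME_TYPE = 0x00             # the only NameType defined: host_name


class _Reader:
    """Bounds-checked cursor over a byte string; every overrun is a ValueError."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated at offset %d" % self.pos)
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]

    def u24(self) -> int:
        return int.from_bytes(self.take(3), "big")

    def done(self) -> bool:
        return self.pos == len(self.buf)


def build_client_hello(hostname=None) -> bytes:
    """Constructed minimal ClientHello: one handshake message in one TLS record.
    With hostname=None no extensions are sent at all, like a pre-SNI client."""
    suites = b"\x13\x01\x13\x02\x00\x2f"          # AES-128-GCM, AES-256-GCM (1.3), RSA-AES-128-CBC (1.2)
    body = (b"\x03\x03"                            # legacy client_version (TLS 1.2)
            + b"\x11" * 32                         # client random, fixed here; real clients use a CSPRNG
            + b"\x00"                              # empty legacy_session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                         # one compression method: null
    if hostname is not None:
        versions = b"\x03\x04\x03\x03"             # supported_versions: TLS 1.3, TLS 1.2
        sv = struct.pack("!B", len(versions)) + versions
        name = hostname.encode("ascii")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        exts = (struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(sv)) + sv
                + struct.pack("!HH", SERVER_NAME_EXT, len(sni)) + sni)
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # ContentType handshake


def extract_sni(record: bytes):
    """Return the host_name from the server_name extension, or None if the ClientHello
    carries no SNI. Malformed input raises ValueError; nothing is sliced without a
    length check, because this parser faces unauthenticated bytes."""
    rec = _Reader(record)
    if rec.u8() != 0x16:
        raise ValueError("not a TLS handshake record")
    rec.take(2)                                  # record-layer legacy version
    hs = _Reader(rec.take(rec.u16()))            # one handshake message per record is assumed
    if hs.u8() != 0x01:
        raise ValueError("not a ClientHello")
    body = _Reader(hs.take(hs.u24()))
    if not hs.done():
        raise ValueError("trailing bytes after ClientHello")
    body.take(2 + 32)                            # client_version, random
    body.take(body.u8())                         # legacy_session_id
    body.take(body.u16())                        # cipher_suites
    body.take(body.u8())                         # compression_methods
    if body.done():
        return None                              # no extensions: a pre-SNI client
    exts = _Reader(body.take(body.u16()))
    if not body.done():
        raise ValueError("trailing bytes after extensions")
    while not exts.done():
        ext_type = exts.u16()
        ext_data = exts.take(exts.u16())
        if ext_type == SERVER_NAME_EXT:
            return _host_name(ext_data)
    return None


def _host_name(ext_data: bytes):
    names = _Reader(ext_data)
    entries = _Reader(names.take(names.u16()))
    if not names.done():
        raise ValueError("bad ServerNameList length")
    while not entries.done():
        name_type = entries.u8()
        name = entries.take(entries.u16())
        if name_type == HOST_NAME_TYPE:
            # RFC 6066: ASCII, no trailing dot. Reject anything odd rather than let it
            # drive certificate selection or land unescaped in a log line.
            if not name or not name.isascii() or name.endswith(b".") or b"\x00" in name:
                raise ValueError("invalid host_name")
            return name.decode("ascii")
    return None
```

Calling `extract_sni(build_client_hello("login.example.com"))` returns the hostname, and `b"login.example.com" in build_client_hello("login.example.com")` is true, which is the cleartext point made above: the name is readable before any encryption exists. A truncated record, a non-handshake record type, or a host_name with a trailing dot all raise ValueError instead of being guessed at.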

Configuration

The configuration file's server section has ip-address and port entries, which together are termed the authority. This authority is what browsers initially connect to during the handshake.

The configuration file's host section has a hostname entry and a tls subsection, which specifies the certificate and private key used in the authentication process. The configuration file may have more than one host section, with the only restriction being that each must have a unique hostname and its own tls subsection.

No other configuration settings are needed for SNI to work.

EBNF

SP ::= U+20
CR ::= U+0D
HYPHEN ::= U+2D
FULL-STOP ::= U+2E
GRAVE-ACCENT ::= U+60
LEFT-CURLY-BRACKET ::= U+7B
RIGHT-CURLY-BRACKET ::= U+7D
unsigned-number ::= 0..255
ip4-address ::= unsigned-number FULL-STOP unsigned-number FULL-STOP unsigned-number FULL-STOP unsigned-number
ip-address-entry ::= 'ip-address' SP ip4-address CR
port-entry ::= 'port' SP (443 | [1024..65535]) CR
server-section ::= 'server' SP LEFT-CURLY-BRACKET CR
    ip-address-entry
    port-entry
    RIGHT-CURLY-BRACKET CR
file-system-chars ::= (ALPHA | DIGIT | †)*
absolute-path ::= GRAVE-ACCENT file-system-chars GRAVE-ACCENT
private-key ::= 'private-key' SP absolute-path CR
certificate ::= 'certificate' SP absolute-path CR
tls-section ::= 'tls' SP LEFT-CURLY-BRACKET CR
    private-key
    certificate
    RIGHT-CURLY-BRACKET CR
hostname-entry ::= 'hostname' SP (ALPHA | DIGIT | FULL-STOP | HYPHEN)* CR
host-section ::= 'host' SP LEFT-CURLY-BRACKET CR
    hostname-entry
    tls-section
    RIGHT-CURLY-BRACKET CR

† Legal file system characters vary by platform

Cookbook

Example 1: server with two hosts
server {
    ip-address 10.20.30.40
    port 443
}
host {
    hostname login.example.com
    tls {
        private-key `/etc/letsencrypt/live/login.example.com/privkey.pem`
        certificate `/etc/letsencrypt/live/login.example.com/fullchain.pem`
    }
}
host {
    hostname www.example.com
    tls {
        private-key `/etc/letsencrypt/live/www.example.com/privkey.pem`
        certificate `/etc/letsencrypt/live/www.example.com/fullchain.pem`
    }
}
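An added example, not RWSERVE's own configuration loader: a Python parser for the server and host sections as laid out in the EBNF above, run over the cookbook example, followed by the lookup the server has to perform when an SNI hostname arrives. It enforces the rules the page states (four octets of 0..255, port 443 or 1024..65535, hostname characters, paths in grave accents, one tls subsection per host, unique hostnames). Accepting LF and CRLF as well as CR line endings, comparing hostnames case-insensitively (DNS names are), and requiring at least one host section are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")   # hostname-entry: (ALPHA | DIGIT | FULL-STOP | HYPHEN)*
PATH_RE = re.compile(r"^`([^`]+)`$")            # absolute-path: GRAVE-ACCENT ... GRAVE-ACCENT


@dataclass
class Host:
    hostname: str
    private_key: str
    certificate: str


@dataclass
class ServerConfig:
    ip_address: str
    port: int
    hosts: List[Host] = field(default_factory=list)


def _tree(text: str) -> list:
    """Brace-delimited lines -> nested {name, entries, sections} nodes.
    CR, LF and CRLF are all accepted as line ends (the EBNF says CR; assumption)."""
    root = {"name": "<root>", "entries": [], "sections": []}
    stack = [root]
    for raw in re.split(r"\r\n|\r|\n", text):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            node = {"name": line[:-1].strip(), "entries": [], "sections": []}
            stack[-1]["sections"].append(node)
            stack.append(node)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            if not value.strip():
                raise ValueError("entry without a value: %r" % line)
            stack[-1]["entries"].append((key, value.strip()))
    if len(stack) != 1:
        raise ValueError("unclosed section %r" % stack[-1]["name"])
    return root["sections"]


def _one(items, what):
    if len(items) != 1:
        raise ValueError("exactly one %s required, found %d" % (what, len(items)))
    return items[0]


def _entry(node, key):
    return _one([v for k, v in node["entries"] if k == key], "%s entry in %s" % (key, node["name"]))


def _path(value):
    m = PATH_RE.match(value)
    if not m:
        raise ValueError("path must be wrapped in grave accents: %s" % value)
    return m.group(1)


def parse_config(text: str) -> ServerConfig:
    top = _tree(text)
    server = _one([s for s in top if s["name"] == "server"], "server section")
    ip = _entry(server, "ip-address")
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("ip-address must be four decimal octets 0..255: %s" % ip)
    port = _entry(server, "port")
    if not port.isdigit() or not (int(port) == 443 or 1024 <= int(port) <= 65535):
        raise ValueError("port must be 443 or 1024..65535: %s" % port)
    config = ServerConfig(ip, int(port))
    seen = set()
    for h in (s for s in top if s["name"] == "host"):
        hostname = _entry(h, "hostname")
        if not HOSTNAME_RE.match(hostname):
            raise ValueError("illegal hostname: %r" % hostname)
        if hostname.lower() in seen:               # two hosts answering to one name is ambiguous
            raise ValueError("duplicate hostname: %s" % hostname)
        seen.add(hostname.lower())
        tls = _one([s for s in h["sections"] if s["name"] == "tls"], "tls subsection in host %s" % hostname)
        config.hosts.append(Host(hostname, _path(_entry(tls, "private-key")), _path(_entry(tls, "certificate"))))
    if not config.hosts:
        raise ValueError("at least one host section required")
    return config


def select_host(config: ServerConfig, server_name: str) -> Optional[Host]:
    """The decision SNI enables: from the host_name in the ClientHello, pick the host
    section whose hostname matches, and with it the certificate and key for this handshake."""
    for h in config.hosts:
        if h.hostname.lower() == server_name.lower():
            return h
    return None


# Constructed input: the cookbook example from this page.
EXAMPLE_CONFIG = """
server {
    ip-address 10.20.30.40
    port 443
}
host {
    hostname login.example.com
    tls {
        private-key `/etc/letsencrypt/live/login.example.com/privkey.pem`
        certificate `/etc/letsencrypt/live/login.example.com/fullchain.pem`
    }
}
host {
    hostname www.example.com
    tls {
        private-key `/etc/letsencrypt/live/www.example.com/privkey.pem`
        certificate `/etc/letsencrypt/live/www.example.com/fullchain.pem`
    }
}
"""
```

`parse_config(EXAMPLE_CONFIG)` yields the authority 10.20.30.40:443 and two hosts; `select_host(cfg, "www.example.com")` returns the www host with its fullchain.pem and privkey.pem paths, while a name with no host section returns None, which is the case the server has to handle deliberately (it has no certificate it can honestly present for that name). Changing the second hostname to LOGIN.example.com, the port to 80, or dropping the grave accents around a path each make parse_config raise ValueError.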

Review

Key points to remember:

  • The RWSERVE software supports multiple virtual hosts on the https: scheme by means of Server Name Indication.
  • Configure the server's IP address and port in the server section.
  • Configure each virtual host in separate host sections.
