Allowing one IP address to serve multiple hostnames
Server Name Indication
This note describes how the server uses the Server Name Indication (SNI) extension to TLS to serve more than one HTTPS hostname from a single IP address.
The RWSERVE software implements the HTTP/2 protocol over Transport Layer Security (TLS). This means that communication between browsers and the server is encrypted and shielded from the prying eyes of intermediaries (parties who are legitimately involved in carrying the traffic but who have no need to see its contents).
TLS is the successor to the now obsolete Secure Sockets Layer (SSL). One of the key tenets of the original SSL protocol was that users should be confident that the server they are communicating with is indeed the one and only server answering to that name; this requirement assures users that bad actors can't impersonate the real server. Certificate authorities, who issue the certificates used in this authentication process, bind each certificate to a particular DNS hostname (or set of hostnames).
When a user makes an initial request using the https: scheme, the browser converts the hostname into a server IP address with the help of a DNS resolver. The browser then initiates the TLS handshake with the server listening at that IP address, sending it the hostname it wants to communicate with. The server responds with the certificate for the requested hostname. The browser examines the certificate and verifies that the hostname the certificate authority placed in it matches the hostname that was requested (and that the certificate chains to an authority the browser trusts).
Originally, this handshake only worked when one, and only one, hostname/certificate pair answered at a given IP address: the server had to choose its certificate before it could see the requested hostname, which travelled inside the encrypted channel (for HTTP, in the Host header). This meant that virtual server hosting, which was commonplace for the http: scheme, could not be used for the https: scheme.
The Server Name Indication (SNI) extension, specified in IETF RFC 3546 Transport Layer Security (TLS) Extensions (since superseded by RFC 6066), removes that restriction by having the client name the host it wants in its very first handshake message, before any certificate is selected. The RWSERVE software implements SNI.
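The exchange described above, as an added example in Python (not part of RWSERVE): it builds a minimal TLS ClientHello carrying the server_name extension laid out in RFC 6066 section 3, parses the hostname back out with explicit bounds checks so a malformed hello cannot read past the buffer, and shows the server-side step of matching that name against configured hosts. The hostnames and the zeroed random field are constructed sample data, and the `hosts` list of dictionaries is an assumed shape for illustration, not the RWSERVE configuration model.

```python
"""Build and parse the SNI (server_name) extension of a TLS ClientHello.

Added example, not RWSERVE code. Shows the bytes a browser sends so that a
server listening on one IP address can pick the certificate for the requested
hostname. Layout follows RFC 5246 (ClientHello) and RFC 6066 section 3.
"""
import struct

HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 0x01
SNI_EXTENSION = 0x0000
HOST_NAME_TYPE = 0x00


def build_sni_extension(hostname: str) -> bytes:
    """server_name extension: ext type, ext length, then a ServerNameList."""
    name = hostname.encode("ascii")  # RFC 6066: host_name is ASCII (IDNs go as A-labels)
    entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SNI_EXTENSION, len(server_name_list)) + server_name_list


def build_client_hello(hostname=None, cipher_suites=(0x1301, 0xC02F)) -> bytes:
    """TLS record carrying a minimal ClientHello. hostname=None omits the
    extensions block entirely, which is what a pre-SNI client sends. The 32
    random bytes are zero because this is a constructed sample, not a real handshake."""
    body = b"\x03\x03" + bytes(32) + b"\x00"                # client_version, random, empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                     # one compression method: null
    if hostname is not None:
        ext = build_sni_extension(hostname)
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def _take(buf: bytes, pos: int, n: int) -> bytes:
    """Slice with a bounds check: a malformed hello must fail, not read past the end."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n]


def extract_sni(record: bytes):
    """Return the host_name a ClientHello asks for, or None when no SNI is present."""
    hdr = _take(record, 0, 5)
    if hdr[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    handshake = _take(record, 5, struct.unpack("!H", hdr[3:5])[0])
    if handshake[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = _take(handshake, 4, int.from_bytes(handshake[1:4], "big"))
    pos = 2 + 32                                            # skip client_version and random
    pos += 1 + _take(body, pos, 1)[0]                       # session_id
    pos += 2 + struct.unpack("!H", _take(body, pos, 2))[0]  # cipher_suites
    pos += 1 + _take(body, pos, 1)[0]                       # compression_methods
    if pos == len(body):
        return None                                         # no extensions block at all
    ext_len = struct.unpack("!H", _take(body, pos, 2))[0]
    pos += 2
    end = pos + ext_len
    _take(body, pos, ext_len)                               # whole extensions block must be present
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = _take(body, pos, elen)
        pos += elen
        if etype != SNI_EXTENSION:
            continue
        list_len = struct.unpack("!H", _take(data, 0, 2))[0]
        q = 2
        while q + 3 <= 2 + list_len:
            ntype, nlen = struct.unpack("!BH", _take(data, q, 3))
            q += 3
            name = _take(data, q, nlen)
            q += nlen
            if ntype == HOST_NAME_TYPE:
                return name.decode("ascii")
    return None


def select_host(sni, hosts):
    """The server-side step: pick the configured host whose hostname matches the SNI
    name (DNS names are case-insensitive), or None so the caller can refuse the
    connection rather than hand back some other host's certificate."""
    if sni is None:
        return None
    return next((h for h in hosts if h["hostname"].lower() == sni.lower()), None)
```

The name arrives in cleartext in the very first message of the handshake, which is what lets one IP address choose among several certificates; the same fact means the requested hostname is visible to anyone on the network path even though everything after the handshake is encrypted.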
The configuration file's server section has ip-address and port entries, which together are termed the authority. This authority is what browsers connect to when they begin the handshake.
The configuration file's host section has a hostname entry and a tls subsection, which together specify the name the host answers for and the certificate and private key used to authenticate it. The configuration file may have more than one host section, with the only restriction being that each must have its own unique hostname.
No other configuration settings are needed for SNI to work.
ip4-address        ::= unsigned-number '.' unsigned-number '.' unsigned-number '.' unsigned-number
ip-address-entry   ::= 'ip-address' SP ip4-address CR
port-entry         ::= 'port' SP (443 | [1024..65535]) CR
server-section     ::= 'server' SP LEFT-CURLY-BRACKET CR
file-system-chars  ::= (ALPHA | DIGIT | †)*
absolute-path      ::= GRAVE-ACCENT file-system-chars* GRAVE-ACCENT
private-key        ::= 'private-key' SP absolute-path CR
certificate        ::= 'certificate' SP absolute-path CR
tls-section        ::= 'tls' SP LEFT-CURLY-BRACKET CR
hostname-entry     ::= 'hostname' SP (ALPHA | DIGIT | FULL-STOP | HYPHEN)* CR
host-section       ::= 'host' SP LEFT-CURLY-BRACKET CR
† Legal file system characters vary by platform
Example 1: server with two hosts
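The following configuration is an added example constructed from the grammar above; it is not taken from the RWSERVE distribution or its documentation. It has one server section naming the authority and two host sections, each with its own hostname and its own certificate/key pair. The IP address, hostnames and file paths are placeholders, and because the section rules above show only their opening lines, the nesting and the closing RIGHT-CURLY-BRACKET lines are an assumed reading of them.

```text
server {
    ip-address 203.0.113.10
    port 443
}

host {
    hostname www.example.com
    tls {
        private-key `/etc/rwserve/tls/www.example.com.key`
        certificate `/etc/rwserve/tls/www.example.com.crt`
    }
}

host {
    hostname shop.example.org
    tls {
        private-key `/etc/rwserve/tls/shop.example.org.key`
        certificate `/etc/rwserve/tls/shop.example.org.crt`
    }
}
```

Both hosts share the single authority 203.0.113.10:443; the SNI name the browser sends decides which host's certificate is presented. Every name users may type must appear in some host section, since a browser whose requested name matches neither certificate will refuse the connection. Each private-key file should be readable only by the account the server runs as.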
Key points to remember:
- The RWSERVE software supports multiple virtual hosts using the https: scheme by means of Server Name Indication.
- Configure the server's IP address and port in the server section.
- Configure each virtual host in a separate host section, each with its own unique hostname and its own tls subsection.