Score:0

Can I do https on some domains but not all on my site?

I have two sites (home server and Linode VPS) and I have some subdomains of one domain on one site and some on the other. I also have two or three other domains on both servers. I currently use Apache VirtualHost on both sites. None of them are currently using https.

Is it possible to start rolling out https one subdomain at a time, or is it all or nothing? Do I need to use a front end like nginx or can I do it all in Apache?

Score:1

You can "start rolling one subdomain at a time". But you can't restrict HTTPS port 443 to be open for just some of the Virtual Domains if you have one IP for all of them.

Name-based virtual hosts serve different websites based on the Host HTTP header. With HTTP, as you have now, when you type "example.com" in your browser, it connects to your IP and adds a Host: example.com to the request headers. That way the webserver matches a known virtual host, or just handles the request as the default virtual host if it's unknown (for example if you directly type an IP in your browser).

Now for the HTTPS part it's a bit different, as the TLS secure connection has to be established before HTTP headers are sent. So the webserver actually couldn't know which certificate to present, be it example1.com or example2.com (for example). Back in the old times that meant that only one valid HTTPS website per IP was allowed (well, a multi-domain certificate could work, but I don't remember any CA allowing those), i.e. no virtual hosts. But thankfully there is the TLS SNI extension, which works similarly to HTTP, except that instead of HTTP headers the domain name is passed in the TLS session information.

Now considering this, once you have enabled SSL for one website, example1.com, and generated a certificate for it, if you type https://example2.com it would actually open the example1.com website (because it's the only virtual host for the HTTPS listener), but the browser would also complain that the website presents a certificate for the wrong domain (because your webserver doesn't have both a certificate for example2.com and a virtual host for it).

To avoid that confusion I'd rather suggest you test and prepare all the certificates and config for your sites first, and then enable them all at once, at least if you host all of them on the same IP. If you have different IPs for them, I assume you understand that you can enable HTTP for them separately based on the statements above.

Score:1

For SSL support in Apache you'll need to configure a VirtualHost on port 443 for each site, so you can do it one sub-domain at a time. See Apache TLS/SSL How-To.
