Lighttpd 1.4.24 finally introduces TLS SNI
The developers of lighttpd just released version 1.4.24 and with it introduced a feature that had been pending for nearly three years (Ticket #386). With TLS SNI support, lighttpd is now able to serve multiple SSL certificates from a single IP address. Before that, each certificate required its own IP address.
Let's see how to configure lighttpd to use different certificates:
$SERVER["socket"] == "10.0.0.1:443" {
    ssl.engine = "enable"
    # default certificate, also used when the client sends no SNI name
    ssl.pemfile = "www.example.org.pem"
}
$HTTP["host"] == "foo.example.org" {
    # certificate selected when the client's SNI name is foo.example.org
    ssl.pemfile = "foo.example.org.pem"
    server.document-root = "/var/www/foo.example.org"
}
The first block opens a listening socket on port 443 of 10.0.0.1, enables SSL and sets the default PEM file. The second block matches when the hostname the client asked for (the SNI name it sent during the TLS handshake) is "foo.example.org"; in that case the alternative PEM file is used instead of the default.
Sadly, not even Debian testing currently provides 1.4.24, so I'm very limited in testing this feature on my production machines.
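As an added check (my own code, not from the original post or from lighttpd), here is a small Python probe that fetches the server's certificate once without SNI and several times per hostname, then reports every name that still received the default certificate; the repetition matters because a fallback after the first connection would be missed by a single probe. The IP, port and hostnames at the bottom are assumptions taken from the configuration above.

```python
"""Verify that a TLS server really selects its certificate per SNI name."""
import hashlib
import socket
import ssl
from typing import Dict, List, Optional


def fetch_der(ip: str, port: int, server_name: Optional[str]) -> bytes:
    """Handshake with the given SNI name (None = send no SNI) and return the
    leaf certificate as DER. Verification is disabled on purpose: we want to
    see whatever the server presents, even a wrong or self-signed one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl prints,
    so it can be compared with `openssl x509 -fingerprint -sha256`."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def names_on_default_cert(default_der: bytes,
                          observed: Dict[str, List[bytes]]) -> List[str]:
    """Given the no-SNI certificate and {hostname: [DER per attempt]}, list
    the hostnames that got the default certificate in at least one attempt.
    Pass only hostnames that are expected to get a non-default certificate."""
    default_fp = fingerprint(default_der)
    return sorted(name for name, ders in observed.items()
                  if default_fp in {fingerprint(d) for d in ders})


def check_sni(ip: str, port: int, hostnames: List[str],
              rounds: int = 3) -> List[str]:
    """Probe each hostname `rounds` times and return the names that fell
    back to the default certificate at least once."""
    default_der = fetch_der(ip, port, None)
    observed = {name: [fetch_der(ip, port, name) for _ in range(rounds)]
                for name in hostnames}
    return names_on_default_cert(default_der, observed)


if __name__ == "__main__":
    # Assumed address and hostname, matching the configuration above.
    bad = check_sni("10.0.0.1", 443, ["foo.example.org"])
    print("hostnames served the default certificate:", bad or "none")
```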
Comments
Currently I use specially built Arch Linux packages on my Debian system. That way I can use Lighttpd 1.4.25, but it seems that there is a bug in the SNI implementation. The first (sometimes a few) connection works, but then it drops to the default certificate. Maybe I'm doing something wrong, but the configuration looks like your example :-).