Running SNI on your Windows 2008 R2 Web Server
By Sergey Nosov
November 30, 2012
Introduction
The release of Windows Server 2012 brought out-of-the-box support for the Server Name Indication (SNI) extension to the Transport Layer Security/Secure Sockets Layer (TLS/SSL) protocol. SNI support is new in Internet Information Services version eight (IIS 8), included with Windows Server 2012; we do not expect this support to be back-ported to IIS 7.5 on the Windows 2008 R2 operating system.
The good news is that Apache web server software version 2.2.12 and newer support SNI. In our book Configuring Windows 2008 R2 Web Server we demonstrate how to run IIS and Apache side-by-side. The only limitation is that IIS and Apache should listen on different internet protocol (IP) addresses or on different port numbers.
So if you need to run multiple TLS/SSL secured web sites on your Windows 2008 R2 Web Server, the easiest way may be to host these sites on the Apache web server software, or to have Apache act as a proxy for web sites hosted on IIS.
Are you ready for SNI?
Supporting SNI on your web server is only half of the picture. The other half is browser support. And while modern web browsers on modern operating systems are generally not a problem, Internet Explorer (IE) on Windows XP, for example, at the time of this writing does not support SNI. As such, your SNI-extended web sites will not be reachable by many users still on Windows XP.
With the pool of available never-assigned IP version four (IPv4) addresses now exhausted, it becomes more and more difficult to obtain IPv4 addresses for your needs. And while we would like to see faster adoption of the new IP version six (IPv6) addressing scheme, which gives plenty of IP addresses for everybody, so far IPv4 is still where we are.
Because of the IP address deficit, and until IPv6 becomes prevalent, name based virtual hosting has become extremely popular for sharing a single IP address among many web sites. Traditional TLS/SSL secured web site hosting, though, required a dedicated IP address for each secured web site running on the standard TLS/SSL port (port number 443). SNI enables name based virtual hosting for secured web sites; this is why we think SNI is important.
Configuring SNI on Apache
In this exercise we will use Apache web server software installed on Windows 2008 R2 Web Server to host TLS/SSL secured web sites using SNI. For information on how to install and run Apache we recommend our book, Configuring Windows 2008 R2 Web Server. Not only does this book contain information on how to run IIS and Apache side-by-side, it also explains how to set up a testing environment to fully try out your configurations before deployment, with easy switching to live connections.
As we already mentioned, we need Apache version 2.2.12 or newer. The method described in this article also requires OpenSSL version 0.9.8f or newer, built with TLS extensions enabled.
First, open the httpd.conf file in the Apache conf folder, and check that the following line is uncommented.
LoadModule ssl_module modules/mod_ssl.so
In the “Apache Virtual Hosting” section of our book we created a virtual-hosts.conf file to host two Apache web sites on the same IP address. To keep the explanation short, we will modify this file to convert our two web sites into SNI secured web sites. The configuration options that we do not touch are detailed in the book.
Our two web sites are www.my-first-apache-site.com and www.my-second-apache-site.com; both are hosted on the 172.31.133.11 IP address. The web site names we use here are only for demonstration purposes, and any match with real web sites is unintentional; please substitute your actual domain names and IP address.
In the httpd.conf file change the Listen directive from
Listen 172.31.133.11:80
to
Listen 172.31.133.11:443
If you want Apache to continue listening on port 80 in addition to the port 443, you can keep the first line, and add the second line below. To keep this example short we are simply switching everything over to port 443, but you can certainly serve both secured and regular sites.
In the virtual-hosts.conf file replace all the instances of
172.31.133.11:80
to
172.31.133.11:443
We simply used Edit-Replace in Notepad to change everything over to port 443.
Last, but not least, we should add the following lines to each of the VirtualHost sections to tell Apache that these are secured web sites and where to find the certificates and keys.
SSLEngine On
SSLCertificateFile <certificate location>
SSLCertificateKeyFile <certificate key location>
Get the certificates from a certificate authority or create self-signed certificates, and put them in a location your server can access.
Following is the final version of our modified virtual-hosts.conf file.
# Apache 2.2 needs NameVirtualHost for name based (here: SNI based) selection on this address:port
NameVirtualHost 172.31.133.11:443
# The first VirtualHost for an address:port is also the default: a client that sends no SNI
# (for example IE on Windows XP) is served this site and its certificate.
<VirtualHost 172.31.133.11:443>
ServerName www.my-first-apache-site.com
ServerAlias my-first-apache-site.com *.my-first-apache-site.com
# Redirect any other host name to the canonical www name; %2 is "s" on port 443 and empty otherwise,
# so the redirect keeps the scheme the client used
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.my-first-apache-site\.com$ [NC]
RewriteCond %{SERVER_PORT}s ^(443(s)|[0-9]+s)$
RewriteRule ^(.*)$ http%2://www.my-first-apache-site.com%{REQUEST_URI} [R=301,L]
DocumentRoot "C:/inetpub/my-first-apache-site"
CustomLog "| bin/rotatelogs.exe logs/www.my-first-apache-site.com.access.%Y_%m_%d.log 86400 -480" combined
ErrorLog "| bin/rotatelogs.exe logs/www.my-first-apache-site.com.error.%Y_%m_%d.log 86400 -480"
<Directory "C:/inetpub/my-first-apache-site">
Options -Indexes FollowSymLinks
AllowOverride AuthConfig FileInfo Limit
Order allow,deny
Allow from all
</Directory>
# TLS settings for this site: each VirtualHost gets its own certificate and key
SSLEngine On
SSLCertificateFile "C:/cert/fa_server.cer"
SSLCertificateKeyFile "C:/cert/fa_server.key"
</VirtualHost>
# Second site on the same IP address and port; SNI selects it by the host name the client sends
<VirtualHost 172.31.133.11:443>
ServerName www.my-second-apache-site.com
ServerAlias my-second-apache-site.com *.my-second-apache-site.com
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.my-second-apache-site\.com$ [NC]
RewriteCond %{SERVER_PORT}s ^(443(s)|[0-9]+s)$
RewriteRule ^(.*)$ http%2://www.my-second-apache-site.com%{REQUEST_URI} [R=301,L]
DocumentRoot "C:/inetpub/my-second-apache-site"
CustomLog "| bin/rotatelogs.exe logs/www.my-second-apache-site.com.access.%Y_%m_%d.log 86400 -480" combined
ErrorLog "| bin/rotatelogs.exe logs/www.my-second-apache-site.com.error.%Y_%m_%d.log 86400 -480"
<Directory "C:/inetpub/my-second-apache-site">
Options -Indexes FollowSymLinks
AllowOverride AuthConfig FileInfo
Order allow,deny
Allow from all
</Directory>
SSLEngine On
SSLCertificateFile "C:/cert/sa_server.cer"
SSLCertificateKeyFile "C:/cert/sa_server.key"
</VirtualHost>
Now restart Apache and try accessing your secured web sites by host name:
https://www.my-first-apache-site.com/
https://www.my-second-apache-site.com/
If you configured everything correctly, you now serve two TLS/SSL secured web sites on the same IP address.
Do not forget to modify Windows Firewall with Advanced Security to allow access on port 443 to Apache on your server, if needed.
Consider purchasing our book, Configuring Windows 2008 R2 Web Server; loaded with tips, it is a concise manual to getting your web server up and running on Windows.
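A browser test only tells you that one site loads. The two things worth verifying are what SNI actually is on the wire (the host name travels in the ClientHello, before any certificate is chosen, which is why a client that omits it, such as IE on Windows XP from the earlier section, can only get the default virtual host's certificate) and that each of the two host names really receives its own certificate. The following Python script is an added example written for this article; it is not code from the article or from the Apache project. The ClientHello bytes it builds are constructed, the host names and the 172.31.133.11 address are the ones used above, and the live check at the bottom assumes you run it from a machine that can reach your server on port 443.

```python
import hashlib
import socket
import ssl
import struct

# --- Wire format: what the browser sends before any certificate is chosen ---
# Constructed example ClientHello (TLS 1.2 record), not a capture from the
# article's servers. Pass hostname=None to mimic a legacy client without SNI.
def build_client_hello(hostname):
    cipher_suites = b"\xc0\x2f\x00\x9c"  # two suites, purely illustrative
    body = (
        b"\x03\x03"                                   # client_version TLS 1.2
        + bytes(32)                                   # random (zeros here; real clients use random bytes)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                 # one compression method: null
    )
    if hostname is not None:
        name = hostname.encode("ascii")
        # ServerName entry: name_type (0 = host_name) + 2-byte length + name
        server_name = b"\x00" + struct.pack("!H", len(name)) + name
        server_name_list = struct.pack("!H", len(server_name)) + server_name
        # Extension type 0x0000 = server_name, then a length-prefixed ServerNameList
        ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the host_name carried in a ClientHello's SNI extension, or None
    when the bytes are not a ClientHello, are truncated, or carry no SNI."""
    try:
        if record[0] != 0x16:                        # ContentType handshake
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                            # HandshakeType client_hello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                              # truncated record
        pos = 2 + 32                                 # skip client_version and random
        pos += 1 + body[pos]                         # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                         # compression_methods
        if pos + 2 > len(body):
            return None                              # no extensions block: legacy client, no SNI
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == 0x0000 and len(edata) >= 5 and edata[2] == 0:
                name_len = struct.unpack("!H", edata[3:5])[0]
                return edata[5:5 + name_len].decode("ascii", "replace")
        return None
    except (IndexError, struct.error):
        return None


# --- Live check against your own server (needs network access to it) ---
def served_certificate_fingerprint(hostname, ip, port=443):
    """Connect to ip:port announcing `hostname` via SNI and return the SHA-256
    fingerprint of the certificate the server presented. Chain verification is
    disabled on purpose: the point is to see which certificate each virtual
    host serves, and the article's certificates may be self-signed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    import sys
    # Offline demonstration of the wire format
    for h in ("www.my-first-apache-site.com", None):
        print(repr(h), "->", parse_sni(build_client_hello(h)))
    # Live check, e.g.:
    #   python sni_check.py 172.31.133.11 www.my-first-apache-site.com www.my-second-apache-site.com
    # Two different fingerprints mean SNI selected two different virtual hosts;
    # identical fingerprints mean every name is getting the default site's certificate.
    if len(sys.argv) > 2:
        for host in sys.argv[2:]:
            print(host, served_certificate_fingerprint(host, sys.argv[1]))
```

The parser returns None for a ClientHello without an extensions block, which is exactly the case of the legacy browsers mentioned earlier: Apache never learns which site they wanted and answers with the first VirtualHost's certificate, so those users see a certificate name mismatch on the second site. The fingerprint check is the quickest way to confirm from the outside that the two names on 172.31.133.11 are not both being answered with fa_server.cer.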