7

I just spend ages moving all static content to a cookiless domain to help performance, it seems to work great! It got me thinking though, when I install SSL on my main site, am I also going to have to buy SSL on my cookieless domain to stop warning messages?

Tom Gullen
  • 2,390
  • 2
  • 18
  • 26

2 Answers2

4

Yes. There are two ways you can do this:

  1. Get two SSL certificates: one for the main domain and one for the cookieless domain. This is the cheaper way to do this but also requires maintaining two SSL certificates.

  2. Get a wildcard SSL certificate and use it for the main domain and cookieless subdomain. (Obviously your static content needs to be on a subdomain of the main website). This is more expensive but only requires maintaining one SSL certificate and allows for future subdomains to also be secure.

John Conde
  • 86,255
  • 27
  • 146
  • 241
  • 1
    2 SSL certificates will also require 2 IPs ... or one of the certificates would have to be bound to another IP (because only 1 certificate is allowed per IP:port pair -- as HTTP protocol kicks in after secure connection has been already established. TBH there are some technologies that will allow you to have multiple certificates on the same IP:port, but not every web server/browser supports them). I recommend going wildcard way. – LazyOne Jul 05 '11 at 19:41
  • 1
    Doh .. small correction: "or one of the certificates would have to be bound to another PORT". – LazyOne Jul 05 '11 at 20:15
  • @Tom If you want to secure only 2 domains: www and static (for example) then no problems with going 2 certificates -- static can easily be bound to 444 or any other port -- you would just need to add port number into URL https://static.example.com/logo.png. The only possible issue here -- some firewalls (especially in big or secure organisations) and even AntiViruses may simply block such non-standard port. – LazyOne Jul 05 '11 at 20:17
  • @Tom If you go for wildcard certificate, you can bypass the above mentioned situation + you can use your own secured CDN (if you have a lot of static resources, like product images for example, you can spread them across multiple subdomains to speed up page loading even more (one image is loaded from img1.example.com, another from img5.example.com etc)) – LazyOne Jul 05 '11 at 20:20
0

Well done for properly setting up your content so that cookies are not round-tripping for every small image, css and js file!

As for your httpd:// complication...

You can get around this by problem by serving all of the https:// traffic from the one IP address, including the static content. So long as that is login, customer account area, checkout or other areas where you really need https:// then that should not be too much stuff.

The tools you will need to effect this are in your httpd.conf files - all three of them...

If you are using .htaccess you can move all of that into your httpd.conf (which again improves performance, albeit not necessarily noticeably so). In that way you can have in effect two separate 'htaccess' ways to serve your content.

I take it that your /js /images and other static content is not on a different box? Without explaining what you changed to effect your setup, it is hard to suggest a complete solution but I think you should be able to get https:// to work off the one domain given what you have achieved already.

As for just bunging another SSL on there, the two SSLs on one IP is a bit of a myth:

http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

If you go for two certificates on one IP then your IE6 users might get a rough deal, it will work for all the other browsers though.

ʍǝɥʇɐɯ
  • 702
  • 4
  • 7
  • "Server Name Indication" -- IIS does not support it. As far as I remember from recent ticket, Tom most likely have IIS v7.5. – LazyOne Jul 05 '11 at 22:20
  • I forget about IIS! No experience of two SSL's on IIS but you can do it with a $90 cetrificate: http://www.sslshopper.com/unified-communications-uc-ssl-certificates.html – ʍǝɥʇɐɯ Jul 05 '11 at 22:27