Running multiple HTTPS websites on a single server using port 443 is not just possible—it's a common practice in modern web hosting. The key lies in Server Name Indication (SNI), a TLS extension that allows the server to present multiple SSL certificates on the same IP and port.
What you need:
- Apache HTTP Server (2.2.12 or later with SNI support)
- Valid SSL certificates for each domain (e.g., from Let's Encrypt)
- Proper DNS configuration pointing both domains to your server IP
Here's how to configure two SSL sites (example.com and example.ca) on port 443:
# /etc/apache2/sites-available/example.com.conf
<VirtualHost *:443>
ServerName example.com
DocumentRoot /var/www/example.com
SSLEngine on
SSLCertificateFile /etc/ssl/certs/example.com.crt
SSLCertificateKeyFile /etc/ssl/private/example.com.key
SSLCertificateChainFile /etc/ssl/certs/example.com.ca-bundle
</VirtualHost>
# /etc/apache2/sites-available/example.ca.conf
<VirtualHost *:443>
ServerName example.ca
DocumentRoot /var/www/example.ca
SSLEngine on
SSLCertificateFile /etc/ssl/certs/example.ca.crt
SSLCertificateKeyFile /etc/ssl/private/example.ca.key
SSLCertificateChainFile /etc/ssl/certs/example.ca.ca-bundle
</VirtualHost>
After creating these files, enable the sites and reload Apache:
sudo a2ensite example.com.conf
sudo a2ensite example.ca.conf
sudo systemctl reload apache2
Verify both sites are serving HTTPS correctly:
curl -v https://example.com
curl -v https://example.ca
Browser Compatibility: All modern browsers support SNI, but some legacy clients (like Android 2.x) do not send it and therefore receive the certificate of the default virtual host rather than the one for the site they requested. Consider a fallback certificate if needed.
Certificate Warnings: Ensure each certificate covers either the exact domain or uses wildcards properly. Mixed content warnings often come from loading HTTP resources on HTTPS pages.
For high-traffic setups, consider:
- OCSP stapling to reduce SSL handshake time
- HTTP/2 for multiplexed connections
- Proper cipher suite configuration for security and performance
When configuring multiple HTTPS websites on a single Apache server, many administrators wonder if it's possible to use port 443 for all sites. The answer is yes - through Server Name Indication (SNI), a TLS extension that enables name-based virtual hosting for HTTPS.
Traditional HTTPS hosting required separate IP addresses for each SSL certificate. SNI solves this by including the hostname in the initial TLS handshake:
Client Hello -> Server (contains requested hostname)
Server -> Selects correct certificate based on SNI
TLS connection established
HTTP communication begins
Here's a complete virtual host configuration for two sites sharing port 443:
<VirtualHost *:443>
ServerName example.com
DocumentRoot /var/www/example.com
SSLEngine on
SSLCertificateFile /etc/ssl/certs/example.com.crt
SSLCertificateKeyFile /etc/ssl/private/example.com.key
SSLCertificateChainFile /etc/ssl/certs/example.com.ca-bundle
</VirtualHost>
<VirtualHost *:443>
ServerName example.ca
DocumentRoot /var/www/example.ca
SSLEngine on
SSLCertificateFile /etc/ssl/certs/example.ca.crt
SSLCertificateKeyFile /etc/ssl/private/example.ca.key
SSLCertificateChainFile /etc/ssl/certs/example.ca.ca-bundle
</VirtualHost>
For this setup to work:
- Apache 2.2.12+ with OpenSSL 0.9.8f+
- Modern browsers (IE7+ on Vista+, all current browsers)
- Each site must have its own SSL certificate
After making changes, always test:
apachectl configtest
systemctl restart apache2
openssl s_client -connect example.com:443 -servername example.com -tlsextdebug
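The curl and openssl s_client checks above confirm a handshake succeeds, but not that each virtual host is actually presenting the certificate for its own name. The following Python script is an added example, not part of the original article: it handshakes with each site sending that site's SNI name, then checks that the served certificate covers the name (subjectAltName or commonName, with single-label wildcard matching); calling fetch_cert with sni=None shows which certificate a non-SNI legacy client would get. It assumes the two hosts from the article and a system CA store that trusts their issuer.

```python
import socket
import ssl
from typing import Optional

def cert_names(cert: dict) -> list:
    """DNS names a certificate dict (as returned by SSLSocket.getpeercert())
    covers: subjectAltName DNS entries plus the subject commonName."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [v for k, v in rdn if k == "commonName"]
    return names

def name_matches(hostname: str, pattern: str) -> bool:
    """Exact match, or a leading wildcard that covers exactly one label:
    *.example.com matches www.example.com, not example.com or a.b.example.com."""
    hostname, pattern = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        head, sep, tail = hostname.partition(".")
        return bool(sep) and head != "" and "." + tail == pattern[1:]
    return False

def cert_covers(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for hostname."""
    return any(name_matches(hostname, n) for n in cert_names(cert))

def fetch_cert(host: str, port: int = 443, sni: Optional[str] = None) -> dict:
    """Handshake with host sending SNI name sni (None = no SNI, like a legacy
    client) and return the leaf certificate. The chain is still verified against
    the system CA store; only the hostname check is off so a mismatch is returned."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()

def check_vhost(host: str, port: int = 443) -> bool:
    """Connect with SNI=host and report whether the served certificate covers it."""
    return cert_covers(fetch_cert(host, port, sni=host), host)

# Constructed sample, shaped like getpeercert() output for the example.com vhost.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}

if __name__ == "__main__":
    for name in ("example.com", "example.ca"):  # the two vhosts from the article
        print(name, "OK" if check_vhost(name) else "WRONG CERTIFICATE")
```

A "WRONG CERTIFICATE" result for the second site usually means its VirtualHost was not loaded and Apache fell back to the first-defined virtual host on that address and port, which is also the certificate a client that sends no SNI will receive.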
For high-traffic sites or special cases:
- Consider HTTP/2 which works well with SNI
- Monitor for legacy clients (Android 2.x, IE on XP) that don't support SNI
- For wildcard certificates, ensure DNS is properly configured
SNI adds minimal overhead - primarily during the initial handshake. In benchmarks, the difference is typically less than 5ms per connection.