I need to secure 2 different domains that are both on the same EC2 instance.
Reason: 1 is a sales website. The other is the webapp. Both need to access the same MySQL database.
EDIT
Sales website means the website where users look at my pricing plans, etc and sign up. The webapp is a SaaS web application they have access to AFTER they signed up.
END of EDIT
Problem: the webapp domain needs to be using a wildcard SSL certificate that is already purchased.
The sales website needs to use a standard SSL certificate that is also already purchased.
Someone told me that an EC2 instance can only have 1 Elastic IP address.
And I cannot have more than 1 SSL cert on the 1 IP address.
I found this article http://www.invokemedia.com/setting-up-multiple-ssl-domains-on-amazon-ec2-one-ipport/ on using a UCC certificate to work around this issue.
But I am not sure if
- a) that will work and I do not wish to unnecessarily spend money and waste it in the end.
- b) it will work with a wildcard cert and standard cert at the same time.
- c) using UCC will accidentally defeat the purposes of SSL access for users.
- d) how to install and use it.
- e) how to go about getting a UCC since I got both SSL certs from GoDaddy.
Another possible solution I can foresee is that I get the webapp hosted on 1 EC2 instance and the sales website hosted on another EC2 instance which of course will double my monthly hosting costs.
Then the problem emerges where my programming assumes that both applications need to be on the same server accessing the same MySQL database.
What is the best way out for me - security-wise, reliability-wise, efforts-wise, costs-wise, in descending order of importance?
Things I have learned
- 1 SSL cert to 1 IP:Port not 1 SSL cert to 1 IP
- there is such a thing called UCC SSL cert, not too sure what that means other than it allows you to have SSL for multiple domains at the same time using just 1 IP:PORT
- there is something called ELB Elastic Load Balancer that allows you to overcome having IP on 1 EC2 instance
End of things I have learned
You can have more than 1 SSL cert per IP, but you can't have more than 1 SSL cert for each IP:port combination. If you're willing to try to run one of the SSL certificates on a non-standard port (anything but 443) then you can use a single IP address.
You can easily serve up a different SSL certificate on different ports.
It turns out that this can be easily implemented with Elastic Load Balancer. You can redirect port 443 on several elastic load balancer IPs to different ports on your instance.
Someone was kind enough to write a good tutorial, complete with diagrams: http://elwoodicious.com/2009/12/23/using-elb-to-serve-multiple-domains-over-ssl-on-ec2-for-giggles/
The "UCC" cert that you're referring to is a certificate with many names in the SubjectAltName field. Since you already have a wildcard certificate, you may find it to be limiting - how many different domain names are you covering with the wildcard? One advantage of a SAN-based certificate is it can cover multiple domains, but you'll need to enumerate every domain name individually when requesting the certificate rather than allowing a browser to match the wildcard cert.
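An added check, not part of any answer above, that ties the two points together: once each certificate is bound to its own IP:port (directly or behind an ELB), confirm which certificate each endpoint actually serves and whether its names cover the domain you expect, using the wildcard rule browsers apply ('*.example.com' covers one label, so it covers 'app.example.com' but not 'example.com' or 'a.b.example.com', which is why a SAN/UCC certificate must enumerate each name). The hostnames, ports and certificate contents below are constructed; fetch_dns_names uses only the Python standard library and keeps chain validation on so that getpeercert() returns the parsed certificate.

```python
"""Inspect which certificate an IP:port serves and whether it covers a hostname.

Added example (not from the original question or answers). Host names,
ports and the sample certificate dict are constructed for illustration.
"""
import socket
import ssl


def hostname_matches(hostname, san_names):
    """Return True if hostname is covered by one of the certificate's DNS names.

    Wildcard rule as browsers apply it: '*' must be the entire leftmost label
    and matches exactly one label. '*.example.com' covers 'app.example.com'
    but not 'example.com' (no label to match) or 'a.b.example.com' (two labels).
    """
    host = hostname.lower().rstrip('.')
    for name in san_names:
        name = name.lower().rstrip('.')
        if name == host:
            return True
        if name.startswith('*.'):
            suffix = name[1:]                     # '.example.com'
            if host.endswith(suffix):
                leftmost = host[:-len(suffix)]    # what the '*' would stand for
                if leftmost and '.' not in leftmost:
                    return True
    return False


def dns_names(cert):
    """Extract DNS names from the dict returned by SSLSocket.getpeercert().

    Modern clients only consult subjectAltName; the commonName fallback is
    kept so that old single-name certificates still report a name.
    """
    names = [value for kind, value in cert.get('subjectAltName', ()) if kind == 'DNS']
    if not names:
        for rdn in cert.get('subject', ()):
            for kind, value in rdn:
                if kind == 'commonName':
                    names.append(value)
    return names


def fetch_dns_names(host, port, server_name=None, timeout=5):
    """Connect to host:port, complete the TLS handshake and return the DNS names
    of the certificate presented there (network call, not exercised offline).

    Chain validation against the default CA store stays on, because Python
    returns an empty dict from getpeercert() when the certificate was not
    validated; only the hostname check is switched off so that any name can
    be inspected regardless of which domain the endpoint is meant for.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                     # inspect, do not enforce, the name
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            return dns_names(tls.getpeercert())


def endpoint_covers(host, port, expected_hostname):
    """True if the certificate served on host:port covers expected_hostname."""
    return hostname_matches(expected_hostname, fetch_dns_names(host, port, expected_hostname))


# Constructed certificate dicts in the shape getpeercert() returns (illustration only).
WILDCARD_CERT = {
    'subject': ((('commonName', '*.app.example'),),),
    'subjectAltName': (('DNS', '*.app.example'), ('DNS', 'app.example')),
}
SAN_CERT = {
    'subject': ((('commonName', 'www.sales.example'),),),
    'subjectAltName': (('DNS', 'www.sales.example'), ('DNS', 'sales.example')),
}


if __name__ == '__main__':
    # Which names does each constructed certificate cover?
    for label, cert, probe in (
        ('wildcard', WILDCARD_CERT, ['app.example', 'tenant1.app.example', 'a.b.app.example']),
        ('SAN/UCC', SAN_CERT, ['www.sales.example', 'sales.example', 'shop.sales.example']),
    ):
        names = dns_names(cert)
        for h in probe:
            print(f"{label:8} {h:22} covered={hostname_matches(h, names)}")
    # Live check of the layout discussed above (constructed endpoints; needs network):
    # print(endpoint_covers('203.0.113.10', 443, 'www.sales.example'))
    # print(endpoint_covers('203.0.113.10', 8443, 'tenant1.app.example'))
```

The offline part (hostname_matches and dns_names) is what decides whether a wildcard or SAN certificate is enough for a given set of domains; endpoint_covers is the post-deployment check that each IP:port really presents the certificate you assigned to it.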