I have a SaaS project that needs to support custom SSL domains. I've looked into SNI, which looks perfect. If I decide to (or need to) support Windows XP, what other techniques can I use?
I know that I can create virtual IP addresses but don't think this will scale well with our current hosting provider (they'll charge us for each IP, and they have to do work for our firewall and load balancers).
Are there any other common techniques? I've looked into reverse proxies (or maybe something like CloudFlare), but haven't seen anything definitive.
I'm using nginx that proxies to Apache2 for PHP execution.
Options are:
The disadvantage to the SAN cert would be that you'd have to re-issue the certificate when you add new names, which is really not conducive to a service provider environment where you're potentially adding new names often.
You'll need to use both large blocks of IP addresses and SSL certificates that support SAN (Subject Alternative Name, a properly widely supported SSL technique for setting a large number of domains on a single SSL certificate).
Many providers will allow up to 100 domains on each such certificate. So, assuming you'll start with a 16 IP block, each IP with a single certificate with 100 domains on it, you'll be able to support 1600 domains on such a setup. Give or take a few hundred for the IP block not being usable for the full 16 IP addresses.
There is no method widely supported by browsers for installing more than one certificate on a single IP address.
This list allows filtering by multiple domains support: Certificate Comparison
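The two answers above describe one SAN certificate per IP address, with a re-issue every time a name is added. The sketch below is an added example, not code from either answer: it assigns customer domains to IP/certificate slots and renders the matching nginx server block. `Planner`, `Slot`, `nginx_block`, the certificate directory and the Apache upstream address `127.0.0.1:8080` are hypothetical; the 100-name limit and the 16-address block are the figures from the answer.

```python
import re
from dataclasses import dataclass, field

MAX_SAN = 100  # per-certificate name limit quoted in the answer; varies by CA
# Hostnames end up in nginx config and in the CSR, so reject anything else.
HOSTNAME = re.compile(r"([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

@dataclass
class Slot:
    """One IP address serving exactly one SAN certificate."""
    ip: str
    names: list = field(default_factory=list)
    reissues: int = 0  # every added name forces a new certificate from the CA

class Planner:
    def __init__(self, ips, max_san=MAX_SAN):
        self.slots = [Slot(ip) for ip in ips]
        self.max_san = max_san

    def capacity(self):
        return len(self.slots) * self.max_san

    def add(self, domain):
        """Assign a domain; return the slot whose certificate must be re-issued."""
        domain = domain.lower().rstrip(".")
        if len(domain) > 253 or not HOSTNAME.fullmatch(domain):
            raise ValueError(f"not a valid hostname: {domain!r}")
        if any(domain in s.names for s in self.slots):
            raise ValueError(f"{domain} is already assigned")
        # Prefer the fullest slot with room, so only one certificate is in flux.
        free = [s for s in self.slots if len(s.names) < self.max_san]
        if not free:
            raise RuntimeError("all certificates are full; more IPs are needed")
        slot = max(free, key=lambda s: len(s.names))
        slot.names.append(domain)
        slot.reissues += 1
        return slot

def nginx_block(slot, upstream="127.0.0.1:8080", cert_dir="/etc/nginx/certs"):
    """Render a server block bound to the slot's IP, so no SNI is required."""
    return (
        "server {\n"
        f"    listen {slot.ip}:443 ssl;\n"
        f"    server_name {' '.join(sorted(slot.names))};\n"
        f"    ssl_certificate {cert_dir}/{slot.ip}.crt;\n"
        f"    ssl_certificate_key {cert_dir}/{slot.ip}.key;\n"
        f"    location / {{ proxy_pass http://{upstream}; }}\n"
        "}\n"
    )
```

Each call to `add` marks exactly one certificate for re-issue, and the `reissues` counter shows how much churn a single busy certificate accumulates as customers sign up.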