AFAIK, host headers do not work with SSL as they are encrypted and in turn the webserver will never know what you are calling.
If you run SSL you need to have a dedicated IP for them (and then a host header will work, kind of). Running multiple sites off the same IP wont work with SSL I think to some degree you can with IIS6 though... I haven't tried it yet. "This e-mail is from Reed Exhibitions (Gateway House, 28 The Quadrant, Richmond, Surrey, TW9 1DN, United Kingdom), a division of Reed Business, Registered in England, Number 678540. It contains information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s) please note that any form of distribution, copying or use of this communication or the information in it is strictly prohibited and may be unlawful. If you have received this communication in error please return it to the sender or call our switchboard on +44 (0) 20 89107910. The opinions expressed within this communication are not necessarily those expressed by Reed Exhibitions." Visit our website at http://www.reedexpo.com -----Original Message----- From: Matthew Williams To: CF-Talk Sent: Sun Feb 25 22:21:29 2007 Subject: Re: Secure CFIDE Why not? What doesn't work with host headers and SSL? We run multiple SSL host headers per box with our intranet applications (on IIS). It's truly a pain the sane world shouldn't be subjected to, but it can happen. Matthew Williams Geodesic GraFX www.geodesicgrafx.com/blog Rick Root wrote: > On 2/25/07, Dave Watts <[EMAIL PROTECTED]> wrote: > >> I wouldn't recommend relying on Host headers, since they can easily be >> sent >> from the browser. >> > > > True, in fact that's how they always get sent :) However, I was referring > to the previous post about actually using a domain that doesn't actually > exist and just putting it in your local machine's hostfile. Then the only > way to access it would be if you knew the IP address *AND* the domain name > that is being used for the specific web site you're trying to hack into. > > If someone is sniffing your packets, of course, it doesn't help at all. > > The real disadvantage of course with using hostheaders is that you can't use > SSL to secure your coldfusion administrator. > > Rick > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| ColdFusion MX7 by AdobeĀ® Dyncamically transform webcontent into Adobe PDF with new ColdFusion MX7. Free Trial. http://www.adobe.com/products/coldfusion Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:270644 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
