If you are using the Ubuntu package and didn't change things too much, the running process name should be lighttpd and the default user and group names are both www-data. Check the server.username and server.groupname entries in your config file (/etc/lighttpd/lighttpd.conf) to be certain.
Running ps -fC lighttpd should tell you if it is running and the user id that is is running as. On my system the output looks like
rik@mary:/home/rik$ ps -fC lighttpdUID PID PPID C STIME TTY TIME CMDwww-data 667 1 0 03:50 ? 00:00:00 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
Everything you want displayed under your document-root should be readable by the www-data user and the directories need to be executable by www-data as well. To test this you may want to try using find as the user www-data. The sudo command can help with this. sudo -u www-data find /var/www/sites/mysite.com/http/media/css/ should succeed. If not try again one step up with sudo -u www-data find /var/www/sites/mysite.com/http/media/ and so on until find can return file and directory names. Once there the run the chown and chmod commands against that directory without the -R (recursive) flag. Then test again.
If you are comfortable with all of the files and directories under /var/www/sites/mysite.com/http/media being readable by anyone, you may want to chmod all the files as 644 and the dirs as 755. If you have files that need to have the execute bit set this can be a bit more of a problem unless the all have distinctive extensions. This is done using the -type, -exec, and -name flags like:
chown -R id:www-data /var/www/sites/mysite.com/http/media
find /var/www/sites/mysite.com/http/media -type d -exec chmod 755 {} \;
find /var/www/sites/mysite.com/http/media -type f -exec chmod 644 {} \;
find /var/www/sites/mysite.com/http/media -type f -name '*.php' -exec chmod 755 {} \;
If you don't want lighty to access other files an/or dirs in the tree, you will need to handle things differently. It is always easier if you keep files you want readable in a different directory from those you want kept out of the public eye.
For the most up-to-date information on Apache and SNI, including additional HTTP-Specific RFCs, please refer to the Apache Wiki
FYsI: "Multiple (different) SSL certificates on one IP" is brought to you by the magic of TLS Upgrading.
It works with newer Apache servers (2.2.x) and reasonably recent browsers (don't know versions off the top of my head).
RFC 2817 (upgrading to TLS within HTTP/1.1) has the gory details, but basically it works for a lot of people (if not the majority).
You can reproduce the old funky behavior with openssl's s_client command (or any "old enough" browser) though.
Edit to add: apparently curl can show you what's happening here better than openssl:
SSLv3
mikeg@flexo% curl -v -v -v -3 https://www.yummyskin.com
* About to connect() to www.yummyskin.com port 443 (#0)
* Trying 69.164.214.79... connected
* Connected to www.yummyskin.com (69.164.214.79) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: serialNumber=wq8O9mhOSp9fY9JcmaJUrFNWWrANURzJ; C=CA;
O=staging.bossystem.org; OU=GT07932874;
OU=See www.rapidssl.com/resources/cps (c)10;
OU=Domain Control Validated - RapidSSL(R);
CN=staging.bossystem.org
* start date: 2010-02-03 18:53:53 GMT
* expire date: 2011-02-06 13:21:08 GMT
* SSL: certificate subject name 'staging.bossystem.org'
does not match target host name 'www.yummyskin.com'
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
curl: (51) SSL: certificate subject name 'staging.bossystem.org'
does not match target host name 'www.yummyskin.com'
TLSv1
mikeg@flexo% curl -v -v -v -1 https://www.yummyskin.com
* About to connect() to www.yummyskin.com port 443 (#0)
* Trying 69.164.214.79... connected
* Connected to www.yummyskin.com (69.164.214.79) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: C=CA; O=www.yummyskin.com; OU=GT13670640;
OU=See www.rapidssl.com/resources/cps (c)09;
OU=Domain Control Validated - RapidSSL(R);
CN=www.yummyskin.com
* start date: 2009-04-24 15:48:15 GMT
* expire date: 2010-04-25 15:48:15 GMT
* common name: www.yummyskin.com (matched)
* issuer: C=US; O=Equifax Secure Inc.; CN=Equifax Secure Global eBusiness CA-1
* SSL certificate verify ok.
Best Answer
This is done regularly. We have dozens of websites all running on the one IP address, and it's not uncommon to run hundreds. Your web server will inspect the hosts header of the request and serve appropriately.
There are two methods to implement this, and they're both the same, but for different web servers. You did not specify which one you used, so here's the three most common:
IIS 5/6
Right-click on your website and go to Properties. Next to "IP Address" (on the Web Site tab), click Advanced. You will see an entry in there for Port 80, with no Host Header Name. Delete this entry.
Click Add, and under TCP Port leave it at 80 (or 443 for SSL), and under Host Header Name enter the name of the website (for example, mediaserver.mysite.com - although example.com is a reserved name exactly for this purpose but never mind). Click OK, and OK to the next screen And you're done. You can now access that website through mediaserver.mysite.com (and only through that, it won't listen on the IP alone any more).
IIS 7
Same as IIS 5/6 except instead of right-clicking the website, you just select it and on the right-hand side menu choose "Bindings"
Apache
I don't configure apache very often, so my memory is very fuzzy, but you use the name-based VirtualHost directive in your httpd.conf. From the apache example documentation:
(I recommend reading the rest of that documentation page if you are using Apache).