[ale] apache, ssl, DMZ, brain calcification

Allan Neal allanneal at comcast.net
Fri Aug 26 23:36:45 EDT 2005


Unfortunately the user tool would not work.  SSL will not allow you to do
hostname based hosting.  Each site has to have its own IP address.  The
reason for this is that the url is encoded in the SSL portion of the packet.
The only part that IPTables can see is the IP address.  So in order to get
IPTables to do what you are talking about here, you would have to decrypt the
packet at the firewall to see (name1|name2).  

You could do one base site with different contexts i.e. https://sitename/name1
and https://sitename/name2.  Then you only have to have one Cert.  I suspect
this is not what you are looking for though.

Sorry I can't be of more help.  This is how it has worked for me in my job
though.  I run several SSL sites for my company.   We haven't found a way
around this and it even caused us to recently purchase ARIN space to get
enough IP addresses to handle our growth.

Allan

On Wed, Aug 24, 2005 at 06:15:53PM -0400, James P. Kinney III wrote:
> I am looking at setting up an ssl-enabled web server in the dmz. As I
> only have a few real IP addresses, I am looking at using internal IP
> (10.0.*) addresses to handle the ssl-cert requirements of unique IP for
> each namespace.
> 
> What I'm stumped on is how to get https://name1 AND https://name2 to
> both get through the firewall and point to the correct virtual interface
> IP address on the DMX server. Do I need to write a userspace tool that
> interfaces with iptables to read the server name from the IP stack?
> 
> Can this be done with an apache proxy on the firewall?
> -- 
> James P. Kinney III          \Changing the mobile computing world/
> CEO & Director of Engineering \          one Linux user         /
> Local Net Solutions,LLC        \           at a time.          /
> 770-493-8244                    \.___________________________./
> http://www.localnetsolutions.com
> 
> GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> <jkinney at localnetsolutions.com>
> Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7

-- 
 __^__                                          __^__
( ___ )----------------------------------------( ___ )
 | / | "Engineers aren't boring people,         | \ |
 | / | we just get excited about boring things" | \ |
 |___|                 --Anon                   |___|
(_____)----------------------------------------(_____)
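To make Allan's point about what a packet filter can see concrete, here is an added example that is not part of this thread: it builds a constructed, minimal TLS ClientHello (the only cleartext the firewall gets before the session is encrypted) and shows that a host name appears in it only when the client sends the server_name (SNI) extension from RFC 3546, which few clients or servers supported in 2005. Without it, the IP address really is all the firewall has to route on. The function and message names are this example's own.

```python
import struct

def build_client_hello(server_name=None):
    """Constructed minimal TLS 1.0 ClientHello (sample input for this example).
    The SNI extension is included only when server_name is given."""
    body = b"\x03\x01" + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2) + b"\x00\x2f"    # one cipher suite
    body += b"\x01\x00"                           # one compression method (null)
    if server_name is not None:
        name = server_name.encode("ascii")
        sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        ext = struct.pack("!HH", 0, len(sni)) + sni   # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(data):
    """Return the host name a firewall can read from a ClientHello, or None.
    Without the SNI extension nothing in the cleartext handshake names the site."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:   # TLS handshake record, ClientHello
            return None
        pos = 44 + data[43]                       # skip headers, version, random, session id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher suites
        pos += 1 + data[pos]                                   # compression methods
        if pos + 2 > len(data):
            return None                           # no extensions at all (pre-SNI client)
        end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if etype == 0:                        # server_name: list_len(2) type(1) name_len(2)
                name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

if __name__ == "__main__":
    for hello in (build_client_hello("name1.example.com"), build_client_hello()):
        print("firewall sees host name:", extract_sni(hello))
```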