Date:      Fri, 22 Nov 2002 11:38:51 -0500 (EST)
From:      Adrian Filipi-Martin <adrian+freebsd-security@ubergeeks.com>
To:        Alex Povolotsky <tarkhil@webmail.sub.ru>
Cc:        Allan Jude <937863@primus.ca>, <freebsd-security@FreeBSD.ORG>, <quak@mydiax.ch>, <Danny.Carroll@mail.ing.nl>
Subject:   Re: jailed virtual https, anyone?
Message-ID:  <20021122113328.M48082-100000@lorax.ubergeeks.com>
In-Reply-To: <20021122155027.7f694357.tarkhil@webmail.sub.ru>

On Fri, 22 Nov 2002, Alex Povolotsky wrote:

> On Fri, 22 Nov 2002 07:07:41 -0500
> "Allan Jude" <937863@primus.ca> wrote:
>
> AJ> What seems to be the problem with the virtual hosts?
> AJ> You're quite right, but I have EVERYTHING works ok for now, EXCEPT
> AJ> virtual hosts with https. Google shows nothing relevant on "jail https
> AJ> virtual".
>
> Oh, quite simple.
>
> https cannot be configured with name-based virtual hosts, by design.
> jail cannot be configured for more than one IP address, by design.
> (don't ask me to wait until jail-ng will be ready)
> Jail sits on internal IP, on lo0. fxp0 holds real IP addresses to be accessed from outside.
> I'm forwarding incoming connection to jail, currently with ipnat. I need to pass information about real (outside) IP to mod_ssl. That is my problem.
>
> plain http works perfectly (name-based virthosts).

	You still have to do IP-based hosting for https.  It doesn't matter
that they have their IPs in the jails.

	The problem is that the SSL channel has already been negotiated and
established before apache gets to consider the "Host:" header which is
mostly what the virtual hosting is based upon.  This means that it's too
late to select a different virtual host without generating an SSL hostname
mismatch warning.

	Adrian
--
[ adrian@ubergeeks.com ]
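
The ordering described in this thread, as an added Python model that is not part of the original message and is not Apache or mod_ssl code: the certificate is chosen from the address the connection arrived on before the "Host:" header can be read, so a single address (or several public addresses redirected to one jail address) yields a single certificate. All addresses, hostnames, the NAT mapping and the `127.0.0.2` jail address are constructed for the illustration.

```python
# Added illustration: a model of the ordering, not Apache or mod_ssl code.
# Every address, hostname and NAT mapping below is constructed.
JAIL_IP = "127.0.0.2"  # assumed single jail address on lo0

def cert_for(local_ip, certs_by_ip):
    """Handshake time: the only selector is the address the connection
    arrived on, because no HTTP bytes have been read yet."""
    return certs_by_ip.get(local_ip)

def host_header(request):
    """After the handshake: read Host: from the decrypted request."""
    for line in request.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().lower().split(":")[0]  # drop any :port
    return None

def name_matches(cert_name, host):
    """Exact match, or '*' standing in for the leftmost label only."""
    c, h = cert_name.lower().split("."), host.split(".")
    return len(c) == len(h) and all(
        a == b or (i == 0 and a == "*") for i, (a, b) in enumerate(zip(c, h)))

def serve(dst_ip, request, certs_by_ip, nat=None):
    """Return (certificate name presented, Host requested, match?)."""
    local_ip = (nat or {}).get(dst_ip, dst_ip)  # redirect rewrites destination
    cert = cert_for(local_ip, certs_by_ip)      # step 1: TLS handshake
    host = host_header(request)                 # step 2: HTTP request
    ok = cert is not None and host is not None and name_matches(cert, host)
    return cert, host, ok

def req(host):
    return f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n"

IP_BASED = {"192.0.2.10": "www.example.org", "192.0.2.11": "shop.example.org"}
NAME_BASED = {"192.0.2.10": "www.example.org"}   # one address, one certificate
NAT = {"192.0.2.10": JAIL_IP, "192.0.2.11": JAIL_IP}  # both redirected to the jail
JAILED = {JAIL_IP: "www.example.org"}

if __name__ == "__main__":
    for label, args in [
        ("ip-based  ", ("192.0.2.11", req("shop.example.org"), IP_BASED)),
        ("name-based", ("192.0.2.10", req("shop.example.org"), NAME_BASED)),
        ("jail + NAT", ("192.0.2.11", req("shop.example.org"), JAILED, NAT)),
    ]:
        print(label, serve(*args))
```

In the third case the redirect collapses both public addresses onto the jail address, so the model presents the `www.example.org` certificate for a `shop.example.org` request, which is the mismatch the reply describes.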

