Date: Fri, 22 Nov 2002 11:38:51 -0500 (EST)
From: Adrian Filipi-Martin
To: Alex Povolotsky
Cc: Allan Jude <937863@primus.ca>
Subject: Re: jailed virtual https, anyone?
In-Reply-To: <20021122155027.7f694357.tarkhil@webmail.sub.ru>
Message-ID: <20021122113328.M48082-100000@lorax.ubergeeks.com>

On Fri, 22 Nov 2002, Alex Povolotsky wrote:

> On Fri, 22 Nov 2002 07:07:41 -0500
> "Allan Jude" <937863@primus.ca> wrote:
>
> AJ> What seems to be the problem with the virtual hosts?
> AJ> You're quite right, but I have EVERYTHING working ok for now, EXCEPT
> AJ> virtual hosts with https. Google shows nothing relevant on "jail https
> AJ> virtual".
>
> Oh, quite simple.
>
> https cannot be configured with name-based virtual hosts, by design.
> jail cannot be configured for more than one IP address, by design.
> (don't ask me to wait until jail-ng is ready)
> Jail sits on an internal IP, on lo0. fxp0 holds the real IP addresses to be accessed from outside.
> I'm forwarding incoming connections to the jail, currently with ipnat. I need to pass information about the real (outside) IP to mod_ssl. That is my problem.
>
> plain http works perfectly (name-based virthosts).

You still have to do IP-based hosting for https. It doesn't matter that they have their IPs in the jails. The problem is that the SSL channel has already been negotiated and established before apache gets to consider the "Host:" header, which is mostly what the virtual hosting is based upon. This means that it's too late to select a different virtual host without generating an SSL hostname mismatch warning.

Adrian
--
[ adrian@ubergeeks.com ]