From: mouss <mouss@netoyen.net>
Date: Tue, 22 Jan 2008 01:12:21 +0100
To: freebsd-pf@freebsd.org
Subject: Re: pf how-to: Single public IP --> many private NAT'd HTTPS servers

Doug Poland wrote:
> I see what you are getting at. I told pf to simply route all https
> requests to a fixed private IP. When I pointed my browser at the
> FQDN, firefox told me I had a certificate problem... i.e., the
> certificate returned was not the one expected.
>
> So, is the bottom line, one *cannot* hide multiple (NAT'd) SSL hosts
> behind a single public IP?

In fact, it has nothing to do with NAT. When the browser sees
"secure.example.com", it will resolve the host and contact the
corresponding IP. At this point, with NAT or without it, you do not know
what "virtual host" is being queried. This is a known SSL shortcoming.
Maybe future implementations (openssl, browsers, ...) will solve it.

> So my only solution, given apache and one public IP, is a single host
> listening on 443 and each "domain" would have to be served as a
> . e.g.,
>
> https://secure.example.com/webmail/
> https://secure.example.com/subversion/

This works indeed. It also costs less (for the certificates :). In some
cases, you can use one of the boxes as an SSL proxy, though care is
required (remote apps don't necessarily know whether the query was
"secure" or not, so you need to enforce SSL on a few paths and
adequately structure your sites).

> instead of
>
> https://webmail.example.com
> https://subversion.example.com

These cannot work with a single IP (as viewed by the browser). You can
also use different ports, but this is not necessarily "user friendly".