Date:      Mon, 21 Jan 2008 13:23:03 -0600
From:      Doug Poland <doug@polands.org>
To:        freebsd-pf@freebsd.org
Subject:   Re: pf how-to: Single public IP --> many private NAT'd HTTPS servers
Message-ID:  <4794F117.2000804@polands.org>
In-Reply-To: <20080121175551.GB11928@verio.net>
References:  <4794C5A8.8040402@polands.org> <1200904649.33634.9.camel@z60m> <4794CF21.2090606@polands.org> <1200906215.33634.14.camel@z60m> <4794D38C.6020007@polands.org> <20080121175551.GB11928@verio.net>

David DeSimone wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Doug Poland <doug@polands.org> wrote:
>> I have DNS resolution, the problem ( I think ) is in that pf simply
>> sees the packet destined for my single public IP (because all my
>> public host names must resolve to the same public IP address) and port
>> 443.
> 
> I am not sure how you expect this to work.  The web browser will expect
> the server to send a certificate with its identity as part of the
> initial SSL negotiation.  The client has not yet sent its request, so
> the web server has no idea which of the three domains the browser wanted
> to talk to, so it does not know which certificate should be sent.  This
> is the reason why every SSL site must have its own unique (public) IP
> address.
> 
> - -- 
> David DeSimone == Network Admin == fox@verio.net
>
I see what you are getting at.  I told pf to simply route all https 
requests to a fixed private IP.  When I pointed my browser at the FQDN, 
Firefox told me I had a certificate problem... i.e., the certificate 
returned was not the one expected.

So, is the bottom line, one *cannot* hide multiple (NAT'd) SSL hosts 
behind a single public IP?  So my only solution, given apache and one 
public IP, is a single host listening on 443 and each "domain" would 
have to be served as a <Directory></Directory>.  e.g.,

   https://secure.example.com/webmail/
   https://secure.example.com/subversion/

instead of

   https://webmail.example.com
   https://subversion.example.com


-- 
Regards,
Doug
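The single-listener layout Doug sketches above, written out as an added example (this is not configuration posted in the thread). The hostnames secure.example.com, /webmail/ and /subversion/ come from the message; the file and certificate paths, the Apache 2.4 `Require` syntax, the mod_dav_svn repository location and the pf `rdr` rule quoted in the header comment are all assumptions.

```apache
# Added example: one Apache virtual host on 443 that serves each former
# "domain" as a path under a single name and a single certificate.
# Hostnames are from the thread; paths and Apache 2.4 syntax are assumed.
#
# Assumed pf rule on the gateway (pre-4.7 rdr syntax, as on FreeBSD of the
# period), sending every TCP/443 connection for the public IP to this host:
#   rdr on $ext_if proto tcp from any to $ext_ip port 443 -> $https_host port 443

Listen 443

<VirtualHost *:443>
    # One name, one certificate: the browser checks the certificate against
    # the hostname in the URL, so every path below validates without the
    # warning Firefox showed for webmail.example.com.
    ServerName secure.example.com

    SSLEngine on
    SSLCertificateFile    /usr/local/etc/apache24/ssl/secure.example.com.crt
    SSLCertificateKeyFile /usr/local/etc/apache24/ssl/secure.example.com.key

    # Nothing is served from the document root itself; each application
    # gets its own path and its own access rules (assumed empty directory).
    DocumentRoot /usr/local/www/empty
    <Directory /usr/local/www/empty>
        Require all denied
    </Directory>

    # https://secure.example.com/webmail/   (was https://webmail.example.com)
    Alias /webmail /usr/local/www/webmail
    <Directory /usr/local/www/webmail>
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>

    # https://secure.example.com/subversion/ (was https://subversion.example.com)
    # Served through mod_dav_svn; repository path and password file are assumed.
    <Location /subversion>
        DAV svn
        SVNPath /usr/local/svn/repo
        AuthType Basic
        AuthName "Subversion"
        AuthUserFile /usr/local/etc/apache24/svn.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

The pf side is unchanged: every connection to port 443 on the public IP still lands on this one host, exactly as Doug configured it. What changes is that the name users type is now the name on the certificate, so the mismatch disappears. The old hostnames still resolve to the same public IP, so anyone who follows an old https://webmail.example.com link will get the same certificate warning Doug saw; pointing those names at the new paths from the unencrypted side is a separate decision and not part of this example.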