Date: Fri, 22 Nov 2002 13:12:47 +0000
From: Matthew Seaman
To: FreeBSD-Stable Mailing List
Subject: Re: jailed virtual https, anyone?

On Fri, Nov 22, 2002 at 02:59:47PM +0300, Alex Povolotsky wrote:
> On Fri, 22 Nov 2002 11:04:09 -0000
> "Oelkers, Dennis" wrote:
>
> OD> I don't want to give you a step-by-step tutorial how to set up a jailed
> OD> apache, but
> OD> a good start is the jail(8) manpage ...
>
> You're quite right, but I have EVERYTHING working ok for now, EXCEPT virtual hosts with https. Google shows nothing relevant on "jail https virtual".

That's a tricky one. HTTPS virtual hosts have to be IP virtual hosts rather than Name virtual hosts due to the nature of the HTTPS protocol. (The HTTP header that tells the webserver which virtual host to direct the request to is part of the encrypted payload, and can only be decrypted using the keys from the correct virtual host. Catch 22, unless you can distinguish between the virtual hosts by some other means, i.e. IP number.)

Since a jail(8) by default only allows one IP number, that means only one HTTPS server per jail. However, patches to support a range of IP numbers per jail have been posted to freebsd-hackers@

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=219925+0+/usr/local/www/db/text/2002/freebsd-hackers/20020623.freebsd-hackers

Use at your own risk.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks
Savill Way
Marlow
Bucks., SL7 1TH UK
Tel: +44 1628 476614
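
The constraint described in the message above can be checked mechanically. The following is an added example, not part of the original message or of any FreeBSD or Apache tooling: a small Python check that scans an Apache configuration for HTTPS virtual hosts sharing one IP:port, and for HTTPS virtual hosts bound to an address other than the jail's single IP. The sample configuration, host names, certificate paths and the 192.0.2.x addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample configuration (not from the original message).
SAMPLE_CONF = """\
Listen 192.0.2.10:443
<VirtualHost 192.0.2.10:443>
    ServerName shop.example.org
    SSLEngine on
    SSLCertificateFile /usr/local/etc/apache/ssl.crt/shop.crt
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName mail.example.org
    SSLEngine on
    SSLCertificateFile /usr/local/etc/apache/ssl.crt/mail.crt
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName www.example.org
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)

def ssl_vhosts(conf):
    """Yield (address, server_name) for every vhost with 'SSLEngine on'."""
    for addr, body in VHOST_RE.findall(conf):
        if re.search(r"^\s*SSLEngine\s+on\s*$", body, re.M | re.I):
            m = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
            yield addr, (m.group(1) if m else "<unnamed>")

def https_collisions(conf):
    """Map each IP:port carrying more than one HTTPS vhost to their names."""
    by_addr = defaultdict(list)
    for addr, name in ssl_vhosts(conf):
        by_addr[addr].append(name)
    return {a: n for a, n in by_addr.items() if len(n) > 1}

def outside_jail(conf, jail_ip):
    """HTTPS vhosts bound to an address other than the jail's single IP."""
    return [(a, n) for a, n in ssl_vhosts(conf) if a.rsplit(":", 1)[0] != jail_ip]

if __name__ == "__main__":
    for addr, names in https_collisions(SAMPLE_CONF).items():
        print(f"{addr}: {', '.join(names)} cannot be told apart before the handshake")
    for addr, name in outside_jail(SAMPLE_CONF, "192.0.2.10"):
        print(f"{name} binds {addr}, which the jail does not own")
```

A non-empty result from `https_collisions` means at least one of the listed sites will be served with another site's certificate; with one IP per jail, the fix is one HTTPS virtual host per jail.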