Date: Fri, 22 Nov 2002 21:49:06 +0300
From: Alex Povolotsky
To: Marc Perisa
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: jailed virtual https, anyone?
Message-Id: <20021122214906.410af0a0.tarkhil@webmail.sub.ru>

On Fri, 22 Nov 2002 16:21:10 +0100
Marc Perisa wrote:

MP> > I'm forwarding incoming connection to jail, currently with ipnat. I need to pass information
MP> > about real (outside) IP to mod_ssl. That is my problem.
MP>
MP> ? (I understand what you do - but not why ...)

On one hand, I'm going to isolate users from the outside world. On the other hand, I cannot afford right now to provide each of these users with their own jail. Hmm, maybe I could run lots of jails on the same filesystem, but this will create immeasurable lots of apaches mostly staying idle.

MP> Ok. Why don't you put every single jail with its outside IP up and let
MP> it run there (bound to fxp0). What do you want to reach with that setup?
MP> More security?

I'm running several scores of virtualhosts right now, and the number of them is going to increase. At least 5 apaches, one sshd... hmm, even if I make another jail for sshd/cron, I'm going to have LOTS and LOTS of idle apaches.

MP>
MP> Next possibility is to set up a https->http gateway on the external IP
MP> (bound to fxp0) and forward the un-encrypted requests over to the
MP> apache (name-based or whatever).

Yes, I'm starting to look towards that direction. Most likely, I'll install/patch some https->http proxy on the weekend. But in this case, I need to pass https variables in some more or less efficient and elegant way... Well, I'll do it ;-)

--
Alex.
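
The https->http gateway discussed in the message above, as an added configuration example that is not part of the original post or the poster's setup. It assumes Apache 2.4 with mod_ssl, mod_proxy, mod_proxy_http and mod_headers; the addresses, host name, paths and the X-Client-IP / X-SSL-* header names are constructed placeholders.

```apache
# Added example: gateway vhost on the external address (terminates TLS).
# All addresses, names and paths below are constructed placeholders.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.org

    SSLEngine on
    SSLCertificateFile    /path/to/www.example.org.crt
    SSLCertificateKeyFile /path/to/www.example.org.key

    # Keep the Host header so name-based vhosts in the jail still match.
    ProxyPreserveHost On
    ProxyRequests Off

    # "set" replaces any header of the same name sent by the client,
    # so these values cannot be forged through the gateway.
    RequestHeader set X-Client-IP       "expr=%{REMOTE_ADDR}"
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-SSL-Protocol    "%{SSL_PROTOCOL}s"
    RequestHeader set X-SSL-Cipher      "%{SSL_CIPHER}s"

    ProxyPass        / http://10.0.0.2:8080/
    ProxyPassReverse / http://10.0.0.2:8080/
</VirtualHost>

# Inside the jail: plain-HTTP vhost that accepts connections only from
# the gateway (assumed here to connect from 10.0.0.1).
Listen 10.0.0.2:8080
<VirtualHost 10.0.0.2:8080>
    ServerName www.example.org
    DocumentRoot /path/to/www.example.org/htdocs

    <Location "/">
        Require ip 10.0.0.1
    </Location>

    # Log the client address and cipher reported by the gateway.
    LogFormat "%{X-Client-IP}i %l %u %t \"%r\" %>s %b %{X-SSL-Cipher}i" gw
    CustomLog /path/to/logs/www.example.org-access.log gw
</VirtualHost>
```

The forwarded headers are only as trustworthy as the path they arrive on, which is why the jailed vhost refuses any peer other than the gateway.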