httpd-dev mailing list archives

From Ben Laurie <...@algroup.co.uk>
Subject Re: in progress: vhosts yet again
Date Sun, 05 Oct 1997 20:29:11 GMT
Dean Gaudet wrote:
> 
> On Sun, 5 Oct 1997, Ben Laurie wrote:
> 
> > Mark J Cox wrote:
> > >
> > > > Wildcard ports utterly suck.  But I'm guessing that you SSL weenies need
> > > > me to not screw them up.  Given that port-vhosting hasn't ever worked
> > > > correctly with name-vhosting I'm not at all concerned about making it
> > > > work now.  So here's what I'm asserting:
> > >
> > > Host: based virtual hosts don't work well with SSL anyway (the server
> > > doesn't get the Host: header until after all the negotiation and
> > > certificate stuff has been done by which time it's a bit late).  I've not
> > > seen people do wildcard ports with SSL; Stronghold just sticks in a
> > > Listen *:443 and then <VirtualHost *:443> section.
> >
> > Ditto for Apache-SSL (ish).
> 
> Cool then I think I'm not going to support wildcard ports on namevhosts
> because I'd really like my name_chain lists to have the same ipaddr:port
> the whole way down the list.  I could support wildcard ports but require
> all namevhosts on that ipaddr to also have wildcard ports.
> 
> What's the <VirtualHost *:443> supposed to do?  How about someone send me
> a typical SSL config with vhosts so I don't mess it up.
> 
> Do you have other information in the SSL exchange which gives you the same
> info as a Host: header would?  I can make it really obvious where you'd
> glue in that support.

Interestingly tricky question. My immediate reaction was "no, you have
to do it all on IP+port", but that ain't strictly true. Snag is that the
real answer is far too complicated. I'd assume my immediate reaction and
leave us to fend for ourselves :-)

We'd get information that tells you something totally different from the
Host header, but could still (potentially) be used to distinguish
between virtual hosts. It might be nice to know where the logic for that
goes.

> > > The only thing to watch is that if someone connects to https://somewhere/
> > > my copy of Netscape sends "Host: somewhere" and not "Host: somewhere:443"
> >
> > Which is correct, of course.
> 
> This is easy to handle if I use Roy's suggestion of trusting the network
> port number and not the Host: port number.

That was mine :-) Roy said you shouldn't croak if they're different.

BTW, chaps, I've started using STL recently. You really don't know what
you are missing. Did I ever mention that C++ is a really nice language?

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 994 6435|Apache Group member
Freelance Consultant  |Fax:   +44 (181) 994 6472|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
A.L. Digital Ltd,     |http://www.algroup.co.uk/Apache-SSL
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache
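
The port rule discussed in this thread (match on the port the connection arrived on, and accept a Host: port that is absent or different), as an added C example that is not part of the original message or of Apache's code. The `vhost` table, `host_name_only`, `select_vhost` and the document roots are hypothetical, and IPv6 literals in Host: are not handled.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical vhost entry; field names and layout are assumptions. */
struct vhost { const char *name; unsigned short port; const char *docroot; };

static const struct vhost vhosts[] = {      /* constructed sample configuration */
    { "somewhere", 443, "/www/somewhere-ssl" },
    { "somewhere",  80, "/www/somewhere"     },
    { "elsewhere",  80, "/www/elsewhere"     },
};

/* Copy the name part of a Host: value into out, dropping any ":port".
 * Returns 0 on success, -1 if the name is empty or does not fit. */
static int host_name_only(const char *host_hdr, char *out, size_t outlen)
{
    size_t n = strcspn(host_hdr, ":");
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, host_hdr, n);
    out[n] = '\0';
    return 0;
}

/* Pick a vhost from the Host: name and the port of the accepting socket.
 * A port inside the header is ignored: "somewhere" and "somewhere:443"
 * select the same entry, and a mismatching port is not an error. */
const struct vhost *select_vhost(const char *host_hdr, unsigned short local_port)
{
    char name[256];
    size_t i;
    if (host_name_only(host_hdr, name, sizeof name) != 0)
        return NULL;
    for (i = 0; i < sizeof vhosts / sizeof vhosts[0]; i++)
        if (vhosts[i].port == local_port && strcasecmp(vhosts[i].name, name) == 0)
            return &vhosts[i];
    return NULL;
}

int main(void)
{
    const char *hdrs[] = { "somewhere", "somewhere:443", "somewhere:80" };
    size_t i;
    for (i = 0; i < sizeof hdrs / sizeof hdrs[0]; i++) {
        const struct vhost *v = select_vhost(hdrs[i], 443);
        printf("Host: %-14s on :443 -> %s\n", hdrs[i], v ? v->docroot : "(no match)");
    }
    return 0;
}
```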
