httpd-dev mailing list archives

From Tony Finch <>
Subject RE: SSL mass-vhosting
Date Sat, 12 Jun 1999 00:41:25 GMT

"David Harris" <> wrote:
> Ralf Engelschall <> wrote:
> >
> > But the point you miss for "SSL mass virtual hosting" is this:
> > EVERY DECISION you want to do at the HTTP level for the "mass virtual
> > hosting" WILL NOT WORK.  Why? Because you decide too late.

Not if you use my vhosting stuff in an IP-based configuration.

> I understand that the crt/key has to be picked _before_ any bytes of the
> HTTP request are passed, and therefore we don't have the "Host:" header to
> make the cert/key choice. That excludes making any virtual hosting choices
> based on the host header - so host header based mass SSL hosting is out just
> as SSL with host VirtualHosts is out. But we do have the ipaddr of the local
> socket which we can get when the SSLv3/TLSv1 layer is being initialized - so
> ipaddr SSL mass hosting is workable. (Just as ipaddr based SSL-VirtualHosts
> work just fine.)
> It seems to me the way to do this is two new directives analogous to
> VirtualDocumentRootIP for mod_ssl: SSLCertificateFileIP and
> SSLCertificateKeyFileIP. They would choose a crt/key based on the local
> ipaddr of the incoming connection

Yup. Note also that VirtualDocumentRoot uses ap_get_server_name()
which may work out its result based only on the server IP address.
This happens if you do UseCanonicalName DNS, which may not be
efficient but it provides a simple switch from Host:-header vhosting
to IP-based vhosting.

The other way it can happen is in the following configuration:

	UseCanonicalName On
	VirtualDocumentRoot /www/hosts/%0/docs
		# nothing else!

I haven't mentioned this in my docs because I think it's dangerously

Winner, International Obfuscated C Code Competition 1998
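
Added example, not part of the original message and not mod_ssl code: a Python illustration of the selection the quoted proposal describes, where the cert/key pair is derived only from the local address of the accepted socket. The template syntax (assumed here to mirror the %N interpolation of VirtualDocumentRootIP), the paths and the function names are assumptions made for the illustration.

```python
import ipaddress
import re

# Hypothetical templates in the style of the SSLCertificateFileIP /
# SSLCertificateKeyFileIP directives proposed above (a proposal in this
# thread, not existing mod_ssl directives). Paths are constructed.
CERT_TEMPLATE = "/etc/ssl/vhosts/%0/server.crt"
KEY_TEMPLATE = "/etc/ssl/vhosts/%4/%0/server.key"

_TOKEN = re.compile(r"%(%|-?[0-9])")


def interpolate_ip(template, local_ip):
    """Expand %0 (whole address), %1..%4 (octets from the left),
    %-1..%-4 (octets from the right) and %% (literal percent)."""
    # Canonicalise first: anything that is not a plain IPv4 address is rejected.
    ip = str(ipaddress.IPv4Address(local_ip))
    octets = ip.split(".")

    def expand(match):
        token = match.group(1)
        if token == "%":
            return "%"
        n = int(token)
        if n == 0:
            return ip
        if abs(n) > 4:
            raise ValueError(f"no octet %{token} in an IPv4 address")
        return octets[n - 1] if n > 0 else octets[n]

    return _TOKEN.sub(expand, template)


def select_credentials(local_addr):
    """Pick (cert, key) from the tuple returned by conn.getsockname().

    Only the local address is consulted: it is known as soon as accept()
    returns, before the TLS handshake and before any Host: header exists.
    """
    local_ip, _port = local_addr
    return (interpolate_ip(CERT_TEMPLATE, local_ip),
            interpolate_ip(KEY_TEMPLATE, local_ip))
```
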
