httpd-dev mailing list archives

From Tony Finch <...@dotat.at>
Subject RE: SSL mass-vhosting
Date Sat, 12 Jun 1999 00:41:25 GMT

"David Harris" <dharris@drh.net> wrote:
> Ralf Engelschall <rse@engelschall.com> wrote:
> >
> > But the point you miss for "SSL mass virtual hosting" is this:
> > EVERY DECISION you want to do at the HTTP level for the "mass virtual
> > hosting" WILL NOT WORK.  Why? Because you decide too late.

Not if you use my vhosting stuff in an IP-based configuration.

> I understand that the crt/key has to be picked _before_ any bytes of the
> HTTP request are passed, and therefore we don't have the "Host:" header to
> make the cert/key choice. That excludes making any virtual hosting choices
> based on the host header - so host header based mass SSL hosting is out just
> as SSL with host VirtualHosts is out. But we do have the ipaddr of the local
> socket which we can get when the SSLv3/TLSv1 layer is being initialized - so
> ipaddr SSL mass hosting is workable. (Just as ipaddr based SSL-VirtualHosts
> work just fine.)
> 
> It seems to me the way to do this is two new directives analogous to
> VirtualDocumentRootIP for mod_ssl: SSLCertificateFileIP and
> SSLCertificateKeyFileIP. They would choose a crt/key based on the local
> ipaddr of the incoming connection.

Yup. Note also that VirtualDocumentRoot uses ap_get_server_name()
which may work out its result based only on the server IP address.
This happens if you do UseCanonicalName DNS, which may not be
efficient but it provides a simple switch from Host:-header vhosting
to IP-based vhosting.

The other way it can happen is in the following configuration:

	# With UseCanonicalName On, ap_get_server_name() returns the ServerName
	# of the <VirtualHost> matched by IP address, not the Host: header.
	UseCanonicalName On
	# %0 expands to the whole server name, so each IP maps to its own docroot.
	VirtualDocumentRoot /www/hosts/%0/docs
	<VirtualHost 111.22.33.44>
		ServerName foo.com
		# nothing else!
	</VirtualHost>
	<VirtualHost 111.22.33.45>
		ServerName bar.com
	</VirtualHost>
	<VirtualHost 111.22.33.46>
		ServerName baz.com
	</VirtualHost>

I haven't mentioned this in my docs because I think it's dangerously
obscure.

Tony.
-- 
f.a.n.finch   dot@dotat.at   fanf@demon.net
Winner, International Obfuscated C Code Competition 1998
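An added illustration, not part of Tony's message and not Apache or mod_ssl code, of the decision order the thread is about: the cert/key must be chosen from the local socket address before any HTTP bytes are read, and only afterwards can the Host: header (or, under UseCanonicalName On/DNS, the IP-derived server name) feed VirtualDocumentRoot. The tables below are constructed to mirror the three-vhost configuration in the message; the per-IP cert table stands in for the SSLCertificateFileIP/SSLCertificateKeyFileIP directives David proposes, which are hypothetical. The reverse-DNS table, the constructed requests, and the safe_hostname() check (a guard against a client-supplied %0 walking out of /www/hosts when UseCanonicalName is Off) are my own additions, not something the thread describes.

```python
"""Model of per-connection decisions for IP-based SSL mass vhosting.

Constructed example; the tables mirror the config in Tony's message.
"""
from typing import Callable, Optional

# Hypothetical SSLCertificateFileIP / SSLCertificateKeyFileIP table (constructed).
CERT_BY_LOCAL_IP = {
    "111.22.33.44": ("/etc/ssl/foo.com.crt", "/etc/ssl/foo.com.key"),
    "111.22.33.45": ("/etc/ssl/bar.com.crt", "/etc/ssl/bar.com.key"),
    "111.22.33.46": ("/etc/ssl/baz.com.crt", "/etc/ssl/baz.com.key"),
}
# ServerName of the <VirtualHost ip> block matched for each local address.
SERVERNAME_BY_LOCAL_IP = {
    "111.22.33.44": "foo.com",
    "111.22.33.45": "bar.com",
    "111.22.33.46": "baz.com",
}
# Stand-in for reverse DNS so the example runs offline (constructed).
REVERSE_DNS = {
    "111.22.33.44": "foo.com",
    "111.22.33.45": "bar.com",
    "111.22.33.46": "baz.com",
}
DOCROOT_TEMPLATE = "/www/hosts/%0/docs"  # %0 = whole server name


def select_cert(local_ip: str):
    """TLS-layer decision: at handshake time only the local socket address
    is known; no HTTP bytes, hence no Host: header, have been read."""
    try:
        return CERT_BY_LOCAL_IP[local_ip]
    except KeyError:
        raise LookupError(f"no cert/key configured for local address {local_ip}")


def parse_host_header(request: bytes) -> Optional[str]:
    """Extract the Host: value (without port) from a raw HTTP/1.x request head."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return host.split(":", 1)[0]
    return None


def safe_hostname(name: str) -> bool:
    """My own guard: when %0 comes from the client (UseCanonicalName Off),
    refuse anything that is not a plain hostname, so it cannot leave the
    /www/hosts tree via '..' or '/'."""
    return (bool(name) and ".." not in name and not name.startswith(".")
            and all(c.isalnum() or c in ".-" for c in name))


def server_name(local_ip: str, host_header: Optional[str], canonical: str,
                reverse_dns: Callable[[str], Optional[str]] = REVERSE_DNS.get
                ) -> Optional[str]:
    """Model of ap_get_server_name() under the three UseCanonicalName modes."""
    if canonical == "On":    # ServerName of the vhost matched by local IP
        return SERVERNAME_BY_LOCAL_IP.get(local_ip)
    if canonical == "DNS":   # reverse lookup of the local address
        return reverse_dns(local_ip)
    if canonical == "Off":   # client-supplied Host:, else the vhost's ServerName
        return host_header or SERVERNAME_BY_LOCAL_IP.get(local_ip)
    raise ValueError(f"unknown UseCanonicalName mode {canonical!r}")


def handle_connection(local_ip: str, request: bytes, canonical: str = "On") -> dict:
    """Decision order on one connection, as described in the thread:
    1. cert/key from the local address, before any request bytes;
    2. only then read the request and derive the document root."""
    cert, key = select_cert(local_ip)          # step 1: too early for Host:
    host = parse_host_header(request)          # step 2: HTTP is readable now
    name = server_name(local_ip, host, canonical)
    if name is None or not safe_hostname(name):
        raise ValueError(f"unusable server name {name!r}")
    docroot = DOCROOT_TEMPLATE.replace("%0", name)
    return {"cert": cert, "key": key, "host_header": host, "docroot": docroot}


if __name__ == "__main__":
    req = b"GET / HTTP/1.1\r\nHost: bar.com\r\n\r\n"  # constructed request
    for mode in ("On", "DNS", "Off"):
        print(mode, handle_connection("111.22.33.44", req, mode))
```

Run with a Host: header that disagrees with the IP's ServerName to see the point of the "dangerously obscure" configuration: under On the Host: header is ignored and the docroot follows the IP, under Off it follows the header, and in every mode the certificate is fixed by the IP alone.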
