httpd-users mailing list archives

From Nikolai Lusan <nikolai.lu...@hitwise.com>
Subject Re: [users@httpd] multiple https hosts behind nat
Date Thu, 14 Jun 2007 06:00:37 GMT
On Wed, 2007-06-13 at 09:14 -0400, Joshua Slive wrote:
> On 6/13/07, Aaron <ml@proficuous.com> wrote:
> 
> > No multiple IPs on the outside.  I would just do a 1 to 1 nat if that
> > were the case.
> 
> You're screwed then. You can't do IP-based virtual hosting with only a
> single public IP.

Well, actually you can, e.g.:

NameVirtualHost my.ip:80
NameVirtualHost my.ip:443

<VirtualHost my.ip:80>
   ServerName site1.dns
</VirtualHost>
<VirtualHost my.ip:80>
   ServerName site2.dns
</VirtualHost>
<VirtualHost my.ip:443>
   ServerName site1.dns
</VirtualHost>


This is quite valid with only 1 public IP. The issue with SSL is that
you can only do one site per public IP because of the chicken/egg
problem with the SSL encoding of the HTTP head requests (which contain
the headers required for processing virtual host requests). For non-SSL
requests IP-based virtual hosting is fine because Apache just inspects
the HEAD request and drops it into the correct place. For SSL requests
it ends up in the default (first configured for an IP-based host) vhost
for decryption of the SSL data with the key/cert configured in that
setting, and then it's too late to move vhosts if the HEAD request isn't
for that particular vhost.

Lesson:
   When it comes to SSL, 1 site per [public] IP is the rule of thumb.
While it is possible to configure Apache to have more than one virtual
host with separate certificates, reality dictates that only the first (or
default) virtual host will actually be used.

-- 

Nikolai Lusan
Systems Administrator

Hitwise Pty. Ltd.
Level 7 / 580 St Kilda Road
Melbourne, Victoria 3004
Australia
Phone: +61 3 8530 2400
Fax:  +61 3 9529 8907
www.hitwise.com.au
nikolai.lusan@hitwise.com




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
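
Added example, not part of the original message or of Apache httpd: a small Python check that reads a configuration and lists the SSL virtual hosts defined after another one on the same address:port, modelling the behaviour described in the message (the key/cert is chosen before the Host header can be read). The sample configuration, host names, certificate paths and function names are constructed placeholders.

```python
import re

# Constructed sample (not from the message): two SSL vhosts share my.ip:443,
# each with its own certificate. Paths and names are placeholders.
SAMPLE_CONF = """
<VirtualHost my.ip:80>
   ServerName site2.dns
</VirtualHost>
<VirtualHost my.ip:443>
   ServerName site1.dns
   SSLEngine on
   SSLCertificateFile /etc/ssl/site1.crt
</VirtualHost>
<VirtualHost my.ip:443>
   ServerName site2.dns
   SSLEngine on
   SSLCertificateFile /etc/ssl/site2.crt
</VirtualHost>
"""

BLOCK = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """First argument of a directive inside one vhost body, or None."""
    m = re.search(r"^\s*%s\s+(\S+)" % re.escape(name), body, re.M | re.I)
    return m.group(1) if m else None

def parse_vhosts(conf):
    return [{
        "addr": addr,
        "name": directive(body, "ServerName"),
        "ssl": (directive(body, "SSLEngine") or "off").lower() == "on",
        "cert": directive(body, "SSLCertificateFile"),
    } for addr, body in BLOCK.findall(conf)]

def shadowed_ssl_vhosts(conf):
    """List (name, own_cert, presented_cert) for each SSL vhost that is not
    the first one defined for its address:port."""
    first, findings = {}, []
    for vh in parse_vhosts(conf):
        if not vh["ssl"]:
            continue  # plain HTTP: the Host header is readable before routing
        default = first.setdefault(vh["addr"], vh)
        if default is not vh:
            findings.append((vh["name"], vh["cert"], default["cert"]))
    return findings

if __name__ == "__main__":
    for name, own, shown in shadowed_ssl_vhosts(SAMPLE_CONF):
        print(f"{name}: configured {own}, clients are shown {shown}")
```

Each finding is a site whose visitors would get a certificate issued for a different name, which shows up in the browser as a hostname mismatch warning.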

