Date: Thu, 01 Nov 2007 18:14:43 +0800
From: Hans
To: users@httpd.apache.org
Subject: Re: [users@httpd] problem with NAT, Public IP's and SSL cert

Krist van Besien wrote:
> On Nov 1, 2007 10:36 AM, Krist van Besien wrote:
>
>> On Nov 1, 2007 8:38 AM, Hans wrote:
>>
>>> So in your config you have only or
>>> .
>>>
>> No. In your config you have:
>> Several of either
>>
>> or
>>
>> (After "VirtualHost" you need to put exactly the same thing you've put
>> after your NameVirtualHost statement.)
>>
>> And you can have one
>> block
>> or one
>> block for each IP _your server has_
>>
>> But what you want, based on your description in your first post, is
>> not possible.
>> It is not possible to have multiple SSL based hosts each with their
>> own certificate on one IP address. This is not a limitation of Apache,
>> this is a limitation of the SSL protocol. If you want to know why,
>> read this: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts
>>
>
> Just another question, (I just reread your original post) what do you
> mean that you got another VIP for your customer? Does that mean that
> your firewall has a separate IP for your customer?
>
> In that case you can solve your problem by telling Apache to bind to
> an extra port (eg 444) and configuring your customer's SSL server on
> that port.
> You then configure your NAT firewall to forward traffic to your
> customer's IP to port 80 and 444, instead of port 80 and 443.
>
> Krist

I have one main VIP 65.65.65.65 for vhosts which share that IP, and if a customer needs (like in the case of ssl) he will get another IP, e.g. 65.65.65.66. I always thought that for ssl the public IP is important, not the private one on the host. I think that it is some limitation of Apache that it cannot listen on a virtual public IP, but only on IPs which the host directly uses. I wonder how other hosting companies with load balance solved that problem. I cannot believe that somebody with 200 domains and let's say 150 IPs plays with port numbers.

Regards,
Hans
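The port-based workaround Krist describes above, sketched as an httpd configuration (an added example, not part of the original thread or of anyone's actual setup). The private address 192.168.0.10, the host names and the file paths are assumptions; 65.65.65.65 and 65.65.65.66 are the VIPs named in the message.

```apache
# Constructed example. The public VIPs exist only on the NAT firewall, so
# Apache binds to ports on the host's private address (assumed 192.168.0.10)
# and never to 65.65.65.65 or 65.65.65.66.
#
# NAT mapping configured on the firewall, outside Apache:
#   65.65.65.65:80   ->  192.168.0.10:80    (shared name-based sites)
#   65.65.65.65:443  ->  192.168.0.10:443   (assumed: SSL site on the main VIP)
#   65.65.65.66:80   ->  192.168.0.10:80
#   65.65.65.66:443  ->  192.168.0.10:444   (customer's dedicated SSL VIP)

Listen 80
Listen 443
# On httpd 2.2 and later a non-standard SSL port can be declared
# as "Listen 444 https".
Listen 444

# Plain HTTP can stay name-based: the Host header selects the vhost.
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName www.shared-site.example
    DocumentRoot /var/www/shared-site
</VirtualHost>

<VirtualHost *:80>
    ServerName www.customer.example
    DocumentRoot /var/www/customer
</VirtualHost>

# The certificate is chosen per IP:port before the Host header is readable,
# so each certificate gets its own port on the private address.
<VirtualHost *:443>
    ServerName www.shared-site.example
    DocumentRoot /var/www/shared-site
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/shared-site.crt
    SSLCertificateKeyFile /etc/httpd/ssl/shared-site.key
</VirtualHost>

<VirtualHost *:444>
    ServerName www.customer.example
    DocumentRoot /var/www/customer
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/customer.crt
    SSLCertificateKeyFile /etc/httpd/ssl/customer.key
</VirtualHost>
```

Clients still connect to 65.65.65.66 on the standard port 443; port 444 is visible only between the firewall and the Apache host.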