RE: multiple https hosts behind nat

> -----Original Message-----
> From: Nikolai Lusan [mailto:nikolai.lusan@xxxxxxxxxxx] 
> Sent: Thursday, June 14, 2007 8:01 AM
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re:  multiple https hosts behind nat
> 
> On Wed, 2007-06-13 at 09:14 -0400, Joshua Slive wrote:
> > On 6/13/07, Aaron <ml@xxxxxxxxxxxxxx> wrote:
> > 
> > > No multiple IPs on the outside.  I would just do a 1 to 1 nat if that
> > > were the case.
> > 
> > You're screwed then. You can't do IP-based virtual hosting with only a
> > single public IP.
> 
> Well actually you can e.g.:

Well actually you should've read the whole thread... The OP[1] contains
the line: "so that I can run multiple ssl sites with a diff certificate
for each". So it is clear that the comment you repudiate is in the
context of SSL virtual hosting.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

[1] http://marc.info/?l=apache-httpd-users&m=118171599530435&w=2

> 
> NameVirtualHost my.ip:80
> NameVirtualHost my.ip:443
> 
> <VirtualHost my.ip:80>
>    ServerName site1.dns
> </VirtualHost>
> <VirtualHost my.ip:80>
>    ServerName site2.dns
> </VirtualHost>
> <VirtualHost my.ip:443>
>    ServerName site1.dns
> </VirtualHost>
> 
> 
> This is quite valid with only 1 public IP. The issue with SSL is that
> you can only do one site per public IP because of the chicken/egg
> problem with the SSL encoding of the HTTP head requests (which contain
> the headers required for processing virtual host requests). For non-SSL
> requests IP-based virtual hosting is fine because Apache just inspects
> the HEAD request and drops it into the correct place. For SSL requests
> it ends up in the default (first configured for an IP-based host) vhost
> for decryption of the SSL data with the key/cert configured in that
> setting and then it's too late to move vhosts if the HEAD request isn't
> for that particular vhost.
> 
> Lesson:
>    When it comes to SSL, 1 site per [public] IP is the rule of thumb.
> While it is possible to configure Apache to have more than one virtual
> host with separate certificates, reality dictates that only the first (or
> default) virtual host will actually be used.
> 
> -- 
> 
> Nikolai Lusan
> Systems Administrator
> 
> Hitwise Pty. Ltd.
> Level 7 / 580 St Kilda Road
> Melbourne, Victoria 3004
> Australia
> Phone: +61 3 8530 2400
> Fax:  +61 3 9529 8907
> www.hitwise.com.au
> nikolai.lusan@xxxxxxxxxxx
> 
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
 
 

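A config check for the situation the quoted message describes, as an added example that is not part of the original thread: it flags SSL virtual hosts that share an address:port with an earlier SSL vhost but carry a different certificate, since under the behaviour described above (certificate chosen before the Host header can be read, i.e. no TLS Server Name Indication) clients asking for them receive the first vhost's certificate. The sample config, the certificate paths and the function names are constructed for illustration.

```python
import re

# Constructed sample in the style of the thread; my.ip and the paths are placeholders.
SAMPLE_CONF = """
NameVirtualHost my.ip:443
<VirtualHost my.ip:80>
    ServerName site1.dns
</VirtualHost>
<VirtualHost my.ip:443>
    SSLEngine on
    ServerName site1.dns
    SSLCertificateFile /etc/ssl/site1.crt
</VirtualHost>
<VirtualHost my.ip:443>
    SSLEngine on
    ServerName site2.dns
    SSLCertificateFile /etc/ssl/site2.crt
</VirtualHost>
"""

BLOCK_RE = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """First value of an uncommented directive inside a vhost body, or None."""
    m = re.search(rf"^\s*{name}\s+(\S+)", body, re.M | re.I)
    return m.group(1) if m else None

def parse_vhosts(conf):
    """Return the <VirtualHost> blocks in file order with the fields we need."""
    vhosts = []
    for addr, body in BLOCK_RE.findall(conf):
        ssl = (directive(body, "SSLEngine") or "off").lower() == "on"
        vhosts.append({"addr": addr, "ssl": ssl,
                       "name": directive(body, "ServerName"),
                       "cert": directive(body, "SSLCertificateFile")})
    return vhosts

def shadowed_ssl_vhosts(conf):
    """(addr, default_name, shadowed_name, cert_actually_served) per finding."""
    first, findings = {}, []
    for vh in parse_vhosts(conf):
        if not vh["ssl"]:
            continue  # plain HTTP vhosts are selected by Host header; no issue
        default = first.setdefault(vh["addr"], vh)  # first SSL vhost wins
        if default is not vh and vh["cert"] != default["cert"]:
            findings.append((vh["addr"], default["name"], vh["name"], default["cert"]))
    return findings

if __name__ == "__main__":
    for addr, default, shadowed, cert in shadowed_ssl_vhosts(SAMPLE_CONF):
        print(f"{addr}: {shadowed} will be served {default}'s certificate ({cert})")
```
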

