Idea for SSL with name-based Vhosts using two servers, mod_rewrite, and mod_proxy

I know everyone always asks about having name-based virtual hosts with
a secure connection, and I understand why it's not currently possible.
So I was thinking of ways around this, and I came up with a little
something. I haven't tested it yet, but I'm curious what people think.

The idea is to have two httpd servers running on the machine: The
"backend" has all your actual content and multiple virtual hosts, each
one listening on a different non-standard port. The other server, the
"frontend", then listens on standard ports 80 and 443 and uses mod_ssl
for secure http support. The frontend server can then use rewrite
conditions to check the http Host header, and rewrite rules with the
proxy flag to proxy the request to the correct vhost on the backend.

For instance, say our goal is to have two virtual hosts which both
support HTTPS. One wants to live at sample.org, the other at test.net.
So we would set up our "backend server" to have two virtual hosts: One
for sample.org listening on port 8081, for instance, and one for
test.net listening on 8082. These vhosts would serve up the actual
content for their respective sites, and wouldn't try to support SSL on
their own.

The front end server would be set up to not offer any content of its
own, it would just listen on port 80 and set up a standard port-based
vhost on 443 to support secure connections. Both the port 80 and port
443 vhosts on this machine would have the following directives:

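RewriteEngine On

# Match the Host header exactly (optional port), case-insensitively
RewriteCond %{HTTP_HOST} ^sample\.org(:[0-9]+)?$ [NC]
# In vhost context the path starts with "/", so capture what follows it
RewriteRule ^/(.*)$ http://localhost:8081/$1 [P]

RewriteCond %{HTTP_HOST} ^test\.net(:[0-9]+)?$ [NC]
RewriteRule ^/(.*)$ http://localhost:8082/$1 [P]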

And actually, to support older browsers that don't send the Host
header, you'd probably want to choose one to be your "default" host,
and put that last, without any RewriteCond applied to it.

The only obvious drawbacks I can think of are possible lag introduced
by having to proxy, and that all the sites would have to use the same
certificate (as defined in the port 443 vhost on the "frontend"
server).

Anyone have any thoughts on whether this is a good or bad idea, or
whether it will even work?

Thanks
-Brian

--

Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://pgp.mit.edu/
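
The two-server layout described in the message above, written out as an added example that is not part of the original post. It assumes Apache 2.x module names, placeholder paths for the document roots and the shared certificate, and 127.0.0.1 in place of localhost so the proxy target matches the backend's loopback-only Listen addresses.

```apache
# ---- backend httpd.conf: plain HTTP, reachable from this machine only ----
# Binding to loopback keeps clients from reaching the content without
# going through the frontend (and its TLS) first.
Listen 127.0.0.1:8081
Listen 127.0.0.1:8082

<VirtualHost 127.0.0.1:8081>
    ServerName sample.org
    # placeholder path
    DocumentRoot "/path/to/sample.org/htdocs"
</VirtualHost>

<VirtualHost 127.0.0.1:8082>
    ServerName test.net
    # placeholder path
    DocumentRoot "/path/to/test.net/htdocs"
</VirtualHost>

# ---- frontend httpd.conf: mod_ssl, mod_rewrite, mod_proxy, mod_proxy_http ----
Listen 80
Listen 443

# Reverse proxying only: never act as a forward proxy for arbitrary URLs
ProxyRequests Off

<VirtualHost *:443>
    ServerName sample.org
    SSLEngine on
    # One certificate for every site, as the message notes (placeholder paths)
    SSLCertificateFile    "/path/to/shared-cert.pem"
    SSLCertificateKeyFile "/path/to/shared-key.pem"

    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^sample\.org(:[0-9]+)?$ [NC]
    RewriteRule ^/(.*)$ http://127.0.0.1:8081/$1 [P]
    RewriteCond %{HTTP_HOST} ^test\.net(:[0-9]+)?$ [NC]
    RewriteRule ^/(.*)$ http://127.0.0.1:8082/$1 [P]
    # Missing or unrecognised Host header: fall through to the default site
    RewriteRule ^/(.*)$ http://127.0.0.1:8081/$1 [P]

    # Rewrite backend Location headers so redirects do not expose ports 8081/8082
    ProxyPassReverse / http://127.0.0.1:8081/
    ProxyPassReverse / http://127.0.0.1:8082/
</VirtualHost>
# The port 80 vhost carries the same Rewrite and ProxyPassReverse lines,
# without the SSL directives.
```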

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.