Re: Idea for SSL with name-based Vhosts using two servers, mod_rewrite, and mod_proxy


On Wed, Jan 7, 2009 at 10:13 AM, Davide Bianchi <davide@xxxxxxxxxxxxxx> wrote:
> Brian Mearns wrote:
>> for secure http support. The frontend server can then use rewrite
>> conditions to check the http Host header, and rewrite rules with the
>
> And how can he check the host header if the request is encrypted? He has
> to decrypt it. And to do so, he needs a certificate.
>

The frontend server is set up as a regular ssl-supporting server, so I
don't think there's any reason he can't decrypt the message; a server
has to decrypt a request in order to process it, whether it's serving
up proxied requests to a backend server or just static text files.


On Wed, Jan 7, 2009 at 10:10 AM, Krist van Besien
<krist.vanbesien@xxxxxxxxx> wrote:
> On Wed, Jan 7, 2009 at 4:06 PM, Brian Mearns <bmearns@xxxxxxxx> wrote:
>
>> The only obvious drawbacks I can think of are possible lag introduced
>> by having to proxy, and that all the sites would have to use the same
>> certificate (as defined in the port 443 vhost on the "frontend"
>> server).
>
> And that is the problem. This means that for only one site the
> certificate will match the hostname...

Right, which I guess is a big problem for most use cases. For me, my
certificate is self-signed anyway, and I already use it for multiple
hostnames (myserver.net, www.myserver.net, web.myserver.net, which are
all aliased to the same vhost in apache).

I suspect you could use the altSubjectName field to add multiple host
names to the certificate. It'd still all be one certificate, so it
doesn't really help when it's different people running different
vhosts, but if it's all one person running different vhosts, it might
get the job done.


Thanks for the feedback.

-Brian

--

Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://pgp.mit.edu/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
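
The frontend/backend arrangement discussed in this thread, written out as an added example that is not part of the original messages. The hostnames (site-a.example, site-b.example), the loopback port 8080, and all file paths are assumptions chosen for illustration.

```apache
# Added example; hostnames, ports and file paths are assumptions.
# Frontend needs mod_ssl, mod_rewrite, mod_proxy and mod_proxy_http.

# --- Frontend: the only listener on 443 ---
# It terminates TLS, so the Host header is in cleartext by the time the
# rewrite conditions run.
Listen 443
<VirtualHost *:443>
    ServerName site-a.example

    SSLEngine on
    # One certificate serves every proxied site. It has to list each
    # hostname, or clients of the other sites get a name-mismatch warning.
    SSLCertificateFile    /etc/ssl/frontend/shared.crt
    SSLCertificateKeyFile /etc/ssl/frontend/shared.key

    # Reverse proxying only; never act as a forward proxy.
    ProxyRequests Off
    # Hand the original Host header to the backend so its name-based
    # vhosts can select the right site.
    ProxyPreserveHost On

    RewriteEngine On
    # Proxy only for hostnames on an explicit allowlist. The target is a
    # fixed address and is never built from the client-supplied Host value.
    RewriteCond %{HTTP_HOST} ^(site-a|site-b)\.example(:443)?$ [NC]
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/$1 [P,L]

    # Any other Host value is refused rather than served a default site.
    RewriteRule ^ - [F]
</VirtualHost>

# --- Backend: plain HTTP, name-based vhosts, loopback only ---
# Bound to 127.0.0.1 so it cannot be reached without going through the
# TLS frontend. Apache 2.2 also needs: NameVirtualHost 127.0.0.1:8080
Listen 127.0.0.1:8080
<VirtualHost 127.0.0.1:8080>
    ServerName site-a.example
    DocumentRoot /var/www/site-a
</VirtualHost>
<VirtualHost 127.0.0.1:8080>
    ServerName site-b.example
    DocumentRoot /var/www/site-b
</VirtualHost>
```

If the backend runs on a separate machine instead of loopback, the hop between the two servers carries decrypted traffic and needs its own protection.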

