On Wed, Jan 7, 2009 at 10:13 AM, Davide Bianchi <davide@xxxxxxxxxxxxxx> wrote:
> Brian Mearns wrote:
>> for secure http support. The frontend server can then use rewrite
>> conditions to check the http Host header, and rewrite rules with the
>
> And how can he check the host header if the request is encrypted? He has
> to decrypt it. And to do so, he needs a certificate.
>

The frontend server is set up as a regular ssl-supporting server, so I
don't think there's any reason he can't decrypt the message; a server
has to decrypt a request in order to process it, whether it's serving
up proxied requests to a backend server or just static text files.

On Wed, Jan 7, 2009 at 10:10 AM, Krist van Besien <krist.vanbesien@xxxxxxxxx> wrote:
> On Wed, Jan 7, 2009 at 4:06 PM, Brian Mearns <bmearns@xxxxxxxx> wrote:
>
>> The only obvious drawbacks I can think of is possible lag introduced
>> by having to proxy, and that all the sites would have to use the same
>> certificate (as defined in the port 443 vhost on the "frontend"
>> server).
>
> And that is the problem. This means that for only one site the
> certificate will match the hostname...

Right, which I guess is a big problem for most use cases. For me, my
certificate is self-signed anyway, and I already use it for multiple
hostnames (myserver.net, www.myserver.net, web.myserver.net, which are
all aliased to the same vhost in apache).

I suspect you could use the altSubjectName field to add multiple host
names to the certificate. It'd still all be one certificate, so it
doesn't really help when it's different people running different
vhosts, but if it's all one person running different vhosts, it might
get the job done.

Thanks for the feedback.
-Brian

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://pgp.mit.edu/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.