You cannot do this as SSL by default will connect, negotiate a certificate and then DISCONNECT AND RECONNECT using the encryption, by which time it's too late to know the virtual site it's for. On the first connection it's fine, but on the second connection it is impossible to determine which virtual host it's for.

My only solution was to use different ports for SSL, i.e. 443 is not used, 444-500 for each site, or set up a common domain for all sites to use, i.e. www.paysafe.com/domain1, www.paysafe.com/domain2 etc.

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@xxxxxxxxxxxxxxxxxxxxxx
Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
Phone   : +61 2 9955 2644
HelpDesk: +61 2 9955 2698

-----Original Message-----
From: jen@xxxxxxxxxxx [mailto:jen@xxxxxxxxxxx]
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: ssl forward / proxy question

hi,

i have a NAT set up via an iptables firewall on RHAS. i have various webservers behind it (and other stuff), but now i'm required by marketing (sigh) to set up loads of SSL certificates.

since apache/apache2 still requires one ip address per SSL certificate, and they mean to do lots of these, i'm wondering how to set it up in such a way that all DNS points to one external IP address such as 234.56.78.90. when the packet hits the firewall, something proxies it so that it will see the *name* address, and forward it on to a virtual IP.

for example: there are 3 domains all belonging to the same "real" IP address.

234.56.78.90 -> www.guinness.com
234.56.78.90 -> www.kicks.com
234.56.78.90 -> www.butt.com

so a user wants to go to www.guinness.com, the IP takes the packet to the firewall/proxy/whatever, notices that it's "www.guinness.com" and will forward the packet on to the internal address of 10.31.1.44

user goes to www.kicks.com, and the packet goes to 10.31.1.45

www.butt.com will get forwarded to 10.31.1.46

is there something like this that is possible?

thanks!!

-\jen
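The following is an added example, not code from either poster, showing the one-external-port-per-site DNAT workaround George describes, applied to the three backends from jen's question. It assumes (these are not in the original mails) that the external address 234.56.78.90 sits on eth0, that each backend listens on 443 internally, and that ports 444-446 are the constructed per-site ports. The script prints the iptables commands for review by default and only runs them when passed --apply, and it refuses a site table where two sites share an external port, since that would reintroduce the very ambiguity the reply is about.

```shell
#!/bin/sh
# Added example of the per-port SSL forwarding scheme from the reply above.
# Assumed values (not from the original thread): external interface/IP and the
# constructed "external-port backend" table below. Backends listen on 443.

EXT_IF="eth0"
EXT_IP="234.56.78.90"

# One line per virtual site: <external port> <internal backend>  (constructed)
SITES="444 10.31.1.44
445 10.31.1.45
446 10.31.1.46"

# Emit the two rules one site needs: the PREROUTING DNAT that rewrites
# <EXT_IP>:<port> to <backend>:443, and a FORWARD accept for the new flow.
# Printing instead of executing lets the mapping be reviewed before it is live.
dnat_rules() {
    port="$1"; backend="$2"
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:443\n' \
        "$EXT_IF" "$EXT_IP" "$port" "$backend"
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport 443 -m state --state NEW -j ACCEPT\n' \
        "$EXT_IF" "$backend"
}

# Return 1 if any external port appears twice in the site table. The firewall
# can only see IP and port of an SSL connection, so the port must be unique.
check_unique_ports() {
    echo "$1" | awk '{print $1}' | sort | uniq -d | grep -q . && return 1
    return 0
}

# Print the full rule set for every site, after validating the table.
generate_all() {
    check_unique_ports "$SITES" || { echo "duplicate external port in SITES" >&2; return 1; }
    echo "$SITES" | while read -r port backend; do
        [ -n "$port" ] && dnat_rules "$port" "$backend"
    done
}

if [ "$1" = "--apply" ]; then
    generate_all | sh    # must be run as root on the firewall itself
else
    generate_all         # dry run: show what would be added
fi
```

Users then reach each site as https://www.guinness.com:444/, https://www.kicks.com:445/ and so on, which is the trade-off of this approach: the port becomes part of the public URL. A matching FORWARD rule for ESTABLISHED,RELATED traffic is assumed to already exist, as it does on most NAT firewalls.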