On Tue, 2005-02-22 at 19:37 -0500, Kevin S. Davis wrote:

> And another question:
>
> How do you handle virtual hosts via nsopenssl?

[snip]

The short answer is that you don't.* =)

> So I define another server in the config files, say foobar.com-ssl which
> doesn't actually load nssock, has its own pageroot, and I set the
> server to foobar.com:443 in the nsopenssl config section. In my
> browser, https://foobar.com works, https://www.foobar.com returns
> https://foobar.com which is basically the same thing, but
> https://yada.com and https://www.yada.com also return https://foobar.com
> which is not desirable.

The somewhat longer answer is that the HTTPS protocol doesn't understand name-based virtualhosts; it's a protocol limitation caused by the fact that SSL negotiation takes place before the Host headers are parsed out of the incoming datastream.

If you want to have multiple SSL sites on the same box, you have two simple options and one more complex one.

Simple #1: Get a second IP address and run an SSL instance on each IP address.

Simple #2: Run the SSL sites on different ports (443 and 444, for instance). Of course, this means that you'll have to explicitly pass a port in your URL (https://www.yada.com:444/) and, of course, https://www.foobar.com:444 would return the same content.

Complex answer: Once the data stream has been decrypted, your webserver (and by extension, any application running on that server) will have access to the clear-text version of the request. You could write pagecode which performed the proper Voodoo(tm) to drop the person into the proper area of the site.

Answer #1 is far and away the easiest solution here, and the least error-prone.

-- 
Noah Robin

* As always, there are exceptions to everything. In theory (and I've not tried this) one can have multiple vhosts on the same port/IP. HOWEVER, assuming one of those vhosts has a valid SSL certificate, any attempts to access the other site will result in that pop-up we all know and love; the one which states that the site you're requesting doesn't match the certificate being presented by the server.

I can't speak for AOLServer's config in this regard, but see http://www.onlamp.com/pub/a/apache/2005/02/17/apacheckbk.html for how to do this in apache, and some additional details on SSL/virtualhosting.

-- 
AOLserver - http://www.aolserver.com/
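The "complex answer" above, as an added example that is not code from the thread or from AOLserver/nsopenssl: once the TLS layer has decrypted the request, dispatch on the Host header to a per-site pageroot, falling back to the listener's default site when the header is missing or unknown. It also includes the footnote's point as a check of whether the single certificate's name would be accepted for the requested host. The vhost names, pageroots, certificate name and request bytes are all constructed for illustration.

```python
"""Host-header dispatch for several HTTPS sites sharing one certificate.

Added example (hypothetical names and paths). The TLS handshake has already
completed against the single certificate, so this can only act on the
decrypted request; it cannot fix the certificate-name mismatch itself.
"""
import re
from typing import Optional

# Constructed vhost table: hostname -> pageroot (aliases map to the same root).
VHOSTS = {
    "foobar.com": "/web/foobar/pages",
    "www.foobar.com": "/web/foobar/pages",
    "yada.com": "/web/yada/pages",
    "www.yada.com": "/web/yada/pages",
}
DEFAULT_ROOT = "/web/foobar/pages"   # what the single SSL listener serves today
CERT_NAME = "foobar.com"             # constructed: the one certificate on :443


def host_from_request(raw: bytes) -> Optional[str]:
    """Return the normalised Host header of a decrypted HTTP request, or None.

    Normalisation: case-folded, trailing dot removed, explicit :port dropped
    (e.g. "Host: www.yada.com:444" -> "www.yada.com"). HTTP/1.0 requests may
    carry no Host header at all, which is why None is a possible result.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower().rstrip(".")
            return re.sub(r":\d+$", "", host)
    return None


def pageroot_for(raw: bytes) -> str:
    """Pick the pageroot for a decrypted request; unknown/missing Host -> default."""
    host = host_from_request(raw)
    return VHOSTS.get(host, DEFAULT_ROOT) if host else DEFAULT_ROOT


def cert_covers(host: str, cert_name: str = CERT_NAME) -> bool:
    """True if a browser would accept cert_name for host.

    Exact match, or a single-label wildcard ("*.foobar.com" covers
    "www.foobar.com" but neither "foobar.com" nor "a.b.foobar.com").
    Any False here is the certificate warning the footnote describes.
    """
    if cert_name.startswith("*."):
        return host.count(".") == cert_name.count(".") and host.endswith(cert_name[1:])
    return host == cert_name
```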
