On Tue, Mar 26, 2013 at 8:25 PM, Tim Traver <[email protected]> wrote:

> Hi all,
>
> ok, I just wanted to start here, because this seems like the place.
>
> I know this is going to meet a lot of resistance, but here is my crazy idea.
>
> I'd like to figure out a way to dynamically retrieve the SSL keys for
> particular IP connections from the filesystem without having to have a
> configuration directive for each one.
>
> So, something like this kind of flow:
>
> 1) Request comes in to open an SSL connection on a particular IP
> 2) mod_ssl first looks in its memory table to see if it already has the
>    public and private key configs
> 3) If not, it uses the IP as a location on disk to retrieve the keys into
>    memory (like /private/keys/205.34.56.78/host.key and host.crt)
> 4) mod_ssl then uses that and goes along its merry way encrypting
>
> I know there are some issues to solve
>
> 1) Security of the keys. Normally they are owned by a more privileged user
>    than the web server is running as and get read in before apache changes its
>    ownership. I may be able to get around this by having a wrapper to retrieve
>    the key as the privileged owner, or have them located in a database on
>    another machine...
> 2) It would have to be smart enough of a chunk of code to determine if there
>    is a CA cert as well.
>
> The benefits:
>
> 1) No need for config files to specify certs for each of the IPs!
> 2) Very fast startup
> 3) Scales very easily
>
> The downsides:
>
> 1) Delay going to disk the first time to get the keys when request comes in.
> 2) Security issues on safety of key locations and/or retrieval.
>
> I think the benefits outweigh the downsides in this case, which is why I am
> pursuing it.
>
> Any comments? Concerns? Ideas on perhaps a way to write a module separate
> from changing mod_ssl that had hooks in the right places?
>
> Does anyone know if there are hooks to get in front of the SSL connection?
>
> I'd rather write a fresh module than be changing the mod_ssl stuff...
>
> Thanks,
>
> Tim
Have a look at mod_vhost_alias, which does things like this, except not in
combination with SSL. Eg:

    VirtualDocumentRootIP /var/www/%0/htdocs

You could potentially extend this to also set up mod_ssl as well.

Cheers
Tom
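The lookup flow Tim sketches (memory table first, then a per-IP directory on disk, with the two issues he lists: key file security and detecting an optional CA cert) is small enough to show end to end. The following is an added example, not code from the thread or from mod_ssl or mod_vhost_alias; it models the lookup in Python rather than as an Apache module. The directory layout (`<base>/<ip>/host.key`, `host.crt`, optional `chain.crt`), the class and function names, and the placeholder PEM files it builds under a temporary directory are all constructed for the example. Two checks it adds that the thread only alludes to: the connection IP is parsed and re-serialised before it is used as a path component, so only a canonical address ever reaches the filesystem, and a key file readable by group or other is refused rather than loaded.

```python
"""Per-IP key material lookup with a memory table (added example, hypothetical helper)."""
import ipaddress
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class KeyMaterial:
    key_path: str
    cert_path: str
    chain_path: Optional[str]  # None when the IP directory carries no CA chain file


def require_private(path: str) -> None:
    """Refuse a key file that group or other can access (the 'security of the keys' issue)."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/other (mode {oct(mode & 0o777)})")


class PerIpKeyStore:
    """Hypothetical store: base_dir/<ip>/host.key, host.crt and an optional chain.crt."""

    def __init__(self, base_dir: str) -> None:
        self.base_dir = base_dir
        self._cache: Dict[str, KeyMaterial] = {}

    def lookup(self, ip: str) -> KeyMaterial:
        # Step 2 of the flow: consult the memory table first.
        cached = self._cache.get(ip)
        if cached is not None:
            return cached
        # Step 3: derive the on-disk location from the IP. Parsing and re-serialising
        # guarantees that only a canonical address becomes a path component;
        # anything else (including "../..." strings) raises ValueError here.
        canonical = str(ipaddress.ip_address(ip))
        key_dir = os.path.join(self.base_dir, canonical)
        key_path = os.path.join(key_dir, "host.key")
        cert_path = os.path.join(key_dir, "host.crt")
        for required in (key_path, cert_path):
            if not os.path.isfile(required):
                raise FileNotFoundError(required)
        require_private(key_path)
        # Issue 2 from the thread: notice whether a CA chain file is present.
        chain_path = os.path.join(key_dir, "chain.crt")
        material = KeyMaterial(key_path, cert_path,
                               chain_path if os.path.isfile(chain_path) else None)
        self._cache[ip] = material  # populate the memory table for the next hit
        return material


def build_demo_store() -> PerIpKeyStore:
    """Build a throwaway layout with constructed placeholder PEM files (not real keys)."""
    base = tempfile.mkdtemp(prefix="perip-keys-")
    layout = {
        "203.0.113.10": ("host.key", "host.crt"),               # no CA chain
        "203.0.113.11": ("host.key", "host.crt", "chain.crt"),  # with CA chain
        "203.0.113.12": ("host.key", "host.crt"),               # key deliberately left world-readable
    }
    for ip, files in layout.items():
        ip_dir = os.path.join(base, ip)
        os.makedirs(ip_dir)
        for name in files:
            path = os.path.join(ip_dir, name)
            with open(path, "w") as fh:
                fh.write(f"-----BEGIN PLACEHOLDER-----\nconstructed {name} for {ip}\n"
                         "-----END PLACEHOLDER-----\n")
            mode = 0o600 if name == "host.key" else 0o644
            if ip == "203.0.113.12" and name == "host.key":
                mode = 0o644  # wrong on purpose, so the permission check is exercised
            os.chmod(path, mode)
    return PerIpKeyStore(base)


if __name__ == "__main__":
    store = build_demo_store()
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.10", "203.0.113.12", "../etc"):
        try:
            print(ip, "->", store.lookup(ip))
        except (ValueError, FileNotFoundError, PermissionError) as exc:
            print(ip, "-> refused:", exc)
```

The second lookup of `203.0.113.10` is served from the cache, which is the "delay only on the first request" property from the downsides list; the refused cases show what a defender would want the module to do with a malformed address, a missing directory, or a key that the unprivileged worker should never have been able to read in the first place.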
