Michael,

Here is how I've done this.

External DNS:

    SITE              IP
    -----------------------
    www.site1.org     external IP.A to NAT for 192.168.0.1
    www.site2.com     external IP.B to NAT for 192.168.0.2

My firewall/NAT device translates:

    external IP.A ---> 192.168.0.1
    external IP.B ---> 192.168.0.2

On the multihomed RH Linux server (I'm not using internal DNS), /etc/hosts:

    192.168.0.1   www.site1.org
    192.168.0.2   www.site2.com

Apache httpd.conf:

    NameVirtualHost 192.168.0.1:80
    NameVirtualHost 192.168.0.1:443
    NameVirtualHost 192.168.0.2:80
    NameVirtualHost 192.168.0.2:443

    <VirtualHost 192.168.0.1:80>
        ServerName www.site1.org
        ...
    </VirtualHost>

    <VirtualHost 192.168.0.1:443>
        ServerName www.site1.org
        ...
        SSLCertificateFile ...      <for www.site1.com>
        SSLCertificateKeyFile ...   <for www.site1.com>
    </VirtualHost>

    <VirtualHost 192.168.0.2:80>
        ServerName www.site2.com
        ...
    </VirtualHost>

    <VirtualHost 192.168.0.2:443>
        ServerName www.site2.com
        ...
        SSLCertificateFile ...      <for www.site2.com>
        SSLCertificateKeyFile ...   <for www.site2.com>
    </VirtualHost>

I think that your answer depends on the abilities of your firewall/NAT device. As I understand things, Apache must use the inbound IP address to determine which certificate is needed to decrypt the request. If your firewall can only perform HTTPS inbound port mapping to one IP address, then I don't see how you would solve this problem. Even with a proxy, you would not know which certificate to use for decrypting the message, thus you could not determine if the traffic was for www.site1.com or www.site2.com.

You should look at your firewall documentation. There may be some combination of port mapping and "direct-1-to-1" mapping that would let you do this. Perhaps your firewall supports "direct-1-to-1" mapping of all traffic on IP.A to 192.168.0.1. Then you could use the port mapping feature to direct ports 80 and 443 on IP.B to 192.168.0.2.

Alternatively, perhaps your firewall has a DMZ feature. Maybe you could connect IP.A/192.168.0.1 to the firewall port mapping feature and use the DMZ feature to direct IP.B to 192.168.1.2 on the DMZ network.
I've used 192.168.1.2 instead of 192.168.0.2, because usually a DMZ feature is a different interface on the firewall device.

Hope this helps,

David Marshall

-----Original Message-----
From: Michael R. Tuzi [mailto:[EMAIL PROTECTED]]
Sent: Sunday, June 09, 2002 8:04 PM
To: [EMAIL PROTECTED]
Subject: Multiple sites using different IP's

I have read many posts about the inability to use virtual host names with SSL. My firewall uses NAT, and only allows one LAN IP to receive requests for httpd on ports 80 and 443. Given that I can have multiple IP's on one NIC (I'm running Redhat Linux 7.2) and that I can set up my internal DNS (which the firewall uses) such that:

    SITE              IP
    -----------------------
    www.site1.org     192.168.0.1
    www.site2.com     192.168.0.2
    www.site3.net     192.168.0.3
    ...

and putting the following in my httpd.conf:

    NameVirtualHost 192.168.0.1:80
    NameVirtualHost 192.168.0.1:443
    NameVirtualHost 192.168.0.2:80
    NameVirtualHost 192.168.0.2:443

    <VirtualHost 192.168.0.1:80>
        ServerName www.site1.org
        ...
    </VirtualHost>

    <VirtualHost 192.168.0.1:443>
        ServerName www.site1.org
        ...
        SSLCertificateFile ...
        SSLCertificateKeyFile ...
    </VirtualHost>

    <VirtualHost 192.168.0.2:80>
        ServerName www.site2.com
        ...
    </VirtualHost>

    <VirtualHost 192.168.0.2:443>
        ServerName www.site2.com
        ...
        SSLCertificateFile ...
        SSLCertificateKeyFile ...
    </VirtualHost>

Assuming that the firewall sends httpd requests to 192.168.0.1, is it possible for Apache to be configured to handle requests made to www.site2.com/192.168.0.2? Or can I accomplish what I desire by using some sort of proxy that receives all httpd requests from the firewall and then connects to my Apache server?

I guess my bottom line question is: can I use internal IP addresses to use multiple SSL-enabled virtual hosts, and if so, how?
Regards,

Michael

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                             [EMAIL PROTECTED]
Automated List Manager                                [EMAIL PROTECTED]
______________________________________________________________________
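As an added illustration of David's point that Apache picks the certificate by the inbound address (example code written for this page, not from either poster or the mod_ssl project), the following Python check parses a httpd.conf fragment in the style of the ones quoted above and flags any IP:443 address that carries more than one SSL virtual host, which is exactly what results when a firewall can only port-map 443 to a single LAN IP. The config text and certificate paths are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed httpd.conf fragment: two SSL vhosts squeezed onto one address.
SAMPLE_CONF = """
NameVirtualHost 192.168.0.1:80
NameVirtualHost 192.168.0.1:443
<VirtualHost 192.168.0.1:80>
    ServerName www.site1.org
</VirtualHost>
<VirtualHost 192.168.0.1:443>
    ServerName www.site1.org
    SSLCertificateFile /placeholder/site1.crt
</VirtualHost>
<VirtualHost 192.168.0.1:443>
    ServerName www.site2.com
    SSLCertificateFile /placeholder/site2.crt
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.IGNORECASE)

def parse_vhosts(conf):
    """Return (address, ServerName, SSLCertificateFile) for each <VirtualHost>."""
    vhosts, current = [], None
    for line in conf.splitlines():
        if m := VHOST_OPEN.match(line):
            current = {"addr": m.group(1).strip(), "name": None, "cert": None}
        elif VHOST_CLOSE.match(line) and current is not None:
            vhosts.append((current["addr"], current["name"], current["cert"]))
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            if len(parts) == 2:
                key, value = parts[0].lower(), parts[1].strip()
                if key == "servername":
                    current["name"] = value
                elif key == "sslcertificatefile":
                    current["cert"] = value
    return vhosts

def ssl_conflicts(conf):
    """Addresses on port 443 that carry more than one certificate: the server
    chooses the certificate by inbound IP:port, so only one can be served."""
    certs_by_addr = defaultdict(set)
    for addr, _name, cert in parse_vhosts(conf):
        if addr.endswith(":443") and cert:
            certs_by_addr[addr].add(cert)
    return {a: sorted(c) for a, c in certs_by_addr.items() if len(c) > 1}
```

Running ssl_conflicts over a real httpd.conf gives an empty dict for the one-IP-per-SSL-site layout David describes and lists the colliding certificates otherwise.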