See below,

Rgds,
Owen Boyle

>From: Jay States [mailto:[EMAIL PROTECTED]]
>
>I would like to clear up port-based hosting for mod-ssl:
>
>1. https looks for port 443, but you can change that to any port with
>modification to the apache configure file and also as long as you
>specify the port in the url (https://sample.com:445).

Exactly correct. You need to say "Listen 445" in the config and define a VH like "<VirtualHost 192.168.1.1:445>". Then you have to use the port in the URL, as you show (to a browser, "https" means "establish an SSL session with the following server; unless the port is specified, use port 443").

>
>2. Mod-ssl does not work for name based hosting...

Kind of the other way around: NBVHing doesn't work with SSL. The reason is that SSL encrypts all the contents of the TCP/IP packet so the traffic has to be routed using only TCP/IP attributes, i.e. IP address and Port number. The "Host" header (which is needed for NBVHing) is an HTTP attribute, i.e. it is inside the packet and so is encrypted so you can't use it to route packets.

> We must use ports in order for it to work.

Yes-ish.. You must distinguish SSL VHs by TCP/IP attributes, i.e. each VH must have a unique IP address:Port pair.

>3. Can you specify more than one port to bind https? What if you only
>have 1 ip address and 10 different domain names. What do you
>do then?
>Place the domain names behind your firewall and use a class a,b or c ip
>addresses?

You'd have to use 10 different ports. But you would have to specify the ports in the public URLs. I'm not sure what you're getting at with the FW idea... You can't get away with address translation in the FW adding on the port numbers since the packets are already encrypted when they arrive at the FW.

Having said that, I was astonished some months ago when someone reported a hardware gadget which could route SSL traffic by hostname. It is a kind of SSL router which you put between your server and the internet. I don't know how it works - maybe you have to give it your private server keys so it can decrypt the incoming traffic. I've also forgotten what it was called! Search the archives on this list for SSL routers, hardware etc.. Maybe someone else can remember the link to this gadget?

>4. If mod-ssl can be placed on more than one port what does the config
>file look like, I keep getting errors. All the docs I've read
>said that name-based virtual hosts do not work.

Because they don't.

>They do not say that multiple
>ports can not be specified.

Because they can:

    Listen 192.168.1.1:445
    <VirtualHost 192.168.1.1:445>
        SSLEngine on
        SSLCertificateFile ...
        SSLCertificateKeyFile ...
        DocumentRoot ...
        # etc..
    </VirtualHost>

    Listen 192.168.1.1:446
    <VirtualHost 192.168.1.1:446>
        SSLEngine on
        SSLCertificateFile ...
        SSLCertificateKeyFile ...
        DocumentRoot ...
        # etc..
    </VirtualHost>

Note: no need for "NameVirtualHost", no need for "ServerName".

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
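
Added example (not part of the original message, and not mod_ssl code): a small Python check for the rule stated in the reply, that each SSL virtual host needs its own IP address:Port pair with a Listen directive covering it. The sample config and the name audit_ssl_vhosts are constructed for illustration, and the parser assumes one address per <VirtualHost> line.

```python
import re
from collections import Counter

# Constructed sample (not from the original message): two SSL virtual hosts
# wrongly share 192.168.1.1:445, and 192.168.1.1:447 has no Listen directive.
SAMPLE_CONF = """
Listen 192.168.1.1:445
Listen 192.168.1.1:446
<VirtualHost 192.168.1.1:445>
    SSLEngine on
</VirtualHost>
<VirtualHost 192.168.1.1:445>
    SSLEngine on
</VirtualHost>
<VirtualHost 192.168.1.1:446>
    SSLEngine on
</VirtualHost>
<VirtualHost 192.168.1.1:447>
    SSLEngine on
</VirtualHost>
"""

def audit_ssl_vhosts(conf_text):
    """Return (shared, unlistened): address:port pairs used by more than one
    SSL virtual host, and pairs that no Listen directive covers."""
    listens, pairs = set(), Counter()
    current, ssl_on = None, False          # state of the open <VirtualHost>
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.match(r"(?i)listen\s+(\S+)", line):
            listens.add(m.group(1))        # "445" or "192.168.1.1:445"
        elif m := re.match(r"(?i)<virtualhost\s+([^>\s]+)\s*>", line):
            current, ssl_on = m.group(1), False
        elif current and re.match(r"(?i)sslengine\s+on\b", line):
            ssl_on = True
        elif re.match(r"(?i)</virtualhost>", line):
            if current and ssl_on:
                pairs[current] += 1
            current, ssl_on = None, False
    shared = sorted(p for p, n in pairs.items() if n > 1)
    # A bare "Listen 445" covers every local address on that port.
    unlistened = sorted(p for p in pairs
                        if p not in listens and p.rsplit(":", 1)[-1] not in listens)
    return shared, unlistened

if __name__ == "__main__":
    print(audit_ssl_vhosts(SAMPLE_CONF))
```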
