Thanks Alfonso, That is actually the way we have things configured right now and it is good enough to get by... but my curiosity was piqued when discussing the issue with a colleague about how this is done in the "real world".
I just sent a reply to David where I outlined the heart of my question - but basically I can't understand why this is so difficult. When I access a web address like https://secure.amazon.com or https://mail.google.com I come in through a single IP. When I look at the cert for mail.google.com, there is no IP information that identifies the site. If certs were tied to a single IP, how do farms of servers handle a site like https://mail.google.com? The only difference in the solution I'm trying to achieve is that on the back end I only have 1 server instead of 1000 like Google :).

Andy

On 10/9/08, Andy Ray <[EMAIL PROTECTED]> wrote:
> Thank you for your quick reply David!
>
> So, talking theory here, and trying to better understand the options available:
>
> Can the SSL cert be loaded on the router/firewall/gateway device hosting Pound? I am assuming that would give Pound access to the host header in a later request, then the traffic is redirected to the appropriate internal host? Or am I way off base here?
>
> How is this typically handled in a web server farm? Though I am not scaling this to anything near that size, I picture this as no different than accessing https://secure.amazon.com (or other such address) where the traffic is load balanced/proxied to multiple back end servers? Except, for the proxy/load balance on my scale it only has 1 host behind it. When I resolve secure.amazon.com I only get 1 IP address - but I'm pretty sure that it doesn't go to 1 host publicly exposed on the back end at Amazon HQ.
>
> Thanks for helping me sort it out....
>
> Andy
>
> On 10/9/08, Dave Steinberg <[EMAIL PROTECTED]> wrote:
>>> What they would like to do is direct mail.company.com:443 to the OWA resources and vpn.company.com:443 to the SSL VPN appliance (two separate internal IP addresses).
>>>
>>> I understand that the preferred/accepted way for doing this is to obtain multiple IPs from the ISP and map those internally. Unfortunately that is not an option with the provider available in the area at this time.
>>
>> It's preferred because most people do not want their clients/customers/service users to see SSL validation errors when they try to access the service in question.
>>
>>> From the landing page for Pound, it looks like there is a problem with multiple domain redirection to single internal host IP with virtual servers on that same IP, unless a wildcard cert is used, which seems to indicate that it may be possible if all 443 traffic is redirected to a single host/ip.
>>
>> I've not tried it, but yes, a wildcard cert should work. They are unfortunately much more expensive than regular certs.
>>
>>> From my small understanding of what I've read, Pound (or any other reverse proxy) is unable to decipher the host header because it comes after the SSL tunnel is negotiated. It would seem that the only solution left would be to use a product like Microsoft's ISA server that does seem to be able to reverse proxy SSL connections. If this is the case, I'm just a bit surprised that there isn't an option in the *nix world to achieve this goal.
>>
>> This is not a software or OS limitation but rather a protocol limitation, for the reasons you describe. It is software agnostic, which is why the wildcard cert is the only option that will avoid warnings in your client software.
>>
>> Regards,
>> --
>> Dave Steinberg
>> http://www.geekisp.com/
>> http://www.steinbergcomputing.com/
>>
>> --
>> To unsubscribe send an email with subject unsubscribe to [EMAIL PROTECTED]
>> Please contact [EMAIL PROTECTED] for questions.
>>
>
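The thread's conclusion is that a single wildcard cert on the proxy is the only way to serve mail.company.com and vpn.company.com from one IP without validation errors. Before buying one, it is worth checking exactly which names such a cert covers, because the wildcard rules browsers apply are narrower than people expect. The following is an added example, not code from the thread or from Pound: it implements the strict wildcard matching rules (the '*' must be the whole leftmost label, at least two labels must follow it, and it matches exactly one label), and runs them over hostnames constructed from the thread's scenario. The names '*.company.com', 'company.com' and 'owa.mail.company.com' are assumptions chosen for illustration.

```python
"""Which hostnames does a wildcard certificate actually cover?

Added example (not from the thread or from Pound). Implements the strict
wildcard matching rules browsers apply to a certificate's names: the '*'
must be the entire leftmost label, at least two labels must follow it,
and it matches exactly one label. Hostnames below are constructed from
the thread's scenario.
"""


def cert_name_matches(cert_name: str, hostname: str) -> bool:
    """True if a certificate name (CN or dNSName SAN) covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname          # plain name: exact, case-insensitive
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # Exactly one wildcard, and it must be the whole leftmost label
    # ('*.company.com', not 'ma*.company.com' and not 'mail.*.com').
    if cert_labels[0] != "*" or "*" in cert_name[2:]:
        return False
    # Refuse '*.com'-style names: at least two labels must follow the wildcard.
    if len(cert_labels) < 3:
        return False
    # The wildcard matches exactly one label, so 'company.com' and
    # 'owa.mail.company.com' are NOT covered by '*.company.com'.
    if len(host_labels) != len(cert_labels) or host_labels[0] == "":
        return False
    return host_labels[1:] == cert_labels[1:]


def uncovered_hosts(cert_names, hostnames):
    """Return the hostnames that none of the certificate's names cover."""
    return [h for h in hostnames
            if not any(cert_name_matches(n, h) for n in cert_names)]


# Constructed inputs (assumed names): the two services from the thread plus
# two names people often expect a wildcard to cover but which it does not.
CERT_NAMES = ["*.company.com"]
WANTED_HOSTS = ["mail.company.com", "vpn.company.com",
                "company.com", "owa.mail.company.com"]

if __name__ == "__main__":
    for host in WANTED_HOSTS:
        covered = any(cert_name_matches(n, host) for n in CERT_NAMES)
        print(f"{host:25s} covered={covered}")
    print("still needs its own cert name:", uncovered_hosts(CERT_NAMES, WANTED_HOSTS))
```

Run it as-is to see that '*.company.com' covers the two hostnames in the thread but not the bare domain or a second-level name; if either of those must also work over the same IP, the cert needs them listed explicitly as additional names.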
