RE: Port-based questions?

2002-07-30 Thread Boyle Owen

See below,

Rgds,

Owen Boyle

From: Jay States [mailto:[EMAIL PROTECTED]]

I would like to clear up port-based hosting for mod-ssl:

1. https looks for port 443, but you can change that to any port with 
modification to the apache configure file and also as long as you 
specify the port in the url (https://sample.com:445).

Exactly correct. You need to say Listen 445 in the config and define a VH like 
<VirtualHost 192.168.1.1:445>. Then you have to use the port in the URL, as you show 
(to a browser, https means establish an SSL session with the following server; 
unless the port is specified, use port 443).


2. Mod-ssl does not work for name based hosting...

Kind of the other way around: NBVHing doesn't work with SSL. The reason is that SSL 
encrypts all the contents of the TCP/IP packet so the traffic has to be routed using 
only TCP/IP attributes, i.e. IP address and Port number. The Host header (which is 
needed for NBVHing) is an HTTP attribute, i.e. it is inside the packet and so is 
encrypted so you can't use it to route packets.

 We must use ports in order for it to work.

Yes-ish.. You must distinguish SSL VHs by TCP/IP attributes, i.e. each VH must have a 
unique IP address:Port pair.

3. Can you specify more than one port to bind https? What if you only 
have 1 ip address and 10 different domain names.  What do you 
do then?  
Place the domain names behind your firewall and use a class a,b or c ip 
addresses?

You'd have to use 10 different ports. But you would have to specify the ports in the 
public URLs. I'm not sure what you're getting at with the FW idea... You can't get 
away with address translation in the FW adding on the port numbers since the packets 
are already encrypted when they arrive at the FW.

Having said that, I was astonished some months ago when someone reported a hardware 
gadget which could route SSL traffic by hostname. It is a kind of SSL router which you 
put between your server and the internet. I don't know how it works - maybe you have 
to give it your private server keys so it can decrypt the incoming traffic. I've also 
forgotten what it was called! Search the archives on this list for SSL routers, 
hardware etc.. 

Maybe someone else can remember the link to this gadget?

4.  If mod-ssl can be placed on more than one port what does the config 
file look like, I keep getting errors.  All the docs I've read 
said that name-based virtual do not work. 

Because they don't. 

They do not say that multiple 
ports can not be specified.

Because they can:

Listen 192.168.1.1:445
<VirtualHost 192.168.1.1:445>
  SSLEngine on
  SSLCertificateFile ...
  SSLCertificateKeyFile ...
  DocumentRoot ...
  etc..
</VirtualHost>

Listen 192.168.1.1:446
<VirtualHost 192.168.1.1:446>
  SSLEngine on
  SSLCertificateFile ...
  SSLCertificateKeyFile ...
  DocumentRoot ...
  etc..
</VirtualHost>

Note: no need for NameVirtualHost, no need for ServerName.
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
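
An added example, not part of the original thread or of mod_ssl: a small Python check for the rule stated in the reply above, that each SSL virtual host needs its own IP address:port pair with a matching Listen directive. The function name, the sample configuration and the one-address-per-VirtualHost assumption are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample config (not from the thread): two SSL vhosts share
# 192.168.1.1:445, and the vhost on :447 has no matching Listen line.
SAMPLE_CONF = """\
Listen 192.168.1.1:445
Listen 192.168.1.1:446
<VirtualHost 192.168.1.1:445>
  SSLEngine on
</VirtualHost>
<VirtualHost 192.168.1.1:445>
  SSLEngine on
</VirtualHost>
<VirtualHost 192.168.1.1:446>
  SSLEngine on
</VirtualHost>
<VirtualHost 192.168.1.1:447>
  SSLEngine on
</VirtualHost>
"""

def check_ssl_vhosts(conf_text):
    """Return (duplicates, unlistened) for SSL-enabled <VirtualHost> blocks."""
    listens, vhosts = set(), defaultdict(list)
    current, ssl_on = None, False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()  # comment lines start with '#' and match nothing below
        listen = re.match(r"(?i)listen\s+(\S+)", line)
        opened = re.match(r"(?i)<virtualhost\s+(\S+)>$", line)
        if listen:
            # "Listen 445" (no address) binds the port on every address.
            addr, _, port = listen.group(1).rpartition(":")
            listens.add((addr or "*", port))
        elif opened:
            current, ssl_on = (opened.group(1), lineno), False
        elif current and re.match(r"(?i)sslengine\s+on$", line):
            ssl_on = True
        elif current and re.match(r"(?i)</virtualhost>$", line):
            if ssl_on:
                vhosts[current[0]].append(current[1])
            current = None
    # More than one SSL vhost on the same address:port cannot be told apart.
    duplicates = {k: v for k, v in vhosts.items() if len(v) > 1}
    def listened(key):
        addr, _, port = key.rpartition(":")
        return (addr, port) in listens or ("*", port) in listens
    unlistened = sorted(k for k in vhosts if not listened(k))
    return duplicates, unlistened
```

The first return value maps each shared address:port to the line numbers of the conflicting blocks; the second lists SSL vhosts whose address:port has no Listen directive.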



Port-based questions?

2002-07-29 Thread Jay States

I would like to clear up port-based hosting for mod-ssl:

1. https looks for port 443, but you can change that to any port with 
modification to the apache configure file and also as long as you 
specify the port in the url (https://sample.com:445).

2. Mod-ssl does not work for name based hosting.  We must use ports in 
order for it to work.

3. Can you specify more than one port to bind https? What if you only 
have 1 ip address and 10 different domain names.  What do you do then?  
Place the domain names behind your firewall and use a class a,b or c ip 
addresses?

4.  If mod-ssl can be placed on more than one port what does the config 
file look like, I keep getting errors.  All the docs I've read said that 
name-based virtual do not work.  They do not say that multiple ports can 
not be specified.

I have been looking for a solid answer for 3 weeks and thanks to all who 
answer my questions.

J