<li><em>date</em>: Sat, 27 Aug 2005 08:38:40 -0400</li>
<li><em>from</em>: jkinney at localnetsolutions.com (James P. Kinney III)</li>
<li><em>in-reply-to</em>: <<a href="msg00474.html">[email protected]</a>></li>
<li><em>references</em>: <<a href="msg00404.html">[email protected]</a>> <<a href="msg00474.html">[email protected]</a>></li>
<li><em>subject</em>: [ale] apache, ssl, DMZ, brain calcification</li>
I don't see this as breaking the SSL security since the original packet
is unchanged except for the DNAT. However, the big headache is the
apache mod that needs to be able to send the needed info to the router.
That is a chunk of code that is, by necessity, hardened to prevent
security leaks in apache.
Hmm. The initial https request is NOT encrypted. Maybe a way to do the
tracking through SNAT/DNAT with the connection tables...
research ensues....
On Fri, 2005-08-26 at 23:36 -0400, Allan Neal wrote:
> Unfortunately the user tool would not work. SSL will not allow you to do
> hostname based hosting. Each site has to have its own IP address. The
> reason for this is that the url is encoded in the SSL portion of the packet.
> The only part that IPTables can see is the IP address. So in order to get
> IPTables to do what you are talking about here, you would have to decrypt the
> packet at the firewall to see (name1|name2).
>
> You could do one base site with different contexts i.e. <a rel="nofollow" href="https://sitename/name1">https://sitename/name1</a>
> and <a rel="nofollow" href="https://sitename/name2">https://sitename/name2</a>. Then you only have to have one Cert. I suspect
> this is not what you are looking for though.
>
> Sorry I can't be of more help. This is how it has worked for me in my job
> though. I run several SSL sites for my company. We haven't found a way
> around this and it even caused us to recently purchase ARIN space to get
> enough IP addresses to handle our growth.
>
> Allan
>
> On Wed, Aug 24, 2005 at 06:15:53PM -0400, James P. Kinney III wrote:
> > I am looking at setting up an ssl-enabled web server in the dmz. As I
> > only have a few real IP addresses, I am looking at using internal IP
> > (10.0.*) addresses to handle the ssl-cert requirements of unique IP for
> > each namespace.
> >
> > What I'm stumped on is how to get <a rel="nofollow" href="https://name1">https://name1</a> AND <a rel="nofollow" href="https://name2">https://name2</a> to
> > both get through the firewall and point to the correct virtual interface
> > IP address on the DMZ server. Do I need to write a userspace tool that
> > interfaces with iptables to read the server name from the IP stack?
> >
> > Can this be done with an apache proxy on the firewall?
> > --
> > James P. Kinney III \Changing the mobile computing world/
> > CEO & Director of Engineering \ one Linux user /
> > Local Net Solutions,LLC \ at a time. /
> > 770-493-8244 \.___________________________./
> > <a rel="nofollow" href="http://www.localnetsolutions.com">http://www.localnetsolutions.com</a>
> >
> > GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> > <jkinney at localnetsolutions.com>
> > Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
>
>
>
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale">http://www.ale.org/mailman/listinfo/ale</a>
--
James P. Kinney III \Changing the mobile computing world/
CEO & Director of Engineering \ one Linux user /
Local Net Solutions,LLC \ at a time. /
770-493-8244 \.___________________________./
<a rel="nofollow" href="http://www.localnetsolutions.com">http://www.localnetsolutions.com</a>
GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
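The question both James and Allan are circling is what a packet filter can actually see before the TLS handshake completes. The ClientHello is indeed sent in cleartext, but a 2005-era client put no hostname in it, so the firewall was left with the destination IP alone; the Server Name Indication extension (RFC 3546, later RFC 6066) is what eventually let a router or reverse proxy pick a backend from the first packet. The following is an added example, not code from the thread or from the ALE list: it constructs a minimal ClientHello with and without SNI, parses the name out of the cleartext record the way a firewall helper would, and maps it to a constructed 10.0.x backend table. The hostnames, the backend addresses and the assumption that clients send SNI are all mine.

```python
import struct

TLS_HANDSHAKE = 0x16      # TLS record type for handshake messages
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type (RFC 6066)

# Constructed routing table: public-facing name -> internal DMZ address.
BACKENDS = {"name1.example": "10.0.0.11", "name2.example": "10.0.0.12"}


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed test data).

    A real client sends many cipher suites and extensions, but the field
    layout that extract_sni() walks is the same. With server_name=None the
    record looks like a pre-SNI client from the era of this thread.
    """
    body = b"\x03\x03" + b"\x11" * 32                 # client_version + random
    body += b"\x00"                                   # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
    body += b"\x01\x00"                               # compression: null only
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext     # extensions block
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the hostname carried in cleartext in a ClientHello, or None.

    None means the packet filter sees only the destination IP, which is the
    situation Allan describes. Truncated or malformed input also yields None
    instead of raising, since this runs on untrusted bytes off the wire.
    """
    try:
        if len(record) < 5 or record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        p = hs[4:4 + hs_len]
        if len(p) < hs_len:
            return None
        i = 2 + 32                                        # client_version + random
        i += 1 + p[i]                                     # session_id
        i += 2 + struct.unpack("!H", p[i:i + 2])[0]       # cipher_suites
        i += 1 + p[i]                                     # compression_methods
        if i >= len(p):
            return None                                   # no extensions at all
        ext_len = struct.unpack("!H", p[i:i + 2])[0]
        i += 2
        end = i + ext_len
        if end > len(p):
            return None
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", p[i:i + 4])
            i += 4
            edata = p[i:i + elen]
            if len(edata) < elen:
                return None
            i += elen
            if etype != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", edata[0:2])[0]
            j = 2
            while j + 3 <= 2 + list_len:
                name_type = edata[j]
                name_len = struct.unpack("!H", edata[j + 1:j + 3])[0]
                name = edata[j + 3:j + 3 + name_len]
                if len(name) < name_len:
                    return None
                if name_type == 0:
                    return name.decode("ascii")
                j += 3 + name_len
        return None
    except (struct.error, IndexError, UnicodeDecodeError):
        return None


def route_by_sni(record, backends=BACKENDS):
    """Pick the internal address a DNAT rule would target, or None if no SNI."""
    return backends.get(extract_sni(record))


if __name__ == "__main__":
    for name in ("name1.example", "name2.example", None):
        rec = build_client_hello(name)
        print(name, "->", extract_sni(rec), "->", route_by_sni(rec))
```

The `None` branch is the interesting one for this thread: without SNI there is nothing in the first packet to route on, so the only options were the one-IP-per-certificate layout Allan describes or terminating TLS on the firewall itself, which is what James's "apache proxy on the firewall" idea amounts to. A router that does route on SNI should still treat the name as untrusted input, which is why the parser fails closed on anything malformed.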
</pre>
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00404" href="msg00404.html">[ale] apache, ssl, DMZ, brain calcification</a></strong>
<ul><li><em>From:</em> jkinney at localnetsolutions.com (James P. Kinney III)</li></ul></li>
<li><strong><a name="00474" href="msg00474.html">[ale] apache, ssl, DMZ, brain calcification</a></strong>
<ul><li><em>From:</em> allanneal at comcast.net (Allan Neal)</li></ul></li>
</ul></li></ul>
</body>
</html>