From: Doug Poland
Date: Mon, 21 Jan 2008 13:23:03 -0600
To: freebsd-pf@freebsd.org
Subject: Re: pf how-to: Single public IP --> many private NAT'd HTTPS servers

David DeSimone wrote:
> Doug Poland wrote:
>> I have DNS resolution; the problem (I think) is that pf simply
>> sees the packet destined for my single public IP (because all my
>> public host names must resolve to the same public IP address) and port
>> 443.
>
> I am not sure how you expect this to work. The web browser will expect
> the server to send a certificate with its identity as part of the
> initial SSL negotiation. The client has not yet sent its request, so
> the web server has no idea which of the three domains the browser wanted
> to talk to, so it does not know which certificate should be sent. This
> is the reason why every SSL site must have its own unique (public) IP
> address.
>
> --
> David DeSimone == Network Admin == fox@verio.net

I see what you are getting at. I told pf to simply route all https requests to a fixed private IP. When I pointed my browser at the FQDN, Firefox told me I had a certificate problem, i.e., the certificate returned was not the one expected.

So, is the bottom line that one *cannot* hide multiple (NAT'd) SSL hosts behind a single public IP?

So my only solution, given apache and one public IP, is a single host listening on 443, and each "domain" would have to be served as a . e.g.,

https://secure.example.com/webmail/
https://secure.example.com/subversion/

instead of

https://webmail.example.com
https://subversion.example.com

--
Regards,
Doug
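The ordering David describes is the whole problem: the server has to pick a certificate after reading nothing but the client's first handshake message, and pf, working at the IP/port layer, sees even less. The following Python script is an added example, not code from the thread or from FreeBSD/pf; it builds a constructed TLS 1.0 ClientHello and parses it to show exactly what is available at the moment the certificate must be chosen. It goes one step beyond the thread: the server_name extension (RFC 3546, not mentioned in the thread) is the only place a hostname can appear before the certificate is sent, so the thread's conclusion holds for any client that omits it. The hostname `webmail.example.com` and the cipher suite values are constructed sample input.

```python
"""
Parse a TLS ClientHello to show what a server (or a packet filter in front of
it) knows at the moment it must choose a certificate.

Constructed example: the ClientHello bytes are built here, not captured from
any real host.  The server_name extension (type 0, RFC 3546) is the only
place a hostname can appear before the server's certificate goes out; a
client that omits it leaves the server with only the destination IP and port.
"""
import os
import struct

TLS_HANDSHAKE = 0x16      # record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # server_name extension type


def build_client_hello(hostname=None, cipher_suites=(0x002F, 0x0035)):
    """Build a TLS 1.0 ClientHello record (constructed, for demonstration).

    With hostname=None no extensions are sent at all, which is what an
    older client that does not know the server_name extension would do."""
    body = b"\x03\x01"                          # client_version: TLS 1.0
    body += os.urandom(32)                      # 32-byte client random
    body += b"\x00"                             # session_id length 0
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                         # one compression method: null
    if hostname is not None:
        name = hostname.encode("ascii")
        # ServerName entry: name_type 0 (host_name), 2-byte length, name
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry      # ServerNameList
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext        # extensions block
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def parse_client_hello(record):
    """Return what the server can learn from a ClientHello record alone:
    protocol version, offered cipher suites, and the hostname if sent."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = (body[0], body[1]); pos += 2
    pos += 32                                   # skip client random
    sid_len = body[pos]; pos += 1 + sid_len     # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0]
              for i in range(0, cs_len, 2)]
    pos += cs_len
    cm_len = body[pos]; pos += 1 + cm_len       # skip compression methods
    server_name = None
    if pos < len(body):                         # extensions are optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype == EXT_SERVER_NAME and len(data) >= 5:
                # ServerNameList: 2-byte list length, then entries
                name_type = data[2]
                name_len = struct.unpack("!H", data[3:5])[0]
                if name_type == 0:              # host_name
                    server_name = data[5:5 + name_len].decode("ascii")
    return {"version": version, "cipher_suites": suites,
            "server_name": server_name}


if __name__ == "__main__":
    # A client with no hostname extension versus one that names the host.
    for host in (None, "webmail.example.com"):
        info = parse_client_hello(build_client_hello(host))
        print("sent hostname:", host, "-> server sees:", info["server_name"])
```

With `hostname=None` the parser returns `server_name: None`: every field the server has (version, ciphers, random) is the same for webmail, subversion and any other name resolving to the public IP, which is why a fixed rdr to one internal host hands back the wrong certificate for the other names. pf, which never looks inside the TLS record, has even less to go on than this parser does.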