From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Date: Tue, 05 Oct 2010 06:33:19 +0100
To: Peter Boosten
Cc: freebsd-questions@freebsd.org
Subject: Re: OT: Apache as reverse SSL proxy
Message-ID: <4CAAB89F.70907@infracaninophile.co.uk>
In-Reply-To: <4CAAAC4A.5060106@boosten.org>
References: <20101004221506.GA8662@polands.org> <20101005035354.GB8662@polands.org> <4CAAAC4A.5060106@boosten.org>

On 05/10/2010 05:40:42, Peter Boosten wrote:
> On 5-10-2010 5:53, Doug Poland wrote:
>> On Mon, Oct 04, 2010 at 09:19:52PM -0500, Adam Vande More wrote:
>> The documentation for www/pound indicated "HTTPS does not allow
>> virtual hosting". I seem to recall bumping into this issue in the
>> past that one cannot do name-based vhosts on HTTPS.

Yes. There's a catch-22 with HTTPS. The ServerName of the encrypted
website is part of the keying material used to decrypt the traffic.
That's given in the Host: header line in HTTP packets -- which is part
of the encrypted content. So to find the name of the virtual host you
need to decrypt the packet, but to decrypt the packet, you first need
the virtual host name. The only way it can work is by making a 1:1
association of web sites with IP numbers, as you can then work out the
server name from the IP connection.

Nowadays there is also the possibility of RFC2817 -- in essence you
start an ordinary HTTP session, then issue a STARTTLS command and
upgrade the connection to encrypted. This will allow name-based virtual
hosting with TLS to work as intended. Unfortunately, last I checked,
while apache supports this, most web browsers do not.

>> Looks like it's back to the drawing board...
>>
>>
>
> You could circumvent that issue by terminating your HTTPS sessions on
> the reverse proxy itself (and talk HTTP to the application server).
> Some applications won't work that way, but modern ones (and even
> Outlook Web Access) can use an HTTPS front-end. The problem exists
> within applications with hard-coded links.

In fact, you pretty much have to do that. Unless your proxy is going to
work at layer 2 only, which most people would recognise as a NAT'ing
gateway, and not something you'd use apache to implement at all. If
your proxying software needs to work at layer 3 -- that is, the proxy
needs to be able to access the HTTP content wrapped inside the TLS
session, then the proxy has to be an endpoint of the TLS session.
Whether the proxy encrypts its own connections to the original source
is then just a matter of preference.

[Well, that, and software capability: squid used in reverse proxy mode
will speak HTTPS to the end users, but requires plaintext access to the
origin servers.]

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
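The arrangement Peter proposes and Matthew endorses above (TLS terminated on the reverse proxy, plain HTTP to the application server, one IP address per HTTPS site because the Host: header cannot be read before decryption), written out as an added Apache configuration example; it is not from the original thread. Assumed and placeholder: the IP addresses, hostnames, backend ports and certificate paths, and that mod_ssl, mod_proxy, mod_proxy_http and mod_headers are loaded.

```apache
# Added example, not from the mailing-list thread. All addresses, names,
# ports and paths below are placeholders.
Listen 443

# One dedicated IP address per HTTPS site: Apache picks the certificate from
# the address the client connected to, since the Host: header is still
# encrypted at that point.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /usr/local/etc/apache22/ssl/www.example.com.crt
    SSLCertificateKeyFile /usr/local/etc/apache22/ssl/www.example.com.key

    # Never act as a forward proxy; only the mappings below are served.
    ProxyRequests Off

    # TLS ends here; the application server is reached over plain HTTP
    # on a trusted internal network.
    ProxyPass        / http://10.0.0.5:8080/
    # Rewrite Location/Content-Location headers that carry the backend's
    # own http://10.0.0.5:8080/ origin so redirects return via the proxy.
    # Links hard-coded in page bodies are not rewritten by this directive;
    # that is the application-side problem Peter mentions.
    ProxyPassReverse / http://10.0.0.5:8080/

    # Tell the backend the client used HTTPS so applications that honour
    # this header build https:// URLs for the front-end.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

# Second site on its own address, same pattern.
<VirtualHost 192.0.2.11:443>
    ServerName secure.example.org

    SSLEngine on
    SSLCertificateFile    /usr/local/etc/apache22/ssl/secure.example.org.crt
    SSLCertificateKeyFile /usr/local/etc/apache22/ssl/secure.example.org.key

    ProxyRequests Off
    ProxyPass        / http://10.0.0.6:8080/
    ProxyPassReverse / http://10.0.0.6:8080/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

Check the mapping before exposing it: a request to https://www.example.com/ should reach 10.0.0.5:8080 only, and a backend redirect to http://10.0.0.5:8080/login should come back to the client as https://www.example.com/login.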