Date: Tue, 22 Jan 2008 01:12:21 +0100
From: mouss <mouss@netoyen.net>
To: freebsd-pf@freebsd.org
Subject: Re: pf how-to: Single public IP --> many private NAT'd HTTPS servers
Message-ID: <479534E5.9050103@netoyen.net>
In-Reply-To: <4794F117.2000804@polands.org>
References: <4794C5A8.8040402@polands.org> <1200904649.33634.9.camel@z60m> <4794CF21.2090606@polands.org> <1200906215.33634.14.camel@z60m> <4794D38C.6020007@polands.org> <20080121175551.GB11928@verio.net> <4794F117.2000804@polands.org>
Doug Poland wrote:
> I see what you are getting at. I told pf to simply route all https
> requests to a fixed private IP. When I pointed my browser at the
> FQDN, firefox told me I had a certificate problem... i.e., the
> certificate returned was not the one expected.
>
> So, is the bottom line, one *cannot* hide multiple (NAT'd) SSL hosts
> behind a single public IP?

In fact, it has nothing to do with NAT. When the browser sees
"secure.example.com", it will resolve the host and contact the
corresponding IP. At this point, with NAT or without it, you do not
know what "virtual host" is being queried. This is a known SSL
shortcoming. Maybe future implementations (openssl, browsers, ...) will
solve it.

> So my only solution, given apache and one public IP, is a single host
> listening on 443 and each "domain" would have to be served as a
> <Directory></Directory>. e.g.,
>
> https://secure.example.com/webmail/
> https://secure.example.com/subversion/

This works indeed. It also costs less (for the certificates :). In some
cases, you can use one of the boxes as an SSL proxy, though care is
required (remote apps don't necessarily know whether the query was
"secure" or not, so you need to enforce SSL on a few paths and
adequately structure your sites).

> instead of
>
> https://webmail.example.com
> https://subversion.example.com

These cannot work with a single IP (as viewed by the browser). You can
also use different ports, but this is not necessarily "user friendly".
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?479534E5.9050103>
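The SSL-proxy caveat mouss raises (a back-end behind an SSL-terminating box cannot tell by itself whether the client's request was HTTPS, so it must enforce SSL on the few paths that need it) is easy to get wrong: the back-end has to learn the original scheme from a header the proxy sets, and must believe that header only when the request really came from the proxy. The WSGI middleware below is an added example, not code from this thread or from Apache or pf. It assumes the layout the thread describes: one SSL-terminating proxy at 10.0.0.1 (hypothetical address) forwarding /webmail/ and /subversion/ to private back-ends and setting X-Forwarded-Proto, with secure.example.com as the public name to redirect to. All request environments are constructed inline.

```python
"""Enforce HTTPS on selected paths for a back-end behind an SSL-terminating proxy.

Added example for the freebsd-pf thread on one public IP and several HTTPS
back-ends; the proxy address, path list and public host name are assumptions.
"""
from ipaddress import ip_address, ip_network
from urllib.parse import urlunsplit

# Paths that must only be reachable over HTTPS (assumed, per the thread's layout).
SECURE_PATHS = ("/webmail/", "/subversion/")
# Only the SSL proxy may assert the original scheme; anyone else could forge the
# header.  Hypothetical proxy address on the private network.
TRUSTED_PROXIES = [ip_network("10.0.0.1/32")]
# Public name that the browser actually connects to (the single certificate name).
PUBLIC_HOST = "secure.example.com"


def request_was_secure(environ):
    """True if this process terminated TLS itself, or a trusted proxy says it did."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    try:
        peer = ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    if not any(peer in net for net in TRUSTED_PROXIES):
        # X-Forwarded-Proto from an untrusted peer is ignored, not trusted.
        return False
    return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"


def needs_ssl(path):
    """Does this path belong to one of the SSL-only sub-sites?"""
    return any(path.startswith(prefix) for prefix in SECURE_PATHS)


def enforce_ssl(app, public_host=PUBLIC_HOST):
    """Wrap a WSGI app: redirect plain-HTTP requests for SSL-only paths."""
    def middleware(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if needs_ssl(path) and not request_was_secure(environ):
            # Redirect to the public HTTPS name, keeping path and query string.
            location = urlunsplit(("https", public_host, path,
                                   environ.get("QUERY_STRING", ""), ""))
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]
        return app(environ, start_response)
    return middleware


def backend(environ, start_response):
    """Stand-in for a private back-end (webmail, subversion, ...)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"served " + environ["PATH_INFO"].encode()]


def make_environ(path, remote_addr, forwarded_proto=None, scheme="http"):
    """Construct a minimal WSGI environ for a request (constructed sample input)."""
    env = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": "",
           "REMOTE_ADDR": remote_addr, "wsgi.url_scheme": scheme,
           "SERVER_NAME": "webmail.internal", "SERVER_PORT": "80"}
    if forwarded_proto is not None:
        env["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return env


def run(app, environ):
    """Invoke a WSGI app once and return (status, headers dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = enforce_ssl(backend)
    cases = [
        ("proxy, https", make_environ("/webmail/inbox", "10.0.0.1", "https")),
        ("proxy, http", make_environ("/webmail/inbox", "10.0.0.1", "http")),
        ("spoofed header", make_environ("/webmail/inbox", "192.0.2.7", "https")),
        ("public path", make_environ("/public/index.html", "192.0.2.7")),
    ]
    for label, env in cases:
        status, headers, _ = run(app, env)
        print(f"{label:15s} -> {status} {headers.get('Location', '')}")
```

The important check is the peer address test: a client that reaches the back-end directly on the private network (or through a pf rule that redirects port 80) can send X-Forwarded-Proto: https itself, and without the TRUSTED_PROXIES test that would disable the SSL enforcement for exactly the paths it is meant to protect.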