Date:      Tue, 9 Oct 2001 15:15:58 -0400
From:      Louis LeBlanc <leblanc+freebsd@acadia.ne.mediaone.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: jails and httpd/ssl virtual hosting
Message-ID:  <20011009151558.D64668@acadia.ne.mediaone.net>
In-Reply-To: <a05100300b7e8b288d063@[192.168.123.20]>
References:  <a05100300b7e8b288d063@[192.168.123.20]>

On 10/09/01 09:04 AM, Albert Everett sat at the `puter and typed:
> Since jails are bound to a single IP address and SSL certs work on a 
> per-IP basis, it looks like I'd need a whole jail per SSL enabled web 
> site.
Not entirely true.  SSL certs typically work on a dns name basis.  For
instance, if I get a cert for www.mystupidsite.com, and tie it to some
IP, like 123.45.67.89, and have a backup system at 123.45.67.90, I can
change my dns server to send requests for www.mystupidsite.com to
either one, both of which may well have the same cert on them.  So
long as the client sees the cert CN matching the site the request was
sent to, all is well.  It doesn't matter if that site is an IP or a
dns name.

> Is this right? If so, is the usual strategy to jail non-SSL web sites 
> and to leave SSL sites in the non-jail environment?

The whole problem with hosting multiple secure servers on a single
machine has always been just that:  You can't tell which server the
client wants until they actually send the request.  Of course you
won't get the request until the handshake has been performed.

The only way to keep these sites separate in Apache, of course, is to
do it by VirtualHost based on IP.  You might then want to play some
tricks to ensure the client is asking for the correct www site.  Not
sure offhand what those directives would be.  So long as your system
is set up with multiple IPs and each one is served its own DNS name,
theoretically it should work.

I'm afraid I can't give much detail on setting up Jails, but if you
keep the above in mind, it might help.

Good luck
Lou
-- 
Louis LeBlanc       leblanc@acadia.ne.mediaone.net
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net

Information Processing:
  What you call data processing when people are so disgusted with
  it they won't let it be discussed in their presence.
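An added example, not from Lou's reply or from the Apache project, of the IP-based layout he describes: each SSL site listens on its own address with its own certificate, and a mod_rewrite check (one way to do the "trick" he mentions) refuses requests whose Host: header does not match the name on that address's cert. www.mystupidsite.com and 123.45.67.89 come from the message; the second site, its address 123.45.67.91, and all file paths are constructed.

```apache
# The TLS handshake finishes before the Host: header is ever seen, so the
# destination address alone decides which certificate Apache presents.
# One address per secure site is therefore required; one cert per address.
Listen 123.45.67.89:443
Listen 123.45.67.91:443

<VirtualHost 123.45.67.89:443>
    ServerName www.mystupidsite.com
    DocumentRoot /usr/local/www/mystupidsite            # constructed path
    SSLEngine on
    SSLCertificateFile    /usr/local/etc/apache/ssl.crt/www.mystupidsite.com.crt
    SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/www.mystupidsite.com.key

    # A client that reached this address but asked for some other name
    # (or sent no Host: header at all) is refused rather than served a
    # site the certificate does not cover.
    RewriteEngine on
    RewriteCond %{HTTP_HOST} !^www\.mystupidsite\.com$ [NC]
    RewriteRule .* - [F]
</VirtualHost>

<VirtualHost 123.45.67.91:443>
    ServerName www.othersite.example                    # constructed name
    DocumentRoot /usr/local/www/othersite
    SSLEngine on
    SSLCertificateFile    /usr/local/etc/apache/ssl.crt/www.othersite.example.crt
    SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/www.othersite.example.key

    RewriteEngine on
    RewriteCond %{HTTP_HOST} !^www\.othersite\.example$ [NC]
    RewriteRule .* - [F]
</VirtualHost>
```

The DNS side must match: each ServerName resolves only to the address its block binds, which is the "each one is served its own DNS name" condition in the reply.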

