Yes, you can do it and you need one external IP per domain.

If you're using subdomains you can use one cert for all subdomains if you get a wildcard certificate (i.e. *.mydomain.com).

Brad

On Mon, 9 Aug 2004 07:50:20 -0500 "Jones, John (US)" <John.Jones@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> So, you can do it but you need multiple IP addresses. Is that correct
> or am I missing something?
>
> TIA,
>
> John A. Jones
> Americas Security Officer
> Jones Lang LaSalle, Inc.
> V: +1-630-455-2787 F: +1-312-601-1782
> John.Jones@xxxxxxxxxxxxxxxxxxxxxxx
>
> -----Original Message-----
> From: Brad Stone [mailto:brad@xxxxxxxxxxxx]
> Sent: Sunday, August 08, 2004 4:32 PM
> To: Web Enabling the AS400 / iSeries
> Subject: Re: [WEB400] Apache for SSL Proxy?
>
> After some research on this, I found that it isn't possible.
>
> Because SSL wraps the entire HTTP request (including the host headers)
> you currently need to have one IP for each SSL site you are running. If
> it's behind a firewall, that means one external, and one internal per
> SSL site that is using a separate certificate.
>
> Even a firewall that can route by host name won't work with 2 domains
> using different certs. Subdomain sites and the use of a wildcard
> certificate shouldn't be an issue. But that isn't the case for my query.
>
> Because SSL wraps the HTTP request, the web server must decrypt the
> request before applying any host matching, such as with Virtual Hosts.
> So, as Apache puts it, it's a "chicken and egg" problem. Which comes
> first. So, Apache always will use the first certificate specified in
> the config to do any decrypting.
>
> There is an RFC in the works to solve this issue, but I wouldn't expect
> it to be implemented anytime soon judging from the talk about it.
>
> Anyhow, it does make sense. I wasn't completely aware that SSL wrapped
> everything... I assumed the headers were available... guess not. :)
>
> Hope this helps for anyone else that ever ventures down this road.

Bradley V. Stone
BVS.Tools
www.bvstools.com
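
The layout the thread arrives at, one IP address per certificate, sketched as an added example that is not part of the original messages. It assumes a stock Apache httpd with mod_ssl; the IP addresses, host names and file paths are constructed placeholders.

```apache
# Added example (constructed). Assumes stock Apache httpd with mod_ssl.
# 192.0.2.x are documentation addresses; host names and paths are placeholders.

# --- Does not work as intended: two certificates behind one IP:port ---
# The server certificate is sent during the SSL handshake, before the
# encrypted Host header can be read. As described in the thread, Apache
# uses the first certificate configured for the address, so a client
# asking for shop.example.net is handed the www.example.com certificate
# and sees a certificate name mismatch.
#
# <VirtualHost 192.0.2.10:443>
#     ServerName www.example.com
#     SSLEngine on
#     SSLCertificateFile    /path/to/www.example.com.crt
#     SSLCertificateKeyFile /path/to/www.example.com.key
# </VirtualHost>
# <VirtualHost 192.0.2.10:443>
#     ServerName shop.example.net
#     SSLEngine on
#     SSLCertificateFile    /path/to/shop.example.net.crt
#     SSLCertificateKeyFile /path/to/shop.example.net.key
# </VirtualHost>

# --- Works: one IP address per certificate ---
# The certificate is selected by the local address the connection
# arrived on, which is known before any decryption takes place.
Listen 192.0.2.10:443
Listen 192.0.2.11:443

<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    DocumentRoot /path/to/www.example.com/htdocs
    SSLEngine on
    SSLCertificateFile    /path/to/www.example.com.crt
    SSLCertificateKeyFile /path/to/www.example.com.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName shop.example.net
    DocumentRoot /path/to/shop.example.net/htdocs
    SSLEngine on
    SSLCertificateFile    /path/to/shop.example.net.crt
    SSLCertificateKeyFile /path/to/shop.example.net.key
</VirtualHost>
```

Behind a firewall, each of these internal addresses also needs its own external address mapped to it, matching the one external and one internal IP per SSL site described in the thread.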