From: Adrian Filipi-Martin (adrian+freebsd-security_at_ubergeeks.com)
Date: Fri Nov 22 2002 - 10:38:51 CST


    On Fri, 22 Nov 2002, Alex Povolotsky wrote:

    > On Fri, 22 Nov 2002 07:07:41 -0500
    > "Allan Jude" <937863primus.ca> wrote:
    >
    > AJ> What seems to be the problem with the virtual hosts?
    > AJ> You're quite right, but I have EVERYTHING works ok for now, EXCEPT
    > AJ> virtual hosts with https. Google shows nothing relevant on "jail https
    > AJ> virtual".
    >
    > Oh, quite simple.
    >
    > https cannot be configured with name-based virtual hosts, by design.
    > jail cannot be configured for more than one IP address, by design.
    > (don't ask me to wait until jail-ng will be ready)
    > Jail sits on internal IP, on lo0. fxp0 holds real IP addresses to be accessed from outside.
    > I'm forwarding incoming connection to jail, currently with ipnat. I need to pass information about real (outside) IP to mod_ssl. That is my problem.
    >
    > plain http works perfectly (name-based virthosts).

            You still have to do IP-based hosting for https. It doesn't matter
    that they have their IP's in the jails.

            The problem is that the SSL channel has already been negotiated and
    established before apache gets to consider the "Host:" header which is
    mostly what the virtual hosting is based upon. This means that it's too
    late to select a different virtual host without generating an SSL hostname
    mismatch warning.

            Adrian

    --
    [ adrianubergeeks.com ]
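
The ordering described in the reply above, as an added example that is not part of the original thread: a small model showing that the certificate is chosen from the listening address alone, so sites that reach the same address share one certificate. All addresses, hostnames and the NAT table are constructed sample values; the jail address on lo0 is an assumption.

```python
# Model of certificate selection without a hostname in the handshake:
# the server picks a certificate from the address the connection arrived
# on, before any HTTP header exists. All values are constructed samples.

JAIL = ("127.0.0.2", 443)  # single jail address on lo0 (assumed value)

# Outside address -> address the server sees after the ipnat redirect.
NAT = {("192.0.2.10", 443): JAIL, ("192.0.2.11", 443): JAIL}

# One certificate per listening address, with the names it is valid for.
CERT_BY_LISTENER = {JAIL: ["www.example.org"]}

# Sites the operator wants to serve: (outside address, hostname).
SITES = [
    (("192.0.2.10", 443), "www.example.org"),
    (("192.0.2.11", 443), "shop.example.org"),
]


def name_matches(cert_name, host):
    """Exact match, or '*' standing for exactly the leftmost label."""
    c, h = cert_name.lower().split("."), host.lower().split(".")
    if len(c) != len(h):
        return False
    return (c[0] == "*" or c[0] == h[0]) and c[1:] == h[1:]


def connect(outside_addr, hostname, nat=NAT, certs=CERT_BY_LISTENER):
    """Replay the protocol order: handshake first, Host header second."""
    listener = nat.get(outside_addr, outside_addr)
    presented = certs[listener]  # step 1: chosen without seeing hostname
    # Step 2: the client compares the certificate with the name it asked for.
    ok = any(name_matches(n, hostname) for n in presented)
    return presented, ok


def audit(sites, nat=NAT, certs=CERT_BY_LISTENER):
    """Return hostnames whose visitors would get a mismatch warning."""
    return [h for addr, h in sites if not connect(addr, h, nat, certs)[1]]


if __name__ == "__main__":
    print("mismatch warnings for:", audit(SITES))
```
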
    
