[lug] IP aliasing, https and iptables

Ben bluey at iguanaworks.net
Tue Jun 17 16:05:18 MDT 2008


I'm pretty sure ssl supports vhosts just like regular http.

<VirtualHost *:443>
ServerName blah.com
SSLEngine on
SSL....

</VirtualHost>

By the way, Firefox 3 now puts up a lot of warning signs when 
connecting to an https site with a self-signed certificate. It takes a 
few clicks to tell it to ignore the self-signed certificate, and will 
probably freak out the non-techies.  If you are like me and didn't want 
to pay for an ssl certificate, you made a self-signed certificate a long 
time ago and forgot about it. Now StartSSL (www.startssl.com) offers 
free Class 1 digital signing of your certificate. I found it easy to 
set up and worth it to avoid the warning messages.

Ben


karl horlen wrote:
> I'm getting ready to add some ssl support to a website that lives on my apache server which runs multiple vhosted sites.  It's likely I might want to add ssl capability to more vhosts in the future.
>
> My understanding is that ssl requires ip-based versus name-based vhosts.  Since I only have one public nic on my server, my thought was to use ip aliasing to bind multiple public ip addresses to the single nic.
>
> Is this the way ssl is implemented on servers with multiple vhosts or is there some other technique?
>
> My current iptables rules are based on the single ip address presently bound to the nic.  If I bind more ip addresses to the same nic, is iptables granular enough to allow for different rulesets on the ip aliases?  Can I specify "global" rules that apply to the entire interface and work backward, applying more specific rules to each of the aliases?  This looks like it could get quite complicated the more ssl vhosts you have that require ip aliases.
>
> Does anybody have an idea of how much overhead, if any, multiple ips on a single nic create, especially if iptables is running against all those ips, assuming it's even possible?  I know the best answer is "it all depends", but I'm just trying to get some general advice here from someone that has been down this road.
>
>
>       
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
>   
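As an added example (not from Ben's post or Karl's, and not tied to any real site), here is the complete form of the vhost sketch above: two name-based TLS vhosts sharing one address via TLS Server Name Indication (SNI), with the IP-alias alternative Karl describes shown commented out. Hostnames, document roots, certificate paths and the 192.0.2.x addresses are placeholders.

```apache
# Added example, not code from the original thread. All names and paths
# are placeholders.

# Apache 2.2 needs this to enable name-based matching on port 443;
# Apache 2.4 ignores it (name-based is the default there).
NameVirtualHost *:443
Listen 443

# SNI is what makes name-based TLS vhosts work: the client sends the
# hostname in the ClientHello, before any certificate is chosen.
# Requires Apache 2.2.12+ built against OpenSSL 0.9.8f+ and an SNI-capable
# client. A client without SNI (notably IE on Windows XP) never sends the
# name, so it is served the FIRST *:443 vhost in the configuration and
# gets a hostname-mismatch warning for any other site.
<VirtualHost *:443>
    # First *:443 block = default for non-SNI clients and unmatched names.
    # Put the site that must work everywhere here.
    ServerName www.example.com
    DocumentRoot /var/www/example
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/www.example.com.key
    # Intermediate CA cert (e.g. the one a free Class 1 CA hands you);
    # without it browsers cannot build the chain and still warn.
    SSLCertificateChainFile /etc/ssl/certs/ca-intermediate.pem
</VirtualHost>

<VirtualHost *:443>
    ServerName secure.example.org
    DocumentRoot /var/www/secure
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/secure.example.org.crt
    SSLCertificateKeyFile   /etc/ssl/private/secure.example.org.key
    SSLCertificateChainFile /etc/ssl/certs/ca-intermediate.pem
</VirtualHost>

# Optional: refuse non-SNI clients outright instead of silently handing
# them the default site (default is "off").
# SSLStrictSNIVHostCheck on

# Alternative without SNI: one IP alias per certificate. Works with every
# client, but each TLS site then needs its own public address on the NIC
# (ip addr add 192.0.2.11/24 dev eth0), which is the aliasing Karl asks about.
# <VirtualHost 192.0.2.10:443>  ServerName www.example.com    ...  </VirtualHost>
# <VirtualHost 192.0.2.11:443>  ServerName secure.example.org ...  </VirtualHost>
```

To check which certificate a given hostname actually receives, compare `openssl s_client -connect host:443 -servername secure.example.org` with the same command without `-servername`: the second run shows what a non-SNI client sees, and if it returns the www.example.com certificate you have confirmed the first-vhost fallback described in the comments. Running `apachectl -t` after editing will also report whether your httpd build accepts the SNI-related directives at all.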