[lug] IP aliasing, https and iptables

Zan Lynx zlynx at acm.org
Thu Jun 19 11:24:24 MDT 2008


Sean Reifschneider wrote:
> karl horlen wrote:
>> Is this the way ssl is implemented on servers with multiple vhosts or is
>> there some other technique?
> 
> This is the typical approach.  You can run one SSL instance on the same IP
> you are using for non-SSL, since the SSL usually runs on port 443, so it
> can share the IP with the non-SSL sites running on port 80.
> 
> you *COULD* run multiple SSL instances on the same IP, if you put them on
> different ports.  However, that would lead to needing to use the URL
> "https://hostname:444/" and so on, where you explicitly specify the port.
> If the site is only referenced from internal URLs that might be fine, but
> if you ever expect users to directly access it, using a different IP is
> what you want to do.
[cut]
One thing you can do with multiple ports is to use HTTP on port 80 to
redirect requests to the appropriate hostname and port.  Disable
standard port 443 altogether (or run standard HTTP on it) or the users
will get scary Bad SSL! messages when they forget the port.

I believe that if the browser is using TLS and gets standard HTTP on a
port 443 connect, it will shift to HTTP, so that could possibly be
linked to the same redirector that is running on port 80.

_______________________________________________
Web Page:  http://lug.boulder.co.us
Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
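The port-80 redirector described in the message above, as an added example that is not part of the original post or list: a small HTTP listener that maps the Host header to the port each SSL vhost was given on the shared IP and answers with a 301 to that https URL. Hostnames and ports are constructed for illustration; unknown hosts get a 404 rather than a redirect, so the lookup table is also what keeps the redirector from becoming an open redirect.

```python
"""Port-80 redirector for SSL vhosts that share one IP on different ports."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import quote

# Constructed example mapping (hypothetical hosts): one SSL port per vhost.
SSL_PORTS = {
    "www.example.com": 443,
    "shop.example.com": 444,
    "mail.example.com": 445,
}


def redirect_target(host_header, path):
    """Return the https URL to send the client to, or None for unknown hosts.

    The Host header may carry ':80'; it is stripped so lookups use the bare
    name. Only names present in SSL_PORTS are redirected, so a client cannot
    steer the redirect to an arbitrary host or port via the Host header.
    """
    if not host_header:
        return None
    host = host_header.split(":", 1)[0].lower()
    port = SSL_PORTS.get(host)
    if port is None:
        return None
    if not path.startswith("/"):
        path = "/" + path
    suffix = "" if port == 443 else f":{port}"  # omit the default port
    return f"https://{host}{suffix}{quote(path, safe='/?=&%')}"


class Redirector(BaseHTTPRequestHandler):
    """Answers every plain-HTTP request with a redirect to the SSL vhost."""

    def do_GET(self):
        target = redirect_target(self.headers.get("Host"), self.path)
        if target is None:
            self.send_error(404, "Unknown virtual host")
            return
        self.send_response(301)
        self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET  # HEAD requests get the same redirect


if __name__ == "__main__":
    # Binding port 80 needs root or CAP_NET_BIND_SERVICE.
    HTTPServer(("0.0.0.0", 80), Redirector).serve_forever()
```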

