David DeSimone wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Doug Poland <[EMAIL PROTECTED]> wrote:
I have DNS resolution, the problem ( I think ) is in that pf simply
sees the packet destined for my single public IP (because all my
public host names must resolve to the same public IP address) and port
443.

I am not sure how you expect this to work.  The web browser will expect
the server to send a certificate with its identity as part of the
initial SSL negotiation.  The client has not yet sent its request, so
the web server has no idea which of the three domains the browser wanted
to talk to, so it does not know which certificate should be sent.  This
is the reason why every SSL site must have its own unique (public) IP
address.

- -- David DeSimone == Network Admin == [EMAIL PROTECTED]

I see what you are getting at. I told pf to simply route all https requests to a fixed private IP. When I pointed my browser at the FQDN, Firefox told me I had a certificate problem, i.e., the certificate returned was not the one expected.

So, is the bottom line, one *cannot* hide multiple (NAT'd) SSL hosts behind a single public IP? So my only solution, given apache and one public IP, is a single host listening on 443 and each "domain" would have to be served as a <Directory></Directory>. e.g.,

  https://secure.example.com/webmail/
  https://secure.example.com/subversion/

instead of

  https://webmail.example.com
  https://subversion.example.com


--
Regards,
Doug
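Added example, not code from either poster: the exchange above turns on whether anything in the connection identifies the requested hostname before the server sends its certificate. It goes one step beyond the thread: modern browsers put the hostname in the Server Name Indication (SNI) extension of the very first TLS message, the ClientHello, so a TLS-aware front end (or Apache name-based SSL virtual hosts on a server built with SNI support) can pick the right certificate or backend. pf's rdr still cannot do this, since it matches only on IP and port and never looks inside the TLS record. The script below builds a constructed ClientHello, extracts the SNI name, and maps it to a backend; the hostnames, backend addresses and the default-backend fallback are assumptions for illustration.

```python
"""Extract the TLS Server Name Indication from a ClientHello and route on it.

Added example (not from the thread). Demonstrates that the hostname is
available in the first client message, before any certificate is sent,
and that a client without SNI falls through to a default, which is the
"wrong certificate" failure Firefox reported in the thread.
"""
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # SNI extension type (RFC 6066)

# Assumed hostname -> backend mapping; addresses are illustrative.
BACKENDS = {
    "webmail.example.com": "10.0.0.10:443",
    "subversion.example.com": "10.0.0.11:443",
}
DEFAULT_BACKEND = "10.0.0.10:443"   # what a client without SNI would reach


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed input)."""
    body = b"\x03\x03" + b"\x00" * 32             # client_version + random
    body += b"\x00"                               # session_id length 0
    body += struct.pack(">H", 2) + b"\xc0\x2f"    # one cipher suite
    body += b"\x01\x00"                           # compression: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(name)) + name   # type host_name
        sni = struct.pack(">H", len(entry)) + entry              # ServerNameList
        exts += struct.pack(">HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack(">H", len(exts)) + exts
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + b"\x03\x01"
            + struct.pack(">H", len(handshake)) + handshake)


def extract_sni(record):
    """Return the SNI host_name from a ClientHello record, or None if absent.

    Every length is bounds-checked so a short or non-TLS record (e.g. plain
    HTTP sent to port 443) yields None instead of an exception.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    pos = 2 + 32                                  # skip client_version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                          # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                          # compression_methods
    if pos + 2 > len(body):
        return None                               # no extensions field at all
    ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
    exts = body[pos + 2:pos + 2 + ext_len]

    i = 0
    while i + 4 <= len(exts):
        etype, elen = struct.unpack(">HH", exts[i:i + 4])
        i += 4
        data = exts[i:i + elen]
        i += elen
        if etype != EXT_SERVER_NAME or len(data) < 5:
            continue
        list_len = struct.unpack(">H", data[:2])[0]
        j = 2
        while j + 3 <= min(2 + list_len, len(data)):
            ntype = data[j]
            nlen = struct.unpack(">H", data[j + 1:j + 3])[0]
            j += 3
            if ntype == 0 and j + nlen <= len(data):     # host_name entry
                return data[j:j + nlen].decode("ascii", "replace")
            j += nlen
    return None


def choose_backend(record):
    """Pick a backend from the SNI name; unknown or missing names get the default."""
    name = extract_sni(record)
    return BACKENDS.get(name, DEFAULT_BACKEND)


if __name__ == "__main__":
    for host in ("webmail.example.com", "subversion.example.com", None):
        rec = build_client_hello(host)
        print(host, "->", extract_sni(rec), "->", choose_backend(rec))
```

The caveat a practitioner wants: clients that do not send SNI (older browsers of the thread's era) carry no name at all, so whatever sits on the default backend answers with its own certificate, which is exactly the mismatch Doug saw. Routing on SNI also only reads the name; the front end still has to present a certificate whose name matches, either by terminating TLS itself per-name or by passing the raw connection to a backend holding the right certificate.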
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"