Doug Poland wrote:
I see what you are getting at. I told pf to simply route all https requests to a fixed private IP. When I pointed my browser at the FQDN, firefox told me I had a certificate problem... i.e., the certificate returned was not the one expected.

So, is the bottom line, one *cannot* hide multiple (NAT'd) SSL hosts behind a single public IP?

In fact, it has nothing to do with NAT. When the browser sees "secure.example.com", it will resolve the host and contact the corresponding IP. At this point, with NAT or without it, you do not know what "virtual host" is being queried.

This is a known SSL shortcoming. Maybe future implementations (openssl, browsers, ...) will solve it.

So my only solution, given apache and one public IP, is a single host listening on 443 and each "domain" would have to be served as a <Directory></Directory>. e.g.,

  https://secure.example.com/webmail/
  https://secure.example.com/subversion/

This works indeed. It also costs less (for the certificates :).

In some cases, you can use one of the boxes as an SSL proxy, though care is required (remote apps don't necessarily know whether the query was "secure" or not, so you need to enforce SSL on a few paths and adequately structure your sites).

instead of

  https://webmail.example.com
  https://subversion.example.com

These cannot work with a single IP (as viewed by the browser).

You can also use different ports, but this is not necessarily "user friendly".

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
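An added example, not from this thread, of the layout the reply describes: one Apache virtual host on 443 with a single certificate, one application served locally under a path and one proxied to another NAT'd box, with SSL enforced per path and the backend told the request was HTTPS. The hostnames, backend address, file paths and loaded modules are assumptions.

```apache
# Added example (not from this thread). Assumes Apache httpd 2.4 with
# mod_ssl, mod_proxy, mod_proxy_http, mod_headers, mod_dav and
# mod_dav_svn loaded; 10.0.0.2 is a hypothetical backend box behind pf.
Listen 443

# One certificate, one name: every application lives under
# secure.example.com, so the browser never expects a different cert.
<VirtualHost *:443>
    ServerName secure.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/secure.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/secure.example.com.key

    # Application served on this box from a path
    <Location /subversion>
        DAV svn
        SVNPath /usr/local/svn/repo
        SSLRequireSSL
        Require all granted
    </Location>

    # Application proxied to a NAT'd box. The backend only ever sees
    # plain HTTP, so mark the original request as HTTPS for it.
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    <Location /webmail/>
        SSLRequireSSL
        ProxyPass        http://10.0.0.2/webmail/
        ProxyPassReverse http://10.0.0.2/webmail/
    </Location>
</VirtualHost>

# Plain-HTTP side: serve nothing here, only send clients to the SSL
# paths, so a stray http:// link cannot reach an application in clear.
<VirtualHost *:80>
    ServerName secure.example.com
    Redirect permanent /webmail/    https://secure.example.com/webmail/
    Redirect permanent /subversion https://secure.example.com/subversion
</VirtualHost>
```

The backend at 10.0.0.2 must be configured to trust X-Forwarded-Proto only from this proxy, otherwise any client could claim its request was secure.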
