Doug Poland wrote:
> I see what you are getting at. I told pf to simply route all https
> requests to a fixed private IP. When I pointed my browser at the
> FQDN, firefox told me I had a certificate problem... i.e., the
> certificate returned was not the one expected.
> So, is the bottom line, one *cannot* hide multiple (NAT'd) SSL hosts
> behind a single public IP?
In fact, it has nothing to do with NAT. When the browser sees
"secure.example.com", it will resolve the host and contact the
corresponding IP. At this point, with NAT or without it, you do not know
what "virtual host" is being queried.
This is a known SSL shortcoming. Maybe future implementations (openssl,
browsers, ...) will solve it.
> So my only solution, given apache and one public IP, is a single host
> listening on 443 and each "domain" would have to be served as a
> <Directory></Directory>. e.g.,
> https://secure.example.com/webmail/
> https://secure.example.com/subversion/
This works indeed. It also costs less (for the certificates :).
In some cases, you can use one of the boxes as an SSL proxy, though care
is required (remote apps don't necessarily know whether the query was
"secure" or not, so you need to enforce SSL on few paths and adequately
structure your sites).
> instead of
> https://webmail.example.com
> https://subversion.example.com
These cannot work with a single IP (as viewed by the browser).
You can also use different ports, but this is not necessarily "user
friendly".
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"