Hi all, I've got a problem with my web server and ssl that I'm having a hard time figuring out. This might take a while to explain so bail now or bear with me ;-)
I'm on Qwest DSL with one static IP. The dsl modem is set to port forward all ports (putting the web server in the modem's DMZ is a guaranteed modem lockup within 24 hours, if there is anyone else out there using a Qwest Actiontec modem.) Here's an ascii diagram:

          | External IP Address
    ________________
   |                |
   |  Qwest Modem   |
   |                |
    _________________
          | 10.20.30.1--Qwest Internal IP
          | 10.20.30.2--OpenBSD External IP (em0)
    _________________
   |                 |
   |     OpenBSD     |
   |  fxp0 172.16.0.1
   |  fxp1 10.30.50.1 - 10.30.50.19
    _________________   (as aliases)
          | Internal Lan

All of my normal non-ssl virtual hosts are on 10.20.30.2. mail.openvistas.net is my webmail address; it automatically redirects everything to mail.openvistas.net:443. This has a cert that I bought from GoDaddy, and it is working fine.

My ssl hosts work.openvistas.net and cvs.work.openvistas.net resolve to the same IP address as everything else from the internet, but to different internal IP addresses beginning at 10.30.50.1 with a split horizon DNS setup. These two use two different self-signed certs, each with the correct server name in the cert.

So, if my understanding about how all this works was correct, I'd think that everything should Just Work. I have one ssl host on the same IP with all of the non-ssl hosts, and then the other two are each on their own internal IP address. And it does work just great--from my tibook inside the lan. There I get redirected just fine to the different 10.30.50.x IP address, and get the warning from Camino about not being able to verify the self-signed certs, while connecting to mail.openvistas.net over https also works and uses the correct, verified cert.

Outside the lan is a different story. There any https url ends up at the web mail page.

It appears that as far as apache is concerned everything is on 10.20.30.2, including the two work related pages, which is the only way I can make any sense of this excerpt from the ssl-engine log:

[07/Nov/2008 20:26:13 18274] [info] Init: Configuring server cvs.work.openvistas.net:443 for SSL protocol
[07/Nov/2008 20:26:13 18274] [info] Init: Configuring server mail.openvistas.net:443 for SSL protocol
[07/Nov/2008 20:26:13 18274] [warn] Init: SSL server IP/port conflict: mail.openvistas.net:443 (/var/www/conf/httpd.conf:1731) vs. cvs.work.openvistas.net:443 (/var/www/conf/httpd.conf:2242)
[07/Nov/2008 20:26:13 18274] [warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!

That is also what tcpdump shows when I try from outside the lan to go to https://cvs.work.openvistas.net:

07:43:58.854640 samsara.wykids.org.53050 > 10.20.30.2.https: S 606206889:606206889(0) win 65535 <mss 1400,nop,nop,sackOK>
  0000: 4500 0030 2136 0000 7106 288e 4590 925e  E..0!6..q.(.E..^
  0010: 0a14 1e02 cf3a 01bb 2421 fba9 0000 0000  .....:..$!......
  0020: 7002 ffff 9296 0000 0204 0578 0101 0402  p..........x....
07:43:58.854807 10.20.30.2.https > samsara.wykids.org.53050: S 3336382975:3336382975(0) ack 606206890 win 16384 <mss 1400,nop,nop,sackOK>
  0000: 4500 0030 12f8 0000 4006 67cc 0a14 1e02  E..0....@.g.....
  0010: 4590 925e 01bb cf3a c6dd 29ff 2421 fbaa  E..^...:..).$!..
  0020: 7012 4000 61a8 0000 0204 0578 0101 0402  p.@.a......x....

From inside the lan it works just fine:

07:49:43.860277 172.16.0.15.56642 > 10.30.50.2.https: P 1204992021:1204992058(37) ack 1899480006 win 65535 <nop,nop,timestamp 4251713075 3416398380> (DF)
  0000: 4500 0059 7079 4000 4006 e1e6 ac10 000f  E..Ypy@.@.......
  0010: 0a1e 3202 dd42 01bb 47d2 b815 7137 c3c6  ..2..B..G...q7..
  0020: 8018 ffff 0a12 0000 0101 080a fd6b fe33  .............k.3
  0030: cba2 1a2c 1503 0100 2029 176f 03c7 f2c2  ...,.... ).o....
  0040: e160 ad02 1a23 0647 0103 1a52 6e17 3d15  .`...#.G...Rn.=.
  0050: a815 4701 3a57 d208 da                   ..G.:W...
07:49:43.860288 172.16.0.15.56642 > 10.30.50.2.https: F 37:37(0) ack 1 win 65535 <nop,nop,timestamp 4251713075 3416398380> (DF)
  0000: 4500 0034 707a 4000 4006 e20a ac10 000f  E..4pz@.@.......
  0010: 0a1e 3202 dd42 01bb 47d2 b83a 7137 c3c6  ..2..B..G..:q7..
  0020: 8011 ffff 9905 0000 0101 080a fd6b fe33  .............k.3
  0030: cba2 1a2c                                ...,

Even though the split horizon dns appears to be working, I have also tried using IP based vhosts for work. and cvs.work. but that didn't make a difference at all.

At this point I don't know what to try or look at. I see some indication that all this is dns related, even though when I stop and start httpd I see it query the internal dnscache and server so it must be getting the correct internal addresses. And then maybe I'm completely misunderstanding how to run multiple internal ssl servers on one external IP address and that it can't be done without more external IPs from Qwest.

Any cluesticks greatly appreciated!

Thanks in advance,

Jeff Ross

P.S. I've read up on relayd and wonder if that might do it under SSL Acceleration mode but I haven't yet had a chance to put this to the test. If I understand it correctly, relayd uses one cert and once the ssl handshake is done passes the connection off over http to the proper web server (or in my case) vhost on the same web server.
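An added example, not from Jeff's post or from the relayd project, of the SSL-acceleration layout the P.S. describes: relayd terminates TLS on the external address with one certificate, then hands each request over plain HTTP to the internal address that serves the requested name, chosen from the Host header. It assumes the addresses from the post (10.20.30.2 for the main vhosts, 10.30.50.1 for work. and 10.30.50.2 for cvs.work., the latter taken from the internal tcpdump), that Apache answers on port 80 on each of those addresses, and that the certificate and key are installed where relayd.conf(5) for the installed release says to look. The syntax follows the current relayd.conf(5); relayd of the 2008 vintage wrote "ssl" where "tls" appears here and may lack the "match ... forward to" form, so check the man page for the version in use.

```conf
# relayd.conf: terminate TLS once on the external address, then route
# each request to the internal vhost address by Host header.
# Added example, not from the original post. Addresses come from the
# post; port-80 backends and per-release keyword syntax are assumptions.

ext_addr="10.20.30.2"

# Backend addresses: one Apache, several listen addresses (assumed port 80)
table <mail> { 10.20.30.2 }
table <work> { 10.30.50.1 }
table <cvs>  { 10.30.50.2 }

http protocol "httpsterm" {
    # Let Apache log the real client address and see that it was HTTPS
    match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header set "X-Forwarded-Proto" value "https"

    # Select the backend from the Host header. Without these rules every
    # name would land on the default table, which is the symptom in the post.
    match request header "Host" value "cvs.work.openvistas.net" forward to <cvs>
    match request header "Host" value "work.openvistas.net" forward to <work>
    match request header "Host" value "mail.openvistas.net" forward to <mail>
}

relay "httpsterm" {
    # One listener, one certificate: every external HTTPS client is
    # offered the same cert regardless of the name it asked for.
    listen on $ext_addr port 443 tls
    protocol "httpsterm"

    # The first table is the default when no match rule selects one
    forward to <mail> port 80 check tcp
    forward to <work> port 80 check tcp
    forward to <cvs>  port 80 check tcp
}
```

Two things to keep in mind with this layout. Apache's mail.openvistas.net:443 vhost can no longer bind 10.20.30.2:443 once relayd owns that socket, so it has to move to another address or port and is then reached only through relayd. And because every outside client is offered the single certificate on the listener, a browser visiting a name that certificate does not list will still warn; to confirm which certificate is actually being presented from outside, connect with openssl s_client to the external address on port 443 and compare the subject it prints with the name you typed.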