On Sat, Nov 08, 2008 at 08:56:02AM -0700, Jeff Ross wrote:
> Hi all,
> I [have] one static IP.
> Here's an ascii diagram:
>
>   |  External IP Address
>   |
>   ________________
>  |                |
>  |  Qwest Modem   |
>  |                |
>   _________________
>   |
>   | 10.20.30.1--Qwest Internal IP
>   |
>   | 10.20.30.2--OpenBSD External IP (em0)
>   _________________
>  |                 |
>  |                 |
>  |     OpenBSD     |
>  fxp0 172.16.0.1 |  | fxp1 10.30.50.1 - 10.30.50.19
>   | _________________   (as aliases)
>   |
>  Internal LAN
>
> All of my normal non-ssl virtual hosts are on 10.20.30.2.
> mail.openvistas.net is my webmail address, it automatically redirects
> everything to mail.openvistas.net:443. This has a cert that I bought
> from GoDaddy, and it is working fine.
>
> My ssl hosts work.openvistas.net and cvs.work.openvistas.net resolve to
> the same IP address as everything else from the internet, but to
> different internal IP addresses beginning at 10.30.50.1 with a split
> horizon DNS setup. These two use two different self-signed certs, each
> with the correct server name in the cert.
>
> So, if my understanding about how all this works was correct, I'd think
> that everything should Just Work. I have one ssl host on the same IP
> with all of the non-ssl hosts, and then the other two are each on their
> own internal IP address.
> And then maybe I'm completely misunderstanding how to run multiple
> internal ssl servers on one external IP address and that it can't be
> done without more external IPs from Qwest.
>
> Any cluesticks greatly appreciated!

This isn't going to work, or at least not as you try to make it work.

If an SSL client connects to a host, it receives a certificate from the
host containing a hostname. The client may send the hostname (e.g. in an
HTTP request) after the SSL handshake has taken place, but by then it's
far too late to present another certificate. All this is per-IP, so
there is no way you are going to make this work with only one IP
address.

There are some tricks, though:

- get a *.openvistas.net certificate. Every host you want clients to
  connect to is covered by that certificate; I'm not sure if Apache can
  be configured to use name-based virtual hosts behind an SSL virtual
  host, but I do believe so - and you could always use e.g. relayd to
  decrypt the stream first.
- use different ports. You could even set up a plain HTTP server that
  redirects http://work.openvistas.net to
  https://work.openvistas.net:8880 or some such.
- get more IP addresses.
- *If* you are the only one using the *work.openvistas.net stuff, you may
  consider setting up a VPN instead (OpenBSD's IPsec implementation is
  nice and pretty user-friendly; if you also want to use other OSes,
  OpenVPN may be easier to set up than IPsec.)

Anyway, good luck!

Joachim
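The reasoning in the reply, worked through as a small model (an added example; this is not code from the thread or from either poster). The server side is given only the local IP and port the client connected to, which is all a server that picks its certificate before the handshake completes can know; the client side applies the usual RFC 6125 hostname-matching rules, including the wildcard rules. Host names follow the post; the public address 203.0.113.10, the extra addresses 203.0.113.11/.12 and the ports 8880/8881 are placeholders assumed for illustration. The wildcard scenario also shows the caveat a practitioner should check before buying the certificate: `*.openvistas.net` matches exactly one label, so it covers work.openvistas.net but not cvs.work.openvistas.net.

```python
"""Why a server that picks its certificate per (IP, port) cannot serve
several TLS host names on one address, and what each workaround changes.

Added example, not code from the mailing-list thread. Host names are the
poster's; EXTERNAL_IP, SECOND_IP, THIRD_IP and ports 8880/8881 are assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """The DNS names a certificate covers (its CN plus subjectAltNames)."""
    names: tuple


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against the host the client asked for,
    following the RFC 6125 wildcard rules TLS clients apply:
    - case-insensitive, trailing dots ignored;
    - '*' may only be the entire left-most label;
    - it matches exactly one label: '*.example.net' covers
      'www.example.net' but neither 'a.www.example.net' nor 'example.net';
    - at least two fixed labels must follow it ('*.net' is refused).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def client_accepts(cert: Cert, hostname: str) -> bool:
    """A verifying client accepts the cert if any covered name matches."""
    return any(dns_name_matches(n, hostname) for n in cert.names)


def serve(listeners: dict, public_dns: dict, requests) -> dict:
    """Simulate clients on the Internet: each resolves its host name with
    public DNS, connects to (ip, port), and the server answers with the one
    certificate bound to that socket. The name the client wanted only
    arrives in the HTTP Host header, after the handshake, so the server
    cannot use it to choose."""
    outcome = {}
    for hostname, port in requests:
        ip = public_dns[hostname]
        cert = listeners[(ip, port)]          # the server's only input
        outcome[hostname] = client_accepts(cert, hostname)
    return outcome


MAIL, WORK, CVS = "mail.openvistas.net", "work.openvistas.net", "cvs.work.openvistas.net"
EXTERNAL_IP = "203.0.113.10"   # assumed placeholder for the one Qwest address
SECOND_IP = "203.0.113.11"     # assumed placeholders for extra addresses
THIRD_IP = "203.0.113.12"
PUBLIC_DNS = {MAIL: EXTERNAL_IP, WORK: EXTERNAL_IP, CVS: EXTERNAL_IP}
MAIL_CERT, WORK_CERT, CVS_CERT = Cert((MAIL,)), Cert((WORK,)), Cert((CVS,))
ALL_ON_443 = [(MAIL, 443), (WORK, 443), (CVS, 443)]


def as_posted():
    """One address, all three names on :443; only one cert can be served."""
    return serve({(EXTERNAL_IP, 443): MAIL_CERT}, PUBLIC_DNS, ALL_ON_443)


def with_wildcard():
    """Trick 1: *.openvistas.net; one label only, so cvs.work still fails."""
    listeners = {(EXTERNAL_IP, 443): Cert(("*.openvistas.net",))}
    return serve(listeners, PUBLIC_DNS, ALL_ON_443)


def with_ports():
    """Trick 2: a distinct port per name gives the server a distinct socket."""
    listeners = {(EXTERNAL_IP, 443): MAIL_CERT,
                 (EXTERNAL_IP, 8880): WORK_CERT,
                 (EXTERNAL_IP, 8881): CVS_CERT}
    return serve(listeners, PUBLIC_DNS, [(MAIL, 443), (WORK, 8880), (CVS, 8881)])


def with_more_ips():
    """Trick 3: more addresses, so DNS sends each name to its own socket."""
    dns = {MAIL: EXTERNAL_IP, WORK: SECOND_IP, CVS: THIRD_IP}
    listeners = {(EXTERNAL_IP, 443): MAIL_CERT,
                 (SECOND_IP, 443): WORK_CERT,
                 (THIRD_IP, 443): CVS_CERT}
    return serve(listeners, dns, ALL_ON_443)


if __name__ == "__main__":
    for scenario in (as_posted, with_wildcard, with_ports, with_more_ips):
        print(f"{scenario.__name__:15} {scenario()}")
```

Run it and the first scenario reproduces the poster's failure (only mail.openvistas.net is accepted), the wildcard fixes work.openvistas.net but leaves cvs.work.openvistas.net with a name mismatch, and the per-port and per-address variants give every name its own socket, which is the only thing this server model can key on.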