
SSL proxy - one public ip
Fred Fiat <fred.fiat(at)inbox.com>
2006-06-22 16:52:31
Hello,

I need to workaround a problem of having very few public
ip addresses, but lots of websites that require SSL.

I'm hoping that pound can help.

Can pound pass back the correct SSL certificate based on
the host name the client requests?

If not, are there any other workarounds?

Thanks a lot.
[...]

Re: [Pound Mailing List] SSL proxy - one public ip
Ondra Kudlik <kepi(at)orthank.net>
2006-06-22 17:16:37
Hi,

I think that nothing can help you with this problem. SSL is by its
nature based on IP addresses; the target host is not transferred until
the secure connection is established.

So, I think that there are no available workarounds.

Kepi

Thu, Jun 22, 2006 at 06:52:31 -0800, Fred Fiat wrote:[...]

Re: [Pound Mailing List] SSL proxy - one public ip
"Richard Hamilton" <ricky.hamilton(at)btopenworld.com>
2006-06-22 22:20:33
I don't believe that you can do that, however coincidentally your 
requirement is very similar to my own which is the subject of the adjacent 
post.

The way that I achieve this on my own setup is by running a web application 
server instance (Aolserver) for each website. Each webserver application 
instance is configured with an http listener on one port and an https 
listener on another port. Each service has its own certificate.

I reverse proxy the http connections behind a reverse proxy like this:

Reverse Proxy listens on address 1.2.3.4 and on the default http port 80.

It redirects to the backends' http listeners as follows (assume that all 
domain names resolve to 1.2.3.4):

http://www.server1.com:8000
http://www.server2.com:8001
http://www.server3.com:8002
http://www.server4.com:8003


The https listeners are set up as follows:

https://www.server1.com:8443
https://www.server2.com:8444
https://www.server3.com:8445
https://www.server4.com:8446


Now whenever the server issues a 30x redirect (or the user clicks an 
absolute link) to an https location the session switches to the secure port 
and the remainder of that session is conducted direct with the secure port. 
The reverse proxy has nothing more to do with the session.

This is ideal for database backed sites and content management systems where 
the login and admin functions are then handled by the https listener on a 
secure port whilst all public, non secure traffic is passed through the 
reverse proxy on port 80.

This is also ideal for any system that takes payments since users are quite 
happy to see a redirect to a dedicated secure port with a matching 
certificate for supporting security sensitive activities.

My other post asks whether it might be possible to incorporate a 
modification to Pound to facilitate this scheme. At present I believe that 
it is not possible with Pound.

Regards
Richard
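The port-80 half of the scheme Richard describes, written as a Pound configuration fragment added here for illustration (it is not from the thread or from the Pound project). It assumes the four backend http listeners are reachable on 127.0.0.1 and uses Pound's HeadRequire directive to choose a service from the request's Host header.

```cfg
# Constructed example: Pound as the plain-http reverse proxy in front of
# per-site application servers. All four domain names resolve to 1.2.3.4.
User      "www-data"
Group     "www-data"
LogLevel  1
Alive     30

ListenHTTP
    Address 1.2.3.4
    Port    80

    # Pick the backend from the Host header of the incoming request.
    Service
        HeadRequire "Host: .*www.server1.com.*"
        BackEnd
            Address 127.0.0.1   # assumption: backend runs on the same host
            Port    8000
        End
    End

    Service
        HeadRequire "Host: .*www.server2.com.*"
        BackEnd
            Address 127.0.0.1
            Port    8001
        End
    End

    # Repeat the block above for www.server3.com (port 8002)
    # and www.server4.com (port 8003).
End

# No ListenHTTPS block: as the post explains, once a site redirects the
# client to its own https port (8443, 8444, ...) the rest of the session
# goes directly to that backend, which presents its own certificate.
```

The proxy only ever sees the non-secure traffic, so it needs no certificate at all; each backend's https listener carries the certificate for its own hostname.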
