Pound usage for multi-domain solution.
"Andy Ray" <l.andy.ray(at)gmail.com>
2008-10-09 22:07:18
Hello -

I have been searching for a solution to a problem with multiple
domains and services behind a single IP.  From my research I think
that a reverse proxy may be the solution, but judging from the landing
page I cannot tell if what I am attempting to do is impossible or just
very difficult. (grin)

I have the following setup:

Internet
|
IPCop on
Corporate Broadband connection
(Single IP)
|
Internal Network

The problem is that we have several internal servers running
products/services that may compete for port usage.

Example:
-Web Services are primarily on IIS (port 80), these are easily handled
with host headers, but if we need to also access a virtual server that
may be a linux box, we can't bridge to it from IIS without a proxy (if I
understand correctly).
-SSL VPN connectivity solution on a VMWare appliance using HTTPS port.
-Exchange with OWA is published on the IIS Web server - they would like
to use HTTPS for OWA.


What they would like to do is direct mail.company.com:443 to the OWA
resources and vpn.company.com:443 to the SSL VPN appliance (two
separate internal IP addresses).

I understand that the preferred/accepted way for doing this is to
obtain multiple IPs from the ISP and map those internally.
Unfortunately that is not an option with the provider available in the
area at this time.

From the landing page for Pound, it looks like there is a problem with
multiple domain redirection to single internal host IP with virtual
servers on that same IP, unless a wildcard cert is used, which seems
to indicate that it may be possible if all 443 traffic is redirected
to a single host/ip.

From my small understanding of what I've read, Pound (or any other
reverse proxy) is unable to decipher the host header because it comes
after the SSL tunnel is negotiated.  It would seem that the only
solution left would be to use a product like Microsoft's ISA server
that does seem to be able to reverse proxy SSL connections.  If this
is the case, I'm just a bit surprised that there isn't an option in
the *nix world to achieve this goal.

I welcome any assistance or guidance.  I'm relatively new to the *nix
world, but I see great strength in the community and products.
Thanks!

Andy

Re: [Pound Mailing List] Pound usage for multi-domain solution.
Dave Steinberg <dave(at)redterror.net>
2008-10-09 22:41:23
> What they would like to do is direct mail.company.com:443 to the OWA[...]

It's preferred because most people do not want their
clients/customers/service users to see SSL validation errors when they
try to access the service in question.
[...]

I've not tried it, but yes, a wildcard cert should work.  They are 
unfortunately much more expensive than regular certs.
[...]

This is not a software or OS limitation but rather a protocol 
limitation, for the reasons you describe.  It is software agnostic, 
which is why the wildcard cert is the only option that will avoid 
warnings in your client software.

Regards,[...]

RE: [Pound Mailing List] Pound usage for multi-domain solution.
"Alfonso Espitia" <aespitia(at)castleworldwide.com>
2008-10-09 22:45:14
If you're looking for a cheap alternative, you can just set up different
ports on IPCop to redirect to 443 on the backend (no need for a load
balancer).

For example, you can go to
https://mail.company.com:444/exchange

and redirect port 444 on IPCop to 443 on the internal IP.


Re: [Pound Mailing List] Pound usage for multi-domain solution.
"Andy Ray" <l.andy.ray(at)gmail.com>
2008-10-09 23:01:01
Thank you for your quick reply David!

So, talking theory here, and trying to better understand the options available:

Can the SSL cert be loaded on the router/firewall/gateway device
hosting Pound?  I am assuming that would give Pound access to the host
header in a later request, then the traffic is redirected to the
appropriate internal host?  Or am I way off base here?

How is this typically handled in a web server farm?  Though I am not
scaling this to anything near that size, I picture this as no
different than accessing https://secure.amazon.com (or other such
address) where the traffic is load balanced/proxied to multiple back
end servers?  Except, for the proxy/load balance on my scale it only
has 1 host behind it.  When I resolve secure.amazon.com I only get 1
IP address - but I'm pretty sure that it doesn't go to 1 host publicly
exposed on the back end at Amazon HQ.

Thanks for helping me sort it out....

Andy

On 10/9/08, Dave Steinberg <dave(at)redterror.net> wrote: [...]

RE: [Pound Mailing List] Pound usage for multi-domain solution.
"Alfonso Espitia" <aespitia(at)castleworldwide.com>
2008-10-09 23:08:27
Yes, wildcard certs do work on Pound, I've used them before, but not any
more because of the expense.

You should be aware that there is still an instance in which you can get
a cert error.

Wildcard certs only work on *.company.com (like vpn.company.com,
www.company.com, mail.company.com); however, they DON'T work on
"company.com".

Re: [Pound Mailing List] Pound usage for multi-domain solution.
"Andy Ray" <l.andy.ray(at)gmail.com>
2008-10-09 23:08:38
Thanks Alfonso,

That is actually the way we have things configured right now and it is
good enough to get by... but my curiosity was piqued when discussing
the issue with a colleague about how this is done in the "real world".

I just sent a reply to David where I outlined the heart of my question
- but basically I can't understand why this is so difficult.  When I
access a web address like https://secure.amazon.com or
https://mail.google.com I come in through
a single IP.  When I look at
the cert for mail.google.com, there is no IP information that
identifies the site.  If certs were tied to a single IP, how do farms
of servers handle a site like https://mail.google.com?

The only difference in the solution I'm trying to achieve is that on
the back end I only have 1 server instead of 1000 like Google :).

Andy


RE: [Pound Mailing List] Pound usage for multi-domain solution.
"Jacob Anderson" <jwa(at)beyond-ordinary.com>
2008-10-09 23:39:07
Hello Andy,

The SSL is bound on an IP address. There's no way around that. We typically
terminate the SSL on pound, but you can use another SSL terminator to handle
the encryption.

There is no way for pound to ever multiplex a host header in the SSL
protocol until after SSL is negotiated (it's a layer that pre-empts the
application layer).

You could do:

(internet) ==> [Pound SSL] ==> [Pound for domain multiplexing] ==> Servers
     ||                                   /\
     ===================================== || (for port 80 traffic)

That doesn't really buy you anything. You can't have all of your domains
bind on the same IP address and attempt to share the same SSL, unless they
are all subdomains (wildcard SSL). Why not? Because the cert validation will
always fail on the cert domain name. You'll still get SSL crypt but you will
always get the "This certificate is not valid" error on the client.

The above configuration would be a nifty way to handle load balancing a
"farm" of subdomains. The wildcard would terminate on the SSL side, then
your multiplexer pound would handle the subdomains via the host header. That
might be what you're looking for?? That means you can handle *.mydomain.com.

Wildcards are not that expensive if you want a cheapie cert. Try
www.rapidssl.com for that.

We use wildcards for our service and it works just great.
[...]

Re: [Pound Mailing List] Pound usage for multi-domain solution.
cmorrow(at)verrus.com
2008-10-09 23:53:23
Alfonso,

Digicert.com sells a wildcard certificate which can do both. It's around $400.

- Chris


Re: [Pound Mailing List] Pound usage for multi-domain solution.
Miles Raymond <miles.raymond(at)itinternet.net>
2008-10-10 00:27:41
Andy,

The key difference between what you are trying to do, and what Amazon and
Google are doing is that you are trying to have multiple SSL certs on 1 IP
address.  Amazon and Google have 1 SSL cert on multiple IP addresses.

If you read the pound documentation ( http://www.apsis.ch/pound/ ), you will
read that:
"The vital point to notice here is that connection authentication takes place
BEFORE any request was issued."
This means that when a connection is made, there is no URL information sent
until the SSL cert has been verified.  Your server cannot pick and choose
between different certs to give to the client because all it sees is
'connection from x.x.x.x'.  Only AFTER the SSL cert has been sent by your
server, does the client request 'ok, give me mail.company.com' to the server.

In our datacenter, we have an external IP for mail.company.com which is
different from the external IP for vpn.company.com.  The firewall redirects the
requests to different ports on our pound server.  Our pound server has a
listener on 443 for mail.company.com and a listener on 444 for vpn.company.com.
Our pound server then balances the request to a multitude of back-end servers
to actually process the unencrypted request.  The key difference between this
solution and Jacob Anderson's is that our solution has combined the SSL
encryption/decryption and balancing in one single instance of pound.

-Miles Raymond
ITI Internet Services

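Jacob's two-stage layout and Miles's per-listener layout, written out as one Pound configuration. This is an added example, not configuration posted in the thread or shipped with Pound; the addresses, ports, certificate paths and the user/group are assumptions, and the back-end HTTPS directive assumes a Pound version that supports it. Pound expects each Cert file to hold the private key and the certificate (plus chain) in PEM form.

```text
# Added example (not from the thread or the Pound distribution).
# Addresses, ports, paths and user/group below are assumptions.
User        "www-data"
Group       "www-data"
LogLevel    1
Alive       30

# Jacob's layout: one listener on 443, one wildcard certificate for
# *.company.com, then one Service per host name selected on the Host
# header that becomes visible only after TLS is terminated here.
ListenHTTPS
    Address 192.168.1.2
    Port    443
    Cert    "/etc/pound/wildcard.company.com.pem"

    # OWA on the IIS box; plain HTTP on the inside
    Service
        HeadRequire "Host: .*mail\.company\.com.*"
        BackEnd
            Address 192.168.1.10
            Port    80
        End
    End

    # SSL VPN appliance; only speaks HTTPS, so re-encrypt to it
    Service
        HeadRequire "Host: .*vpn\.company\.com.*"
        BackEnd
            Address 192.168.1.11
            Port    443
            HTTPS
        End
    End
End

# Miles's layout: a separate listener with its own (non-wildcard)
# certificate per external IP.  With a single public IP the firewall
# has to forward a second external port, e.g. 444 -> 444, to reach it.
ListenHTTPS
    Address 192.168.1.2
    Port    444
    Cert    "/etc/pound/vpn.company.com.pem"
    Service
        BackEnd
            Address 192.168.1.11
            Port    443
            HTTPS
        End
    End
End
```

Because a listener presents exactly one Cert, the second layout needs one listener (and one forwarded port or public IP) per certificate, while the first needs the single wildcard certificate to cover every name routed through it. `pound -c -f /etc/pound/pound.cfg` parses the file and exits, which catches a missing Cert file or a misspelt directive before the service is restarted.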

Re: [Pound Mailing List] Pound usage for multi-domain solution.
Michael Best <mbest(at)pendragon.org>
2008-10-10 00:41:53
Jacob Anderson wrote:[...]

As I pointed out the last time this was brought up, that's not strictly
true.  It might be practically true, and also a limitation of Pound.

SNI allows for multiple SSL on a single IP.  It uses TLS.  It's quite
new; I hadn't heard of it until recently.  Support in IE7 (on Vista
only, maybe), Opera 7.6+, Firefox since 2.x, Konqueror 3.5+.

http://en.wikipedia.org/wiki/Server_Name_Indication

Apache 2.2.8+ with mod_ssl v0.9.9+
http://daniel-lange.com/archives/2-Multiple-Apache-VHosts-on-the-same-IP-and-port.html

-Mike
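The protocol point behind Miles's "authentication takes place BEFORE any request" and Mike's SNI answer, as an added example that is not code from the thread or from Pound. It builds a minimal ClientHello with and without the Server Name Indication extension, parses the name back out the way an SNI-aware terminator would before choosing a certificate, and applies the wildcard rule from Alfonso's caveat (`*.company.com` matches `mail.company.com` but not `company.com`). The byte strings, host names and certificate paths are constructed for the example.

```python
# Added example, not code from the thread or from Pound.  Without SNI a
# ClientHello carries no host name, so a terminator on one IP:port can only
# present one fixed certificate.  All inputs below are constructed.
import struct
from typing import Optional, Sequence, Tuple

TLS_HANDSHAKE = 0x16       # record content type
HS_CLIENT_HELLO = 0x01     # handshake message type
EXT_SERVER_NAME = 0x0000   # SNI extension type (RFC 6066)


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.0 ClientHello record, with or without SNI."""
    body = b"\x03\x01" + b"\x11" * 32          # client_version + fixed "random"
    body += b"\x00"                            # empty session_id
    suites = b"\x00\x2f\x00\x35"               # two RSA/AES cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                        # one compression method: null
    if server_name is not None:                # pre-SNI clients stop here
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def _u16(buf: bytes, pos: int) -> int:
    if pos + 2 > len(buf):
        raise ValueError("truncated ClientHello")
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host name from a ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                               # skip client_version and random
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                       # session_id
    pos += 2 + _u16(body, pos)                 # cipher_suites
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                       # compression_methods
    if pos >= len(body):
        return None                            # no extensions block at all
    end = pos + 2 + _u16(body, pos)
    pos += 2
    while pos + 4 <= end:
        etype, elen = _u16(body, pos), _u16(body, pos + 2)
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != EXT_SERVER_NAME:
            continue
        p, list_end = 2, 2 + _u16(data, 0)
        while p + 3 <= list_end:
            ntype, nlen = data[p], _u16(data, p + 1)
            name = data[p + 3:p + 3 + nlen]
            p += 3 + nlen
            if ntype == 0 and name:            # name_type host_name
                return name.decode("ascii")
    return None


def hostname_matches(pattern: str, hostname: str) -> bool:
    """A wildcard covers exactly one label: '*.company.com' matches
    mail.company.com but neither company.com nor a.b.company.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                       # ".company.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[:-len(suffix)]
    return bool(label) and "." not in label


CertTable = Sequence[Tuple[Sequence[str], str]]

# Constructed table: (names the certificate is valid for, PEM path).
CERTS: CertTable = [
    (["mail.company.com"], "/etc/pound/mail.company.com.pem"),
    (["vpn.company.com"], "/etc/pound/vpn.company.com.pem"),
    (["*.company.com", "company.com"], "/etc/pound/wildcard.company.com.pem"),
]


def choose_certificate(record: bytes, certs: CertTable, default: str) -> str:
    """Pick the certificate an SNI-aware terminator would present."""
    name = extract_sni(record)
    if name is None:
        return default                         # pre-SNI client: one cert per IP
    for names, path in certs:
        if any(hostname_matches(n, name) for n in names):
            return path
    return default
```

The `None` branch in `choose_certificate` is the 2008 situation the thread describes: a client that sends no SNI gets whatever single certificate is bound to the IP, so two names on one address can only avoid a warning if that certificate covers both. The wildcard entry carries `company.com` as a second name, which is how a certificate can cover the apex as well as `*.company.com`.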

Re: [Pound Mailing List] Pound usage for multi-domain solution.
"Andy Ray" <l.andy.ray(at)gmail.com>
2008-10-10 00:52:21
Ah!  I understand now! (and need to smack myself in the head)

Jacob's explanation brought me closer to understanding, and your
answer drove it home.  The SSL server/"listener" can only proffer 1
cert per IP.  As ridiculously easy as the explanation sounds, I'm
beginning to wonder why I was being so obtuse about it :)

Yes, my example was not a fair example, because what I was trying to
do did not match the google example I gave.  For the google example,
everything is mail.google.com that it redirects to on the back end.  1
request in, brokered out to many on the back end.  I was still missing
the fact that there is no way to have 2 requests in brokered to
different servers on the back end because the receiving host cannot
overlap SSL responders/services on 443 with different certs on a
single web server/IP.

Everyone, thanks for helping me straighten this architecture out
mentally.  I hope it didn't take too much of your time!


Re: [Pound Mailing List] Pound usage for multi-domain solution.
Dave Steinberg <dave(at)redterror.net>
2008-10-10 04:49:12
> As I pointed out the last time this was brought up, that's not strictly
[...]

That's pretty interesting, I must have missed it last time this came up. 
  Too bad coverage isn't quite widespread enough yet (for me at least). 
Perhaps some day this will be a real option!

Regards,[...]

Re: [Pound Mailing List] Pound usage for multi-domain solution.
justin.kinney(at)academy.com
2008-10-13 16:21:45
Return Receipt: your document "Re: [Pound Mailing List] Pound usage for
multi-domain solution." was received by justin.kinney(at)academy.com at
10/13/2008 09:21:45 AM.