pf how-to: Single public IP --> many private NAT'd HTTPS servers
Chris H.
chris# at 1command.com
Wed Jan 23 09:59:44 PST 2008
Quoting Doug Poland <doug at polands.org>:
> David DeSimone wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Doug Poland <doug at polands.org> wrote:
>>> I have DNS resolution, the problem ( I think ) is in that pf simply
>>> sees the packet destined for my single public IP (because all my
>>> public host names must resolve to the same public IP address) and port
>>> 443.
>>
>> I am not sure how you expect this to work. The web browser will expect
>> the server to send a certificate with its identity as part of the
>> initial SSL negotiation. The client has not yet sent its request, so
>> the web server has no idea which of the three domains the browser wanted
>> to talk to, so it does not know which certificate should be sent. This
>> is the reason why every SSL site must have its own unique (public) IP
>> address.
>>
>> - -- David DeSimone == Network Admin == fox at verio.net
>>
> I see what you are getting it. I told pf to simply route all https
> requests to a fixed private IP. When I pointed my browser at the
> FQDN, firefox told me I had a certificate problem... i.e., the
> certificate returned was not the one expected.
>
> So, is the bottom line, one *cannot* hide multiple (NAT'd) SSL hosts
> behind a single public IP? So my only solution, given apache and one
> public IP, is a single host listening on 443 and each "domain" would
> have to be served as a <Directory></Directory>. e.g.,
>
> https://secure.example.com/webmail/
> https://secure.example.com/subversion/
>
> instead of
>
> https://webmail.example.com
> https://subversion.example.com
>
This is actually more a DNS solution than anything else.
For example there is nothing to stop you from using the following
in example.com's zone file:
$ORIGIN example.com
@ IN SOA ns.example.com. rootexample.com. (
...
)
IN A pu.bl.ic.IP
IN NS ns.example.com.
IN NS another-ns.some-domain.tld.
webmail IN A pu.bl.ic.IP
subversion IN A pu.bl.ic.IP
another-host IN A pu.bl.ic.IP
where pu.bl.ic.IP = your internet routeable IP.
then simply setup another zone to route your private
IP block. This requires a "multi-view" named configuration.
But will give you all the routing you require to get this
done. Given the above, you'll be able to self-sign all of
your hosts certs - or better still, have them signed "officially".
But if you self-sign, you can have example.com sign all the
hosts certs that are within example.com.
Anyway, point being; you can resolve alot of what you are trying
to accomplish with a little DNS trickery.
Best wishes.
--Chris
>
> --
> Regards,
> Doug
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>
--
panic: kernel trap (ignored)
More information about the freebsd-pf
mailing list