pf how-to: Single public IP --> many private NAT'd HTTPS servers
Doug Poland
doug at polands.org
Mon Jan 21 11:22:26 PST 2008
David DeSimone wrote:
> Doug Poland <doug at polands.org> wrote:
>> I have DNS resolution, the problem ( I think ) is in that pf simply
>> sees the packet destined for my single public IP (because all my
>> public host names must resolve to the same public IP address) and port
>> 443.
>
> I am not sure how you expect this to work. The web browser will expect
> the server to send a certificate with its identity as part of the
> initial SSL negotiation. The client has not yet sent its request, so
> the web server has no idea which of the three domains the browser wanted
> to talk to, so it does not know which certificate should be sent. This
> is the reason why every SSL site must have its own unique (public) IP
> address.
>
> --
> David DeSimone == Network Admin == fox at verio.net
>
I see what you are getting at. I told pf to simply route all https
requests to a fixed private IP. When I pointed my browser at the FQDN,
Firefox told me I had a certificate problem, i.e., the certificate
returned was not the one expected.
So, is the bottom line that one *cannot* hide multiple (NAT'd) SSL hosts
behind a single public IP? Then my only solution, given apache and one
public IP, is a single host listening on 443, and each "domain" would
have to be served as a <Directory></Directory>, e.g.,
https://secure.example.com/webmail/
https://secure.example.com/subversion/
instead of
https://webmail.example.com
https://subversion.example.com
--
Regards,
Doug
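As an added illustration of the single-host layout described above (not from the original thread): one Apache 2.2 SSL virtual host for secure.example.com, with the webmail and Subversion applications mapped to paths under it, so the one certificate presented matches the one name the browser asked for. The certificate, document root, repository and password file paths are assumptions, and pf is assumed to already redirect port 443 on the public IP to this host.

```apache
# Assumed: pf already has
#   rdr pass on $ext_if proto tcp from any to ($ext_if) port 443 -> 192.168.1.10 port 443
# and this Apache instance runs on 192.168.1.10 (constructed private address).
Listen 443

<VirtualHost *:443>
    # The only name clients will ever see on port 443; the certificate
    # CN must match it or browsers report the mismatch Firefox showed.
    ServerName secure.example.com

    SSLEngine on
    # Assumed paths for the single certificate and key
    SSLCertificateFile    /usr/local/etc/apache22/ssl/secure.example.com.crt
    SSLCertificateKeyFile /usr/local/etc/apache22/ssl/secure.example.com.key

    # Assumed document root for https://secure.example.com/
    DocumentRoot /usr/local/www/secure

    # https://secure.example.com/webmail/ -> webmail application
    Alias /webmail /usr/local/www/webmail
    <Directory /usr/local/www/webmail>
        Options -Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # https://secure.example.com/subversion/ -> mod_dav_svn repository
    <Location /subversion>
        DAV svn
        SVNPath /usr/local/svn/repos
        AuthType Basic
        AuthName "Subversion repository"
        AuthUserFile /usr/local/etc/apache22/svn.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

Requests for https://webmail.example.com still reach this host, but the browser compares the certificate against webmail.example.com and warns; only links using secure.example.com validate cleanly.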