pf how-to: Single public IP --> many private NAT'd HTTPS servers

mouss mouss at netoyen.net
Mon Jan 21 16:30:15 PST 2008


Doug Poland wrote:
> I see what you are getting at.  I told pf to simply route all https 
> requests to a fixed private IP.  When I pointed my browser at the 
> FQDN, firefox told me I had a certificate problem... i.e., the 
> certificate returned was not the one expected.
>
> So, is the bottom line, one *cannot* hide multiple (NAT'd) SSL hosts 
> behind a single public IP?  

In fact, it has nothing to do with NAT. When the browser sees 
"secure.example.com", it will resolve the host and contact the 
corresponding IP. At this point, with NAT or without it, you do not know 
what "virtual host" is being queried.

This is a known SSL shortcoming. Maybe future implementations (openssl, 
browsers, ...) will solve it.

> So my only solution, given apache and one public IP, is a single host 
> listening on 443 and each "domain" would have to be served as a 
> <Directory></Directory>.  e.g.,
>
>   https://secure.example.com/webmail/
>   https://secure.example.com/subversion/

This works indeed. It also costs less (for the certificates :).

In some cases, you can use one of the boxes as an SSL proxy, though care 
is required (remote apps don't necessarily know whether the query was 
"secure" or not, so you need to enforce SSL on few paths and adequately 
structure your sites).

>
> instead of
>
>   https://webmail.example.com
>   https://subversion.example.com 

These cannot work with a single IP (as viewed by the browser).

You can also use different ports. But this is not necessarily "user 
friendly".
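As an added illustration (not part of either poster's message), the two arrangements discussed above expressed as pf.conf rules, in the pre-4.7 pf syntax in use on FreeBSD at the time: all port-443 traffic to the public address is redirected to a single internal host, which then serves each "domain" as a path under one certificate; the commented alternative uses a second public port for a second internal host. Interface names and the 192.168.1.x addresses are assumptions.

```pf
# --- constructed example, not from the original thread ---
ext_if  = "em0"            # interface holding the single public IP (assumed name)
int_if  = "em1"            # interface facing the private servers (assumed name)
web_srv = "192.168.1.10"   # internal Apache host serving /webmail/ and /subversion/ (assumed)
svn_srv = "192.168.1.11"   # second internal host, only used by the port variant (assumed)

# The firewall only sees "TCP to my public IP, port 443". The hostname the
# browser typed is not visible at this layer, so every HTTPS connection has
# to go to the same backend; that backend must answer with one certificate.
rdr on $ext_if proto tcp from any to ($ext_if) port 443 -> $web_srv port 443

# Port-based variant: a second public port for a second host, e.g.
# https://secure.example.com:8443/ . Distinguishable by pf, but not user friendly.
rdr on $ext_if proto tcp from any to ($ext_if) port 8443 -> $svn_srv port 443

# In pf before 4.7, rdr happens before filtering, so pass rules match the
# translated (internal) destination, not the public IP.
pass in on $ext_if proto tcp from any to $web_srv port 443 flags S/SA keep state
pass in on $ext_if proto tcp from any to $svn_srv port 443 flags S/SA keep state
pass out on $int_if proto tcp from any to { $web_srv, $svn_srv } port 443 keep state
```

Load with `pfctl -f /etc/pf.conf` and confirm the translation with `pfctl -s nat`. Whichever variant is used, the certificate presented for the 443 redirect is the one on `$web_srv`, so it must carry the name the browser actually typed (secure.example.com here); that is the mismatch Firefox complained about.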
More information about the freebsd-pf mailing list