On Thu, 26 Jul 2001, Owen Boyle wrote:

> [EMAIL PROTECTED] wrote:
> > 
> > Can I assign private IPs to a virtual host and still serve it on the web?
> > Or will I have to buy public ips?
> 
> I assume you are trying to get round the problem of only-one-SSL-host
> per IP address (otherwise there is no point in doing this for ordinary
> HTTP).
> 
> Think it through... suppose you:
> 
> - set up a public IP on the outside interface of your firewall.
> - set up many private IPs on your webserver inside the firewall.
> - connect your webserver to the internal interface of the firewall.
> 
> All your firewall will receive is an HTTPS request on its public IP
> address at port 443. How can it decide which internal address to send it
> to? Remember that it doesn't have a ServerName yet so it can't use that.
> 
> I don't believe this is possible...
> 
> I know this is a real nuisance but it is a consequence of how SSL works
> - all traffic (including the Servername) has to be encrypted so the SSL
> session has to be established before any HTTP traffic can take place. So
> only external TCP/IP attributes (IP and port no) can be used to route
> packets.

Actually, this is a problem with how *HTTPS* works - SSL (and TLS) are just
channel-level encryption and/or authentication protocols, what you tunnel
through them (and what semantic juggling you do with the peer-certificates, such
as URL <--> CN comparisons) is up to you. HTTPS is just one common application
of SSL/TLS, and in fact was specified retrospectively to try and qualify exactly
what existing (unspecified) browser implementations were doing.

There have been alternatives suggested by various people (including the person
who backfitted the first HTTPS spec to what he saw running), but the chance of
the browser-war participants getting involved is slim. Needless to say, I doubt
very much that the major ISPs and telcos they do business with are that
interested in such ideas either. They would stand to lose traction in the
ballooning online commerce space (SSL/TLS with virtual hosting means less
high-price IP address space sales/leases). This is probably the same reason we
won't see IPv6 properly "on the net" until it is absolutely necessary - the
cramping IPv4 address space is a valuable problem for some interests to
maintain.

Cheers,
Geoff


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
