Jim Lee wrote:

> Response to Response:
> Yes, the Firewall is configured to allow port 443.
> 
> In fact we are able to reach our web server from outside (internet) by typing
> in the following url.
> 
> http://www.website.com:443
> 
> But the moment we try the following url, it fails
> 
> https://www.website.com
> 
> The same above steps work successfully from within our network (intranet)
> without any problems. Both http and https work fine.
> 
> Any clues would be highly appreciated.
> 
> Original Posting:
> On Sat, 2002-01-26 at 07:26, Jim Lee wrote:
> We have an apache server with mod_ssl.
> The SSL works fine within our network (intranet).
> But for internet users, who access the apache server over NAT, the SSL does
> not work.
> 
> Response to Posting:
> are you sure your nat setup is allowing traffic on port 443 (or whatever
> port your ssl is running on)? try telnetting to port 443 on the external
> interface from someplace outside the firewall; if you can't you need to
> reconfigure your firewall.

I had the same problem, and it resolved when I added an appropriate
iptables rule with the flags:

        -p tcp  --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

I was told to add this rule by others who had the same problem too with
SSL connections.

I can't promise you that the problem is the same, nor that such a rule
will end your troubles (and I don't even know if your firewall is based
on iptables); I am just speaking from my experience.

By the way: If this is the cause of the problem, then most of the
problems will be with SSL, but not only: a lack of such a rule, when
there are conflicting MTUs, may have other effects.

-- 
Eli Marmor
[EMAIL PROTECTED]
CTO, Founder
Netmask (El-Mar) Internet Technologies Ltd.
__________________________________________________________
Tel.:   +972-9-766-1020          8 Yad-Harutzim St.
Fax.:   +972-9-766-1314          P.O.B. 7004
Mobile: +972-50-23-7338          Kfar-Saba 44641, Israel
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
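
The following toy model is an added illustration, not part of the original message or of mod_ssl. It shows the failure mode that the TCPMSS rule in the reply addresses: with conflicting MTUs and filtered ICMP, small replies get through while a large TLS handshake flight stalls, and clamping the MSS removes the stall. The MTU values, payload sizes and function names are constructed assumptions.

```python
# Added illustration: toy model of a path-MTU black hole and TCP MSS clamping (constructed values).
IPV4_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options


def clamp_mss(advertised_mss, path_mtu):
    """MSS written into a forwarded SYN: path MTU minus 40 for IPv4 (assumed: only lowered)."""
    return min(advertised_mss, path_mtu - IPV4_TCP_HEADERS)


def send_flight(payload_len, mss, link_mtus, icmp_delivered=False):
    """Send payload_len bytes as DF-marked segments over the given links.

    Returns (bytes_delivered, stalled). A segment larger than a link MTU is
    dropped; if the ICMP "fragmentation needed" reply is filtered, the sender
    keeps retransmitting the same size and the connection stalls.
    """
    delivered = 0
    path_mtu = min(link_mtus)
    while delivered < payload_len:
        segment = min(mss, payload_len - delivered)
        if segment + IPV4_TCP_HEADERS > path_mtu:
            if not icmp_delivered:
                return delivered, True         # black hole: sender never learns
            mss = path_mtu - IPV4_TCP_HEADERS  # classic path MTU discovery
            continue
        delivered += segment
    return delivered, False


def compare(link_mtus, advertised_mss=1460):
    """Run a small reply and a large TLS flight, unclamped and clamped."""
    flights = {"small_http_reply": 400, "tls_certificate_flight": 3200}
    clamped = clamp_mss(advertised_mss, min(link_mtus))
    return {
        name: {
            "unclamped": send_flight(size, advertised_mss, link_mtus),
            "clamped": send_flight(size, clamped, link_mtus),
        }
        for name, size in flights.items()
    }


if __name__ == "__main__":
    # Constructed path: 1500-byte LAN, 1492-byte uplink behind the NAT box.
    for name, result in compare([1500, 1492]).items():
        print(name, result)
```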
