Re: jailed virtual https, anyone?

From: Adrian Filipi-Martin (adrian+freebsd-security@ubergeeks.com)
Date: 11/22/02


Date: Fri, 22 Nov 2002 11:38:51 -0500 (EST)
From: Adrian Filipi-Martin <adrian+freebsd-security@ubergeeks.com>
To: Alex Povolotsky <tarkhil@webmail.sub.ru>

On Fri, 22 Nov 2002, Alex Povolotsky wrote:

> On Fri, 22 Nov 2002 07:07:41 -0500
> "Allan Jude" <937863@primus.ca> wrote:
>
> AJ> What seems to be the problem with the virtual hosts?
> AJ> You're quite right, but I have EVERYTHING works ok for now, EXCEPT
> AJ> virtual hosts with https. Google shows nothing relevant on "jail https
> AJ> virtual".
>
> Oh, quite simple.
>
> https cannot be configured with name-based virtual hosts, by design.
> jail cannot be configured for more than one IP address, by design.
> (don't ask me to wait until jail-ng will be ready)
> Jail sits on internal IP, on lo0. fxp0 holds real IP addresses to be accessed from outside.
> I'm forwarding incoming connection to jail, currently with ipnat. I need to pass information about real (outside) IP to mod_ssl. That is my problem.
>
> plain http works perfectly (name-based virthosts).

        You still have to do IP-based hosting for https. It doesn't matter
that they have their IPs in the jails.

        The problem is that the SSL channel has already been negotiated and
established before apache gets to consider the "Host:" header which is
mostly what the virtual hosting is based upon. This means that it's too
late to select a different virtual host without generating an SSL hostname
mismatch warning.

        Adrian

--
[ adrian@ubergeeks.com ]
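
Added example, not part of the original message: a small TLS record-layer parser run over a constructed handshake, showing that the server's Certificate message is on the wire before the first application-data record, which is the record that carries the HTTP request and its "Host:" header. The capture, the helper names and the placeholder message bodies are all assumptions made for illustration; only the record and handshake framing is real.

```python
import struct

RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   14: "server_hello_done", 16: "client_key_exchange"}

def record(ctype, payload, version=0x0301):
    """Build one TLS record: type(1) | version(2) | length(2) | payload."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload

def hs(msg_type, body):
    """Build one handshake message: type(1) | length(3) | body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def timeline(flights):
    """Return ordered (sender, event) pairs for [(sender, raw_bytes), ...]."""
    events, encrypted = [], set()   # senders that already sent ChangeCipherSpec
    for sender, data in flights:
        pos = 0
        while pos < len(data):
            if len(data) - pos < 5:
                raise ValueError("truncated record header")
            ctype, _ver, length = struct.unpack_from("!BHH", data, pos)
            payload = data[pos + 5 : pos + 5 + length]
            if len(payload) != length:
                raise ValueError("truncated record payload")
            pos += 5 + length
            if ctype == 22 and sender not in encrypted:
                off = 0             # plaintext handshake record: walk its messages
                while off + 4 <= len(payload):
                    mlen = int.from_bytes(payload[off + 1 : off + 4], "big")
                    events.append((sender, HANDSHAKE_TYPES.get(payload[off], "handshake")))
                    off += 4 + mlen
            else:
                suffix = " (encrypted)" if sender in encrypted else ""
                events.append((sender, RECORD_TYPES.get(ctype, f"unknown({ctype})") + suffix))
            if ctype == 20:
                encrypted.add(sender)
    return events

# Constructed capture: bodies are placeholder bytes, only the framing is meaningful.
CAPTURE = [
    ("client", record(22, hs(1, b"\x00" * 40))),
    ("server", record(22, hs(2, b"\x00" * 38) + hs(11, b"\x00" * 64) + hs(14, b""))),
    ("client", record(22, hs(16, b"\x00" * 48)) + record(20, b"\x01") + record(22, b"\xaa" * 40)),
    ("server", record(20, b"\x01") + record(22, b"\xbb" * 40)),
    ("client", record(23, b"\xcc" * 96)),  # the HTTP request with "Host:" is in here
]

def cert_before_host(events):
    # True when the certificate was sent before any request bytes arrived.
    return events.index(("server", "certificate")) < events.index(("client", "application_data (encrypted)"))
```
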