So, you can do it but you need multiple IP addresses. Is that correct
or am I missing something?

TIA,

John A. Jones
Americas Security Officer
Jones Lang LaSalle, Inc.
V: +1-630-455-2787 F: +1-312-601-1782
John.Jones@xxxxxxxxxxxxxxxxxxxxxxx

-----Original Message-----
From: Brad Stone [mailto:brad@xxxxxxxxxxxx] 
Sent: Sunday, August 08, 2004 4:32 PM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] Apache for SSL Proxy?

After some research on this, I found that it isn't possible.

Because SSL wraps the entire HTTP request (including the host headers)
you currently need to have one IP for each SSL site you are running.  If
it's behind a firewall, that means one external, and one internal per
SSL site that is using a separate certificate.

Even a firewall that can route by host name won't work with
2 domains using different certs.  Subdomain sites and the use of a
wildcard certificate shouldn't be an issue.  But that isn't the case for
my query.

Because SSL wraps the HTTP request, the web server must decrypt the
request before applying any host matching, such as with Virtual Hosts.
So, as Apache puts it, it's a "chicken and egg" problem.  Which comes
first?  So, Apache always will use the first certificate specified in
the config to do any decrypting.

There is an RFC in the works to solve this issue, but I wouldn't expect
it to be implemented anytime soon judging from the talk about it.

Anyhow, it does make sense.  I wasn't completely aware that SSL wrapped
everything... I assumed the headers were available... guess not.  :)

Hope this helps for anyone else that ever ventures down this road.





This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].