[TriLUG] ssl through reverse proxy

Cristóbal Palmer cristobalpalmer at gmail.com
Sat Aug 25 12:58:14 EDT 2012


As I understand things, your options are:

1) Share IPs and offload at the load balancer, or
2) Have one Public IP per https vhost if all hosts stay on 443 (hmmm… wouldn't IPv6 be really handy here?), or
3) If you can start on http and redirect to https, have a different port per https vhost. This is madness and redirect hell unless you have a very well-defined problem space.

There's no getting around the fact that the negotiation of the session happens before you know what vhost you're looking for, but you can only negotiate the session if you know which vhost you're looking for, so if you put multiple https vhosts on the same IP/port combo, you've got a chicken/egg problem: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts

Cheers!  

--  
Cristóbal Palmer
cmpalmer.org


On Saturday, August 25, 2012 at 12:32 PM, Paul G. Szabady wrote:

> Ok, partially answering myself, but still not quite where I want to be.
>  
> After a bit more head banging, I decided to split things up to make sure  
> I wasn't getting the wrong certificate, etc. I set up a second IP on my  
> reverse proxy server, changed the vhost IP, firewall, etc and have been  
> able to get the SSL to work for domain1, but... this solution requires  
> a 1:1 mapping from my firewall (port 443) to this 2nd IP (port 443). So  
> while it works for domain1, I still can't figure out how to make httpS  
> work for domain2.
>  
> Thoughts?
>  
> --
> Paul
> @ Thy Service
>  
> On 8/25/2012 11:09 AM, Paul G. Szabady wrote:
> > Greetings,
> >  
> > I am trying to enable ssl through the following scenario, running  
> > apache 2.2 on separate servers. Basically, I want the reverse proxy  
> > (RP) server to do just that, proxying. I have done this hundreds of  
> > times behind load balancers (e.g. Big IP F5), but here at $HOME, I  
> > don't have that luxury.
> >  
> > client (httpS) > firewall > Apache RP > (domain1 | domain2)
> <...snip...>
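The chicken/egg problem described above can be made concrete by looking at what a server actually has in hand when it must choose a certificate: only the TLS ClientHello, with no HTTP Host header yet. The following is an added example, not code from the thread or from Apache; it builds a minimal ClientHello, extracts the server_name (SNI, RFC 6066) extension if the client sent one, and falls back to the default vhost's certificate otherwise, which is exactly the "wrong certificate" a second https vhost on a shared IP/port produces for non-SNI clients. The vhost names and certificate labels are constructed placeholders.

```python
import struct

# Constructed vhost table (placeholder names, not from the thread): SNI name -> certificate.
VHOST_CERTS = {"domain1.example": "cert-domain1", "domain2.example": "cert-domain2"}
DEFAULT_CERT = "cert-domain1"   # the first/default vhost's cert, sent to clients that name no host


def build_client_hello(hostname=None):
    """Minimal TLS 1.2 ClientHello record; includes a server_name extension if hostname is given."""
    body = b"\x03\x03" + bytes(32) + b"\x00"             # version, (fixed) random, empty session id
    suites = b"\xc0\x2f\xc0\x30"                        # two ECDHE-RSA AES-GCM cipher suites
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"   # ... plus null compression
    exts = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
        lst = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(lst)) + lst           # extension type 0 = server_name
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_hostname(record):
    """Return the host_name from a ClientHello's server_name extension, or None if absent."""
    if record[:1] != b"\x16" or record[5:6] != b"\x01":
        raise ValueError("not a TLS ClientHello record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    p = 4 + 2 + 32                                      # handshake header, version, random
    p += 1 + hs[p]                                      # session id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]        # cipher suites
    p += 1 + hs[p]                                      # compression methods
    if p >= len(hs):
        return None                                     # old client: no extensions block at all
    p, end = p + 2, p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0x0000:
            q = 2                                       # skip the server_name_list length
            while q + 3 <= elen:
                ntype, nlen = hs[p + q], struct.unpack("!H", hs[p + q + 1:p + q + 3])[0]
                q += 3
                if ntype == 0:
                    return hs[p + q:p + q + nlen].decode("ascii")
                q += nlen
        p += elen
    return None


def pick_certificate(record):   # cert choice happens before any HTTP Host header exists
    return VHOST_CERTS.get(sni_hostname(record), DEFAULT_CERT)
```

A proxy in front of several https vhosts on one IP/port can only do better than the default certificate for clients that send server_name; everything else still needs a separate IP or port, as listed above.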