[TriLUG] serving multiple HTTPS sites on same server with redirection

David Brain dbrain at gmail.com
Wed May 8 22:06:53 EDT 2013


Digressing slightly, Server Name Indication (SNI), supported by most
modern browsers/OSes, allows multiple SSL sites with differing host
names to be served from the same IP.

http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

I'd not run across this until recently when looking at packet captures
of SSL transactions.

David.

On Wed, May 8, 2013 at 5:06 PM, Blackburn, Marvin
<mblackburn at glenraven.com> wrote:
> typo : .  We can run these to 443/8443 or we can run them on 80/8443
> should be
> 443/8443 and 80/8080
>
> -----Original Message-----
> From: trilug-bounces at trilug.org [mailto:trilug-bounces at trilug.org] On Behalf Of Blackburn, Marvin
> Sent: Wednesday, May 08, 2013 4:53 PM
> To: Trilug Mailing List (trilug at trilug.org)
> Subject: [TriLUG] serving multiple HTTPS sites on same server with redirection
>
> redhat 5.7
>
> We have a system with one nic with two ip addresses: eth0 is x.x.x.5 and eth0:0 is x.x.x.6
> we also run apache and have multiple sites -- some http(s) going to each ip.  We can run these to 443/8443 or we can run them on 80/8443 whichever we configure apache to listen on without a problem
>
> However, if we try to redirect 80 to 8080 and 443 to 8443 everything seems to go to eth0.
>
> We've used this redirection on systems with only one ip and have never had a problem.
>
> A sample iptables config is:
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> #### NAT for redirection
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
> -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
> COMMIT
>
>
> Any help would be appreciated.
>
> _____________________________________
> "He's no failure. He's not dead yet."
> William Lloyd George
>
>
>
> --
> This message was sent to: Marvin Blackburn <mblackburn at glenraven.com>
> To unsubscribe, send a blank message to trilug-leave at trilug.org from that address.
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> Unsubscribe or edit options on the web  : http://www.trilug.org/mailman/options/trilug/mblackburn%40glenraven.com
> TriLUG FAQ          : http://www.trilug.org/wiki/Frequently_Asked_Questions
>
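The behaviour Marvin reports follows from how the REDIRECT target works: the iptables manual states that REDIRECT rewrites the destination to the primary address of the incoming interface (127.0.0.1 for locally generated packets), so a connection to the eth0:0 alias x.x.x.6 is handed to x.x.x.5, and Apache then selects the vhost bound to that address. Binding the rewrite to each destination address with DNAT keeps the address the client actually connected to. The script below is an added example, not code from either poster; the 192.0.2.x addresses stand in for the poster's x.x.x.5 and x.x.x.6, and the function names are the editor's own.

```shell
#!/bin/sh
# Added example (not from the thread): replace REDIRECT with per-address DNAT
# so that traffic to a secondary address (an eth0:0 alias) keeps that address
# after the port rewrite. Addresses 192.0.2.5/192.0.2.6 are placeholders for
# the x.x.x.5/x.x.x.6 in the original post.

# original_nat_rules: the nat table from the post, for comparison. REDIRECT
# maps every matching packet to the primary address of the incoming interface,
# which is why the alias address stops being reachable as itself.
original_nat_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
COMMIT
EOF
}

# gen_nat_rules "ip1 ip2 ...": emit an iptables-restore fragment for the nat
# table that maps 80->8080 and 443->8443 on each listed address with DNAT,
# rewriting only the port and keeping the destination address unchanged.
gen_nat_rules() {
    _addrs=$1
    printf '%s\n' '*nat'
    printf '%s\n' ':PREROUTING ACCEPT [0:0]'
    printf '%s\n' ':POSTROUTING ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    for _a in $_addrs; do
        printf '%s\n' "-A PREROUTING -d $_a -p tcp --dport 80 -j DNAT --to-destination $_a:8080"
        printf '%s\n' "-A PREROUTING -d $_a -p tcp --dport 443 -j DNAT --to-destination $_a:8443"
    done
    printf '%s\n' 'COMMIT'
}

# count_redirect_rules [FILE]: number of REDIRECT rules in a ruleset read from
# FILE or stdin (grep -c exits 1 on a zero count, hence the || true).
count_redirect_rules() {
    grep -c -e '-j REDIRECT' "$@" || true
}

# dnat_preserves_dst [FILE]: succeed only if every DNAT rule in the ruleset
# sends the packet back to the same address it matched on (-d A ... A:port).
dnat_preserves_dst() {
    awk '/-j DNAT/ {
             d = ""; t = ""
             for (i = 1; i <= NF; i++) {
                 if ($i == "-d") d = $(i + 1)
                 if ($i == "--to-destination") t = $(i + 1)
             }
             split(t, parts, ":")
             if (d == "" || parts[1] != d) bad = 1
         }
         END { exit (bad ? 1 : 0) }' "$@"
}

# Stand-alone use: ./dnat-rules.sh 192.0.2.5 192.0.2.6 | iptables-restore
if [ $# -gt 0 ]; then
    gen_nat_rules "$*"
fi
```

The generated fragment only names the nat table, so iptables-restore leaves the filter table from the post alone. The existing filter rules that accept NEW connections to 8080 and 8443 still apply unchanged: nat PREROUTING runs before the INPUT chain sees the packet, so INPUT matches on the rewritten port. Apache's per-address Listen and VirtualHost directives keep working because the destination address is no longer collapsed to x.x.x.5.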
