Posted to users@httpd.apache.org by Hans <ha...@ezpear.com> on 2007/11/01 08:38:06 UTC

Re: [users@httpd] problem with NAT, Public IP's and SSL cert

Matus UHLAR - fantomas wrote:
>> On 10/27/07, Hans <ha...@ezpear.com> wrote:
>>     
>>> Last week our customer requested that we put a new SSL cert for him with his
>>> own IP. I created a VIP and forwarded ports 80 and 443.
>>> But I have a problem with the configuration.
>>>
>>> First a few words about my future conf: during the next few weeks I will
>>> install a load-balancing environment with 2 identical active/active
>>> webservers whose conf is created automatically from a MySQL database. Both
>>> machines will be behind NAT and need to use only public IPs in the
>>> configuration for virtual hosts. I cannot use for a virtualhost e.g.
>>> 192.168.2.10, 192.168.2.11 (because only the public IP 65.65.65.65 will
>>> be generated for vhosts).
>>>       
>
> There's no problem with load-balancing if you configure it properly. We are
> running many vhosts (some SSL'ed, but wildcarded on the same IP/port with
> the same cert) behind a load balancer.
>
> Our balancer does DNAT, so the servers don't know that it's there, they see
> connections coming to them. 
>
> The problem is that if you want to have multiple SSL vhosts (with multiple
> certs), you have to configure each of them on servers and balancer
> (but you can do e.g. multiple ports with different certs on hosts, and the
> same port on multiple IPs on balancer).
>
>   
>>> So back to my question. I wanted to change the configuration from *:80 (*:443)
>>> to the public 65.65.65.65:80 (65.65.65.65:443). But when I tried to access
>>> websites it always directed me to the default website. I tried <127.0.0.1:80
>>> 65.65.65.65:80>, the same effect.
>>> In the end I tried <192.168.2.10:80 65.65.65.65:80> (the same for 443)
>>> and it works correctly (I mean I can access each vhost) except that
>>> my customer doesn't get his own SSL cert but one shared with the rest from
>>> the default domain (I guess it takes the cert from the first virtual domain).
>>> How can I force Apache to use only public IPs (without LAN IP) behind
>>> NAT so that it correctly finds virtual hosts?
>>>       
>
> This highly depends on balancer behaviour. If it uses DNAT, behave like
> there was no balancer there.
>
> On 29.10.07 23:11, Krist van Besien wrote:
>   
>> - You can't do name virtual hosts with SSL.
>>     
>
> only with wildcard certificates (which works only if there are multiple
> vhosts in the same domain).
>
>   
>> - You can't configure a virtual host with an IP that the machine doesn't own.
>>
>> So if your public IP is 65.65.65.65, and this IP is allocated to a
>> loadbalancer (or any other device that does NAT) then this is of no
>> concern to your webserver.
>>
>> So if 65.65.65.65 gets loadbalanced between 192.168.2.10 and
>> 192.168.2.11 then on both hosts you will need something like:
>>
>> NameVirtualHost *:80
>> <VirtualHost *:80>
>> ServerName Myfirstcustomer.com
>> #rest of config here
>> ....
>> </VirtualHost>
>> <VirtualHost *:80>
>> ServerName Mysecondcustomer.com
>> # rest of config here
>> ....
>> </VirtualHost>
>>
>> But you can't do this with SSL servers. There you will need a separate
>> public IP for each SSL site.
>>     
>
> Actually, he can balance the same SSL virtual host on two machines. But if
> he wants two SSL virtual hosts, he needs 2 IPs or two ports (each of them
> must be balanced separately)
>
>   
Thanks.
So in your config you have only <Public_IP:80 (443)> or 
<Private_IP:80(443) Public_ip:80(443)>.

Regards,
Hans

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] problem with NAT, Public IP's and SSL cert

Posted by Krist van Besien <kr...@gmail.com>.
On Nov 2, 2007 11:33 AM, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
> > > I think that it is some limitation of Apache that it
> > > cannot listen on a virtual public IP, but only on IPs which the host directly
> > > uses.
>
> On 01.11.07 13:10, Krist van Besien wrote:
> > This is not a limitation of apache, but a limitation of the IP protocol.
>
> pardon, it's more the limitation of HTTP/SSL protocol. Some browsers and
> servers may even support SSL renegotiation, but I currently don't know about
> any.

Pardon, but reread what the OP wrote and what I answered.


Krist


-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



Re: [users@httpd] problem with NAT, Public IP's and SSL cert

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On Nov 1, 2007 11:14 AM, Hans <ha...@ezpear.com> wrote:
> > I have one main VIP 65.65.65.65 for vhosts which share that IP, and if a
> > customer needs it (like in the case of SSL) he will get another IP, e.g.
> > 65.65.65.66. I always thought that for SSL the public IP is what matters, not
> > the private one on the host. I think that it is some limitation of Apache that it
> > cannot listen on a virtual public IP, but only on IPs which the host directly
> > uses.

On 01.11.07 13:10, Krist van Besien wrote:
> This is not a limitation of apache, but a limitation of the IP protocol.

pardon, it's more the limitation of HTTP/SSL protocol. Some browsers and
servers may even support SSL renegotiation, but I currently don't know about
any.

> > I wonder how other hosting companies with load balancing solved that
> > problem. I cannot believe that somebody with 200 domains and, let's say,
> > 150 IPs plays with port numbers.

> They either do that, work with ports, or what is more common,
> terminate SSL on the loadbalancer. In this scenario the cert gets
> installed on the loadbalancer, which does the SSL handshake and
> decoding, and then forwards it to port 80 on one or several backend
> http servers. There name-based virtualhosts will work just fine.

and if this is not possible, the ISP has to configure more IPs or ports on
balancer AND webservers both. It's one of the reasons my employer doesn't
support that yet (it's much work to do it manually and hard work to do that
automatically)

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Remember half the people you know are below average. 



Re: [users@httpd] problem with NAT, Public IP's and SSL cert

Posted by Krist van Besien <kr...@gmail.com>.
On Nov 1, 2007 11:14 AM, Hans <ha...@ezpear.com> wrote:

> I have one main VIP 65.65.65.65 for vhosts which share that IP, and if a
> customer needs it (like in the case of SSL) he will get another IP, e.g.
> 65.65.65.66. I always thought that for SSL the public IP is what matters, not
> the private one on the host. I think that it is some limitation of Apache that it
> cannot listen on a virtual public IP, but only on IPs which the host directly
> uses.

This is not a limitation of apache, but a limitation of the IP protocol.
You must realise how NAT works. IP packets with a destination address
of 65.65.65.65 get (based on how you configure your NAT device) their
destination address rewritten to e.g. 192.168.2.1. There is no way for
the apache server to know what the original destination IP was, so
there is no way for the apache server to act on this info.
There is usually also no _need_ for this.

> I wonder how other hosting companies with load balancing solved that
> problem. I cannot believe that somebody with 200 domains and, let's say,
> 150 IPs plays with port numbers.

They either do that, work with ports, or what is more common,
terminate SSL on the loadbalancer. In this scenario the cert gets
installed on the loadbalancer, which does the SSL handshake and
decoding, and then forwards it to port 80 on one or several backend
http servers. There name-based virtualhosts will work just fine.

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



Re: [users@httpd] problem with NAT, Public IP's and SSL cert

Posted by Hans <ha...@ezpear.com>.
Krist van Besien wrote:
> On Nov 1, 2007 10:36 AM, Krist van Besien <kr...@gmail.com> wrote:
>   
>> On Nov 1, 2007 8:38 AM, Hans <ha...@ezpear.com> wrote:
>>
>>     
>>> So in your config you have only <Public_IP:80 (443)> or
>>> <Private_IP:80(443) Public_ip:80(443)>.
>>>       
>> No. In your config you have:
>> Several of either
>> <VirtualHost *:80>
>> or
>> <VirtualHost private_ip:80>
>> (After "VirtualHost" you need to put exactly the same thing you've put
>> after your  NameVirtualHost statement.)
>>
>> And you can have one
>> <VirtualHost *:443> block
>> or one
>> <VirtualHost IP:443> block for each IP _your server has_
>>
>> But what you want, based on your description in your first post, is
>> not possible.
>> It is not possible to have multiple SSL based hosts each with their
>> own certificate on one IP address. This is not a limitation of Apache,
>> this is a limitation of the SSL protocol. If you want to know why,
>> read this: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts
>>     
>
> Just another question, (I just reread your original post) what do you
> mean that you got another VIP for your customer? Does that mean that
> your firewall has a separate IP for your customer?
>
> In that case you can solve your problem by telling Apache to bind to
> an extra port (eg 444) and configuring your customer's SSL server on
> that port.
> You then configure your NAT firewall to forward traffic to your
> customer's IP to port 80 and 444, instead of port 80 and 443.
>
> Krist
>
>   
I have one main VIP 65.65.65.65 for vhosts which share that IP, and if a 
customer needs it (like in the case of SSL) he will get another IP, e.g. 
65.65.65.66. I always thought that for SSL the public IP is what matters, not 
the private one on the host. I think that it is some limitation of Apache that it 
cannot listen on a virtual public IP, but only on IPs which the host directly 
uses.
I wonder how other hosting companies with load balancing solved that 
problem. I cannot believe that somebody with 200 domains and, let's say, 
150 IPs plays with port numbers.

Regards,
Hans




Re: [users@httpd] problem with NAT, Public IP's and SSL cert

Posted by Krist van Besien <kr...@gmail.com>.
On Nov 1, 2007 10:36 AM, Krist van Besien <kr...@gmail.com> wrote:
> On Nov 1, 2007 8:38 AM, Hans <ha...@ezpear.com> wrote:
>
> > So in your config you have only <Public_IP:80 (443)> or
> > <Private_IP:80(443) Public_ip:80(443)>.
>
> No. In your config you have:
> Several of either
> <VirtualHost *:80>
> or
> <VirtualHost private_ip:80>
> (After "VirtualHost" you need to put exactly the same thing you've put
> after your  NameVirtualHost statement.)
>
> And you can have one
> <VirtualHost *:443> block
> or one
> <VirtualHost IP:443> block for each IP _your server has_
>
> But what you want, based on your description in your first post, is
> not possible.
> It is not possible to have multiple SSL based hosts each with their
> own certificate on one IP address. This is not a limitation of Apache,
> this is a limitation of the SSL protocol. If you want to know why,
> read this: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts

Just another question, (I just reread your original post) what do you
mean that you got another VIP for your customer? Does that mean that
your firewall has a separate IP for your customer?

In that case you can solve your problem by telling Apache to bind to
an extra port (eg 444) and configuring your customer's SSL server on
that port.
You then configure your NAT firewall to forward traffic to your
customer's IP to port 80 and 444, instead of port 80 and 443.

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

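The two workable layouts from this thread (one certificate per address:port on the webservers, or SSL terminated on the balancer) put together as an added example; this is not configuration posted by Krist, Matus or Hans. It shows one backend as the backend itself sees it after DNAT: the VirtualHost addresses are `*` (or the private 192.168.2.10), never the public VIPs, and the customer's own certificate lives on a second port that the NAT device maps his public 65.65.65.66:443 to. The hostnames, document roots, certificate paths and port 444 are assumptions for illustration; the syntax is Apache 2.0/2.2 (NameVirtualHost), matching the versions in the thread.

```apache
# Added example, not from the thread. One backend (192.168.2.10) behind a
# DNAT balancer/firewall. Assumed NAT rules on the balancer:
#   65.65.65.65:80  -> 192.168.2.10:80     (shared sites, HTTP)
#   65.65.65.65:443 -> 192.168.2.10:443    (shared sites, SSL, shared cert)
#   65.65.65.66:80  -> 192.168.2.10:80     (customer, HTTP, selected by Host:)
#   65.65.65.66:443 -> 192.168.2.10:444    (customer, SSL, his own cert)

Listen 80
Listen 443
Listen 444

# Self-referential URLs (redirects) follow the client's Host header, so a
# customer who arrived on public :443 is never redirected to :444.
UseCanonicalName Off

# Plain HTTP: name-based vhosts. One address:port serves every site because
# the Host header arrives in the clear and Apache can pick the vhost from it.
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName   www.myfirstcustomer.example
    DocumentRoot /srv/www/myfirstcustomer
</VirtualHost>
<VirtualHost *:80>
    ServerName   www.mysecondcustomer.example
    DocumentRoot /srv/www/mysecondcustomer
</VirtualHost>

# SSL: the handshake, and therefore the certificate, happens before any HTTP
# header is sent, so the certificate is chosen by the socket Apache accepted
# on, not by the requested name. One certificate per address:port.

# Shared sites, default certificate: reached via 65.65.65.65:443.
<VirtualHost *:443>
    ServerName            www.myfirstcustomer.example
    DocumentRoot          /srv/www/myfirstcustomer
    SSLEngine             on
    SSLCertificateFile    /etc/httpd/ssl/shared.crt
    SSLCertificateKeyFile /etc/httpd/ssl/shared.key
</VirtualHost>

# Customer with his own certificate: reached via 65.65.65.66:443, which the
# balancer DNATs to port 444 here. Only this vhost listens on 444.
<VirtualHost *:444>
    ServerName            www.mysecondcustomer.example
    DocumentRoot          /srv/www/mysecondcustomer
    SSLEngine             on
    SSLCertificateFile    /etc/httpd/ssl/mysecondcustomer.crt
    SSLCertificateKeyFile /etc/httpd/ssl/mysecondcustomer.key
</VirtualHost>
```

Check it from outside the NAT with `openssl s_client -connect 65.65.65.66:443 -showcerts` and again against 65.65.65.65:443: the first must present the customer's certificate and the second the shared one; if both show the shared certificate, the 444 mapping on the balancer is not in place and the request landed on the `*:443` vhost. The private keys also need to be readable only by root (Apache reads them before dropping privileges), and both backends in the active/active pair need identical copies of every certificate and key. If the balancer terminates SSL instead, the backends keep only the `*:80` name-based vhosts and the balancer becomes the single holder of all customers' private keys, so its hardening and access control matter at least as much as the webservers'. Later httpd releases (mod_ssl from 2.2.12 built against OpenSSL 0.9.8f or newer) added SNI, which lets several certificates share one address:port for clients that send the extension; the one-certificate-per-socket rule above is what holds without it.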


Re: [users@httpd] problem with NAT, Public IP's and SSL cert

Posted by Krist van Besien <kr...@gmail.com>.
On Nov 1, 2007 8:38 AM, Hans <ha...@ezpear.com> wrote:

> So in your config you have only <Public_IP:80 (443)> or
> <Private_IP:80(443) Public_ip:80(443)>.

No. In your config you have:
Several of either
<VirtualHost *:80>
or
<VirtualHost private_ip:80>
(After "VirtualHost" you need to put exactly the same thing you've put
after your  NameVirtualHost statement.)

And you can have one
<VirtualHost *:443> block
or one
<VirtualHost IP:443> block for each IP _your server has_

But what you want, based on your description in your first post, is
not possible.
It is not possible to have multiple SSL based hosts each with their
own certificate on one IP address. This is not a limitation of Apache,
this is a limitation of the SSL protocol. If you want to know why,
read this: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts


Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



[users@httpd] Authenticating via a secure LDAP server

Posted by Malka Cymbalista <Ma...@weizmann.ac.il>.
Hello All,
We are running Apache/2.2.6 with mod_ssl/2.2.6, OpenSSL/0.9.7a, PHP/5.2.4, mod_perl/2.0.3 and 
Perl/v5.8.5 on a Red Hat Enterprise Linux AS release 4 machine. 
We compiled Apache with the following options to configure:
--prefix=/WWW/httpd --with-ldap --enable-ldap --enable-authnz-ldap --enable-rewrite --enable-speling --enable-auth-digest --enable-ssl --with-ssl=/usr/share/ssl --with-mpm=prefork --enable-so --enable-proxy

We want to use ldap authentication via a remote ldap server that is running in secure mode.

My question is whether we have to install an LDAP SDK and APR. The apache 2.0 documentation for mod_ldap states very clearly:
SSL support requires that mod_ldap be linked with one of the following LDAP SDKs....

However, the apache 2.2 documentation for mod_ldap is not as clear.  It says:
To enable this module, LDAP support must be compiled into apr-util. This is achieved by adding the --with-ldap flag to the configure script.... 
SSL/TLS support is dependent on which LDAP toolkit has been linked to APR

We configured apache with --with-ldap. Is this enough or do we need other options for configure? Do we have to download and install APR in addition? Do we then have to install an LDAP SDK? If we install APR and LDAP SDK, will the documentation explain how to link them together?

I am a bit confused and would appreciate any clarification.
Thanks in advance for any help.



-- 

Malka Cymbalista
Webmaster, Weizmann Institute of Science
malki.cymbalista@weizmann.ac.il
08-934-3036


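What the configuration looks like once the build does have SSL-capable LDAP, as an added example that is not part of the post above. The build described (`--with-ldap --enable-ldap --enable-authnz-ldap` on httpd 2.2 with its bundled APR) compiles mod_ldap and mod_authnz_ldap in statically and links apr-util against whatever LDAP toolkit configure found, typically OpenLDAP's libldap on Red Hat; `httpd -l` listing mod_ldap.c and mod_authnz_ldap.c confirms the modules, and `ldd /WWW/httpd/lib/libaprutil-1.so` showing a libldap line confirms the toolkit (that library path is assumed from the --prefix). The LDAP hostname, base DN, bind identity and CA file path below are assumptions for illustration.

```apache
# Added example, not from the post: Apache 2.2 mod_authnz_ldap authenticating
# against a remote LDAP server over SSL (ldaps://, port 636 by default).
# No LoadModule lines: with --enable-ldap --enable-authnz-ldap and no
# "=shared", both modules are compiled in and appear in "httpd -l".

# Trust exactly the CA that issued the LDAP server's certificate, and refuse
# the connection if the server certificate does not verify. With
# LDAPVerifyServerCert Off a server impersonating the directory would receive
# every user's password, because Apache binds with the supplied credentials.
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/ssl/ldap-ca.pem
LDAPVerifyServerCert On

<Location /private>
    AuthType          Basic
    AuthName          "Institute users"
    AuthBasicProvider ldap

    # ldaps:// = SSL from the first byte. Search base, then the attribute that
    # must equal the supplied username, the scope, and an extra filter.
    AuthLDAPURL "ldaps://ldap.example.ac.il/ou=People,dc=example,dc=ac,dc=il?uid?sub?(objectClass=person)"

    # Identity used only to search for the user's DN; many directories refuse
    # anonymous search. Keep this file readable by root only.
    AuthLDAPBindDN       "cn=apache,ou=Services,dc=example,dc=ac,dc=il"
    AuthLDAPBindPassword "bind-password-goes-here"

    # Do not fall through to another provider if LDAP says no.
    AuthzLDAPAuthoritative On
    Require valid-user
</Location>
```

Basic authentication sends the password base64-encoded, not encrypted, so the `/private` location should itself sit in an SSL vhost, otherwise the secure link to the directory protects a password that already crossed the network in the clear. If the handshake to the directory fails, mod_ldap's reason lands in the error log at LogLevel debug; a CA mismatch there means the certificate in LDAPTrustedGlobalCert is not the issuer of the server's certificate.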