
IBM HTTP Server as Reverse Proxy with SSL question


arnell...@hotmail.com

Oct 2, 2009, 5:29:17 PM10/2/09
I'm aware of the whole issue regarding Name Based virtual hosting and SSL (IHS can't read the hostname from the HTTP header to direct it to the proper host because the header is encrypted).

I basically want to know if what I'm trying to do is possible, because I thought the above scenario was an issue with only multiple VHosts.

We've got three applications:

App A:80 (Non-SSL)
App B:80 (Non-SSL)
App S:443 (SSL)

Is it possible to use name based virtual hosting in this scenario? We want to be able to use port 80 for App A & App B, but we want the proxy to hit App S when something comes in on port 443. It seems that as soon as name based vhosting comes on, it ignores ports completely, looks for a host, gets confused and drops it off at the highest priority vhost.

Is it possible to terminate SSL *on this server* before it makes any decisions about which vhost will serve the request?

Thanks.

Eric Covener

Oct 2, 2009, 9:15:35 PM10/2/09
arnell...@hotmail.com wrote:
> I'm aware of the whole issue regarding Name Based virtual hosting and SSL (IHS can't read the hostname from the HTTP header to direct it to the proper host because the header is encrypted).
>

The opposite is the case. IHS has to decide which encryption settings
to negotiate before the client uses those settings to encrypt the Host:
header.

> I basically want to know if what I'm trying to do is possible, because I thought the above scenario was an issue with only multiple VHosts.
>
> We've got three applications:
>
> App A:80 (Non-SSL)
> App B:80 (Non-SSL)
> App S:443 (SSL)
>
> Is it possible to use name based virtual hosting in this scenario? We want to be able to use port 80 for App A & App B, but we want the proxy to hit App S when something comes in on port 443. It seems that as soon as name based vhosting comes on, it ignores ports completely, looks for a host, gets confused and drops it off at the highest priority vhost.

Apache first chooses the "best" <VirtualHost> match considering only the
local interface and port. If there's a NameVirtualHost with identical
arguments, it further looks at ServerNames and ServerAliases of all
identically named vhosts.

Your example is unclear about where the proxy is in this configuration,
but I can't imagine what wouldn't be possible. It's also unclear if
"App X" is an interface or something like a context root.

Check for warnings in apachectl -S and make sure your VirtualHost
directives all specify a port and any NameVirtualHost directives match
exactly the corresponding VirtualHost directives.

>
> Is it possible to terminate SSL *on this server* before it makes any decisions about which vhost will serve the request?

The SSL configuration to be used depends on the selection of the ip/port
based vhost. In IHS, if you try to configure SSL on anything other than
the default vhost in a NameVirtualHost the SSL settings just become dead
configuration, but the vhost itself will still be used for any non-SSL
configuration [i.e. it gets selected, but this happens after the SSL
handshake has completed].

Net, you're fine if you don't need two sets of SSL configuration on one
ip:port combination.


--
Eric Covener
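As an added illustration of the selection order Eric describes (ip:port first, then ServerName/ServerAlias only among vhosts covered by a matching NameVirtualHost, with the SSL settings fixed by the ip:port choice), here is one way the three applications from the question could be laid out in an IHS httpd.conf. This is example configuration written for this page, not configuration from the original poster or from IBM; the backend hostnames, ports, module paths and key-database paths are assumptions. It uses the NameVirtualHost directive as the reply does (Apache 2.2 era; Apache 2.4 ignores that directive with a warning and treats every vhost as name-capable).

```apache
# Added example: IHS acting as reverse proxy for App A and App B on *:80
# (name-based) and App S on *:443 (ip:port-based, single SSL config).
# Hostnames, backend addresses and file paths below are assumptions.

Listen 80
Listen 443

LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
# IHS ships its own SSL module (mod_ibm_ssl) rather than mod_ssl.
LoadModule ibm_ssl_module    modules/mod_ibm_ssl.so

# Name-based selection only happens among vhosts whose address:port
# matches this directive exactly, so declare it for *:80 and nothing else.
NameVirtualHost *:80

# First *:80 vhost is the default for that ip:port; a request with an
# unknown or missing Host: header lands here.
<VirtualHost *:80>
    ServerName appa.example.com
    ProxyRequests Off
    ProxyPass        / http://appa-backend.internal:8080/
    ProxyPassReverse / http://appa-backend.internal:8080/
</VirtualHost>

<VirtualHost *:80>
    ServerName appb.example.com
    ServerAlias www.appb.example.com
    ProxyRequests Off
    ProxyPass        / http://appb-backend.internal:8081/
    ProxyPassReverse / http://appb-backend.internal:8081/
</VirtualHost>

# Exactly one vhost on *:443 and no NameVirtualHost for *:443: Apache
# selects it on ip:port alone, so these SSL settings are the ones used
# in the handshake, before the Host: header can be decrypted and read.
<VirtualHost *:443>
    ServerName apps.example.com
    SSLEnable
    Keyfile      "/opt/IBM/HTTPServer/ssl/key.kdb"
    SSLStashfile "/opt/IBM/HTTPServer/ssl/key.sth"
    SSLProtocolDisable SSLv2
    # TLS is terminated here; the hop to App S is plain HTTP in this example.
    ProxyRequests Off
    ProxyPass        / http://apps-backend.internal:8082/
    ProxyPassReverse / http://apps-backend.internal:8082/
</VirtualHost>
```

Run `apachectl -S` after editing: it should list *:80 as a name-based group containing the two port-80 vhosts, *:443 as a plain ip-based vhost, and no warnings about NameVirtualHost arguments not matching any VirtualHost. Adding a second SSL-enabled vhost on *:443 would not error out, but, as Eric notes, its SSL directives would be dead configuration: the handshake already used the first *:443 vhost's settings by the time name-based selection could pick the second one.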
