SSL and virtual hosts

Curtis Dutton

Mar 13, 2022, 1:02:10 PM3/13/22
to Racket Developers
I have a webserver with a set of admin pages that use client certificates to control access.

I would also like to use a letsencrypt certificate for the main site for standard guest users.


Is it possible to set up my webserver to have

https://mywebserver.com which uses the letsencrypt certificate for standard users

and

https://admin.mywebserver.com which uses the self-signed certificate that validates client certificates for administrative use

I would like to run only one instance of my server that listens on port 443 but will serve either style of certificate based upon the domain.

I know apache can do this with the SNI protocol.

If racket webserver does not yet support this I will build an SNI dispatcher and share it.

Thanks,
  Curtis

Ryan Culpepper

Mar 13, 2022, 5:11:29 PM3/13/22
to Curtis Dutton, Racket Developers
You need to set up multiple server contexts and install a callback to select the right context for each connection. See the docs for `ssl-set-server-name-identification-callback!` for an example sketch.

A preemptive warning: There might be issues with client certificate authentication with TLS 1.3 connections --- or maybe not. I think it will still work fine if you use `ssl-set-verify!` on the server context to require client authentication; but calling `ssl-set-verify!` on a port returned by `ssl-accept` probably won't work. Anyway, if you have problems with client authentication see if it works with a TLS 1.2 client, and if so write back (here or any other Racket place).

Ryan
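The following is an added sketch of the approach described in the reply above, built on Racket's `openssl` library. It is not code from this thread or from the Racket web-server project. Two server contexts are created: one carrying the Let's Encrypt chain for guests, one carrying the self-signed admin certificate with client-certificate verification required via `ssl-set-verify!` on the context itself (not on ports from `ssl-accept`). The SNI callback installed with `ssl-set-server-name-identification-callback!` switches to the admin context only when the client names the admin host. All file names, and the minimal HTTP responder, are assumptions for illustration.

```racket
#lang racket/base
;; Added example, not from the original thread. Certificate/key paths and
;; the responder below are assumptions; hostnames are those from the post.
(require openssl)

;; Public context: Let's Encrypt chain + key, no client authentication.
(define public-ctx (ssl-make-server-context))
(ssl-load-certificate-chain! public-ctx "letsencrypt-fullchain.pem") ; assumed path
(ssl-load-private-key! public-ctx "letsencrypt-privkey.pem")         ; assumed path

;; Admin context: self-signed server cert; client certs must chain to the
;; private CA in admin-client-ca.pem. Verification is configured on the
;; context, which is what the reply above expects to keep working on TLS 1.3.
;; If client auth misbehaves, (ssl-make-server-context 'tls12) pins the
;; admin side to TLS 1.2 for a comparison, as the reply suggests.
(define admin-ctx (ssl-make-server-context))
(ssl-load-certificate-chain! admin-ctx "admin-server.pem")           ; assumed path
(ssl-load-private-key! admin-ctx "admin-server-key.pem")             ; assumed path
(ssl-load-verify-root-certificates! admin-ctx "admin-client-ca.pem") ; assumed path
(ssl-set-verify! admin-ctx #t)

;; SNI dispatch. The listener starts out with public-ctx; returning a
;; context switches the handshake to it, returning #f keeps public-ctx.
;; Unknown or absent server names therefore never see the admin certificate.
(define (select-context hostname)
  (if (equal? hostname "admin.mywebserver.com")
      admin-ctx
      #f))
(ssl-set-server-name-identification-callback! public-ctx select-context)

;; Minimal responder (assumed stand-in for the real web server). The
;; admin handshake already failed unless a valid client cert was presented;
;; ssl-peer-verified? is the authoritative per-connection check, not the
;; HTTP Host header, which any client can set to the admin name.
(define (serve-one in out)
  (define who
    (if (ssl-peer-verified? in)
        (format "admin client ~a" (ssl-peer-subject-name in))
        "anonymous guest"))
  (read-line in) ; consume the request line; headers are ignored here
  (fprintf out "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\nHello, ~a\r\n" who)
  (flush-output out)
  (close-output-port out)
  (close-input-port in))

(module+ main
  ;; One listener on 443 with public-ctx as the initial server protocol.
  (define listener (ssl-listen 443 5 #t #f public-ctx))
  (let loop ()
    (define-values (in out) (ssl-accept listener))
    (thread (lambda ()
              (with-handlers ([exn:fail? void]) ; a failed handshake just drops the connection
                (serve-one in out))))
    (loop)))
```

Two practical points follow from the sketch. First, the SNI name only selects which certificate and verification policy the handshake uses; it is not itself authentication, so admin pages must be gated on `ssl-peer-verified?` for that connection rather than on the hostname the client claimed. Second, because `#f` from the callback falls back to the public context, a client that omits SNI or names an unexpected host gets the guest certificate and no admin access.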
