On Thu, 5 Jul 2001, Dirk Vleugels wrote:
> Hi,
>
> On Thu, Jul 05, 2001 at 01:05:55PM +0200, Martin Hierling wrote:
> > > 2. https certificates are by url name, not by IP. You can have any number
> > > of certificates on a real-server.
> >
> > Partly correct.
> > You can't do Name Based VHosts, because the SSL Stuff is done before HTTP
> > snaps in. So at the Beginning there is only the IP:Port and no
> > www.domain.com.
> > Look at http://www.modssl.org/docs/2.4/ssl_faq.html
> > "Why can't I use SSL with name-based/non-IP-based virtual hosts?"
>
> Yes. With LVS-NAT this would be no problem (targeting different
> ports on the RS's). But with direct routing i need different virtual IP's
> on the RS. The question: will the return traffic use the VIP-IP by
> default? Otherwise the client will notice the mismatch during the SSL
> handshake.
Yes, on the real servers you will have multiple dummy interfaces, one for
each VIP. Apache will bind itself to each interface. The sockets for the
SSL session are also bound to the interface. The machine will send
packets from the IP address of the interface the packet leaves the machine
on. So, it will work as expected. The clients will see packets from the
IP address they connected to.
-Matt
--
----------------------------------------------------------------------
Matthew S. Crocker
Vice President / Internet Division Email: matthew@xxxxxxxxxxx
Crocker Communications Phone: (413) 587-3350
PO BOX 710 Fax: (413) 587-3352
Greenfield, MA 01302-0710 http://www.crocker.com
----------------------------------------------------------------------
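An added example to illustrate the point the thread turns on (it is not code from the original post or from LVS/mod_ssl): the server has to pick a certificate from nothing more than the ClientHello and the local IP:port the connection arrived on, because no HTTP Host header exists yet. A ClientHello of the kind a 2001 client sent carries no extensions, so only the IP:port (one VIP per dummy interface, as Matt describes) can select the certificate; the later Server Name Indication extension (RFC 3546, now RFC 6066) puts the hostname into the ClientHello and is what makes name-based SSL virtual hosts possible today. The ClientHello bytes, VIP addresses and certificate labels below are constructed for the example, not captured from a real client.

```python
"""Certificate selection from ClientHello + local IP:port (added example).

build_client_hello() constructs a minimal TLS ClientHello record, with or
without an SNI extension; extract_sni() parses the record the way a server
must, before any HTTP byte has arrived; select_certificate() falls back to
the IP:port table when the ClientHello names no host (the pre-SNI case).
"""
import struct
from typing import Dict, Optional, Tuple

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000

# Constructed tables: one certificate per VIP (the 2001 layout) and one per name (SNI).
CERTS_BY_ENDPOINT: Dict[Tuple[str, int], str] = {
    ("192.0.2.10", 443): "cert-www",
    ("192.0.2.11", 443): "cert-shop",
}
CERTS_BY_NAME: Dict[str, str] = {
    "www.example.com": "cert-www",
    "shop.example.com": "cert-shop",
}


def build_client_hello(sni: Optional[str] = None) -> bytes:
    """Construct a TLS ClientHello record; sni=None yields a pre-SNI style hello."""
    body = struct.pack(">H", 0x0303)                    # client_version
    body += b"\x11" * 32                                # random (fixed for reproducibility)
    body += b"\x00"                                     # session_id: empty
    suites = struct.pack(">HH", 0xC02F, 0x002F)
    body += struct.pack(">H", len(suites)) + suites     # cipher_suites
    body += b"\x01\x00"                                 # compression_methods: null only
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(name)) + name   # name_type host_name(0)
        sn_list = struct.pack(">H", len(entry)) + entry
        ext = struct.pack(">HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
        body += struct.pack(">H", len(ext)) + ext       # extensions block
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + struct.pack(">HH", 0x0301, len(hs)) + hs


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension, or None if the hello has none."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                        # skip version and random
    pos += 1 + body[pos]                                # skip session_id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + body[pos]                                # skip compression_methods
    if pos + 2 > len(body):
        return None                                     # no extensions at all: pre-SNI client
    ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != EXT_SERVER_NAME or len(edata) < 2:
            continue
        list_end = 2 + struct.unpack(">H", edata[:2])[0]
        q = 2
        while q + 3 <= list_end:
            ntype = edata[q]
            nlen = struct.unpack(">H", edata[q + 1:q + 3])[0]
            q += 3
            if ntype == 0:                              # host_name
                return edata[q:q + nlen].decode("ascii")
            q += nlen
    return None


def select_certificate(local_ip: str, local_port: int, client_hello: bytes,
                       by_name: Dict[str, str] = CERTS_BY_NAME,
                       by_endpoint: Dict[Tuple[str, int], str] = CERTS_BY_ENDPOINT
                       ) -> Optional[str]:
    """Pick a certificate: SNI name if the client sent one, else the local IP:port."""
    name = extract_sni(client_hello)
    if name is not None and name in by_name:
        return by_name[name]
    return by_endpoint.get((local_ip, local_port))


if __name__ == "__main__":
    print("no SNI on VIP .10 ->", select_certificate("192.0.2.10", 443, build_client_hello()))
    print("SNI shop on VIP .10 ->",
          select_certificate("192.0.2.10", 443, build_client_hello("shop.example.com")))
```

Without SNI the hostname the browser typed is simply not on the wire before the certificate goes out, so a real server bound to one VIP per dummy interface must hand out that VIP's certificate; with SNI the same listener can serve several names, which is the caveat to keep in mind when reading the 2001 mod_ssl FAQ answer quoted above.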