On Fri, 24 Oct 2003, Josh Trutwin wrote:
> For example, routing the following two sites that both have the same
> public IP in DNS:
> 
> https://www.coolsite1.com -> 192.168.0.100
> https://www.coolsite2.com -> 192.168.0.101
> 
> URL based application layer routing?

If you are not using SSL, it's totally possible. The way it works is the 
client connects to port 80, and runs a GET command on 
http://www.coolsite1.com or http://www.coolsite2.com. This way, the web 
server knows which site to send.

If you *are* using SSL, however, there's a problem. For SSL to work
properly, the name of the site needs to be included in the information in
the certificate. And (the way SSL works with HTTP), the SSL cert has to be
sent to the client on the initial connection, before the client sends any
information to the server on what site it wants. So, you can only have 
one SSL cert per IP, because otherwise the server wouldn't have any way 
to distinguish which one to send.

With TLS, you are supposed to be able to get around this - the client
sends a clear-text request for the site it wants, and negotiates SSL on
the wire. I haven't yet had a chance to try to make this work, though.

Another option is to run many SSL sites on the same IP address, using 
different ports, and just set up a cleartext site to direct them to the 
proper port. For example, you've got www.coolsite1.com, www.coolsite2.com, 
and www.coolsite3.com. You decide to set them all up on the IP 10.0.0.1. 
So, you'd have the following:

10.0.0.1:80 - answering for all three sites, using http virtual hosting
10.0.0.1:443 - www.coolsite1.com
10.0.0.1:444 - www.coolsite2.com
10.0.0.1:445 - www.coolsite3.com

When someone hits http://www.coolsite1.com, it'd redirect them to 
https://www.coolsite1.com:443; when someone hits http://www.coolsite2.com, 
have a redirect for https://www.coolsite2.com:444, etc.

Hope this helps!

-- 
Nate Carlson <natecars at real-time.com>   | Phone : (952)943-8700
http://www.real-time.com                | Fax   : (952)943-8500


_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
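
The cleartext redirector on port 80 described in the message, as an added example that is not part of the original post. The function and class names and the 127.0.0.1:8080 demo listener are assumptions; the host-to-port table is the one from the message. Because the Host header is client-controlled, the redirect only ever points at names in the table.

```python
# Added example (not from the original post): the port-80 site that sends each
# name-based virtual host to its own HTTPS port on the shared IP.
from http.server import BaseHTTPRequestHandler, HTTPServer

# Port assignments as listed in the message.
HTTPS_PORTS = {
    "www.coolsite1.com": 443,
    "www.coolsite2.com": 444,
    "www.coolsite3.com": 445,
}

def redirect_target(host_header, path="/"):
    """Return the https:// URL for a request, or None if the Host is unknown."""
    if not host_header:
        return None
    # Normalise the client-supplied Host: case, optional port, trailing dot.
    host = host_header.strip().lower().split(":", 1)[0].rstrip(".")
    port = HTTPS_PORTS.get(host)
    if port is None:
        # Never echo an unknown Host into a Location header.
        return None
    # Keep only a sane absolute path; anything else falls back to "/".
    if not path.startswith("/") or "\r" in path or "\n" in path:
        path = "/"
    return f"https://{host}:{port}{path}"

class RedirectHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        target = redirect_target(self.headers.get("Host"), self.path)
        if target is None:
            self.send_error(400, "Unknown host")
            return
        self.send_response(301)
        self.send_header("Location", target)
        self.end_headers()

if __name__ == "__main__":
    # Assumption: port 8080 on loopback so the demo runs without root.
    HTTPServer(("127.0.0.1", 8080), RedirectHandler).serve_forever()
```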