Problem with... proxy? Module? Or what?

on 21.11.2002 20:35:59 by Alex Povolotsky

Hello!

I'm running FreeBSD, and apache/mod_ssl with virtual hosts in a jailed environment. Jail means that I can have only one IP address for apache; ipfilter's ipnat is used to multiplex several external IPs.

I also need to support https virtual hosts, and here my troubles begin.

Of course, I could not use pure name-based virtual hosts, and I even understand why.

What's a bit worse is that I seem to be unable to obtain data from /dev/ipl from inside the jail.

Maybe someone can guide me towards a proper proxy? Things like mod_real_ip should not help much, and I'm still trying to make pound (http://www.apsis.ch/pound/) work.

Having received an https connection via some proxy, how can I pass SSL variables the easiest way?

--
Alex.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Problem with... proxy? Module? Or what?

on 21.11.2002 21:25:20 by dufresne

On Thu, 21 Nov 2002, Alex Povolotsky wrote:

> Hello!
>
> I'm running FreeBSD, and apache/mod_ssl with virtual hosts in a jailed environment. Jail means that I can have only one IP address for apache; ipfilter's ipnat is used to multiplex several external IPs.
>
> I also need to support https virtual hosts, and here my troubles begin.
>
> Of course, I could not use pure name-based virtual hosts, and I even understand why.
>
> What's a bit worse is that I seem to be unable to obtain data from /dev/ipl from inside the jail.

It sounds like yer jail is lacking the libs and devices for this access.
Now, whether or not your jail will be safe if you move what's required to
get this to function within the jail is another matter you will have to
determine after setting up a working jailed testbed with those items.
lsof and various other tools are your friend in this endeavor. One of the
recent system admin editions had a good article on how to work through the
process of setting up jailed applications; I think it was last month's
or the two months back edition.

>
> Maybe someone can guide me towards a proper proxy? Things like mod_real_ip should not help much, and I'm still trying to make pound (http://www.apsis.ch/pound/) work.
>
> Having received an https connection via some proxy, how can I pass SSL variables the easiest way?
>
>


Thanks,


Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!


Re: Problem with... proxy? Module? Or what?

on 21.11.2002 22:35:06 by Alex Povolotsky

On Thu, 21 Nov 2002 15:25:20 -0500 (EST)
"R. DuFresne" wrote:

RD> > I'm running FreeBSD, and apache/mod_ssl with virtual hosts in
RD> It sounds like yer jail is lacking the libs and devices for this access.

libs exist; device exists. I'm getting an IOCTL error trying to access /dev/ipl.

Nov 21 20:11:01 class-a tproxy[52225]: ioctl(SIOCGNATL): Bad address

Maybe ipfilter requires kmem or mem; in this case, I'm surely helpless.

RD> recent system admin editions had a good article on how to work through the
RD> process of setting up jailed applications I think it was the last months
RD> or two months back edition.

URL? I don't think I'll be able to get hold of it in reasonable time...


--
Alex.

Re: Problem with... proxy? Module? Or what?

on 22.11.2002 00:04:24 by dufresne

On Fri, 22 Nov 2002, Alex Povolotsky wrote:

> On Thu, 21 Nov 2002 15:25:20 -0500 (EST)
> "R. DuFresne" wrote:
>
> RD> > I'm running FreeBSD, and apache/mod_ssl with virtual hosts in
> RD> It sounds like yer jail is lacking the libs and devices for this access.
>
> libs exist; device exists. I'm getting an IOCTL error trying to access /dev/ipl.
>
> Nov 21 20:11:01 class-a tproxy[52225]: ioctl(SIOCGNATL): Bad address
>
> Maybe ipfilter requires kmem or mem; in this case, I'm surely helpless.
>
> RD> recent system admin editions had a good article on how to work through the
> RD> process of setting up jailed applications I think it was the last months
> RD> or two months back edition.
>
> URL? I don't think I'll be able to get hold of it in reasonable time...
>
>
>

If you're in that much of a time pinch hopefully you googled for it
yourself, rather than waiting on me:

http://www.sysadminmag.com/

Look at the past couple of issues, the article should be in there on
jailing daemons. Which I did not locate with a quick search on the site
with the term 'jail' yet there were at least 5 articles found with that
term relating to this, at least one specific to FreeBSD. Searching with
the term chroot produces more results and between the two, should locate
information to help you here.

Thanks,


Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!


Re: Problem with... proxy? Module? Or what?

on 22.11.2002 09:45:06 by Alex Povolotsky

On Thu, 21 Nov 2002 18:04:24 -0500 (EST)
"R. DuFresne" wrote:

RD> > RD> recent system admin editions had a good article on how to work through the
RD> > RD> process of setting up jailed applications I think it was the last months
RD> > RD> or two months back edition.
RD> >
RD> > URL? I don't think I'll be able to get hold of it in reasonable time...
RD> If you're in that much of a time pinch hopefully you googled for it
RD> yourself, rather than waiting on me:
RD>
RD> http://www.sysadminmag.com/

Thanks. Last evening I was too sleepy to google it out. However, all articles I was able to find are more than one year old, and they don't answer my question - jail'ed virtual https.

What is the 'CONNECT' method used by squid to proxy an https connection? RFC number is enough. As far as I understand, my only option is to use a non-jailed proxy that provides https, but what is the least painful way to pass ssl-related variables to jailed apache?

--
Alex.