SSL proxy

SSL proxy

on 10.07.2008 22:23:52 by nrssl

I have several web servers currently that all have the same IP, but
different host names, and I have an apache that uses mod_proxy to direct
requests to the correct internal server to process the request.

I would like to use my apache proxy server to provide SSL encryption and
decryption, and not have to have each individual server do that.

Is that possible?

I have worked with virtual host configuration, and I have tried to set up
the ssl stuff so that this will work, but so far I have not been successful.

I have tried to search for this, but the closest I have come is proxy to an
ssl server. I want to have the proxy server do the ssl stuff for me.

Can anyone provide instructions or links?

Thanks.


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSL proxy

on 10.07.2008 22:38:15 by Gilles Cuesta

nrssl@thepinc.com wrote:
> I have several web servers currently that all have the same IP, but
> different host names, and I have an apache that uses mod_proxy to direct
> requests to the correct internal server to process the request.
>
> I would like to use my apache proxy server to provide SSL encryption and
> decryption, and not have to have each individual server do that.
>
> Is that possible?
>
Apparently, understanding what you want to do, it's possible.

It might depend on Apache / modssl versions

One of the best ways is doing encrypted HTTPS between client and proxy
and clear HTTP between proxy and real server.
You can also do encrypted HTTPS between proxy and real server, just
adding some Apache configuration

Re: SSL proxy

on 11.07.2008 09:30:39 by mdn teo

How is it possible? By definition SSL does not allow different host names on
the same IP:PORT.
Or is there something I'm missing?




> ---------- Forwarded message ----------
> From: Gilles Cuesta (Gmail)
> Date: Thu, Jul 10, 2008 at 10:38 PM
> Subject: Re: SSL proxy
> To: modssl-users@modssl.org
>
>
> nrssl@thepinc.com wrote:
>
>> I have several web servers currently that all have the same IP, but
>> different host names, and I have an apache that uses mod_proxy to direct
>> requests to the correct internal server to process the request.
>>
>> I would like to use my apache proxy server to provide SSL encryption and
>> decryption, and not have to have each individual server do that.
>>
>> Is that possible?
>>
>>
> Apparently, understanding what you want to do, it's possible.
>
> It might depend on Apache / modssl versions
>
> One of the best ways is doing encrypted HTTPS between client and proxy and
> clear HTTP between proxy and real server.
> You can also do encrypted HTTPS between proxy and real server, just adding
> some Apache configuration


Re: SSL proxy

on 11.07.2008 09:57:03 by Eckard Wille

nrssl@thepinc.com wrote:
> I have several web servers currently that all have the same IP, but
> different host names, and I have an apache that uses mod_proxy to direct
> requests to the correct internal server to process the request.
>
> I would like to use my apache proxy server to provide SSL encryption and
> decryption, and not have to have each individual server do that.
>
> Is that possible?
>
> I have worked with virtual host configuration, and I have tried to set up
> the ssl stuff so that this will work, but so far I have not been successful.
>
> I have tried to search for this, but the closest I have come is proxy to an
> ssl server. I want to have the proxy server do the ssl stuff for me.

Hi,

you can not use SSL with virtual hosting, see
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47

You'll have to get a dedicated ip for every single ssl host. You could
play around with one ssl proxy on your single ip with a common name
and do some rewriting according to an url prefix matching the secure
parts of your backend virtual hosts; decide yourself if this config
work is worth it.

Regards

Eckard

Re: SSL proxy

on 11.07.2008 10:02:22 by Gilles Cuesta

Eckard Wille wrote:
> nrssl@thepinc.com wrote:
>> I have several web servers currently that all have the same IP, but
>> different host names, and I have an apache that uses mod_proxy to direct
>> requests to the correct internal server to process the request.
>>
>> I would like to use my apache proxy server to provide SSL encryption and
>> decryption, and not have to have each individual server do that.
>>
>> Is that possible?
>>
>> I have worked with virtual host configuration, and I have tried to set up
>> the ssl stuff so that this will work, but so far I have not been successful.
>>
>> I have tried to search for this, but the closest I have come is proxy to an
>> ssl server. I want to have the proxy server do the ssl stuff for me.
>
> Hi,
>
> you can not use SSL with virtual hosting, see
> http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47
>
> You'll have to get a dedicated ip for every single ssl host. You could
> play around with one ssl proxy on your single ip with a common name
> and do some rewriting according to an url prefix matching the secure
> parts of your backend virtual hosts; decide yourself if this config
> work is worth it.

I thought that using wildcard or multi-cn certificates will work ?
In this case, only one certificate is needed for a range of Vhost

-- 
Gilles CUESTA - Logiciels Libres
69139920




Re: SSL proxy

on 11.07.2008 11:56:25 by Eckard Wille

Cuesta Gilles wrote:
> I thought that using wildcard or multi-cn certificates will work ?

No.

> In this case, only one certificate is needed for a range of Vhost

If you only have one ip this won't make things better because virtual
hosting is still not possible. Wildcard certs do not enable vHosting
because the ssl handshake still takes place before the http host
header can be evaluated. They were offered by CAs to make it easier
for admins so they wouldn't have to fiddle around with dozens of certs
and their validity management in a masshosting environment or for
subdomains.

Eckard

Re: SSL proxy

on 11.07.2008 12:44:34 by Gilles Cuesta

Eckard Wille wrote:
> Cuesta Gilles wrote:
>> I thought that using wildcard or multi-cn certificates will work ?
>
> No.
>
>> In this case, only one certificate is needed for a range of Vhost
>
> If you only have one ip this won't make things better because virtual
> hosting is still not possible. Wildcard certs do not enable vHosting
> because the ssl handshake still takes place before the http host
> header can be evaluated. They were offered by CAs to make it easier
> for admins so they wouldn't have to fiddle around with dozens of certs
> and their validity management in a masshosting environment or for
> subdomains.
>

So what about this ?
"*MULTIPLE CN (SAN) SERVER CERTIFICATES*

This type of certificate (also called /Subject Alternative Name/ (SAN) )
enables to secure not only one website but a large number of sites (a
list of sites) hosted on a shared infrastructure (server with multiple
names, reverse proxy). Ideal to secure multiple brands of a corporation.
One certificate per hardware is required."

http://www.tbs-certificats.com/index.html.en

-- 
Gilles CUESTA - Logiciels Libres
69139920




Re: SSL proxy

on 11.07.2008 12:57:23 by Eckard Wille

Cuesta Gilles wrote:
> "*MULTIPLE CN (SAN) SERVER CERTIFICATES*
>
> This type of certificate (also called /Subject Alternative Name/ (SAN) )
> enables to secure not only one website but a large number of sites (a
> list of sites) hosted on a shared infrastructure (server with multiple
> names, reverse proxy). Ideal to secure multiple brands of a corporation.
> One certificate per hardware is required."

This only means that one host can have several names by configuring
ServerName and ServerAlias, but does not enable virtual hosting.

Eckard

Re: SSL proxy

on 11.07.2008 13:34:06 by Eckard Wille

Eckard Wille wrote:
> Cuesta Gilles wrote:
>> "*MULTIPLE CN (SAN) SERVER CERTIFICATES*
>>
>> This type of certificate (also called /Subject Alternative Name/ (SAN)
>> ) enables to secure not only one website but a large number of sites
>> (a list of sites) hosted on a shared infrastructure (server with
>> multiple names, reverse proxy). Ideal to secure multiple brands of a
>> corporation. One certificate per hardware is required."
>
> This only means that one host can have several names by configuring
> ServerName and ServerAlias, but does not enable virtual hosting.

Hi Cuesta,

with some tricks you could achieve your goal by using the preconditions
of mod_rewrite rules. If your ssl proxy has one single host entry with
such a multi-named cert, it may be possible to rewrite via proxy after
a look at the host header:

RewriteEngine on
# [P] proxies the request, so the target must be a full URL with its scheme
RewriteCond %{HTTP_HOST} www.vhost1.com
RewriteRule ^/(.*) http://www.internal.http.vhost1.com/$1 [P]

RewriteCond %{HTTP_HOST} www.vhost2.com
RewriteRule ^/(.*) http://www.internal.http.vhost2.com/$1 [P]

If this works for you depends also on the backend webapps, for example
if they are capable of running behind a reverse proxy with a different
http schema (HTTP<->HTTPS, servername references in html, internal
redirects...).

Good luck

Eckard
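
The single-host approach described in the message above, written out as a complete virtual host. This is an added example, not part of the original message or of the mod_ssl documentation. It assumes mod_ssl, mod_proxy, mod_proxy_http, mod_rewrite and mod_headers are loaded and that a Listen directive for port 443 already exists; the certificate paths are placeholders, and the host names are the ones used in the message.

```apache
# Added example. Certificate paths are placeholders; host names are taken
# from the message above.
<VirtualHost *:443>
    # One SSL virtual host on the single IP. Its certificate has to list
    # every public name, because the handshake completes before the Host
    # header is read.
    ServerName  www.vhost1.com
    ServerAlias www.vhost2.com

    SSLEngine on
    SSLCertificateFile    /path/to/multi-name-cert.pem
    SSLCertificateKeyFile /path/to/multi-name-key.pem

    # Reverse proxy only: never act as a forward proxy for arbitrary URLs.
    ProxyRequests Off

    # Overwrite any client-supplied value and tell the backends that the
    # original request arrived over HTTPS, so they can build https:// links
    # and redirects.
    RequestHeader set X-Forwarded-Proto "https"

    RewriteEngine On

    # Route by Host header. Patterns are anchored with escaped dots, and
    # each target host is a fixed string, so request data never chooses
    # which backend is contacted.
    RewriteCond %{HTTP_HOST} ^www\.vhost1\.com(:443)?$ [NC]
    RewriteRule ^/(.*)$ http://www.internal.http.vhost1.com/$1 [P,L]

    RewriteCond %{HTTP_HOST} ^www\.vhost2\.com(:443)?$ [NC]
    RewriteRule ^/(.*)$ http://www.internal.http.vhost2.com/$1 [P,L]

    # Any other Host header is refused instead of being proxied.
    RewriteRule ^ - [F]

    # Rewrite Location headers in backend redirects so that clients are not
    # sent to the internal plain-HTTP names.
    ProxyPassReverse / http://www.internal.http.vhost1.com/
    ProxyPassReverse / http://www.internal.http.vhost2.com/
</VirtualHost>
```

Traffic between the proxy and the backends is plain HTTP in this layout, so the internal hosts should be reachable only from the proxy.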

Re: SSL proxy

on 11.07.2008 14:32:46 by Dave Paris

It seems like you might be confusing "shared infrastructure" with
"single ip". As others have said, you need a distinct address for each
SSL-enabled httpd or proxy, although they can reside on the same hardware.

A good example of this is the typical configuration for larger server
farms. You find multiple High Availability load balancers in the DMZ for
both http and https using something like ha/keepalived for linux. These
proxy the incoming request back into private address space. The SSL
proxies terminate the SSL connection and broker the request on behalf of
the user and everything goes to the private address space in plain http.
This allows each of the _real_ webservers to achieve better
performance since the SSL overhead is not present.

While you can use Apache as an SSL-terminating proxy, I find I get
better performance, lower memory utilization and easier configuration
using Pound ( http://www.apsis.ch/pound/ ). Using keepalived, I have
multiple public IP addresses floating between several hosts and pound
binds https to those addresses.

Hope that adds a bit of additional clarity,
Dave

Cuesta Gilles sent forth:
> So what about this ?
> "*MULTIPLE CN (SAN) SERVER CERTIFICATES*
>
> This type of certificate (also called /Subject Alternative Name/ (SAN) )
> enables to secure not only one website but a large number of sites (a
> list of sites) hosted on a shared infrastructure (server with multiple
> names, reverse proxy). Ideal to secure multiple brands of a corporation.
> One certificate per hardware is required."
>
> http://www.tbs-certificats.com/index.html.en
>

wrong e-mail !!!!!!!!!!!!!!!!!!!!!!!

on 14.07.2008 20:10:12 by erika20

stop stop sending me
this bs , i have no idea who are you !!!!
stop !!!!!!!!!!!!!!!
-------------- Original message from Dave Paris : --------------


> It seems like you might be confusing "shared infrastructure" with
> "single ip". As others have said, you need a distinct address for each
> SSL-enabled httpd or proxy, although they can reside on the same hardware.
>
> A good example of this is the typical configuration for larger server
> farms. You find multiple High Availability load balancers in the DMZ for
> both http and https using something like ha/keepalived for linux. These
> proxy the incoming request back into private address space. The SSL
> proxies terminate the SSL connection and broker the request on behalf of
> the user and everything goes to the private address space in plain http.
> This allows each of the _real_ webservers to achieve better
> performance since the SSL overhead is not present.
>
> While you can use Apache as an SSL-terminating proxy, I find I get
> better performance, lower memory utilization and easier configuration
> using Pound ( http://www.apsis.ch/pound/ ). Using keepalived, I have
> multiple public IP addresses floating between several hosts and pound
> binds https to those addresses.
>
> Hope that adds a bit of additional clarity,
> Dave
>
> Cuesta Gilles sent forth:
> > So what about this ?
> > "*MULTIPLE CN (SAN) SERVER CERTIFICATES*
> >
> > This type of certificate (also called /Subject Alternative Name/ (SAN) )
> > enables to secure not only one website but a large number of sites (a
> > list of sites) hosted on a shared infrastructure (server with multiple
> > names, reverse proxy). Ideal to secure multiple brands of a corporation.
> > One certificate per hardware is required."
> >
> > http://www.tbs-certificats.com/index.html.en
> >


Re: wrong e-mail !!!!!!!!!!!!!!!!!!!!!!!

on 14.07.2008 21:13:05 by Shahadat Hossain

you know what, You are a f***en idiot.
if you do not want to receive these emails, just get your name taken off
from the list instead of b-shitting.

send an email to majordomo@modssl.org address (you can also find it at the
bottom of this message) with subject as 'Remove me'.

ok?

On Mon, Jul 14, 2008 at 7:10 PM, wrote:

> stop stop sending me
> this bs , i have no idea who are you !!!!
> stop !!!!!!!!!!!!!!!
>
> -------------- Original message from Dave Paris :
> --------------
>
>
> > It seems like you might be confusing "shared infrastructure" with
> > "single ip". As others have said, you need a distinct address for each
> > SSL-enabled httpd or proxy, although they can reside on the same
> hardware.
> >
> > A good example of this is the typical configuration for larger server
> > farms. You find multiple High Availability load balancers in the DMZ for
> > both http and https using something like ha/keepalived for linux. These
> > proxy the incoming request back into private address space. The SSL
> > proxies terminate the SSL connection and broker the request on behalf of
> > the user and everything goes to the private address space in plain http.
> > This allows each of the _real_ webservers to achieve better
> > performance since the SSL overhead is not present.
> >
> > While you can use Apache as an SSL-terminating proxy, I find I get
> > better performance, lower memory utilization and easier configuration
> > using Pound ( http://www.apsis.ch/pound/ ). Using keepalived, I have
> > multiple public IP addresses floating between several hosts and pound
> > binds https to those addresses.
> >
> > Hope that adds a bit of additional clarity,
> > Dave
> >
> > Cuesta Gilles sent forth:
> > > So what about this ?
> > > "*MULTIPLE CN (SAN) SERVER CERTIFICATES*
> > >
> > > This type of certificate (also called /Subject Alternative Name/ (SAN)
> )
> > > enables to secure not only one website but a large number of sites (a
> > > list of sites) hosted on a shared infrastructure (server with multiple
> > > names, reverse proxy). Ideal to secure multiple brands of a
> corporation.
> > > One certificate per hardware is required."
> > >
> > > http://www.tbs-certificats.com/index.html.en
> > >
> > ____________________________________________________________ __________
> > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > User Support Mailing List modssl-users@modssl.org
> > Automated List Manager majordomo@modssl.org
>
>


Re: wrong e-mail !!!!!!!!!!!!!!!!!!!!!!!

on 14.07.2008 21:24:46 by erika20

THANK'S
-------------- Original message from "Shahadat Hossain": --------------


you know what, You are a f***en idiot.
if you do not want to receive these emails, just get your name taken off
from the list instead of b-shitting.

send an email to majordomo@modssl.org address (you can also find it at the
bottom of this message) with subject as 'Remove me'.

ok?


On Mon, Jul 14, 2008 at 7:10 PM, wrote:

stop stop sending me
this bs , i have no idea who are you !!!!
stop !!!!!!!!!!!!!!!
-------------- Original message from Dave Paris : --------------


> It seems like you might be confusing "shared infrastructure" with
> "single ip". As others have said, you need a distinct address for each
> SSL-enabled httpd or proxy, although they can reside on the same hardware.
>
> A good example of this is the typical configuration for larger server
> farms. You find multiple High Availability load balancers in the DMZ for
> both http and https using something like ha/keepalived for linux. These
> proxy the incoming request back into private address space. The SSL
> proxies terminate the SSL connection and broker the request on behalf of
> the user and everything goes to the private address space in plain http.
> This allows each of the _real_ webservers to achieve better
> performance since the SSL overhead is not present.
>
> While you can use Apache as an SSL-terminating proxy, I find I get
> better performance, lower memory utilization and easier configuration
> using Pound ( http://www.apsis.ch/pound/ ). Using keepalived, I have
> multiple public IP addresses floating between several hosts and pound
> binds https to those addresses.
>
> Hope that adds a bit of additional clarity,
> Dave
>
> Cuesta Gilles sent forth:
> > So what about this ?
> > "*MULTIPLE CN (SAN) SERVER CERTIFICATES*
> >
> > This type of certificate (also called /Subject Alternative Name/ (SAN) )
> > enables to secure not only one website but a large number of sites (a
> > list of sites) hosted on a shared infrastructure (server with multiple
> > names, reverse proxy). Ideal to secure multiple brands of a corporation.
> > One certificate per hardware is required."
> >
> > http://www.tbs-certificats.com/index.html.en
> >


Re: wrong e-mail !!!!!!!!!!!!!!!!!!!!!!!

on 14.07.2008 22:13:22 by buz


One small comment. I have tried for years to get off this mailing list. I have sent my request and it has always been effective, for say a month or so, then I get put back on the mailing list. And it keeps coming. My solution was to add it to my spam filter. It doesn't bother me that way and occasionally I drop in to see what the latest complaint is.

In this case I couldn't agree with the message more. Perhaps the tone is not quite right. Somebody ought to fix mailing-list software so that once you are off you are really gone. It is true that erika20@bellsouth.net ought to ask to be taken off the list; but it won't help much I'm afraid.

BUZ

erika20@bellsouth.net wrote:
> stop stop sending me
> this bs, i have no idea who are you !!!!
> stop !!!!!!!!!!!!!!!
>
> -------------- Original message from Dave Paris: --------------
>
> > It seems like you might be confusing "shared infrastructure" with
> > "single ip". As others have said, you need a distinct address for each
> > SSL-enabled httpd or proxy, although they can reside on the same hardware.
> >
> > A good example of this is the typical configuration for larger server
> > farms. You find multiple High Availability load balancers in the DMZ for
> > both http and https using something like ha/keepalived for linux. These
> > proxy the incoming request back into private address space. The SSL
> > proxies terminate the SSL connection and broker the request on behalf of
> > the user and everything goes to the private address space in plain http.
> > This allows each of the _real_ webservers to achieve better
> > performance since the SSL overhead is not present.
> >
> > While you can use Apache as an SSL-terminating proxy, I find I get
> > better performance, lower memory utilization and easier configuration
> > using Pound ( http://www.apsis.ch/pound/ ). Using keepalived, I have
> > multiple public IP addresses floating between several hosts and pound
> > binds https to those addresses.
> >
> > Hope that adds a bit of additional clarity,
> > Dave
> >
> > Cuesta Gilles sent forth:
> > > So what about this ?
> > > "*MULTIPLE CN (SAN) SERVER CERTIFICATES*
> > >
> > > This type of certificate (also called /Subject Alternative Name/ (SAN) )
> > > enables to secure not only one website but a large number of sites (a
> > > list of sites) hosted on a shared infrastructure (server with multiple
> > > names, reverse proxy). Ideal to secure multiple brands of a corporation.
> > > One certificate per hardware is required."
> > >
> > > http://www.tbs-certificats.com/index.html.en

