[lug] IP aliasing, https and iptables
bluey at iguanaworks.net
Tue Jun 17 16:05:18 MDT 2008
I'm pretty sure SSL supports vhosts just like regular HTTP.
By the way, Firefox 3 now puts up a lot of warning signs when
connecting to an https site with a self-signed certificate. It takes a
few clicks to tell it to ignore the self-signed certificate, and will
probably freak out the non-techies. If you are like me and didn't want
to pay for an SSL certificate, you made a self-signed certificate a long
time ago and forgot about it. Now StartSSL (www.startssl.com) offers
free Class 1 digital signing of your certificate. I found it easy to
set up and worth it to avoid the warning messages.
karl horlen wrote:
> I'm getting ready to add some SSL support to a website that lives on my Apache server, which runs multiple vhosted sites. It's likely I might want to add SSL capability to more vhosts in the future.
> My understanding is that SSL requires IP-based versus name-based vhosts. Since I only have one public NIC on my server, my thought was to use IP aliasing to bind multiple public IP addresses to the single NIC.
> Is this the way SSL is implemented on servers with multiple vhosts, or is there some other technique?
> My current iptables rules are based on the single IP address presently bound to the NIC. If I bind more IP addresses to the same NIC, is iptables granular enough to allow for different rulesets on the IP aliases? Can I specify "global" rules that apply to the entire interface and work backward, applying more specific rules to each of the aliases? This looks like it could get quite complicated the more SSL vhosts you have that require IP aliases.
> Does anybody have an idea of how much overhead, if any, multiple IPs on a single NIC create, especially if iptables is running against all those IPs, assuming it's even possible? I know the best answer is "it all depends", but I'm just trying to get some general advice here from someone that has been down this road.
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
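The setup karl asks about, written out as an added example that is not part of either post: one alias address bound to the NIC, an interface-wide iptables rule set (matched with -i only) alongside per-alias rules (matched with -i plus -d on the alias address, so each address can open different ports in the same chain, with rule order still deciding precedence), and the IP-based Apache SSL <VirtualHost> that goes with each alias, which works whether or not client and server support SNI. The interface name eth0, the RFC 5737 documentation addresses 192.0.2.10 and 192.0.2.11, the hostname example.org and the certificate paths are all assumptions to be replaced with your own values.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the public NIC is eth0
# and uses the RFC 5737 documentation range 192.0.2.0/24 for the primary
# address (.10) and one alias (.11); substitute your own addresses.
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 executes them as root.

IFACE="${IFACE:-eth0}"
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Bind an extra address to the NIC (the "IP aliasing" step).
add_alias() {
    run ip addr add "$1/24" dev "$IFACE"
}

# Interface-wide rules: matched with -i only, so they cover every address.
global_rules() {
    run iptables -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$IFACE" -p tcp --dport 22 -j ACCEPT
}

# Per-address rules: -d restricts the match to one alias, so each alias can
# open a different set of ports.
alias_rules() {
    ip="$1"; shift
    for port in "$@"; do
        run iptables -A INPUT -i "$IFACE" -d "$ip" -p tcp --dport "$port" -j ACCEPT
    done
}

# Apache needs its own Listen and an IP-based <VirtualHost> per alias; the
# certificate paths and document root are placeholders.
vhost_conf() {
    ip="$1"; name="$2"
    cat <<EOF
Listen $ip:443
<VirtualHost $ip:443>
    ServerName $name
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/$name.pem
    SSLCertificateKeyFile /etc/ssl/private/$name.key
    DocumentRoot /var/www/$name
</VirtualHost>
EOF
}

# Global rules first, then the more specific per-alias rules, then the
# catch-all drop for the interface.
apply_all() {
    add_alias 192.0.2.11
    global_rules
    alias_rules 192.0.2.10 80 443
    alias_rules 192.0.2.11 443
    run iptables -A INPUT -i "$IFACE" -j DROP
}

case "${1:-}" in
    apply)  apply_all ;;
    vhost)  vhost_conf 192.0.2.11 example.org ;;
esac
```

`sh vhosts.sh apply` prints the ip and iptables commands it would run; `DRY_RUN=0 sh vhosts.sh apply` as root applies them, and `sh vhosts.sh vhost` prints the Apache stanza for the alias. Each additional SSL vhost is one more add_alias, one more alias_rules line and one more vhost_conf stanza; the interface-wide rules do not need to change.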