In message on 09/18/09(09:21:45)
you David Wang wrote:
|Actually our delegate host is our portal, acting as the proxy from https to
|http. Most customers access it via our domain with permmitted source IP
|address list, such as https://portal.abc.com/ with our ssl certificate. It's
|been working fine so far. But now some customers would like to access it via
|their own domain, such as https://portal.xyz.com/ with their own ssl
|certificate. we can ask them to add a DNS A record to resolve the domain to
|our delegate host IP address, but how can delegate achieve the multiple ssl
|certificates from multiple domains on the same IP address and port? Apache
|has official support for SNI since 2.2.12 and the details how to implement.
|We have all delegate settings with a config file named delegate_https.cfg,
|and running delegate with this CLI:
|$DELEGATED -P443 SERVER=https RESOLV="file:/etc/hosts-dg,dns,sys"
|CERTDIR=/var/spool/delegate-nobody/etc/certs, STLS=mitm those settings
|is followed from your notes CLUSTER and TLS ext. SNI
|Also can I have another question? that permitted source IP address list
|seems not working while accessing our portal via those external domains,
|such as https://portal.xyz.com/.
Again I must ask why you use MITM for your usage (that I'm not sure yet).
STLS=mitm only makes sense in a client-side visible HTTP proxy (referred
by clients as a SSLtnuuel with the CONNECT method).
In a HTTPS gateway (a proxy at the server-side, or "reverse proxy" that
is accessed as if it is an origin server), it must be STLS=fcl in a gateway
for HTTPS client to HTTP server, or STLS=fcl,fsv in HTTPS to HTTPS gateway.
Also you should be sure that SNI must be supported on the client-side
(usually in browsers) to enable and available the feature at the server-side.
9 9 Yutaka Sato http://delegate.org/y.sato/
( ~ ) National Institute of Advanced Industrial Science and Technology
_< >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller