Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: how to implement SNI on https? detailed instruction please.
19 Sep 2009 09:12:21 GMT (Yutaka Sato)
The DeleGate Project


In message <_A4568@delegate-en.ML_> on 09/18/09(09:21:45)
you David Wang <> wrote:
 |Actually our delegate host is our portal, acting as the proxy from https to
 |http. Most customers access it via our domain with a permitted source IP
 |address list, such as with our ssl certificate. It's
 |been working fine so far. But now some customers would like to access it via
 |their own domain, such as with their own ssl
 |certificate. We can ask them to add a DNS A record to resolve the domain to
 |our delegate host IP address, but how can delegate achieve the multiple ssl
 |certificates from multiple domains on the same IP address and port?  Apache
 |has official support for SNI since 2.2.12 and the details how to implement.
 |We have all delegate settings with a config file named delegate_https.cfg,
 |and running delegate with this CLI:
 |$DELEGATED -P443 SERVER=https RESOLV="file:/etc/hosts-dg,dns,sys"
 |RES_VRFY="" +=/var/spool/delegate-nobody/etc/delegate_https.cfg
 |CERTDIR=/var/spool/delegate-nobody/etc/certs, STLS=mitm. Those settings
 |are followed from your notes CLUSTER and TLS ext. SNI.
 |Also can I have another question? That permitted source IP address list
 |seems not to be working while accessing our portal via those external domains,
 |such as

Again I must ask why you use MITM for your usage (that I'm not sure yet).
STLS=mitm only makes sense in a client-side visible HTTP proxy (referred
to by clients as an SSL tunnel with the CONNECT method).

In an HTTPS gateway (a proxy at the server-side, or "reverse proxy" that
is accessed as if it is an origin server), it must be STLS=fcl in a gateway
for HTTPS client to HTTP server, or STLS=fcl,fsv in HTTPS to HTTPS gateway.

Also you should be sure that SNI is supported on the client side
(usually in browsers) to enable the feature and make it available at the server side.

  9 9   Yutaka Sato <>
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller
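To verify a gateway that serves several customer certificates on one IP and port, the following added example (not DeleGate's code, and not part of this thread) opens a TLS handshake with each domain in the SNI extension and checks that the presented certificate covers that name; a probe with no SNI shows which certificate a client without SNI support would receive. The gateway address, port and domain list are placeholders to be filled in.

```python
"""Probe which certificate a TLS gateway presents for each SNI name (added example)."""
import socket
import ssl


def san_dns_names(cert):
    """DNS names from a getpeercert()-style dict: SAN entries, else the subject CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_covered(cert, hostname):
    """True if hostname matches a cert name; '*.' matches exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names(cert):
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def probe(gateway_ip, port, sni_name):
    """Handshake with the given SNI name (None = no SNI) and return the parsed peer cert.

    The chain is still verified against the system CA store; only the hostname check
    is switched off so that a wrong-but-valid certificate is returned instead of
    raising, and can then be compared against the name we asked for.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # verify_mode stays CERT_REQUIRED
    with socket.create_connection((gateway_ip, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    GATEWAY, PORT = "192.0.2.10", 443                        # placeholders
    for domain in ["portal.example.com", "www.customer.example"]:   # placeholders
        cert = probe(GATEWAY, PORT, domain)
        print(domain, "OK" if name_covered(cert, domain) else "WRONG CERT", san_dns_names(cert))
    print("no SNI ->", san_dns_names(probe(GATEWAY, PORT, None)))
```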
