Hello all

Sorry for asking, maybe the answer is somewhere, but I didn't find it...

I'm trying to have multiple vhosts, with some running ssl.
If I understand well I must run different lighttpd processes with different configurations. Okay.

Now what I don't understand is:

1 - How do I defaultly make web browser fall to an https:// and not http:// url? url.redirect maybe?
2 - How to make only certain pages under ssl while most of the site not?

If someone could clarify this to me, or point me to good readings, thanks in advance.

Tuxbubling
on 14.02.2006 23:45
on 15.02.2006 18:14
Tuxbubling wrote:
>
> I'm trying to have multiple vhosts, with some running ssl.
> If I understand well I must run different lighttpd processes with
> different configurations. Okay.

No, you can have lighty listen on different IP addresses/ports within the same config file, like:

$SERVER["socket"] == "<IP1>:80" {
  # more settings here
}

$SERVER["socket"] == "<IP1>:443" {
  # more ssl stuff and other settings here
}

$SERVER["socket"] == "<IP2>:443" {
  # more ssl stuff and other settings here
}

> Now what I don't understand is:
>
> 1 - How do I defaultly make web browser fall to an https:// and not
> http:// url?
> url.redirect maybe?

Yes.

> 2 - How to make only certain pages under ssl while most of the site not?

This is off-topic, try googling for this...
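The url.redirect approach confirmed above, written out as an added example (not configuration from any poster in this thread); the hostnames, the /login and /account paths and the pemfile path are placeholders. It covers both questions: one vhost forced to HTTPS as a whole, and another where only selected pages are sent there.

```lighttpd
# Added example; hostnames, paths and the pemfile location are placeholders.
server.modules += ( "mod_redirect" )

# Plain-HTTP listener
$SERVER["socket"] == ":80" {
    # Question 1: send every request for this vhost to HTTPS.
    # %1 is the capture from the host match, $1 the capture from the URL rule.
    $HTTP["host"] =~ "^(secure\.example\.com)$" {
        url.redirect = ( "^/(.*)" => "https://%1/$1" )
    }

    # Question 2: only the listed paths go to HTTPS, the rest stays on HTTP.
    $HTTP["host"] =~ "^(www\.example\.com)$" {
        url.redirect = ( "^/(login|account)(/.*)?$" => "https://%1/$1$2" )
    }
}

# HTTPS listener that the redirects point at
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/example.pem"   # placeholder path
}
```

The first request still arrives over plain HTTP before the redirect answers it, so links and form actions for the protected pages should point at https:// directly.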
on 15.02.2006 18:50
Marc wrote:
> Tuxbubling wrote:
>>
>> I'm trying to have multiple vhosts, with some running ssl.
>> If I understand well I must run different lighttpd processes with
>> different configurations. Okay.
>
> No, you can have lighty listen on different IP addresses/ports within the
> same config file, like:
>
> $SERVER["socket"] == "<IP1>:80" {
>   # more settings here
> }
>
> $SERVER["socket"] == "<IP1>:443" {
>   # more ssl stuff and other settings here
> }
>
> $SERVER["socket"] == "<IP2>:443" {
>   # more ssl stuff and other settings here
> }

The problem is that all my vhosts (at least 4) are pointing to the same IP...

>> Now what I don't understand is:
>>
>> 1 - How do I defaultly make web browser fall to an https:// and not
>> http:// url?
>> url.redirect maybe?
>
> Yes.
>
>> 2 - How to make only certain pages under ssl while most of the site not?
>
> This is off-topic, try googling for this...

Not really off topic, but I think I've found a solution ;)

Thanks for the answer
on 15.02.2006 21:02
Guest wrote:
> The problem is that all my vhosts (at least 4) are pointing to the same
> IP...

If you want every vhost with a separate SSL certificate, you need one IP per vhost, and this is not lighty specific but SSL itself.

---
Albatros Vep Taloha
http://blog.host8.biz
on 18.02.2006 01:12
> if you want every vhost with separate SSL certificate,
> you need one IP per vhost, and this is not lighty
> specific but SSL itself

Almost!

It is part of the current HTTP protocol (version 1.1 is the latest as of writing) that you can only have one SSL connection per IP address and port, rather than inherently part of SSL. This means that if you want to have multiple virtual hosts running SSL, then they need to be using different IP addresses, different ports, or both.

Options:

Having different ports
----------------------

Any browser should be able to access any IP port, so you could have a website that used https and a port different to 443, but you would need to specify it in the URL (e.g. https://example.com:450/rest/of/url). Normally you wouldn't want to do this, since it will be unfamiliar to many people, doesn't look good on the screen and might result in errors if typed in incorrectly.

Having different IP addresses
-----------------------------

1) You could have a different public IP address for each virtual host. If you are using someone else to host your site, then it would be worth checking how many IP addresses the host offers. There are some web hosts that offer 'unlimited IP addresses' or offer up to a large number. If you are hosting the site yourself, then you'll probably need to purchase the IP addresses from someone who sells them separately.

2) You could use a separate router/load-balancer to send the requests for different hosts to different IP addresses (but it would need to understand domains and not just IP addresses). Each IP address would be on the same computer, but the computer would register multiple IP addresses with its local network. This is fine if you have access to a load-balancer or router, though it depends on your situation as to whether you do or not. You could of course just use a separate computer as a load-balancer, if you have one.
3) You could implement a software load balancer on the host machine, using internal loopbacks (i.e. addresses starting with 127), with a different virtual host for each. You would have the load-balancer listen on a single public IP address and on port 443, and when a new SSL connection was needed, it would redirect the request to an internal IP address based on the destination address (so would again need to be able to read the destination address header of the HTTP request). If you're using a Linux kernel which is version 2.6 or above, then there is a load-balancer incorporated into the kernel (see http://www.linuxvirtualserver.org/ for details). I'm not sure about the BSD distros, since I'm not so familiar with them. You should be able to do internal load-balancing with this.

Options 2 + 3 would be much more of an effort than just having a web server, and would probably require writing some scripts to automatically update load-balancing information if you wanted to automate the process (rather than adding the info statically for each new virtual host), but it may be a solution for you.

4) There are probably other ways too, but I figure that's enough info for now.

--------------

There's really no reason why the virtual host addressing couldn't be used as part of HTTPS. The destination address (i.e. the URL) is still sent on requests, so the additional security that would exist by encrypting the address as well doesn't exist. Perhaps the protocol will be changed in the future.

Good luck with what you're doing.
on 24.02.2006 17:36
Marcus wrote:
>
> It is part of the current HTTP protocol (version 1.1 is the latest as of
> writing) that you can only have one SSL connection per IP address and
> port, rather than inherently part of SSL. This means that if you want
> to have multiple virtual hosts running SSL, then they need to be using
> different IP addresses, different ports, or both.
>

Some certificate issuers offer "multi domain" certificates (which is different from wildcard certs). Different domains share the same certificate, so they can run under the same IP and port. It is an extension to the standard SSL protocol, so I don't know whether lighttpd supports this feature.
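A sketch of the shared-certificate setup described above, as an added example rather than configuration from the thread; the address, hostnames and file paths are placeholders. It assumes the certificate lists every hostname below in its subjectAltName; the server only presents the file it is given, and the name check is done by the client.

```lighttpd
# Added example; the address, hostnames and file paths are placeholders.
# One listener and one certificate shared by all name-based vhosts.
$SERVER["socket"] == "192.0.2.10:443" {
    ssl.engine  = "enable"
    # Private key plus the multi-domain certificate (assumed to cover
    # www.example.com and www.example.org in its subjectAltName).
    ssl.pemfile = "/etc/lighttpd/certs/multi-domain.pem"
    ssl.ca-file = "/etc/lighttpd/certs/intermediate.crt"
}

# The Host header is only readable after the TLS handshake has finished,
# so these conditionals choose content, not the certificate.
$HTTP["host"] == "www.example.com" {
    server.document-root = "/srv/www/example.com"
}

$HTTP["host"] == "www.example.org" {
    server.document-root = "/srv/www/example.org"
}

# A hostname missing from the certificate is still served from this
# socket, but the client will report a name mismatch for it.
```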
on 24.02.2006 23:14
> Some certificate issuers offer "multi domain" certificates (which is
> different from wildcard certs). Different domains share the same
> certificate, so they can run under the same IP and port. It is an
> extension to the standard SSL protocol, so I don't know whether lighttpd
> supports this feature.

Interesting, I'll look into that.
on 30.04.2008 08:37
Marc wrote:
> Tuxbubling wrote:
>>
>> I'm trying to have multiple vhosts, with some running ssl.
>> If I understand well I must run different lighttpd processes with
>> different configurations. Okay.
>
> No, you can have lighty listen on different IP addresses/ports within the
> same config file, like:
>
> $SERVER["socket"] == "<IP1>:80" {
>   # more settings here
> }
>
> $SERVER["socket"] == "<IP1>:443" {
>   # more ssl stuff and other settings here
> }
>
> $SERVER["socket"] == "<IP2>:443" {
>   # more ssl stuff and other settings here
> }
>
>> Now what I don't understand is:
>>
>> 1 - How do I defaultly make web browser fall to an https:// and not
>> http:// url?
>> url.redirect maybe?
>
> Yes.
>
>> 2 - How to make only certain pages under ssl while most of the site not?
>
> This is off-topic, try googling for this...

I have name based virtual hosting working fine, but need to switch to ip based to support multiple ssl. I have lighttpd running on a single machine with a main ip and one virtual ip. How should I route the requests to the right ip to begin with? I run varnish in front of lighttpd and have tried using it to route to the right ip, but I only ever get back the same cert from lighttpd. If I put in a $HTTP["host"] check for the domain name, then I get nothing at all. Anyone have any pointers on this?

$SERVER["socket"] == "10.0.0.1:443" {
  ssl.engine = "enable"
  ssl.pemfile = var.confdir + "/www.woohoo.com.ext.pem"
  ssl.ca-file = var.confdir + "/gd_intermediate.crt"
  server.name = var.confdir + "/www.woohoo.com"
}

$SERVER["socket"] == "10.0.0.2:443" {
  ssl.engine = "enable"
  ssl.pemfile = var.confdir + "/www.woohoo2.com.ext.pem"
  ssl.ca-file = var.confdir + "/gd_intermediate.crt"
  server.name = var.confdir + "/www.woohoo2.com"
}

