Hi. Thank you for that damned fast answer - wow!
On Thu, Nov 21, 2002 at 10:22:12AM +1100, Robert Collins wrote:
> On Thu, 2002-11-21 at 10:56, nils toedtmann wrote:
[...]
> > squid
>
> (or any SSL web server)
(Of course. I didn't want to make squid responsible for this
SSL/TLS property ;-)
> > has to use _different_ certs on _different_ ip addresses!
> > The "httpd_accel_uses_host_header" does not really help because
> > squid has to hand out the cert to the client depending on the
> > dest ip of the request, and before squid has even seen the "host:"
> > header!
> >
> > So I need multiple "https_port/httpd_accel_host/httpd_accel_port"
> > triples. Can I do this in _one_ squid.conf?
>
> Yes. You associate the cert with the port. That should do it for anyone
> using a web browser. If someone plays games with your server, then the
> worst thing that would happen is they get the content from the wrong
> port - but that will not happen to your users.
That's fine, I'll check that out.
Regards, /nils.
PS: I still would prefer to bind a "http[s]_port" to a
"httpd_accel_[host|port]" to get rid of
"httpd_accel_uses_host_header" and to gain more control over
the possible connections (i.e. a firewall in front of squid could
be involved in IP-based access control). Maybe as a future
feature?
-- nils toedtmann, technical department, marcant internet-services gmbh <http://www.marcant.net>

Received on Thu Nov 21 2002 - 09:49:09 MST
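
The answer quoted above (associate each certificate with its own listening port), sketched as a squid.conf fragment using the directives named in the thread. This is an added example, not configuration from either poster: the addresses (documentation range) and file paths are placeholders, and the `cert=`/`key=` option form of `https_port` is assumed from Squid 2.5 built with SSL support.

```conf
# Constructed example: addresses and file paths are placeholders.
# One https_port per IP address, each with its own certificate. Squid
# selects the certificate by the address the client connected to, because
# the TLS handshake completes before any request (and so any Host: header)
# has been received.
https_port 192.0.2.10:443 cert=/etc/squid/ssl/site-a.pem key=/etc/squid/ssl/site-a.key
https_port 192.0.2.11:443 cert=/etc/squid/ssl/site-b.pem key=/etc/squid/ssl/site-b.key

# The accelerator settings are global, not bound to a port: the backend is
# still chosen from the Host: header once the handshake has finished. This
# is why a request can be answered with content that does not match the
# port's certificate, and why the PS above asks for a per-port binding.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_uses_host_header on
```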