Article delegate-en/4568 of [1-5169] on the server localhost:119
[Reference:<_A4562@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: how to implement SNI on https? detailed instruction please.
18 Sep 2009 00:23:49 GMT David Wang <p2eiqbdyi-e6yerocu2xtr.ml@ml.delegate.org>


Hi Yutaka,

Thanks for your prompt response.
Actually our delegate host is our portal, acting as the proxy from https to
http. Most customers access it via our domain with permitted source IP
address list, such as https://portal.abc.com/ with our ssl certificate. It's
been working fine so far. But now some customers would like to access it via
their own domain, such as https://portal.xyz.com/ with their own ssl
certificate. We can ask them to add a DNS A record to resolve the domain to
our delegate host IP address, but how can delegate achieve the multiple ssl
certificates from multiple domains on the same IP address and port?  Apache
has official support for SNI since 2.2.12 and the details how to implement.
We have all delegate settings with a config file named delegate_https.cfg,
and running delegate with this CLI:
$DELEGATED -P443 SERVER=https RESOLV="file:/etc/hosts-dg,dns,sys"
RES_VRFY="" +=/var/spool/delegate-nobody/etc/delegate_https.cfg
CERTDIR=/var/spool/delegate-nobody/etc/certs, STLS=mitm those settings
are followed from your notes CLUSTER and TLS ext. SNI
http://www.delegate.org/mail-lists/delegate-en/03889.
Also, can I have another question? That permitted source IP address list
seems not to be working while accessing our portal via those external domains,
such as https://portal.xyz.com/.

Thanks again for your help.

Kind Regards,
David

2009/9/17 Yutaka Sato <feedback@delegate.org>

> Hi,
>
> In message <_A4561@delegate-en.ML_>
> on 09/16/09(13:33:55)
> you David Wang <p2eiqbdyi-e6yerocu2xtr.ml@ml.delegate.org> wrote:
>  |We've compiled the 9.9.3 from the source already, now would like to
>  |implement different https url with associated ssl certificate bundled with
>  |the same IP address. I downloaded the ssl lib from
>  |ftp://ftp.delegate.org/pub/DeleGate/bin/linux/sslway/dglibssl.so.gz,
>  |uncompress it and replace /lib/libssl.so.0.9.7a, then re-compile from the
>  |source via run ~delegate9.93/make, then change the config file followed your
>  |release note http://www.delegate.org/mail-lists/delegate-en/03889, it's:
>
> I think the following documents should be helpful to see how to use
> SSL gatewaying by DeleGate.
> <URL:http://www.delegate.org/delegate/HowToDG.html#sslgateway>
> <URL:http://www.delegate.org/delegate/tls/>
> <URL:http://www.delegate.org/delegate/nvproxy/>
> <URL:http://www.delegate.org/mail-lists/delegate-en/4545>
>
>  |DGPATH=/var/spool/delegate-nobody/etc:+
>
> I'm not sure why you need the above.
>
>  |CERTDIR=/var/spool/delegate-nobody/etc/certs
>
> I'm not sure why you need the above.
>
>  |STLS=mitm
>  |REMITTABLE=https
>
> I'm not sure what the above parameters intend and I'm not sure
> your DeleGate is to work as an origin or a proxy server.
> If your DeleGate is an origin HTTPS server as a gateway to HTTP servers,
> it should be as follows instead:
>
>  STLS=fcl
>  SERVER=https
>
>  |MOUNT=/ http://xx.xx.xx.xx:8080/index.html host=-name1.domain.com
>  |MOUNT=/* http://xx.xx.xx.xx:8080/* host=-name1.domain.com
>  |MOUNT=/ http://xx.xx.xx.xx:8080/index.html host=-name2.domain.com
>  |MOUNT=/* http://xx.xx.xx.xx:8080/* host=-name2.domain.com
>
> I can't understand what the above MOUNTs mean.
>
>  |And ~/etc/certs contains the key and CSR for both domains:
>  |
>  |name1.domain.com-key.pem
>  |sn.name1.domain.com.pem
>  |name2.domain.com-key.pem
>  |sn.name2.domain.com.pem
>  |
>  |but both not working. Could you tell me the detailed instruction how to
>  |implement the SNI with delegated installed from source?
>
> Cheers,
> Yutaka
> --
>  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
>  ( ~ )  National Institute of Advanced Industrial Science and Technology
> _<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
> Do the more with the less -- B. Fuller
>

