IBM HTTP Server as Reverse Proxy with SSL question - Websphere


Thread: IBM HTTP Server as Reverse Proxy with SSL question

  1. IBM HTTP Server as Reverse Proxy with SSL question

    I'm aware of the whole issue regarding Name Based virtual hosting and SSL (IHS can't read the hostname from the HTTP header to direct it to the proper host because the header is encrypted).

    I basically want to know if what I'm trying to do is possible, because I thought the above scenario was an issue with only multiple VHosts.

    We've got three applications:

    App A:80 (Non-SSL)
    App B:80 (Non-SSL)
    App S:443 (SSL)

    Is it possible to use name based virtual hosting in this scenario? We want to be able to use port 80 for App A & App B, but we want proxy to hit App S when something comes in on Port 443. It seems that as soon as Name Based vhosting comes on, it ignores ports completely, looks for a host, gets confused and drops it off at the highest priority vhost.

    Is it possible to terminate SSL *on this server* before it makes any decisions about which vhost will serve the request?

    Thanks.

  2. Re: IBM HTTP Server as Reverse Proxy with SSL question

    arnell.santos@hotmail.com wrote:
    > I'm aware of the whole issue regarding Name Based virtual hosting and SSL (IHS can't read the hostname from the HTTP header to direct it to the proper host because the header is encrypted).
    >


    The opposite is the case. IHS has to decide which encryption settings
    to negotiate before the client uses those settings to encrypt the Host:
    header.

    > I basically want to know if what I'm trying to do is possible, because I thought the above scenario was an issue with only multiple VHosts.
    >
    > We've got three applications:
    >
    > App A:80 (Non-SSL)
    > App B:80 (Non-SSL)
    > App S:443 (SSL)
    >
    > Is it possible to use name based virtual hosting in this scenario? We want to be able to use port 80 for App A & App B, but we want proxy to hit App S when something comes in on Port 443. It seems that as soon as Name Based vhosting comes on, it ignores ports completely, looks for a host, gets confused and drops it off at the highest priority vhost.


    Apache first chooses the "best" match considering only the
    local interface and port. If there's a NameVirtualHost with identical
    arguments, it further looks at ServerNames and ServerAliases of all
    identically named vhosts.

    Your example is unclear about where the proxy is in this configuration,
    but I can't imagine what wouldn't be possible. It's also unclear if
    "App X" is an interface or something like a context root.

    Check for warnings in apachectl -S and make sure your VirtualHost
    directives all specify a port and any NameVirtualHost directives match
    exactly the corresponding VirtualHost directives.

    >
    > Is it possible to terminate SSL *on this server* before it makes any decisions about which vhost will serve the request?


    The SSL configuration to be used depends on the selection of the ip/port
    based vhost. In IHS, if you try to configure SSL on anything other than
    the default vhost in a NameVirtualHost the SSL settings just become dead
    configuration, but the vhost itself will still be used for any non-SSL
    configuration [i.e. it gets selected, but this happens after the SSL
    handshake has completed].

    Net, you're fine if you don't need two sets of SSL configuration on one
    ip:port combination.


    --
    Eric Covener
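
A configuration sketch of the layout discussed in this thread, added as an example and not taken from either post: two name-based vhosts share port 80, and a single vhost on port 443 carries the only SSL configuration for that ip:port, so SSL is terminated on the IHS server before the request is proxied. The hostnames, backend addresses and key database path are assumptions; the directives are those of an Apache 2.2-based IHS with mod_ibm_ssl.

```apache
# Added example. Hostnames, backend addresses and the key database
# path are placeholders, not values from the thread.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

Listen 80
Listen 443

# Reverse proxy only: never act as an open forward proxy.
ProxyRequests Off

# SSL is off everywhere unless a vhost enables it explicitly.
SSLDisable

# Name-based selection applies to *:80 only. The argument must match
# the <VirtualHost> arguments below exactly, port included.
NameVirtualHost *:80

# First vhost listed for *:80 is the default when no ServerName matches.
<VirtualHost *:80>
    ServerName appa.example.com
    ProxyPass        / http://10.0.0.11:9080/
    ProxyPassReverse / http://10.0.0.11:9080/
</VirtualHost>

<VirtualHost *:80>
    ServerName appb.example.com
    ProxyPass        / http://10.0.0.12:9080/
    ProxyPassReverse / http://10.0.0.12:9080/
</VirtualHost>

# Exactly one vhost on *:443 and no NameVirtualHost for it, so there is
# a single SSL configuration per ip:port and none of it is dead config.
# The handshake completes here; the backend hop is plain HTTP.
<VirtualHost *:443>
    ServerName apps.example.com
    SSLEnable
    KeyFile /opt/IBM/HTTPServer/conf/key.kdb
    ProxyPass        / http://10.0.0.13:9080/
    ProxyPassReverse / http://10.0.0.13:9080/
</VirtualHost>
```

Running `apachectl -S` against this layout should list two name-based vhosts under `*:80` and one vhost under `*:443`, with no overlap warnings.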
