Many services on the same port (VirtualHost)
Hello all! Does anyone knows a way to make many services listening on the same port? I've got one stunnel4 server which allows me to crypt two http servers. The first service bind on port 465 and the second on 470. What I will is to let user access on the port 465 using 2 different ServerNames. Thank you in anticipation, and excuse me for my quite bad english =D
On Sat, 30 Oct 2010, Hugo wrote:
Does anyone knows a way to make many services listening on the same port? I've got one stunnel4 server which allows me to crypt two http servers. The first service bind on port 465 and the second on 470. What I will is to let user access on the port 465 using 2 different ServerNames. I am not sure what you are trying to do. You want clients to connect via https to ports 465 on two different IPs and then stunnel to forward them to the appropriate http daemon? I am not sure if stunnel works in that method - that is the reverse of what I use stunnel for - I connect via an unencrypted connection, and forward via stunnel to an encrypted daemon. And if you are talking about virtually hosting https connections, that will work, as long as the certificate contains both servernames - you can't use two different certificates, because you don't know which certificate to serve until after the connection is encrypted.
-- Jon Daley http://jon.limedaley.com ~~ "I think that too much media in the hands of one powerful entity or one individual is a mistake. I think it runs counter to the foundation of our country. I think it runs counter to the need for Americans to know that they are getting news and information from multiple sources that are not singularly controlled." -- John Kerry, June 2004
Hi Hugo, On Sat, Oct 30, 2010 at 05:12:19PM +0200, Hugo wrote:
Does anyone knows a way to make many services listening on the same port? I've got one stunnel4 server which allows me to crypt two http servers. The first service bind on port 465 and the second on 470. What I will is to let user access on the port 465 using 2 different ServerNames.
You have to use Server Name Indication, which is basically a "Host:" equivalent header at the TLS level. However, AFAIK, stunnel doesn't support this. Regards, -- Jeremie Le Hen Humans are born free and equal. But some are more equal than others. Coluche
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jeremie Le Hen wrote:
You have to use Server Name Indication, which is basically a "Host:" equivalent header at the TLS level.
However, AFAIK, stunnel doesn't support this.
Support for Server Name Indication is already on my TODO list: http://stunnel.mirt.net/?page=todo_sdf Implementation should be possible with SSL_CTX_set_tlsext_servername_callback() function introduced by recent versions of OpenSSL. I found some patches for mod_ssl to support SNI extension. stunnel.conf changes would probably introduce a new service endpoint option called "serverName" or "SNI". These sections would not be available directly (with an "accept" endpoint option), but instead switched to when SNI TLS extension is received. Anyone willing to sponsor this feature? Best regards, Mike -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (Darwin) iEYEARECAAYFAkzO9sAACgkQ/NU+nXTHMtEkywCg6LeBp7wwkQagOmRacLYM+mcP 2M0An0FqWBTu+70aIqJ0cwyZncgVzHNj =NXgB -----END PGP SIGNATURE-----
participants (4)
-
Hugo -
Jeremie Le Hen -
Jon Daley -
Michal Trojnara