#1  
Old 9th March 2007, 00:59
LeoLinux
SSL problem

Hi,

I want to use more than one website in combination with SSL certs ....

It perfectly works for one site ... but not for a second one ... it says that it's not possible for this IP anymore ... ?

I've just read some threads like this in the howtoforge forum:

Quote:
Do you use a dedicated IP for the site you want SSL on? You can not have multiple sites with SSL on one IP. One SSL cert == one IP

what exactly does that mean?

just for understanding... :

My ISPconfig server's internal IP: 192.168.1.100 (the server is behind a NAT with a public T-Com IP)

when I create a new web I have an option to choose an IP address for the web.... but it only gives me one example (192.168.1.100). Do I have to create a virtual IP for each additional SSL cert I want to use? Or do I really have to dedicate a new public IP address?!

I just don't really understand why it's only possible to run one cert under one IP because in reality there is already more than one cert running ... for example my first one: https://server1:81 for the ISPconfig web interface and the second one in a customer's web ...

So it would be nice if somebody could help and describe to me a little how SSL works and how I might solve this problem ;-)


Thanks a lot ... and btw. ... especially to Falko and Till!!!! ;-)

Leander
  #2  
Old 9th March 2007, 08:53
martinfst

Behind NAT, you're not able to have multiple certificates, because you can forward port 80 only to one IP address. You will need to have multiple (externally accessible) IP addresses. That's a restriction of SSL. Nothing can be done about that. It ensures a server with a certificate is the server it says it is.

You have two certs now, because you use two different ports (and two different Apache webservers). But the default webserver port is port 80 and you only have one of that. Port 81 is special, because of the dedicated webserver that comes with ISPConfig.

If you search the Internet, you will find some obscure possibilities to use one IP and multiple certs, but these all require a special setup and in general break the purpose of SSL.
The Following User Says Thank You to martinfst For This Useful Post:
LeoLinux (15th April 2007)
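
An added example, not part of the original posts: a small Python check for the situation described above, where several SSL-enabled Apache virtual hosts end up on the same IP address and port, while a second port on the same IP (such as port 81) is not flagged. The config text, the addresses (documentation range 203.0.113.0/24), hostnames and certificate paths are constructed for illustration, and the parser assumes one address per `<VirtualHost>` block.

```python
import re
from collections import defaultdict

# Constructed sample config (not from the thread): addresses are from the
# documentation range 203.0.113.0/24, hostnames and paths are placeholders.
SAMPLE_CONF = """
<VirtualHost 203.0.113.1:81>
    ServerName panel.example.test
    SSLEngine on
    SSLCertificateFile /etc/ssl/panel.crt
</VirtualHost>
<VirtualHost 203.0.113.1:443>
    ServerName shop.example.test
    SSLEngine on
    SSLCertificateFile /etc/ssl/shop.crt
</VirtualHost>
<VirtualHost 203.0.113.1:443>
    ServerName mail.example.test
    SSLEngine On
    SSLCertificateFile /etc/ssl/mail.crt
</VirtualHost>
<VirtualHost 203.0.113.2:443>
    ServerName blog.example.test
    SSLEngine on
    SSLCertificateFile /etc/ssl/blog.crt
</VirtualHost>
<VirtualHost 203.0.113.1:80>
    ServerName shop.example.test
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Return the first value of an Apache directive inside a vhost body, or None."""
    m = re.search(rf"^\s*{name}\s+(\S+)", body, re.M | re.I)
    return m.group(1) if m else None

def ssl_conflicts(conf_text):
    """Map each ip:port that carries more than one SSL-enabled vhost to its ServerNames."""
    by_addr = defaultdict(list)
    for addr, body in VHOST_RE.findall(conf_text):
        if (directive(body, "SSLEngine") or "").lower() == "on":
            by_addr[addr].append(directive(body, "ServerName") or "<unnamed>")
    return {addr: names for addr, names in by_addr.items() if len(names) > 1}

if __name__ == "__main__":
    for addr, names in ssl_conflicts(SAMPLE_CONF).items():
        print(f"{addr}: {len(names)} SSL sites share this address: {', '.join(names)}")
```
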
  #3  
Old 10th March 2007, 18:13
LeoLinux

Hi and thanks for this good description !! ;-)

What would such a network without a NAT and with multiple IPs look like?!
I mean for each IP you'll need one more DSL modem, or how does that work?? Does anybody have a good link to learn more about this kind of network topology without NAT but with many public IPs on one machine?
Would be great ;-)

Thanks !!

Leander
  #4  
Old 10th March 2007, 21:19
Hawker

Quote:
Originally Posted by LeoLinux
Hi and thanks for this good description !! ;-)

What would such a network without a NAT and with multiple IPs look like?!
I mean for each IP you'll need one more DSL modem, or how does that work?? Does anybody have a good link to learn more about this kind of network topology without NAT but with many public IPs on one machine?
Would be great ;-)

Thanks !!

Leander
In very simple terms, one modem/router can have multiple IP addresses and one network card can also have multiple IP addresses. That is the use of ifcfg-eth0:X where X is a number. It allows assigning multiple IP addresses to your network card.

As an example I have 5 IP addresses on my line.
4 are used by the web server (2 dedicated to SSL sites, 1 for shared sites, 1 free).
1 is used by my windows system.
When a request for a given IP address comes in only the computer/network card that's configured to that IP will answer.
The Following User Says Thank You to Hawker For This Useful Post:
LeoLinux (15th April 2007)
  #5  
Old 11th March 2007, 15:23
LeoLinux

ok makes sense what you tell me ;-)

so a simple way to solve my problem would look like:

Modem-----connected with my Debian ISPconfig Server ---->dial in with PPPoE daemon---> give the ethernet card which is used for the PPPoE dial in some virtual IPs which I dedicated by any provider...

and then I would be able to choose between the IP addresses when I create a new web in my ISPconfig web interface?!

ok... should be possible to fix this ... but anyway ... I'm just interested how bigger companies like 1&1 or strato solve this in their server farms?! don't they have a NAT behind their modem? How is it possible to give each standalone machine a public IP while they all share the same "DSL" Line?

Thx!

;-)

Leander
  #6  
Old 11th March 2007, 15:39
Hawker

The IPs used for SSL must be public IP addresses.

As an example, my modem/router has 5 useable addresses. Let's say they are xxx.xxx.xxx.001 through xxx.xxx.xxx.005.

My server uses these addresses...
ifcfg-eth0 = xxx.xxx.xxx.001
ifcfg-eth0:0 = xxx.xxx.xxx.002
ifcfg-eth0:1 = xxx.xxx.xxx.003
ifcfg-eth0:2 = xxx.xxx.xxx.004

My windows machine uses xxx.xxx.xxx.005

These are all assigned on the server and windows machines themselves.

NAT does not come into play when you use public IP addresses. NAT only comes into effect when you have multiple computers on a private network behind a public IP.

Last edited by Hawker; 11th March 2007 at 15:41.
The Following User Says Thank You to Hawker For This Useful Post:
LeoLinux (15th April 2007)
  #7  
Old 11th March 2007, 15:57
LeoLinux

.... I think I got it ...

anyway only two more questions:

1. I guess there is no way to use this option which is given by my router:




2. I just don't understand how you can give two different machines different public IPs with only ONE used MODEM. I mean how do you share this modem with your windows box?!?!?! HOW does that work?! can anybody please draw me a picture ;-)) I might be too stupid to understand it written down ;-)

Leander
  #8  
Old 11th March 2007, 16:20
Hawker

My modem is also a router. I have NAT turned off and all ports are open (not blocked) on an ADSL line.

A single DSL Line connects to Modem/Router

Network cables connect like this...
Modem/Router Network Port 1 - Server (IPs 1 through 4)
Modem/Router Network Port 2 - Windows machine (IP 5)
Modem/Router Network Port 3 - unused
Modem/Router Network Port 4 - unused

I guess the way to explain it is that IP addresses are a software function, not a hardware one.

I'm sorry if I'm confusing you.
The Following User Says Thank You to Hawker For This Useful Post:
LeoLinux (15th April 2007)
  #9  
Old 11th March 2007, 16:23
martinfst

In most countries you only get one public IP address on your home connection, unless you have some business grade line.
The Following User Says Thank You to martinfst For This Useful Post:
LeoLinux (15th April 2007)
  #10  
Old 11th March 2007, 18:06
LeoLinux

ok - makes sense to disable the NAT function.
What kind of Router are you using?

I hope I can do the same with my pfsense router - because I still want to use loadbalancing between two DSL connections


thx


Leander

{EDIT}

ahhh I found something ...:




I think I'm on the right way .. because this option disables NAT?

does my router from now on work like an IP forwarding machine which lets me use my public / dedicated IPs on my Debian?




can somebody maybe give me an example how it should look like if my dedicated public IP would be 222.222.222.222 and my internal Debian's IP 192.168.1.100 with this screenshot?

that would be very helpful!! ;-)





or is it maybe not the NAT outbound but the 1:1 option that we are looking for?:




thx for helping ;-)

Leander

Last edited by LeoLinux; 11th March 2007 at 18:38.