A repository of notes and comments that will
eventually make their way into the documentation. Please
treat the information here with caution; it has often not been
verified.
When using the 2.6 Linux kernel or RedHat 9.0, you can use
the standard user-name configuration. On older Linux versions,
you'll need to use a bit of trickery.
You can use kernel-based port forwarding. This feature is not
available for all flavours of Unix, but at least for recent Linux
kernels (2.4) it works fine.
Here is a very basic example for iptables in a static environment (static means that the example does not deal properly with ppp connections; you might have to add something similar to your ip-up/ip-down scripts).
iptables -t nat -A OUTPUT -d localhost -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -d your hostname -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -d your hostname -p tcp --dport 80 -j REDIRECT --to-ports 8080
ipchains (for Linux 2.2 kernels) should work similarly; it might also be possible to map the port directly inside your firewall.
I have different IPs, but am trying to avoid using them in the config
files as we have development, staging and production environments, each
of which would have different IPs. Is it possible to specify multiple IPs
for it to try binding to?
The basic way to configure ssl for multiple virtual hosts is to bind an https
listener to the ip address (interface) for the corresponding virtual host:
<http host="*" port="80"/>
<http host="199.199.0.10" port="443" virtual-host="gryffindor.com">
<openssl>
<certificate-file>keys/gryffindor.crt</certificate-file>
<certificate-key-file>keys/gryffindor.key</certificate-key-file>
<password>test123</password>
</openssl>
</http>
<http host="199.199.0.11" port="443" virtual-host="slytherin.com">
<openssl>
<certificate-file>keys/slytherin.crt</certificate-file>
<certificate-key-file>keys/slytherin.key</certificate-key-file>
<password>test123</password>
</openssl>
</http>
...
<host id="gryffindor.com">
<host-alias>www.gryffindor.com</host-alias>
...
</host>
<host id="slytherin.com">
<host-alias>www.slytherin.com</host-alias>
...
</host>
...
If you want to keep one .conf file for different environments,
you can use the configuration control statements
(resin:choose, resin:when and resin:otherwise).
<resin:choose>
<resin:when test="${sslmode == 'production'}">
<resin:log>Production mode https listeners</resin:log>
<http host="199.199.0.10" port="443">
<openssl>
<certificate-file>keys/gryffindor.crt</certificate-file>
<certificate-key-file>keys/gryffindor.key</certificate-key-file>
<password>test123</password>
</openssl>
</http>
<http host="199.199.0.11" port="443">
<openssl>
<certificate-file>keys/slytherin.crt</certificate-file>
<certificate-key-file>keys/slytherin.key</certificate-key-file>
<password>test123</password>
</openssl>
</http>
</resin:when>
<resin:when test="${sslmode == 'staging'}">
<resin:log>Staging mode https listeners</resin:log>
<http host="198.168.0.5" port="443">
<openssl>
<certificate-file>keys/gryffindor.crt</certificate-file>
<certificate-key-file>keys/gryffindor.key</certificate-key-file>
<password>test123</password>
</openssl>
</http>
<http host="198.168.0.6" port="443">
<openssl>
<certificate-file>keys/slytherin.crt</certificate-file>
<certificate-key-file>keys/slytherin.key</certificate-key-file>
<password>test123</password>
</openssl>
</http>
</resin:when>
<resin:otherwise>
<resin:log>Development mode https listeners</resin:log>
<http host="*" port="443">
<openssl>
<certificate-file>keys/test.crt</certificate-file>
<certificate-key-file>keys/test.key</certificate-key-file>
<password>test123</password>
</openssl>
</http>
</resin:otherwise>
</resin:choose>
Then start Resin with -Dsslmode={production|staging|development}:
unix> bin/httpd.sh -Dsslmode=production ...
win> httpd.exe -Dsslmode=production ...
unix> bin/httpd.sh -Dsslmode=staging ...
win> httpd.exe -Dsslmode=staging ...
unix> bin/httpd.sh -Dsslmode=development ...
win> httpd.exe -Dsslmode=development ...
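The https listener blocks above are easy to get subtly wrong: a listener bound to "*" on 443, a virtual-host with no matching <host id> block, or a test password left in the production branch. The following is an added example, not Resin's own code, of a small check that walks such a configuration and reports those three problems. It assumes only the element names used on this page (http, openssl, password, host); the sample config is constructed, and the resin: prefix is bound to a placeholder namespace purely so the XML parses.

```python
import xml.etree.ElementTree as ET

# Constructed placeholder list; extend it with whatever your team uses as test values.
PLACEHOLDER_PASSWORDS = {"test123", "changeit", "password"}

# Constructed sample shaped like the listeners above (placeholder namespace, not Resin's real one).
SAMPLE_CONF = """<resin xmlns:resin="urn:example:resin-placeholder">
  <http host="*" port="80"/>
  <http host="199.199.0.10" port="443" virtual-host="gryffindor.com">
    <openssl><certificate-file>keys/gryffindor.crt</certificate-file>
      <certificate-key-file>keys/gryffindor.key</certificate-key-file>
      <password>test123</password></openssl>
  </http>
  <resin:choose><resin:otherwise>
    <http host="*" port="443" virtual-host="slytherin.com">
      <openssl><certificate-file>keys/test.crt</certificate-file>
        <certificate-key-file>keys/test.key</certificate-key-file>
        <password>per-host-secret</password></openssl>
    </http>
  </resin:otherwise></resin:choose>
  <host id="gryffindor.com"><host-alias>www.gryffindor.com</host-alias></host>
</resin>"""

def local(tag):
    """Strip the {namespace} prefix ElementTree prepends to prefixed tags."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first direct child called `name`, or None if absent."""
    return next((c.text for c in elem if local(c.tag) == name), None)

def check_https_listeners(conf_xml):
    """Return (listener, problem) pairs for each <http> that carries an <openssl> block."""
    root = ET.fromstring(conf_xml)
    host_ids = {h.get("id") for h in root.iter() if local(h.tag) == "host"}
    findings = []
    for http in (e for e in root.iter() if local(e.tag) == "http"):
        openssl = next((c for c in http if local(c.tag) == "openssl"), None)
        if openssl is None:
            continue  # plain http listener: nothing to check here
        where = f"{http.get('host')}:{http.get('port')}"
        if http.get("host") == "*":
            findings.append((where, "https listener bound to every interface"))
        if child_text(openssl, "password") in PLACEHOLDER_PASSWORDS:
            findings.append((where, "key password is a placeholder value"))
        vhost = http.get("virtual-host")
        if vhost and vhost not in host_ids:
            findings.append((where, f"virtual-host {vhost} has no <host id> block"))
    return findings
```

Run it against the real resin.conf before starting the production branch; a clean result means every https listener is pinned to an address, names a defined host, and does not ship a test password.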