Multiple SSL Keys #4

Closed
tracker1 opened this Issue Aug 6, 2012 · 9 comments


tracker1 commented Aug 6, 2012

If listening on multiple IP addresses, it would be nice to be able to do an SSL key-pair per address, this way you can front different SSL sites in the one proxy. :)

+1

There should be an explanation of how you can set up hipache with SSL for multiple IPs for incoming requests and then call HTTP backends. If I'm right, you have to push into Redis:

$ redis-cli rpush frontend:https://example.com http://127.0.0.1
Contributor

samalba commented Aug 9, 2012

I agree with you, it's currently not supported but it's important and useful. I'll add that to the TODO page.

Contributor

jpetazzo commented Mar 21, 2013

If #10 (bind to a specific IP address) is implemented, it would also allow handling multiple SSL certificates—by running multiple copies of Hipache.

Multiple SSL support on the same IP using SNI would be great as well, Apache Traffic Server does this.

+1 for SNI support. This is a big limitation using hipache in a private PaaS type of setup.

There was a PR #70, but for some reason it was closed. Maybe that is a good starting point? It adds SNI with on-the-fly configuration through redis.

@dmp42 dmp42 added this to the 0.4 milestone Mar 19, 2014

@dmp42 dmp42 self-assigned this Mar 19, 2014

dmp42 added a commit that referenced this issue Apr 21, 2014

Config && dry-run work
- now sports a config class that can do all sorts of magic / preparation / legacy handling
- new command line flag -d (--dry) that just tries to load the config and exit (will catch a number of config errors, although not all) - need extra work
- new http / https configuration syntax that allows binding individually on any number of ips / port, with specific certificates
- fixes #4 (but not SNI yet)
- fixes #10
- on the road to fix #122

@dmp42 dmp42 referenced this issue Apr 21, 2014 in 0.4 #128 (Closed)

Owner

dmp42 commented Apr 21, 2014

#10 is implemented by #128, along with the ability to have different certificates per IP. I'm also allowing passphrases for keys, and additional CAs.

SNI will follow soon (but that's a different horse).

Here's the suggested (new) syntax:

Simple syntax:

http: {
  // if not specified, will use 80
  port: 1080,
  // If not specified, will bind to 127.0.0.1
  bind: "192.168.1.100"
}

Multiple IPs binding, with default and non-default port:

http: {
  // if not specified, will use 80
  port: 1080,
  // If not specified, will bind to 127.0.0.1
  bind: [
    // Will bind to general port 1080
    "192.168.1.100",
    // Override port for this interface
    {
      address: "192.168.1.5",
      port: 1082
    }
  ]
}

For https, one needs to specify a certificate and key as well, either globally (which will be inherited, same as with port) or per IP, possibly overriding the global one.

https: {
  // if not specified, will use 443
  port: 1443,
  // Default certificate / key
  cert: "path",
  key: "path",
  passphrase: "optional key passphrase",
  // If not specified, will NOT bind
  bind: [
    // Will bind to general port 1443, with general key / cert
    "192.168.1.100",
    // Override port and key / cert for this interface, along with additional CA certs
    {
      address: "192.168.1.5",
      port: 1444,
      cert: "other",
      key: "other",
      ca: ["some", "other", "certs"]
    }
  ]
}

Any comments welcome - as this is not yet ready to be merged.
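The inheritance rules described in the comment above (section-level port/cert/key inherited by bare-string entries, per-entry objects overriding them, https not binding at all when `bind` is absent), worked through as an added example; this is not Hipache's own config class. The function name `expandListeners`, the file names in the sample and the assumption that `passphrase` and `ca` inherit like `cert`/`key` are mine.

```javascript
// Added example: normalize the http/https config syntax into one listener
// descriptor per address. Not Hipache's code; mirrors the comment's rules.
const SECTION_DEFAULTS = {
  http:  { port: 80,  bind: ['127.0.0.1'] }, // http binds loopback if unset
  https: { port: 443, bind: [] },            // https does NOT bind if unset
};

function expandListeners(kind, section) {
  const defaults = SECTION_DEFAULTS[kind];
  if (!defaults) throw new Error(`unknown section: ${kind}`);
  const port = section.port ?? defaults.port;
  const bind = section.bind ?? defaults.bind;
  const entries = Array.isArray(bind) ? bind : [bind];

  return entries.map((entry) => {
    // A bare string inherits everything from the section level.
    const e = typeof entry === 'string' ? { address: entry } : entry;
    if (!e.address) throw new Error(`${kind}: bind entry without address`);
    const listener = { kind, address: e.address, port: e.port ?? port };
    if (kind === 'https') {
      // Per-IP cert/key override the global ones, otherwise inherit them.
      listener.cert = e.cert ?? section.cert;
      listener.key = e.key ?? section.key;
      // Assumption: passphrase and ca inherit the same way.
      listener.passphrase = e.passphrase ?? section.passphrase;
      listener.ca = e.ca ?? section.ca ?? [];
      // Dry-run style check: a TLS listener without material is a config error.
      if (!listener.cert || !listener.key) {
        throw new Error(`https ${e.address}:${listener.port}: missing cert or key`);
      }
    }
    return listener;
  });
}

// Constructed sample matching the https example in the comment (file names invented).
const sampleHttps = {
  port: 1443, cert: 'default.crt', key: 'default.key', passphrase: 'optional',
  bind: [
    '192.168.1.100',
    { address: '192.168.1.5', port: 1444, cert: 'other.crt', key: 'other.key',
      ca: ['ca1.pem', 'ca2.pem'] },
  ],
};

console.log(expandListeners('https', sampleHttps));
```

Running it shows the first address inheriting port 1443 and the default cert/key, the second carrying its own port, cert, key and CA list.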

Owner

dmp42 commented Apr 21, 2014

Experimental SNI support is testable. Your opinions/tests welcome @ #130

@dmp42 dmp42 closed this in 57d2e3c Apr 29, 2014

Owner

dmp42 commented Apr 29, 2014

I'm closing this as the O.P. (@tracker1) description is the ability to bind to independent IPs with different certificates (which is now live on master).
SNI is different, and follows on its own ticket / PR (#129 and #130).
