[ietf78-tech] Fwd: Certificates for the IETF
Joel Jaeggli
joelja at bogus.com
Wed Jul 14 17:31:10 PDT 2010
On 7/14/10 12:07 PM, John Kemp wrote:
>
> Just an educated guess... I'm going by what I read in the
> iptables manpage for REDIRECT, and by the fact that we will
> have more than one bridge interface, each having a different
> IP address. Seems like we are stuck with having to target
> the IP on the bridge interface. Which ties to SSL, which
> ties to NAME... :(
A little split-horizon DNS asshattery for each vlan could probably make the
name map to different IPs in both cases. Source IP of the request ought
to be enough to serve up the different DNS view, I think.
Would have to think about how I would do that.
> /jgk
>
>
> On 07/14/2010 11:53 AM, Jim Martin wrote:
>> Folks,
>> Could you guys sanity-check this for John and me? I can't imagine you
>> would really need a separate cert per vlan. John, no offense intended,
>> but I want to be really sure before I go back to Russ for yet something
>> else.
>>
>> -Jim
>>
>> Sent from my iPhone
>>
>> Begin forwarded message:
>>
>>> *From:* John Kemp <kemp at network-services.uoregon.edu>
>>> *Date:* July 14, 2010 10:17:03 AM PDT
>>> *To:* Jim Martin <jim at daedelus.com>
>>> *Subject:* *Re: Certificates for the IETF*
>>> *Reply-To:* kemp at network-services.uoregon.edu
>>>
>>> On 07/13/2010 09:36 AM, Jim Martin wrote:
>>>> Ray,
>>>> The cert for portal.meeting.ietf.org should go to John, since he's the
>>>> guy actually building the boxes.
>>>>
>>>> Thanks!
>>>>
>>>> - Jim
>>>>
>>>
>>> Gah.
>>>
>>> I just realized that we require one more certificate for the 2nd vlan.
>>> Hopefully, that should do it. I believe we only have "ietf-portal" and
>>> "ipef-a-portal". So maybe: https://portal-a.meeting.ietf.org/ as well???
>>>
>>> Should I just generate the csr and ask for 1 more?
>>>
>>> /jgk
>>>
>>>
>>> --> here's the sequence. Upshot is that we need to hand the
>>> user: https://NAME/, otherwise, they will get a match error at
>>> the point the SSL starts to check. And we can't hand them a
>>> NAME on a vlan outside of the redirect to local bridge ip so...
>>>
>>> Iptables redirects user to br_int_ip.
>>> br_int_ip is an IP Virtual Host in apache.
>>> http -> https/NAME/index.pl?redir=...
>>> Apache also does rewrite of any https URL to a NAME/index.pl
>>>
>>> index.pl/Apache processes "index.pl" looks at the client IP.
>>> index.pl determines the vlan.
>>> index.pl uses br_int_name as POST action
>>> Configured br_int_name is then filled in as the POST action
>>>
>>> -----------------------------
>>
>>
>> _______________________________________________
>> ietf78-tech mailing list
>> ietf78-tech at daedelus.com
>> http://www.daedelus.com/mailman/listinfo/ietf78-tech
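The redirect sequence John lays out (iptables REDIRECT onto the bridge IP, an IP-based Apache vhost per bridge, index.pl choosing the VLAN from the client address and handing the user https://NAME/) turns on one point: the hostname in that URL must be covered by the certificate the vhost on that bridge serves, or the browser stops with a name-mismatch error before the portal page loads. The following is an added example, not code from the IETF 78 NOC or from the original index.pl; the bridge names, subnets, addresses and certificate SANs are constructed assumptions that mirror the two-VLAN layout in the thread. It maps a client IP to its bridge, builds the redirect URL, and refuses to hand out a name the certificate does not cover (exact match or a single-label leftmost wildcard, the usual browser rules). Joel's split-horizon alternative, one name that resolves to a different bridge IP per VLAN view, would let one certificate serve both bridges, and the same name check still applies to it.

```python
"""Per-VLAN captive-portal redirect with a certificate name check.

Added example for the thread above; it is not code from the IETF 78 NOC
or from the original index.pl. Bridge names, subnets, addresses and the
certificate SANs are constructed assumptions, chosen only to mirror the
two-VLAN layout the thread describes.
"""
import ipaddress
from urllib.parse import quote

# Constructed: one bridge per VLAN; each bridge has its own IP (the address
# iptables REDIRECT lands on) and the portal hostname whose certificate the
# Apache IP-based virtual host on that bridge serves.
BRIDGES = {
    "br_int":   {"subnet": "10.1.0.0/16", "ip": "10.1.0.1",
                 "name": "portal.meeting.ietf.org"},
    "br_int_a": {"subnet": "10.2.0.0/16", "ip": "10.2.0.1",
                 "name": "portal-a.meeting.ietf.org"},
}


def redirect_rule(bridge):
    """iptables rule that sends a VLAN's port-80 traffic to the local portal.

    REDIRECT rewrites the destination to the primary address of the incoming
    interface, which is why each VLAN ends up on its own bridge IP and the
    portal cannot simply hand every client one shared address.
    """
    return (f"iptables -t nat -A PREROUTING -i {bridge} -p tcp --dport 80 "
            f"-j REDIRECT --to-ports 80")


def bridge_for_client(client_ip):
    """Map a client's source address to the bridge (VLAN) it arrived on."""
    ip = ipaddress.ip_address(client_ip)
    for bridge, cfg in BRIDGES.items():
        if ip in ipaddress.ip_network(cfg["subnet"]):
            return bridge
    return None


def hostname_matches_san(hostname, sans):
    """True if `hostname` is covered by one of the certificate's DNS SANs.

    Matching is case-insensitive; a wildcard is honoured only as the whole
    leftmost label, covers exactly one label, and never matches the bare
    parent domain (the usual browser rules, RFC 6125 style).
    """
    host = hostname.lower().rstrip(".").split(".")
    for san in sans:
        labels = san.lower().rstrip(".").split(".")
        if labels == host:
            return True
        if (labels[0] == "*" and len(labels) >= 3 and len(labels) == len(host)
                and labels[1:] == host[1:]):
            return True
    return False


def portal_redirect(client_ip, original_url, vhost_sans):
    """Build the https URL index.pl should hand a client on a given VLAN.

    `vhost_sans` maps bridge -> DNS SANs of the certificate served by that
    bridge's virtual host. Refuses to emit a URL whose hostname the
    certificate does not cover, because the browser would stop with a
    name-mismatch error before the portal page ever loads.
    """
    bridge = bridge_for_client(client_ip)
    if bridge is None:
        return None
    name = BRIDGES[bridge]["name"]
    if not hostname_matches_san(name, vhost_sans.get(bridge, ())):
        raise ValueError(f"certificate on {bridge} does not cover {name}")
    return f"https://{name}/index.pl?redir={quote(original_url, safe='')}"


if __name__ == "__main__":
    # Constructed: the first VLAN's cert names only portal.meeting.ietf.org,
    # the second VLAN's is a wildcard for *.meeting.ietf.org.
    certs = {"br_int": ["portal.meeting.ietf.org"],
             "br_int_a": ["*.meeting.ietf.org"]}
    for client in ("10.1.4.2", "10.2.4.2"):
        print(redirect_rule(bridge_for_client(client)))
        print(portal_redirect(client, "http://example.com/", certs))
```

The check is deliberately strict about wildcards: `*.meeting.ietf.org` covers `portal-a.meeting.ietf.org` but neither `meeting.ietf.org` nor a two-level name below it, which is the behaviour a browser will enforce when it validates the name on the bridge vhost.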