[ietf78-tech] Fwd: Certificates for the IETF
John Kemp
kemp at network-services.uoregon.edu
Wed Jul 14 20:28:02 PDT 2010
I believe Russ is helping us out here, and that is in progress.
So we won't need to take it that direction.
/jgk
On 7/14/2010 5:31 PM, Joel Jaeggli wrote:
> On 7/14/10 12:07 PM, John Kemp wrote:
>>
>> Just an educated guess... I'm going by what I read in the
>> iptables manpage for REDIRECT, and by the fact that we will
>> have more than one bridge interface, each having a different
>> IP address. Seems like we are stuck with having to target
>> the IP on the bridge interface. Which ties to SSL, which
>> ties to NAME... :(
>
> little split horizon dns asshatery for each vlan could probably make
> the name map to different ip's in both cases. source ip of the request
> ought to be enough to serve up the different dns view I think.
>
> would have to think about how I would do that.
>
>> /jgk
>>
>>
>> On 07/14/2010 11:53 AM, Jim Martin wrote:
>>> Folks,
>>> Could you guys sanity check this for John and me? I can't imagine you
>>> would really need a separate cert per vlan. John, no offense intended,
>>> but I want to be really sure before I go back to Russ for yet something
>>> else.
>>>
>>> -Jim
>>>
>>> Sent from my iPhone
>>>
>>> Begin forwarded message:
>>>
>>>> *From:* John Kemp <kemp at network-services.uoregon.edu>
>>>> *Date:* July 14, 2010 10:17:03 AM PDT
>>>> *To:* Jim Martin <jim at daedelus.com>
>>>> *Subject:* *Re: Certificates for the IETF*
>>>> *Reply-To:* kemp at network-services.uoregon.edu
>>>>
>>>> On 07/13/2010 09:36 AM, Jim Martin wrote:
>>>>> Ray,
>>>>> The cert for portal.meeting.ietf.org
>>>>> <http://portal.meeting.ietf.org> should go to John, since he's the
>>>>> guy actually building the boxes.
>>>>>
>>>>> Thanks!
>>>>>
>>>>> - Jim
>>>>>
>>>>
>>>> Gah.
>>>>
>>>> I just realized that we require one more certificate for the 2nd vlan.
>>>> Hopefully, that should do it. I believe we only have "ietf-portal" and
>>>> "ipef-a-portal". So maybe: https://portal-a.meeting.ietf.org/ as well???
>>>>
>>>> Should I just generate the csr and ask for 1 more?
>>>>
>>>> /jgk
>>>>
>>>>
>>>> --> here's the sequence. Upshot is that we need to hand the
>>>> user: https://NAME/, otherwise, they will get a match error at
>>>> the point the SSL starts to check. And we can't hand them a
>>>> NAME on a vlan outside of the redirect to local bridge ip so...
>>>>
>>>> Iptables redirects user to br_int_ip.
>>>> br_int_ip is an IP Virtual Host in apache.
>>>> http -> https/NAME/index.pl?redir=...
>>>> Apache also does rewrite of any https URL to a NAME/index.pl
>>>>
>>>> index.pl/Apache processes "index.pl" looks at the client IP.
>>>> index.pl determines the vlan.
>>>> index.pl uses br_int_name as POST action
>>>> Configured br_int_name is then filled in as the POST action
>>>>
>>>> -----------------------------
>>>
>>>
>>> _______________________________________________
>>> ietf78-tech mailing list
>>> ietf78-tech at daedelus.com
>>> http://www.daedelus.com/mailman/listinfo/ietf78-tech
>>
>>
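
Added example (not from the thread or the meeting network's actual configuration): a Python model of the split-horizon DNS idea discussed above, where the resolver picks a view by client source IP so the single name on the certificate maps to each VLAN's local bridge IP, while a second name fails the TLS name check. The subnets, bridge IPs, view labels and function names are constructed assumptions; the wildcard case goes beyond what the thread discusses.

```python
import ipaddress

# Constructed sample data: subnets, bridge IPs and view labels are assumptions.
# Only the host names come from the thread.
VIEWS = [
    {"vlan": "vlan-1", "clients": ipaddress.ip_network("10.10.0.0/16"),
     "records": {"portal.meeting.ietf.org": "10.10.0.1"}},
    {"vlan": "vlan-2", "clients": ipaddress.ip_network("10.20.0.0/16"),
     "records": {"portal.meeting.ietf.org": "10.20.0.1"}},
]
CERT_NAMES = ["portal.meeting.ietf.org"]  # names on the single certificate


def resolve(name, client_ip):
    """Answer from the first view whose client network contains the source IP."""
    src = ipaddress.ip_address(client_ip)
    for view in VIEWS:
        if src in view["clients"]:
            return view["records"].get(name.lower().rstrip("."))
    return None  # source IP is outside every portal VLAN


def cert_matches(hostname, cert_names):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    host = hostname.lower().rstrip(".")
    for pattern in cert_names:
        pattern = pattern.lower()
        if pattern == host:
            return True
        if pattern.startswith("*."):
            _, _, parent = host.partition(".")
            if parent and parent == pattern[2:]:
                return True
    return False


def portal_check(name, client_ip):
    """Return (bridge IP the client is sent to, whether the TLS name check passes)."""
    return resolve(name, client_ip), cert_matches(name, CERT_NAMES)


if __name__ == "__main__":
    for ip in ("10.10.3.7", "10.20.8.9"):
        print(ip, portal_check("portal.meeting.ietf.org", ip))
    # A second name needs a second certificate (or a wildcard) to pass.
    print(portal_check("portal-a.meeting.ietf.org", "10.20.8.9"))
```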