SSL problem

Discussion in 'Installation/Configuration' started by LeoLinux, Mar 9, 2007.

  1. LeoLinux

    LeoLinux New Member

    Hi,

    I want to use more than one website in combination with SSL certs....

    It works perfectly for one site... but not for a second one... it says that it's not possible for this IP anymore...?

    I've just read some threads like this in the howtoforge forum:


    what exactly does that mean?

    Just for understanding...:

    My ISPConfig server's internal IP: 192.168.1.100 (the server is behind a NAT with a public IP from T-Com)

    When I create a new web I have an option to choose an IP address for the web.... but it only offers me one (192.168.1.100). Do I have to create a virtual IP for each additional SSL cert I want to use? Or do I really have to dedicate a new public IP address?!

    I just don't really understand why it's only possible to run one cert under one IP, because in reality there is already more than one cert running... for example my first one: https://server1:81 for the ISPConfig web interface, and the second one in a customer's web...

    So it would be nice if somebody could help and describe to me a little how SSL works and how I might solve this problem ;-)


    Thanks a lot... and btw... especially to Falko and Till!!!! ;-)

    Leander
     
  2. martinfst

    martinfst ISPConfig Developer ISPConfig Developer

    Behind NAT, you're not able to have multiple certificates, because you can forward port 80 only to one IP address. You will need to have multiple (externally accessible) IP addresses. That's a restriction of SSL; nothing can be done about that. It ensures a server with a certificate is the server it says it is.

    You have two certs now, because you use two different ports (and two different Apache webservers). But the default webserver port is port 80 and you only have one of that. Port 81 is special, because of the dedicated webserver that comes with ISPConfig.

    If you search the Internet, you will find some obscure possibilities to use one IP and multiple certs, but these all require a special setup and in general break the purpose of SSL.
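Editor's note with an added example (not code from the thread or from ISPConfig): the restriction above exists because, without TLS Server Name Indication (SNI), the server must choose a certificate at the moment the TCP connection arrives on an IP:port, before it has seen any hostname. Two SSL vhosts on the same socket therefore cannot both present their own certificate; clients simply get the first one. SNI (Apache 2.2.12 or newer built against OpenSSL 0.9.8j or newer) removes this limitation for clients that send it, so the "breaks the purpose of SSL" verdict applies to the 2007 stack in the thread, not to SNI. The script below performs the check ISPConfig refuses on: it scans Apache vhost configuration for any IP:port carrying more than one `SSLEngine on` vhost. The sample configuration, IPs and hostnames are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): find Apache SSL vhosts that share an
# IP:port. Without SNI Apache picks the certificate by the socket the
# connection arrived on, so a second SSL vhost on the same IP:443 can never
# be reached with its own certificate.
set -eu

# Constructed sample of ISPConfig-style vhost config; addresses and names are
# placeholders, not real hosts.
SAMPLE_VHOSTS='
<VirtualHost 192.168.1.100:80>
  ServerName www.example.com
</VirtualHost>
<VirtualHost 192.168.1.100:443>
  ServerName www.example.com
  SSLEngine on
  SSLCertificateFile /etc/apache2/ssl/example.com.crt
</VirtualHost>
<VirtualHost 192.168.1.100:443>
  ServerName shop.example.net
  SSLEngine on
  SSLCertificateFile /etc/apache2/ssl/example.net.crt
</VirtualHost>
<VirtualHost 192.168.1.101:443>
  ServerName secure.example.org
  SSLEngine on
  SSLCertificateFile /etc/apache2/ssl/example.org.crt
</VirtualHost>
'

# Read vhost config on stdin; print "IP:port count" for every socket that
# carries more than one SSL-enabled VirtualHost (nothing when all is well).
ssl_socket_conflicts() {
  awk '
    /^[[:space:]]*<VirtualHost[[:space:]]/ {
      sock = $2; sub(/>.*$/, "", sock); ssl = 0; next
    }
    /^[[:space:]]*SSLEngine[[:space:]]+[Oo][Nn]/ { ssl = 1; next }
    /^[[:space:]]*<\/VirtualHost>/ {
      if (ssl) count[sock]++
      next
    }
    END {
      for (s in count) if (count[s] > 1) printf "%s %d\n", s, count[s]
    }
  ' | sort
}

# Returns 1 and lists the offending sockets when the sample has a conflict.
check_sample() {
  local out
  out=$(printf '%s\n' "$SAMPLE_VHOSTS" | ssl_socket_conflicts)
  if [ -n "$out" ]; then
    printf 'conflict: %s\n' "$out"
    return 1
  fi
  return 0
}
```

On the sample the check reports `192.168.1.100:443 2`: the shop vhost would silently be served with the example.com certificate. On a live host, `openssl s_client -connect 192.168.1.100:443 </dev/null 2>/dev/null | openssl x509 -noout -subject` shows which certificate that socket actually hands out; adding `-servername shop.example.net` to `s_client` tests whether the server honours SNI.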
     
  3. LeoLinux

    LeoLinux New Member

    Hi and thanks for this good description !! ;-)

    How would such a network without NAT and with multiple IPs look?!
    I mean, for each IP you'd need one more DSL modem, or how does that work?? Has anybody a good link to learn more about this kind of network topology without NAT but with many public IPs on one machine?
    Would be great ;-)

    Thanks !!

    Leander
     
  4. Hawker

    Hawker New Member

    In very simple terms, one modem/router can have multiple IP addresses and one network card can also have multiple IP addresses. That is the use of ifcfg-eth0:X where X is a number. It allows assigning multiple IP addresses to your network card.

    As an example I have 5 IP addresses on my line.
    4 are used by the web server (2 dedicated to SSL sites, 1 for shared sites, 1 free).
    1 is used by my windows system.
    When a request for a given IP address comes in, only the computer/network card that's configured with that IP will answer.
     
  5. LeoLinux

    LeoLinux New Member

    OK, makes sense what you tell me ;-)

    so a simple way to solve my problem would look like:

    Modem -----> connected to my Debian ISPConfig server ----> dial in with the PPPoE daemon ---> give the Ethernet card which is used for the PPPoE dial-in some virtual IPs which a provider dedicated to me...

    and then I would be able to choose between the IP addresses when I create a new web in my ISPConfig web interface?!

    OK... should be possible to fix this... but anyway... I'm just interested in how bigger companies like 1&1 or Strato solve this in their server farms?! Don't they have a NAT behind their modem? How is it possible to give each standalone machine a public IP while they all share the same "DSL" line?

    Thx!

    ;-)

    Leander
     
  6. Hawker

    Hawker New Member

    The IPs used for SSL must be public IP addresses.

    As an example, my modem/router has 5 usable addresses. Let's say they are xxx.xxx.xxx.001 through xxx.xxx.xxx.005.

    My server uses these addresses...
    ifcfg-eth0 = xxx.xxx.xxx.001
    ifcfg-eth0:0 = xxx.xxx.xxx.002
    ifcfg-eth0:1 = xxx.xxx.xxx.003
    ifcfg-eth0:2 = xxx.xxx.xxx.004

    My windows machine uses xxx.xxx.xxx.005

    These are all assigned on the server and windows machines themselves.

    NAT does not come into play when you use public IP addresses. NAT only comes into effect when you have multiple computers on a private network behind a public IP.
     
    Last edited: Mar 11, 2007
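Added example, not from the thread: Hawker's `ifcfg-eth0:X` files are the Red Hat way of putting several addresses on one card; on the Debian host in the thread the same thing is done with stanzas in `/etc/network/interfaces`. The script below generates those stanzas for a list of public addresses and refuses any address that is not in the primary address's subnet, since an alias cannot reach a gateway it does not share. It also prints the equivalent live `ip addr add ... label eth0:N` commands. Interface name, netmask, gateway and the 203.0.113.0/29 addresses are placeholders (RFC 5737 documentation range) chosen for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): build the Debian /etc/network/interfaces
# stanzas that put several public addresses on one NIC, the Debian equivalent
# of the Red Hat style ifcfg-eth0:X files. All addresses are placeholders from
# the RFC 5737 documentation range, not real assignments. Write addresses
# without leading zeros (203.0.113.1, not 203.0.113.001): the arithmetic
# below would read 001 as octal.
set -eu

# Dotted quad -> 32-bit integer, for the subnet check below.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when both addresses fall in the same network under the given netmask.
same_subnet() {
  local mask
  mask=$(ip2int "$3")
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# alias_stanzas DEV NETMASK GATEWAY PRIMARY_IP [EXTRA_IP...]
# The primary IP becomes the address of DEV and carries the default gateway;
# every extra IP becomes DEV:0, DEV:1, ... Fails if an extra IP is outside
# the primary address's subnet.
alias_stanzas() {
  local dev=$1 mask=$2 gw=$3 primary=$4 n=0 ip
  shift 4
  for ip in "$@"; do
    same_subnet "$primary" "$ip" "$mask" || {
      echo "$ip is not in the subnet of $primary/$mask" >&2; return 1; }
  done
  printf 'auto %s\niface %s inet static\n    address %s\n    netmask %s\n    gateway %s\n' \
    "$dev" "$dev" "$primary" "$mask" "$gw"
  for ip in "$@"; do
    printf '\nauto %s:%d\niface %s:%d inet static\n    address %s\n    netmask %s\n' \
      "$dev" "$n" "$dev" "$n" "$ip" "$mask"
    n=$((n + 1))
  done
}

# alias_ip_commands DEV PREFIXLEN EXTRA_IP...
# The same aliases as live, non-persistent iproute2 commands.
alias_ip_commands() {
  local dev=$1 prefix=$2 n=0 ip
  shift 2
  for ip in "$@"; do
    printf 'ip addr add %s/%s dev %s label %s:%d\n' "$ip" "$prefix" "$dev" "$dev" "$n"
    n=$((n + 1))
  done
}

# Usage: four public addresses on eth0, .1 primary, .2-.4 as eth0:0-eth0:2.
alias_stanzas eth0 255.255.255.248 203.0.113.6 203.0.113.1 203.0.113.2 203.0.113.3 203.0.113.4
alias_ip_commands eth0 29 203.0.113.2 203.0.113.3 203.0.113.4
```

After the stanzas are in place and the interface is brought up, each alias address appears in ISPConfig's IP list, and one SSL site can be bound to each of them. Only the primary address gets a `gateway` line; a second default route on an alias would be rejected by ifup.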
  7. LeoLinux

    LeoLinux New Member

    .... I think I got it ...

    anyway, only two more questions:

    1. I guess there is no way to use this option which is given by my router:
    [screenshot]



    2. I just don't understand how you can give two different machines different public IPs with only ONE modem. I mean, how do you share this modem with your Windows box?!?!?! HOW does that work?! Can anybody please draw me a picture ;-)) I might be too stupid to understand it written down ;-)

    Leander
     
  8. Hawker

    Hawker New Member

    My modem is also a router. I have NAT turned off and all ports are open (not blocked) on an ADSL line.

    A single DSL Line connects to Modem/Router

    Network cables connect like this...
    Modem/Router Network Port 1 - Server (IPs 1 through 4)
    Modem/Router Network Port 2 - Windows machine (IP 5)
    Modem/Router Network Port 3 - unused
    Modem/Router Network Port 4 - unused

    I guess the way to explain it is that IP addresses are a software function, not a hardware one.

    I'm sorry if I'm confusing you. :eek:
     
  9. martinfst

    martinfst ISPConfig Developer ISPConfig Developer

    In most countries you only get one public IP address on your home connection, unless you have some business grade line.
     
  10. LeoLinux

    LeoLinux New Member

    OK - makes sense to disable the NAT function.
    What kind of Router are you using?

    I hope I can do the same with my pfSense router - because I still want to use load balancing between two DSL connections


    thx


    Leander

    {EDIT}

    ahhh I found something ...:

    [screenshot]


    I think I'm on the right track... because this option disables NAT?

    Does my router from now on work like an IP forwarding machine which lets me use my public / dedicated IPs on my Debian?




    Can somebody maybe give me an example of how it should look if my dedicated public IP were 222.222.222.222 and my internal Debian's IP 192.168.1.100, with this screenshot?

    That would be very helpful!! ;-)

    [screenshot]



    Or is it maybe not the NAT outbound but the 1:1 option that we are looking for?:

    [screenshot]


    thx for helping ;-)

    Leander
     
    Last edited: Mar 11, 2007
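Added example, not from the thread and not pfSense configuration: of the three pfSense screens mentioned above, 1:1 NAT is the one that maps a public address to an internal host in both directions; outbound NAT only rewrites the source address of traffic leaving the LAN. With 1:1 NAT the Debian host keeps private addresses (192.168.1.100 plus aliases, configured the same way as public ones would be) and the router maps each public address to exactly one of them, so Apache still gets a distinct socket per certificate. The script below expresses that mapping as Linux netfilter rules for a router in the pfSense box's position, checks that no public or private address is used twice, and opens only 80 and 443, because 1:1 NAT maps every port and the filter rule alone keeps ISPConfig's port 81 off the Internet (pfSense likewise still needs firewall rules to permit traffic through a 1:1 entry). The WAN interface name and all addresses (RFC 5737 / RFC 1918) are placeholders for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread, and not pfSense configuration): the 1:1
# NAT alternative to putting public addresses on the server itself, written as
# Linux netfilter (iptables) rules for a router in the pfSense box's position.
# Addresses are placeholders; the WAN interface name is assumed.
set -eu

WAN=ppp0   # assumed: the router's PPPoE interface

# Constructed mapping: "public private", one pair per line.
MAP='
203.0.113.2 192.168.1.100
203.0.113.3 192.168.1.101
203.0.113.4 192.168.1.102
'

# map_is_unique MAP: fail if a public or a private address appears in more
# than one pair; with duplicates the first matching rule wins silently and one
# site disappears from the outside.
map_is_unique() {
  local dup_pub dup_priv
  dup_pub=$(printf '%s\n' "$1" | awk 'NF == 2 { print $1 }' | sort | uniq -d)
  dup_priv=$(printf '%s\n' "$1" | awk 'NF == 2 { print $2 }' | sort | uniq -d)
  [ -z "$dup_pub" ] && [ -z "$dup_priv" ]
}

# onetoone_rules MAP -> iptables commands, three per pair:
#  PREROUTING DNAT: packets for the public address are rewritten to the
#    private alias before routing, so they reach the server.
#  POSTROUTING SNAT: replies and outbound connections from that alias leave
#    with the matching public address, not the router's own.
#  FORWARD: 1:1 NAT maps every port, so the filter rule decides what is
#    reachable; only 80 and 443 are opened, keeping ISPConfig's port 81 private.
onetoone_rules() {
  map_is_unique "$1" || { echo 'duplicate address in mapping' >&2; return 1; }
  printf '%s\n' "$1" | awk -v wan="$WAN" 'NF == 2 {
    printf "iptables -t nat -A PREROUTING  -i %s -d %s -j DNAT --to-destination %s\n", wan, $1, $2
    printf "iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n", wan, $2, $1
    printf "iptables -A FORWARD -i %s -d %s -p tcp -m multiport --dports 80,443 -j ACCEPT\n", wan, $2
  }'
}

# Usage: print the rule set for the constructed mapping.
onetoone_rules "$MAP"
```

The generated commands are printed, not executed, so the output can be reviewed (and compared against the pfSense 1:1 entries) before anything is applied to a router. On the server side the three private addresses must exist as aliases on its NIC before ISPConfig will offer them for a web.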
  11. LeoLinux

    LeoLinux New Member

    Does nobody use a firewall like this in front of their web server?

    Leo
     
  12. falko

    falko Super Moderator ISPConfig Developer

    I'm afraid I can't help with this one... :(
     
  13. LeoLinux

    LeoLinux New Member

    That's OK - I just found some good threads in the pfSense forum at http://forum.pfsense.org

    Anyway - thanks to all of you!!


    Leander
     
