[Reference:<_A4544@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] virtual hosting based on SNI / TLS (Re: ftp mount and virtual names bound to one IP-address)
11 Aug 2009 18:30:22 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


Hi,

In message <_A4544@delegate-en.ML_> on 08/11/09(23:57:02) I wrote:
 |It will be realized with a MountOption as "sni=hostname" instead of
 |"nvhost=hostname".

I implemented it as the enclosed patch and uploaded it as 9.9.5-pre2.
It can be used as follows for example:

  -P8021 SERVER=ftps STLS=fcl MOUNT="/* ftp://ftp-1/* sni=ftp1.dom" \
                              MOUNT="/* ftp://ftp-2/* sni=ftp2.dom"

  -P8110 SERVER=pop3s STLS=fcl MOUNT="* pop://pop-1/* sni=pop1.dom" \
                               MOUNT="* pop://pop-2/* sni=pop2.dom"

  ... and so on

Note that you need a recent version of OpenSSL (later than 0.9.8g)
built with SNI (TLS extension) support.


In message <_A4541@delegate-en.ML_> on 08/11/09(15:30:07) I wrote:
 |In message <_A4539@delegate-en.ML_> on 08/10/09(21:55:05)
 |you Jens-Erik Hansen <puicqbdyi-6cfuxbq5so3r.ml@ml.delegate.org> wrote:
 | |I try to distinguish ftp mounts by the host name. Therefor I start
 | |delegated with:
 |
 |As far as I know, the FTP protocol (and other application protocols
 |except HTTP/1.1) does not support switching host by a virtual host name.
 |That is, the hostname shown at the client as the server name is not
 |transferred to the server.
 |So what you can do with FTP is using multiple IP-addresses and ipfw
 |(or iptables) and DeleGate's MOUNT with "odst=host" option.
 |Another possible way is using SSL (or extended TLS) (just for)
 |"Server Name Indication" which indicates the (logical or virtual)
 |server name from the client's view to the server.

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller


diff -cr dist/src/delegate9.9.5-pre1/filters/sslway.c ./filters/sslway.c
*** dist/src/delegate9.9.5-pre1/filters/sslway.c	Mon Jul 13 14:20:00 2009
--- ./filters/sslway.c	Wed Aug 12 02:13:43 2009
***************
*** 1858,1863 ****
--- 1858,1869 ----
  #define SSL_TLSEXT_ERR_OK 0
  #define SSL_TLSEXT_ERR_ALERT_FATAL 2
  #define SSL_TLSEXT_ERR_NOACK 3
+ static struct {
+ 	MStr(s_name,128);
+ } TlsSni;
+ const char *tlssni(){
+ 	return TlsSni.s_name;
+ }
  static int get_vhost(SSL *ssl,int *ad,void *arg){
  	const char *vhost;
  	IStr(certd,256);
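Review bot: The new file-scope `TlsSni` object and its accessor `tlssni()` carry no documentation of what the stored value means or when it is valid, even though the matcher in mount.c treats it as the client's host name. A comment such as `/* server_name from the most recent TLS ClientHello handled in this process; "__none" if the client sent none, "" before any handshake */` above the struct would make the sentinel values explicit for callers. The accessor is also declared K&R-style with an empty parameter list; `const char *tlssni(void)` is the C89/C99 form and lets the compiler check the call site. Since the object is a single static shared by every TLS session in the process, a caller that runs after a later handshake sees that handshake's name, not its own — worth stating in the same comment if that is the intended one-session-per-process model.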
***************
*** 1867,1872 ****
--- 1873,1879 ----
  
  	vhost = SSL_get_servername(ssl,TLSEXT_NAMETYPE_host_name);
  	TRACE("-- TLSxSNI: recv %s",vhost?vhost:"NULL");
+ 	strcpy(TlsSni.s_name,vhost?vhost:"__none");
  	if( vhost == 0 ){
  		return SSL_TLSEXT_ERR_NOACK;
  	}
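Review bot: The added `strcpy(TlsSni.s_name, ...)` copies the client-supplied server_name into a 128-byte buffer with no bound, and it runs before the `vhost == 0` check, so a hostile ClientHello carrying a long host name (the TLS HostName field allows up to 255 octets) overwrites memory past `TlsSni`. Bound the copy, e.g. `snprintf(TlsSni.s_name, sizeof TlsSni.s_name, "%s", vhost ? vhost : "__none");` (assuming `MStr` declares a plain char array — confirm), and consider rejecting an over-long name with `SSL_TLSEXT_ERR_ALERT_FATAL` rather than truncating it, since a truncated name could match a different `sni=` mount than the one the client asked for. `get_vhost` continues outside the hunk.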
diff -cr dist/src/delegate9.9.5-pre1/src/mount.c ./src/mount.c
*** dist/src/delegate9.9.5-pre1/src/mount.c	Mon Jul 13 14:15:21 2009
--- ./src/mount.c	Wed Aug 12 02:28:28 2009
***************
*** 167,172 ****
--- 167,173 ----
  #define VHOST_BYNAME	0x1 /* "nvhost=hostList" */
  #define VHOST_ORIGDST	0x2 /* "odst=hostList" */
  #define VHOST_AVHOST	0x4 /* "avhost=hostList" */
+ #define VHOST_TLSSNI	0x8 /* "sni=hostList" */
  
  typedef struct {
    const	char	*u_src;
***************
*** 435,440 ****
--- 436,442 ----
  	{CFO,"vhost",	C_VHOST,	0,L_VHOST	},
  	{CFO,"avhost",	C_VHOST,	0,L_VHOST	},
  	{CFO,"nvhost",	C_VHOST,	0,L_VHOST	},
+ 	{CFO,"sni",	C_VHOST,	0,L_VHOST	},
  	{0,  "from",	C_CLFROM,	0,L_FROM	},
  	{0,  "auth",	C_CLAUTH,	0,L_AUTH	},
  	{0,  "host",	C_CLHOST,	0,L_CLIF	},
***************
*** 699,704 ****
--- 701,711 ----
  				mt->Src.u_vserv |= VHOST_BYNAME;
  			mt->u_condList[list1].c_int = makePathListX(what,StrAlloc(val),"n");
  			}else
+ 			if( streq(nam1,"sni") ){
+ 				mt->Src.u_vserv |= VHOST_TLSSNI;
+ 				mt->u_condList[list1].c_int =
+ 					makePathListX(what,StrAlloc(val),"n");
+ 			}else
  			mt->u_condList[list1].c_int = makePathList(what,StrAlloc(val));
  			mt->u_condList[list1].c_direction = direction;
  		}
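Review bot: The new `sni` branch only ORs `VHOST_TLSSNI` into `mt->Src.u_vserv`, so a MOUNT that combines `sni=` with `nvhost=`, `avhost=` or `odst=` ends up with several bits set and the matcher then silently tests the SNI value first; neither the code nor the option table says which one wins. A one-line comment here, `/* sni= is tested before nvhost=/avhost=/odst= when several are given; see the VHOST_TLSSNI branch in the matcher */`, or an explicit rejection of the combination would make that visible to operators. The branch is otherwise a copy of the `nvhost` branch with a different flag; selecting the flag into a local and sharing the `makePathListX(what,StrAlloc(val),"n")` call would keep the two from drifting apart. The enclosing function starts and ends outside the hunk.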
***************
*** 1812,1817 ****
--- 1819,1828 ----
  
  	if( direction & mt->D_vhostList )
  	if( mt->vhostList && clif != NULL ){
+ 		if( mt->Src.u_vserv & VHOST_TLSSNI ){
+ 			const char *tlssni();
+ 			clif = tlssni();
+ 		}else
  		if( (mt->Src.u_vserv & VHOST_AVHOST) /* avhost=host */
  		 && clif[0] == '-'
  		){
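Review bot: `clif = tlssni();` substitutes the recorded SNI value for the client-side name without checking that one exists: per sslway.c the accessor yields "__none" when the client sent no server_name and "" before any handshake has run in this process, and both are then matched against the `sni=` list like a real host name, so a list such as `sni=*` would admit a client that never named a server. Fail closed instead — after `clif = tlssni();` add a guard along the lines of `if( clif[0] == 0 || streq(clif,"__none") ) /* no SNI: this mount does not apply */` that takes whatever path this function uses for a non-matching mount (the function starts and ends outside the hunk, so I cannot see that path). The in-block `const char *tlssni();` is a K&R-style declaration; exporting `const char *tlssni(void);` from a header shared with filters/sslway.c would let the compiler check the call and document that the value comes from the TLS layer.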
