Article delegate-en/4547 of [1-5169] on the server localhost:119
[Reference:<_A4546@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: ftp mount and virtual names bound to one IP-address
13 Aug 2009 06:31:56 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


Hi,

In message <_A4546@delegate-en.ML_> on 08/13/09(05:41:35)
you Jens-Erik Hansen <puicqbdyi-b7qnormv2whr.ml@ml.delegate.org> wrote:
 |> It will be realized with a MountOption as "sni=hostname" instead of
 |> "nvhost=hostname".
 |
 |I checked everything twice -- it seems not to work.
 |What I have is:
 |
 |SERVER=ftps
 |STLS=-fcl
 |MOUNT="/* ftp://127.0.0.1:8021/* sni=hostA.sub.foo.org"
 |MOUNT="/* ftp://127.0.0.1:8021/demo/* sni=hostB.sub.foo.org"
 |
 |and /demo is always mounted even if I connect to hostA.sub.foo.org.
 |
 |Do you have any ideas?

1) You must force implicit SSL with STLS="fcl" without "-".
2) You need DeleGate/9.9.5-pre2 or later
3) You need an FTPS client program with SNI "server name indication"
   extended capability enabled (with OpenSSL later than 0.9.8g)

I myself don't have an FTP client with SNI enabled, so I tested it
with DeleGate like this:

  Versions% dg995p2 -Fver
  DeleGate/9.9.5-pre2 (August 11, 2009)
  Loaded: OpenSSL 0.9.8j 07 Jan 2009

  server% dg995p2 -fv -P9021 SERVER=ftps STLS=fcl TLSCONF=-vd \
                       MOUNT="/* /* sni=localhost" \
                       MOUNT="/* /tmp/* sni=127.0.0.1"

  client-1% dg995p2 FSV=sslway -Fconnect localhost 9021
  CWD /
  QUIT

  client-2% dg995p2 FSV=sslway -Fconnect 127.0.0.1 9021
  CWD /
  QUIT

With client-1, the server shows as:

  08/13 15:25:32.14 [94612] 1+0: ## SSLway -- TLSxSNI: recv localhost 
  ...
  08/13 15:25:32.16 [94612] 1+0: *** / => file://localhost/ ***

while with client-2:

  08/13 15:26:44.04 [94626] 2+0: ## SSLway -- TLSxSNI: recv 127.0.0.1
  ...
  08/13 15:26:44.06 [94626] 2+0: *** / => file://localhost/tmp/ ***

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller


Subject: Re: [DeleGate-En] virtual hosting based on SNI / TLS
On 08/12/09(03:30) I wrote in <_A4545@delegate-en.ML_>
 |Hi,
 |
 |In message <_A4544@delegate-en.ML_> on 08/11/09(23:57:02) I wrote:
 | |It will be realized with a MountOption as "sni=hostname" instead of
 | |"nvhost=hostname".
 |
 |I implemented it as the enclosed patch and uploaded it as 9.9.5-pre2.
 |It can be used as follows for example:
 |
 |  -P8021 SERVER=ftps STLS=fcl MOUNT="/* ftp://ftp-1/* sni=ftp1.dom" \
 |                              MOUNT="/* ftp://ftp-2/* sni=ftp2.dom"
 |
 |  -P8110 SERVER=pop3s STLS=fcl MOUNT="* pop://pop-1/* sni=pop1.dom" \
 |                               MOUNT="* pop://pop-2/* sni=pop2.dom"
 |
 |  ... and so on
 |
 |Note that you need recent versions of OpenSSL (later than 0.9.8g)
 |with SNI support.
 |
 |
 |In message <_A4541@delegate-en.ML_> on 08/11/09(15:30:07) I wrote:
 | |In message <_A4539@delegate-en.ML_> on 08/10/09(21:55:05)
 | |you Jens-Erik Hansen <puicqbdyi.ml@delegate.org> wrote:
 | | |I try to distinguish ftp mounts by the host name. Therefore I start
 | | |delegated with:
 | |
 | |As far as I know, the FTP protocol (and other application protocols
 | |except HTTP/1.1) does not support switching host by a virtual host name.
 | |That is the hostname shown at the client as the server name is not
 | |transferred to the server.
 | |So what you can do with FTP is using multiple IP-addresses and ipfw
 | |(or iptables) and DeleGate's MOUNT with "odst=host" option.
 | |Another possible way is using SSL (or extended TLS) (just for)
 | |"Server Name Indication" which indicates the (logical or virtual)
 | |server name from the client's view to the client.
 |
 |Cheers,
 |Yutaka
 |--
 |  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 | ( ~ )  National Institute of Advanced Industrial Science and Technology
 |_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
 |Do the more with the less -- B. Fuller
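
The sni= selection discussed in this thread depends on the host name the client places in its TLS ClientHello. The following is an added example, not part of the original messages and not DeleGate code: it builds a ClientHello in memory, parses the server_name extension, and looks the name up in a constructed table modelled on the ftp1.dom/ftp2.dom MOUNT lines. The function names and the choice to return no route when the name is missing or unknown are assumptions of this sketch.

```python
import ssl
import struct

# Constructed routing table modelled on the sni= MOUNT options quoted above.
MOUNTS = {"ftp1.dom": "ftp://ftp-1/", "ftp2.dom": "ftp://ftp-2/"}

def client_hello(server_name):
    """Build a real ClientHello in memory (no network) for the given SNI name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # allows server_name=None (no SNI sent)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:        # expected: no server is answering
        pass
    return outgoing.read()

def parse_sni(record):
    """Return the host_name in the server_name extension (RFC 6066), else None."""
    try:
        if record[0] != 0x16:           # first bytes are not a TLS handshake record
            return None
        body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if body[0] != 0x01:             # not a ClientHello
            return None
        p = 4 + 2 + 32                  # handshake header, version, random
        p += 1 + body[p]                # session id
        p += 2 + struct.unpack("!H", body[p:p + 2])[0]   # cipher suites
        p += 1 + body[p]                # compression methods
        end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[p:p + 4])
            if ext_type == 0 and body[p + 6] == 0:       # server_name / host_name
                n = struct.unpack("!H", body[p + 7:p + 9])[0]
                return body[p + 9:p + 9 + n].decode("ascii")
            p += 4 + ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                            # truncated or malformed input
    return None

def select_mount(first_bytes, mounts=MOUNTS):
    """Pick the backend for a connection; None means no route (fail closed)."""
    return mounts.get(parse_sni(first_bytes))
```

A connection whose first bytes are not a ClientHello, or whose ClientHello carries no server_name, gets no route here, so a client without SNI support is visible as a refused selection rather than silently landing on one of the mounts.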
