Bill Clark wrote:
> On Sat, 10 Jul 2004 12:44:20 -0700, Brion Vibber <brion(a)pobox.com> wrote:
>> For Wikipedia, we briefly discussed the possibility a couple years ago
>> but were stymied by the nasty virtual server problem: basically, HTTPS
>> and name-based virtual servers don't mix.
>
> HTTPS and IP-based virtualhosts work just fine, however.

We have over 300 wikis, each with a virtual subdomain. Each "major"
project which supports all languages will add about 150 wikis: right now
that's Wikipedia and Wiktionary.
Our IP subnet is a /27, with 32 addresses available. Between Wikimedia's
machines, a few second IPs for failover of the squids, and a few Bomis
boxes, it's pretty near full. I don't know what it would cost to secure
300 more IP addresses, but that's not a sustainable route...

> TLS also works with name-based virtualhosts (although it isn't supported
> in all browsers).

Can you give some pointers on setting this up with an Apache server, and
providing a sane failure mode for clients that don't support it?

> Can't squid be reconfigured to handle the SSL portion itself? In
> other words, can it simply treat all requests to the backend as if
> they were HTTP, and simply serve out cached/fresh copies of pages via
> SSL?

I don't know, can it?

> That said, I tend to think that only logins really need to be secure anyway.

Right.

-- brion vibber (brion @ pobox.com)