Bill Clark wrote:
> On Sat, 10 Jul 2004 12:44:20 -0700, Brion Vibber brion@pobox.com wrote:
>> For Wikipedia, we briefly discussed the possibility a couple years ago but were stymied by the nasty virtual server problem: basically, HTTPS and name-based virtual servers don't mix.
>
> HTTPS and IP-based virtualhosts work just fine, however.

We have over 300 wikis, each with a virtual subdomain. Each "major" project which supports all languages will add about 150 wikis: right now that's Wikipedia and Wiktionary.

Our IP subnet is a /27, with 32 addresses available. Between Wikimedia's machines, a few second IPs for failover of the squids, and a few Bomis boxes, it's pretty near full. I don't know what it would cost to secure 300 more IP addresses, but that's not a sustainable route...

> TLS also works with name-based virtualhosts (although it isn't supported in all browsers).

Can you give some pointers on setting this up with an Apache server, and providing a sane failure mode for clients that don't support it?

> Can't squid be reconfigured to handle the SSL portion itself? In other words, can it simply treat all requests to the backend as if they were HTTP, and simply serve out cached/fresh copies of pages via SSL?

I don't know, can it?

> That said, I tend to think that only logins really need to be secure anyway.

Right.

-- brion vibber (brion @ pobox.com)
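An added example, not from this thread or from Wikimedia's configuration, of the Apache setup Brion asks about: several name-based TLS virtual hosts on a single IP address selected by the SNI extension, with a defined failure mode for clients that do not send a server name. It assumes Apache httpd 2.2.12 or later with mod_ssl built against an SNI-capable OpenSSL; the host names and certificate paths are constructed placeholders.

```apache
# Added example (not from the thread): SNI-based TLS vhosts on one IP.
# Host names and file paths below are constructed placeholders.
Listen 443

# The first *:443 vhost is the default: every TLS handshake that carries
# no SNI name lands here and is shown this certificate. Keep it a plain
# static notice so non-SNI clients never see another site's content.
<VirtualHost *:443>
    ServerName            tls-fallback.wiki.example
    DocumentRoot          /var/www/tls-fallback
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/tls-fallback.wiki.example.pem
    SSLCertificateKeyFile /etc/ssl/private/tls-fallback.wiki.example.key
    # Off in the default vhost: non-SNI clients may reach this notice page.
    SSLStrictSNIVHostCheck off
</VirtualHost>

# Each wiki gets its own vhost and certificate, matched by the SNI name.
# "on" in a non-default vhost makes mod_ssl answer 403 to any client that
# did not send SNI, instead of silently serving this site under the
# default vhost's (mismatching) certificate.
<VirtualHost *:443>
    ServerName            en.wiki.example
    DocumentRoot          /var/www/en
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/en.wiki.example.pem
    SSLCertificateKeyFile /etc/ssl/private/en.wiki.example.key
    SSLStrictSNIVHostCheck on
</VirtualHost>

<VirtualHost *:443>
    ServerName            de.wiki.example
    DocumentRoot          /var/www/de
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/de.wiki.example.pem
    SSLCertificateKeyFile /etc/ssl/private/de.wiki.example.key
    SSLStrictSNIVHostCheck on
</VirtualHost>
```

The failure mode is deliberate: a client without SNI sees only the fallback certificate and either the notice page or a 403, never a wiki served under the wrong certificate.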