Forum OpenACS Q&A: Virtual hosting with AOLserver 4

Posted by Lars Pind on
We've had virtual hosting of AOLserver instances on our boxes for a while now using, I believe, this setup:

http://jamesthornton.com/acs/nsunix.html

But now we've switched one of our servers to AOLserver 4 to play around with it a bit, and it doesn't have nsunix.

Does anyone here know how to do virtual hosting with AOLserver? Supposedly it should be built-in and easy, or did I hear wrong?

Thanks a bunch.

/Lars

Posted by Tom Jackson on

Do you want separate isolated code in each virtual server, or would you want shared code? Supposedly the sample-config.tcl file that comes with AOLserver 4 has an example.

Posted by Bart Teeuwisse on
Lars,

AOLserver 4.x does have built-in virtual hosting, but it is not as flexible as nsunix. The main disadvantage is that you cannot (re)start individual virtual servers. You can only restart the AOLserver process, affecting all virtual servers.

You can however start the AOLserver process with one of the virtual servers (instead of all virtual servers). Don't confuse this with starting individual virtual servers one after another. That is NOT possible.

For these reasons, I've switched to nsvhr TCP/IP based virtual hosting. I plan to write an article about my virtual hosting research.

Drop me a line should you want to give AOLserver 4.x built-in virtual hosting a try, and I'll send you a sample config file.

/Bart

Posted by Lars Pind on
Bart,

Thanks a bunch, I'd love to see that document when it comes out. It's not too urgent for us, we're fine with running a good ol' patched version of 3.3.1-ad13, but we do want to switch to AOLserver 4 as soon as it's possible. So please do finish up that document.

I'm pretty happy with the constellation we have now where we can start individual AOLserver instances and they live completely separate lives.

However they do tend to eat up a lot of memory each, so maybe the built-in AOLserver 4 solution is actually better?

I really don't know which is the best way to go, which is why I'm looking forward to that document, and seeking advice :)

/Lars

Posted by Don Baccus on
The single-process virtual hosting solution AOLserver 4.0 provides may indeed be more economical of resources. You can either have all virtual servers share one big pool of threads or you can give each virtual server its own private pool, for instance. The first approach should work well if you're running a bunch of low-traffic sites, the latter approach for virtual servers that are high-traffic and need a guaranteed number of threads to keep up.

It is a drag needing to restart all servers rather than just one, though. But with the use of the APM watch etc., restarts should be rare. I haven't restarted birdnotes.net in months ...

Be certain to grab the patches for Tcl 8.4.2 or to wait for Tcl 8.4.3 before switching, though ...

Posted by Jarkko Laine on
...which reminds me. How does AOLserver 4's way of virtual hosting play together with APM, which automatically stops the server process when a new package has been installed?

Posted by Don Baccus on
Well ... that's the big issue if you're adding new packages to a production server which virtually serves several sites.

But I think that's a relatively rare event ...

Posted by Jorge Garcia on
Hi, Bart:

I have downloaded the final version of AOLserver 4 and I want to try the virtual hosting capabilities.

1. Do you have any sample config file you could send me? There is no documentation I could find about this.

2. Quote: 'I plan to write an article about my virtual hosting research'. Did you take the time to do so?

3. Could you give me some advice about using 'nsvhr' instead? I'm reading http://borkware.com/rants/aolserver-vhosting/

4. Any other experiences apart from Bart's?

Thanks for your help.

/Jorge

Posted by Bart Teeuwisse on
Jorge,

I haven't found the time to write down my experiences. Neither have I found a perfect solution. But here's a synopsis of what I've learned so far (all with AOLserver 4.x):

- The built-in virtual hosting doesn't allow you to start and stop individual virtual servers. A major drawback in a development environment. Neither does it support HTTPS virtual hosting (with a wildcard certificate).

- nssock/nsvhr works well for HTTP connections but, like the built-in virtual hosting, it doesn't support HTTPS virtual hosting. And all requests to your virtual hosts will be recorded with the IP address of the proxy. The patch listed at http://borkware.com/rants/aolserver-vhosting/ doesn't work for AOLserver 4.x.

- Squid reverse proxy does support HTTPS virtual hosting, including multiple sub-domains with a wildcard certificate. But Squid is incapable of passing on to the backend server whether or not the incoming request is on a secure port.

- Pound is currently my favorite proxy even though it still can't handle streaming pages. Pound supports HTTPS virtual hosting. Pound can tell OpenACS whether the incoming connection is on a secure port. With a small patch to OpenACS it allows OpenACS to handle those connections as secure connections just like direct HTTPS connections to the backend server.

/Bart

Posted by Jorge Garcia on
Derek, thanks for your answer. I had forgotten this link. My fault 😉

Bart, interesting info.

What do you mean by: "Pound... With a small path to OpenACS"?

A 'small path'. I don't understand this. Could you explain it to me, please?

Do you mean a patch?

Thanks.

/Jorge

Posted by Jorge Garcia on
Bart, one more thing.

You say Pound supports HTTPS virtual hosting, but I was reading the Pound webpage at http://www.apsis.ch/pound/index.html and this is what I found.

<blockquote>
Virtual Hosts and HTTPS

Quite often we get inquiries about Pound's ability to do virtual hosting with HTTPS. In order to lay this matter to rest, let me say:

    HTTPS does not allow virtual hosting

This is not a limitation of Pound, but of HTTPS - no Web server or proxy are able to do it due to the nature of the beast.
</blockquote>

Have you found a method to achieve this?

Could you then share a config file or some additional explanation?

Thank you again.

/Jorge

Posted by Bart Teeuwisse on
Jorge,

yes, that is a typo. It should be patch. I plan to commit the patch to CVS when Pound has resolved the issue with streaming pages.

/Bart

Posted by Jorge Garcia on
Ok. I understand now.

I see there exists a mailing list for Pound, but does there exist CVS access or some other link that could be of interest?

/Jorge

Posted by Bart Teeuwisse on
Jorge,

by support for HTTPS virtual hosting I mean that the proxy will handle the SSL connection to then pass on the request to the backend server as a regular HTTP request. The backend server thus never sees the HTTPS connection. And in that sense Pound does not proxy HTTPS connections. Which is what the Pound web page is trying to explain.

However, to the client it appears as if it does as the client establishes a secure connection with the proxy and returns the response from the backend server over the established secure connection. As such the client is not aware that the communication between the proxy and the backend server is not encrypted.

Further down the Pound webpage you can read how Pound can accept HTTPS connections and what information it forwards to the backend server in the HTTP connection between Pound and the server.

My patch allows OpenACS to detect a secure connection to Pound based on a custom header added to the information passed from Pound to the server so that OpenACS will treat the connection as a secure connection (e.g. as if it is a direct HTTPS connection). This makes proxied HTTPS connections transparent to OpenACS.

/Bart

Posted by Jorge Garcia on
Ok. I understand.

I'll wait for your patch, Bart :)

/Jorge

Posted by jerry arns on
Hello, this thread is interesting. I have been (lazily) looking for a virtual hosting solution for more than a year (I experimented with nsvhr but one of my web servers is IIS on Micro$oft Win2k, the other 2 being AOLserver 3.3-ad13 on RedHat 6.2, and running an ACS3.2 site).

Pound seems like a good solution.

Just one question : I'm concerned about logging and keeping the originating IP in the web server log. I see on the Pound page that it adds an "X-Forwarded-for: client-IP-address".

How can I have Webalizer (my web server log analyzer) use this header so I can keep on seeing the variety of people that come to my site? Is it a configuration in AOLserver? A patch? A ns_filter?

If you could point me to a page with some info about that, I would be thrilled! 😉

Thank you.

/Jerry

Posted by Bart Teeuwisse on
Jerry,

if you analyze the AOLserver log of AOLserver 4.0 then you don't have to do anything extra as this version of the web server logs the X-Forwarded-for IP address in the log.

/Bart
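
An added example, not part of the thread and not Bart's OpenACS patch: a backend behind a TLS-terminating proxy should honour the forwarded client address and the proxy's "secure connection" header only when the request really arrives from the proxy, since any client connecting directly can send the same headers. The proxy address `127.0.0.1`, the header name `X-Proxy-Secure` with value `on`, and a single proxy hop are assumptions made for illustration.

```python
import ipaddress

# Assumptions for this sketch (not taken from the thread):
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]  # where the proxy runs
SECURE_HEADER = "x-proxy-secure"  # hypothetical custom header set by the proxy


def _from_trusted_proxy(peer_addr):
    """True only if the TCP peer is one of the configured proxies."""
    try:
        peer = ipaddress.ip_address(peer_addr)
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)


def effective_connection(peer_addr, headers):
    """Return (client_ip, proxy_says_secure) for one backend request.

    peer_addr is the socket peer address; headers maps header names to
    values, with repeated headers already joined by commas.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if not _from_trusted_proxy(peer_addr):
        # Direct connection: forwarded headers are client-controlled, ignore them.
        return peer_addr, False

    client_ip = peer_addr
    xff = h.get("x-forwarded-for", "")
    if xff:
        # With one proxy hop, only the rightmost entry was written by the
        # proxy; anything to its left was supplied by the client.
        candidate = xff.split(",")[-1].strip()
        try:
            client_ip = str(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # malformed value: fall back to the peer address
    is_secure = h.get(SECURE_HEADER, "").lower() == "on"
    return client_ip, is_secure
```
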

Posted by Richard Hamilton on
The best resource that I have come across was an article written by Jerry Asher. I have been using his patched version of nsunix for well over a year now with no problems. His site is no longer active but he is a member of the community. I suggested on another thread that he might consider making his instructions available on Jade's articles section on the openacs.org front page. In any event you could try dropping him a line to ask for a copy or see if Google still has it cached.

Regards
Richard

Posted by bill kellerman on
here is google's cached copy of the virtual hosting howto