Forum OpenACS Development: Re: What issues remain for OpenACS on AOLserver4

Posted by C. R. Oldham on
<blockquote> [SSL]...If this function is moved to a proxy server
it might be a go at this point.
</blockquote>

If SSL is moved to a proxy server then you must serve all requests via SSL, or use a "smart" proxy server that knows what parts of your site need to be served via SSL.  You cannot communicate this information back into OpenACS without some hacking, so I would vote that we not recommend AOLserver 4.0 until there is a working SSL implementation.

Posted by Bart Teeuwisse on
I did some hacking to the security procs of OpenACS to achieve just that for Pound. Having tried Squid and failed to redirect HTTP connections to HTTPS connections in the proxy I've switched back to Pound. Squid is also incapable of informing AOLserver which connections to AOLserver are HTTPS connections to the Proxy.

Pound has the issue with ns_write but there is a patch in the making to remove this limitation. In all other respects, I found Pound to be better. For example, Pound can add a custom header to requests forwarded to AOLserver when the request comes in as an HTTPS connection to Pound. Using this information, I have modified the security procs of OpenACS to treat these requests as if they were HTTPS connections to AOLserver.

The big win is that security management becomes transparent to OpenACS. One can still use the same security methods in OpenACS as before.

Also, nsopenssl should not be far off for AOLserver 4.0.

All in all, AOLserver 4.0 can be used with OpenACS under certain circumstances:

1) When the site doesn't require SSL
2) When the site uses SSL but offloads the SSL handshake to Pound and user pages don't use ns_write
3) When the site uses SSL but offloads the SSL handshake to Pound and Gustav's patch is applied to Pound.

Options 2) and 3) also require my hack to OpenACS. Should I be committing this hack to CVS?
/Bart
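
The header-based approach described in the post above, sketched as an added example that is not part of the original post and is not Bart's patch or OpenACS code. The proc name, header name, header value and proxy addresses are all hypothetical; it assumes the backend accepts the "came in over HTTPS" header only from the proxy's own address and that the proxy drops any client-supplied copy of that header.

```tcl
# Added example: hypothetical names throughout, not OpenACS or Pound code.
# Assumed header the proxy adds to requests that reached it over HTTPS.
set proxy_https_header "X-SSL-Request"
set proxy_https_value  "1"
# Assumed addresses from which the SSL-terminating proxy connects.
set trusted_proxies {127.0.0.1 10.0.0.5}

# Decide whether a request may be treated as a secure connection.
#   peeraddr     - address of the TCP peer (in AOLserver: [ns_conn peeraddr])
#   headers      - flat name/value list of request headers
#                  (in AOLserver these come from the ns_set [ns_conn headers])
#   direct_ssl_p - 1 if the server itself terminated SSL for this connection
proc secure_conn_p {peeraddr headers direct_ssl_p} {
    global proxy_https_header proxy_https_value trusted_proxies
    if {$direct_ssl_p} { return 1 }
    # Only the proxy may vouch for HTTPS. A client that reaches the backend
    # directly can send any header it likes, so its claim is ignored.
    if {[lsearch -exact $trusted_proxies $peeraddr] < 0} { return 0 }
    # Header names are case-insensitive; the value must match exactly.
    foreach {name value} $headers {
        if {[string equal -nocase $name $proxy_https_header]} {
            return [string equal $value $proxy_https_value]
        }
    }
    return 0
}

# Constructed sample requests: label, peer address, headers, direct-SSL flag.
set samples {
    "HTTPS via proxy"        127.0.0.1   {Host example.test x-ssl-request 1} 0
    "HTTP via proxy"         127.0.0.1   {Host example.test}                 0
    "direct, spoofed header" 203.0.113.7 {Host example.test X-SSL-Request 1} 0
    "direct SSL to server"   203.0.113.7 {Host example.test}                 1
}
foreach {label peer hdrs ssl} $samples {
    puts [format "%-24s secure=%d" $label [secure_conn_p $peer $hdrs $ssl]]
}
```

Binding the backend listener to an address only the proxy can reach narrows the same trust boundary at the network level.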

Posted by Andrew Piskorski on
Bart, your changes to make OpenACS support using Pound sound like they're very useful, and should go into the toolkit. Will you add them for OpenACS 5.0?

Barry, the patch Bart is talking about is for Pound. One of the Pound maintainers posted to the AOLserver list with info about it. Basically, AOLserver happens to use older style syntax for some HTTP stuff, which Pound didn't support yet, so he's adding it.