Forum OpenACS Q&A: Nsopenssl with virtual hosting

How can I get nsopenssl working with virtual hosting in AOLserver 4? Where can I get a config example?

Thanks

Posted by Randy O'Meara on
Posted by Bart Teeuwisse on
Angel,

Maybe you could describe your goals a bit more. What are you trying to achieve? Multiple virtual servers each with their own SSL certificate? Multiple virtual servers using a single wildcard certificate? Multiple virtual servers w/ only one virtual server accepting secure connections? Etc.

/Bart

Posted by Angel Francisco Marcos Alonso on
The goal is to have 3 domains with SSL using port 443 each one.
Posted by C. R. Oldham on
Angel,

If you are trying to virtual host multiple domains with a single IP address over https, that's not possible. Here's a good explanation from the Pound website at http://www.apsis.ch/pound:

---
HTTPS does not allow virtual hosting

This is not a limitation of Pound, but of HTTPS - no Web server or proxy is able to do it due to the nature of the beast.

In order to see why this is the case we need to look at the way HTTPS works. Basically there are three stages in any HTTPS connection:

1. Connection negotiation - the client (your browser) and the server (Web server or proxy) negotiate the basic parameters: ciphers to use, session key, etc.
2. Connection authentication: at the very least the server presents the client with a certificate that says "I am server www.encrypted.com - and certificate.authority.org will verify that". The client may also present a certificate of its own at this stage.
3. Request/response cycle: normal HTTP is sent (through the encrypted channel) back and forth.

The vital point to notice here is that connection authentication takes place BEFORE any request was issued.

On the other hand, the way virtual hosting works is for the client to specify in the request to which server it would like to talk. This is accomplished via a Host header:

        GET /index.html HTTP/1.1
        Host: http://www.virthost.com

Combining the two we get to an impasse: on connection setup the server will reply with the certificate for "www.realhost.com", but the request is really for "www.virthost.com" - and most browsers will scream blue murder (as well they should) if the two do not match.
---

Posted by Bart Teeuwisse on
Angel,

It is not clear from your answer whether the 3 domains are subdomains of the same main domain or separate main domains. E.g. sub1.domain.com, sub2.domain.com & sub3.domain.com or www.domain1.com, www.domain2.com & www.domain3.com.

The difference is important as Pound can handle HTTPS connections for wildcard SSL certificates (*.domain.com). While C.R. is correct in that HTTPS doesn't allow virtual hosting, Pound can set up the SSL connection w/ the client and forward the request as an HTTP request to the backend server. Pound can only do that for 1 wildcard certificate.

I've made some modifications to OpenACS (not yet committed to CVS) that allow OpenACS to handle the proxied HTTPS requests (which OpenACS receives as HTTP requests w/ an additional HTTP header indicating that Pound received the requests as HTTPS) as if they are secure.

/Bart
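An added example, written for this page rather than taken from the thread, from Pound or from OpenACS, covering the two points in Bart's reply: whether one wildcard certificate can cover a given set of hostnames (the subdomain vs. separate-domain distinction), and how a backend should decide that a request it received as plain HTTP was HTTPS at the proxy. The header name X-Forwarded-Proto and the proxy network 10.0.0.0/24 are assumptions; the thread does not say which header Pound adds.

```python
from ipaddress import ip_address, ip_network


def wildcard_covers(pattern, hostnames):
    """Map each hostname to True/False: does certificate name `pattern` cover it?

    A leading '*' stands for exactly one DNS label (the rule browsers apply),
    so '*.domain.com' covers sub1.domain.com but not domain.com, a.b.domain.com
    or www.domain1.com. A pattern without '*' must match exactly.
    """
    pattern = pattern.lower().rstrip(".")
    covered = {}
    for host in hostnames:
        labels = host.lower().rstrip(".").split(".")
        if pattern.startswith("*."):
            suffix = pattern[2:].split(".")
            covered[host] = (labels[0] != ""
                             and len(labels) == len(suffix) + 1
                             and labels[1:] == suffix)
        else:
            covered[host] = ".".join(labels) == pattern
    return covered


def common_wildcard(hostnames):
    """Return the single '*.parent' pattern covering every hostname, or None.

    This is the check behind Bart's question: sub1/sub2/sub3.domain.com share
    a parent, so one wildcard certificate in front of Pound suffices;
    www.domain1.com, www.domain2.com and www.domain3.com do not, so each
    needs its own certificate (and, without SNI, its own IP address).
    """
    parents = set()
    for host in hostnames:
        labels = host.lower().rstrip(".").split(".")
        if len(labels) < 3:  # 'domain.com' leaves only the TLD as parent; no CA issues '*.com'
            return None
        parents.add(".".join(labels[1:]))
    if len(parents) != 1:
        return None
    pattern = "*." + parents.pop()
    return pattern if all(wildcard_covers(pattern, hostnames).values()) else None


def request_is_secure(headers, peer_ip, trusted_proxies, header="X-Forwarded-Proto"):
    """Decide whether a request the backend got over plain HTTP was HTTPS at the proxy.

    The marker header is believed only when the TCP peer is inside one of the
    trusted proxy networks. Any client that can reach the backend directly
    could otherwise add the header itself and have a plain-HTTP request
    treated as secure. The header name is an assumption for this example.
    """
    peer = ip_address(peer_ip)
    if not any(peer in ip_network(net) for net in trusted_proxies):
        return False
    value = next((v for k, v in headers.items() if k.lower() == header.lower()), "")
    return value.strip().lower() == "https"


if __name__ == "__main__":
    # Constructed sample data: the two layouts Bart asks about.
    subdomains = ["sub1.domain.com", "sub2.domain.com", "sub3.domain.com"]
    separate = ["www.domain1.com", "www.domain2.com", "www.domain3.com"]
    print(common_wildcard(subdomains))  # *.domain.com
    print(common_wildcard(separate))    # None

    # Constructed requests as the backend sees them after the proxy terminated TLS.
    proxies = ["10.0.0.0/24"]
    print(request_is_secure({"X-Forwarded-Proto": "https"}, "10.0.0.5", proxies))     # True
    print(request_is_secure({"X-Forwarded-Proto": "https"}, "203.0.113.9", proxies))  # False
```

The second function is the part worth copying into any backend that sits behind a TLS-terminating proxy: the proxy's header is a claim, and the backend should accept the claim only from the proxy's own addresses and treat it as absent from anyone else.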

Posted by Angel Francisco Marcos Alonso on
Three separate domains. www.domain1.com www.domain2.com www.domain3.com
Posted by Bart Teeuwisse on
Angel,

As C.R. mentioned, that is not possible with HTTPS. Each domain will have to have a direct Internet connection w/o a reverse proxy in between.

This is a restriction imposed by HTTPS and not by AOLServer or OpenACS.

/Bart

Posted by Samer Abukhait on
http://www.scottg.net/

nsopenssl 3.0 beta 17 ready for testing

This version implements nsopenssl for AOLserver 4.x only. It is not backwards-compatible with AOLserver 3.x. This version is virtual server-aware, and you only have to load it once: it will serve multiple drivers on multiple virtual servers....