Forum OpenACS Q&A: Nsopenssl with virtual hosting
Maybe you could describe your goals a bit more. What are you trying to achieve? Multiple virtual servers each with their own SSL certificate? Multiple virtual servers using a single wildcard certificate? Multiple virtual servers w/ only one virtual server accepting secure connections. Etc.
If you are trying to virtual host multiple domains with a single IP address over https, that's not possible. Here's a good explanation from the Pound website at http://www.apsis.ch/pound:
HTTPS does not allow virtual hosting
This is not a limitation of Pound, but of HTTPS - no Web server or proxy is able to do it due to the nature of the beast.
In order to see why this is the case we need to look at the way HTTPS works. Basically there are three stages in any HTTPS connection:
Connection negotiation - the client (your browser) and the server (Web server or proxy) negotiate the basic parameters: ciphers to use, session key, etc.
Connection authentication: at the very least the server presents the client with a certificate that says "I am server www.encrypted.com - and certificate.authority.org will verify that". The client may also present a certificate of its own at this stage.
Request/response cycle: normal HTTP is sent (through the encrypted channel) back and forth.
The vital point to notice here is that connection authentication takes place BEFORE any request was issued.
On the other hand, the way virtual hosting works is for the client to specify in the request to which server it would like to talk. This is accomplished via a Host header:
GET /index.html HTTP/1.1
Combining the two we get to an impasse: on connection setup the server will reply with the certificate for "www.realhost.com", but the request is really for "www.virthost.com" - and most browsers will scream blue murder (as well they should) if the two do not match.
It is not clear from your answer whether the 3 domains are subdomains of the same main domain or separate main domains. E.g. sub1.domain.com, sub2.domain.com & sub3.domain.com or www.domain1.com, www.domain2.com & www.domain3.com.
The difference is important as Pound can handle HTTPS connections for wildcard SSL certificates (*.domain.com). While C.R. is correct in that HTTPS doesn't allow virtual hosting, Pound can set up the SSL connection w/ the client and forward the request as an HTTP request to the backend server. Pound can only do that for 1 wildcard certificate.
I've made some modifications to OpenACS (not yet committed to CVS) that allow OpenACS to handle the proxied HTTPS requests (which OpenACS receives as HTTP requests w/ an additional HTTP header indicating that Pound received the requests as HTTPS) as if they are secure.
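The header-based scheme described in this post, as an added example that is not OpenACS or Pound code: the TLS-terminating proxy replaces any client-supplied forwarding header before passing the request on, and the backend treats a plain-HTTP request as secure only when that header arrives from a trusted proxy address. The header name X-Forwarded-Proto and the proxy networks are assumptions, since the page does not name the header Pound uses.

```python
# Added example (not OpenACS or Pound code). The header name and the proxy
# networks below are assumptions; the page does not state what Pound sends.
from ipaddress import ip_address, ip_network

FORWARDED_PROTO_HEADER = "X-Forwarded-Proto"  # assumed header name

# Constructed: networks the TLS-terminating reverse proxies connect from.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24"), ip_network("127.0.0.1/32")]


def proxy_build_headers(client_headers: dict, received_over_tls: bool) -> dict:
    """Headers the proxy forwards to the backend.

    Any forwarding header supplied by the client is dropped and replaced
    with the proxy's own value, so a client cannot smuggle an 'https'
    claim through the proxy on a plain-HTTP connection.
    """
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() != FORWARDED_PROTO_HEADER.lower()}
    forwarded[FORWARDED_PROTO_HEADER] = "https" if received_over_tls else "http"
    return forwarded


def request_is_secure(remote_addr: str, headers: dict) -> bool:
    """Backend decision: honour the forwarding header only from a trusted proxy.

    A request that reaches the backend directly from an arbitrary client
    is never treated as secure, whatever headers it carries.
    """
    peer = ip_address(remote_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return False
    # HTTP header names are case-insensitive, so compare in lower case.
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(FORWARDED_PROTO_HEADER.lower(), "")
    return value.strip().lower() == "https"


if __name__ == "__main__":
    # Constructed request: client sent a forged header over plain HTTP.
    client_hdrs = {"Host": "www.virthost.com", "x-forwarded-proto": "https"}
    to_backend = proxy_build_headers(client_hdrs, received_over_tls=False)
    print(to_backend)                                   # header reset to "http"
    print(request_is_secure("10.0.0.5", to_backend))    # False
    print(request_is_secure("203.0.113.7", client_hdrs))  # False: not a proxy
```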
As C.R. mentioned, that is not possible with HTTPS. Each domain will have to have a direct Internet connection w/o a reverse proxy in between.
This is a restriction imposed by HTTPS and not by AOLServer or OpenACS.
nsopenssl 3.0 beta 17 ready for testing
This version implements nsopenssl for AOLserver 4.x only. It is not backwards-compatible with AOLserver 3.x. This version is virtual server-aware, and you only have to load it once: it will serve multiple drivers on multiple virtual servers....