Forum OpenACS Q&A: Re: OpenACS with virtual hosting

Posted by C. R. Oldham on
Setting my reply above aside, however, I installed and configured Pound for my little 2-virtual host setup last night in about 30 minutes.  And that included backporting the Pound 1.5 package from Debian Unstable to the stable release and upgrading it to Pound 1.6.  It works very well so far.

Caveat: my hosts don't get a lot of traffic.

Note that in AOLserver 4.0, the nslog module already knows to look for the X-Forwarded-For: header, so you don't need to play tricks with the logs anymore.  The IP address of the client is in the correct place in the access.log file now.

Posted by Bart Teeuwisse on
Last I tried the patch mentioned at http://borkware.com/rants/aolserver-vhosting/ it didn't work for AOLServer 4.x. The code of 4.x has been overhauled and it appears that the patch doesn't apply to 4.x at all.

Regarding the cautionary note of the author of Pound, I would say that there are as many opinions as people. The security risk is minimal and in the case of AOLServer the backend support for virtual hosting is rather minimal. Using Pound for virtual hosting isn't any riskier than say using Squid or any other reverse proxy.

I've done some extensive research into virtual hosting w/ AOLServer and OpenACS. There are other options -like Squid, or AOLServer + nsvhr (but w/o X-Forwarded-For headers)- but I came to the conclusion that Pound is by far the best solution.

/Bart

Posted by Mark Bucciarelli on
Hi Bart,

A couple questions ...

I just finished reading through the Pound mailing list thread you initiated this past February.  From that thread resolution (hard work!), it looks like the latest and greatest Pound will work with AOL Server.  What version of Pound are you using on your production server(s)?

As far as I can see, the only additional security risk of using a reverse proxy is that you are adding another layer, and that layer (the reverse proxy) may have some kind of exploit.  This risk looks minimal with Pound.  Did you have any other risks in mind when you wrote the parent post?

Finally, can you provide any data points on RAM vs. # of AOLServer Instances?  I have a box with 512MB of RAM that I will be using for virtual hosting and I am considering using AOLServer and OpenACS.  (Catherine Meeks gave me a brief overview at a conference this weekend, and I'm pretty excited by the possibilities ...)

Mark

Posted by Bart Teeuwisse on
Mark,

That's right, another layer that could be exploited. I'm running production w/ the previous Pound 1.6 current (no longer available from Apsis as it has been replaced w/ a newer version). I haven't tried this new version.

I can't give you hard data points but as a comparison I'm running 3 AOLserver instances on a single processor w/ 640 Mb quite comfortably. Mind you all these sites are small sites. The Code Mill (http://www.thecodemill.biz) gets the most hits. Nothing to write home about though.

Maybe others who provide virtual hosting can give more detailed information.

/Bart