Forum OpenACS Q&A: OpenSSL, Host-Node Map and Subsites

Posted by David Newhook on
Hi there,

I've got a site www.answerplusuk.com working with https thanks to some certificates I bought at www.freessl.com.

Since I configured https on the server, I've been unable to login to the subsites via their custom URLs in the host-node map.

For example, I've got a subsite at http://www.answerplusuk.com/tauntonmgoc. If I enter this URL directly, I'm directed to https://www.answerplusuk.com to log in and redirected to http://www.answerplusuk.com/tauntonmgoc once authenticated.

When I enter its reference from the host-node map, http://www.tauntonmgoc.co.uk, I'm directed to https://www.answerplusuk.com to log in and redirected to http://www.tauntonmgoc.co.uk afterwards, but I'm not logged in.

I've tried toggling the kernel parameter RegisterRestrictToSSLFilters from 0 to 1 with no luck (it's currently set to 0).

My subsite is set up with RestrictToSSL set to 'admin/*'.

Any help would be much appreciated.

Dave

My SSL configuration is as follows:

#---------------------------------------------------------------------
#
# OpenSSL, nsopenssl and aolserver 4
#
#---------------------------------------------------------------------
#
# SSL contexts. Define the ssl contexts for this server.

ns_section "ns/server/${server}/module/nsopenssl/sslcontexts"
ns_param ssl_incoming_requests_context  "SSL context used for regular user access to the website"
ns_param ssl_outgoing_context            "SSL context used for outgoing script socket connections"

ns_section "ns/server/${server}/module/nsopenssl/defaults"
ns_param server              ssl_incoming_requests_context
ns_param client              ssl_outgoing_context

ns_section "ns/server/${server}/module/nsopenssl/sslcontext/ssl_incoming_requests_context"
ns_param Role                  server
ns_param ModuleDir            ${serverroot}/etc/certs
ns_param CertFile              certfile.pem
ns_param KeyFile              keyfile.pem
ns_param Protocols            "SSLv3, TLSv1"
# Note: ALL already contains the LOW and EXP (export-grade) ciphers; the "+LOW", "+SSLv2"
# and "+EXP" entries only move them to the end of the preference list, they do not exclude them.
ns_param CipherSuite          "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
# No client certificates are requested from browsers.
ns_param PeerVerify            false
ns_param PeerVerifyDepth      3
# Trace writes SSL handshake details to the server log; useful while debugging only.
ns_param Trace                true

# SSL drivers. Each driver defines a port and a named SSL context to associate with it.

ns_section "ns/server/${server}/module/nsopenssl/ssldrivers"
ns_param ssl_incoming_requests_driver "Driver for regular user access to the website"

ns_section "ns/server/${server}/module/nsopenssl/ssldriver/ssl_incoming_requests_driver"
ns_param sslcontext            ssl_incoming_requests_context
ns_param port                  $httpsport
ns_param hostname              $hostname
ns_param address              $address

Posted by David Newhook on
By setting the kernel parameter RestrictLoginToSSLP from 1 to 0, I've got around the issue of www.tauntonmgoc.co.uk subsite users being unable to log in.

Of course, they can only log in using http at that domain, as the certificate is for www.answerplusuk.com, not www.tauntonmgoc.co.uk. I guess I'll ask subsite administrators to make secure changes using https://www.answerplusuk.com/tauntonmgoc to avoid passwords being sniffed.

Does anyone know how the RegisterRestrictToSSLFilters parameter works?

I've got the nscgi module installed on my setup to take advantage of the great omail webmail Perl script. Unix users can check their qmail Maildir and send email via https://www.answerplusuk.com/cgi-bin/omail.pl.

I'd like calls to the http version to be redirected to https before logon. I've set the RegisterRestrictToSSLFilters parameter to 1 and added "cgi-bin/*" to the RestrictToSSL parameter of my parent site at www.answerplusuk.com, but this hasn't done the trick.

Is this because cgi-bin isn't an OpenACS-made directory? Do I need to change the ns_section for the nscgi module? I'm guessing the map parameters should redirect POST and GET requests on /cgi-bin to https in some way.

Posted by James Thornton on
I am noticing the same behavior: if RestrictToSSL and RegisterRestrictToSSLFilters are set, it will redirect to https:// on the main site for login if a host is mapped to a subsite with the host-node-map utility.

Did anyone find a solution to the problem? Will it allow you to require and use SSL with mapped hosts if you set up an SSL key for each?

Posted by James Thornton on
I haven't tested using SSL certs for hosts mapped to subsites via host-node-map, but let's assume that it can be made to work. Since each host will need its own SSL cert, what would be the best way to load the certs? -- AOLserver virtual hosting for each host needing SSL?

At the moment, the mapped host simply has a DNS entry aliased to the primary host's IP and then the host-node-map takes over, but I don't see how this can work with SSL since the mapped host will need its own SSL key.

Thoughts?

Posted by Bart Teeuwisse on
James,

AFAIK, AOLserver virtual hosting can't support multiple SSL certificates. There is only one AOLserver instance running, listening on one port. By definition of the SSL protocol this port can handle only one certificate. At best this is a wildcard certificate which certifies *.domain-name.

You will have to run multiple AOLserver instances at different IP addresses and/or different ports in order to use multiple SSL certificates.

/Bart

Posted by James Thornton on
Scott Goodwin says, "[nsopenssl 3.0 beta 17] is virtual server-aware, and you only have to load it once: it will serve multiple drivers on multiple virtual servers" (http://www.scottg.net/webtools/aolserver/modules/nsopenssl/).

Bart, I read in other threads that you were doing some research on AOLserver virtual hosting methods -- did you research this?

I sent e-mail to Scott asking about it.

Posted by James Thornton on
My e-mail to Scott Goodwin (nsopenssl author):

OpenACS allows you to create subsites under the main site so that you can run multiple sites from the same code and database. For example:

  • Main Site: http://www.mainsite.com/
  • Subsite: http://www.mainsite.com/my-subsite/
With the OpenACS host-node-map utility, you can map any hostname to the subsite, hiding its relation to the main site. For example:

You could map

  • http://www.my-subsite.com/
...to...
  • http://www.mainsite.com/my-subsite/
...where www.my-subsite.com and www.mainsite.com point to the same IP.

We are trying to determine the best way to enable SSL on subsites that use mapped hosts since each subsite/host will need its own certificate.

I was hoping nsopenssl 3.x would allow you to set up multiple drivers for an nsd so that you could use the same IP address and port with a separate sslcontext and hostname. But when I tested that, it didn't work: it always used the last driver specified in the AOLserver config file.

Scott Goodwin's response:
Unfortunately, this isn't possible and it has to do with the SSL spec. When a client connects, the first thing that happens is the SSL handshake. Your server doesn't even know what URL, and hence, which subsite the connection is destined for until after the SSL handshake is done.

The only way to do what you want is to add multiple IP addresses to your ethernet card and assign each address to a different subsite. This way you can attach a cert on a subsite basis. nsd listens on a different address for each subsite and so knows which cert to use.

Posted by Bart Teeuwisse on
Exactly as I was saying.

/Bart

Posted by James Thornton on
Yeah, I was just posting his response here for the archive.

But, since the host-node-map, as I understand it, requires that all hosts point to the same IP, does that mean that SSL cannot be made to work for subsites using the host-node-map functionality?

If all the hosts were in the form of subsite1.mydomain.com and subsite2.mydomain.com, you could use a wildcard SSL cert, but that will not always be the case.

Posted by Bart Teeuwisse on
James,

That is correct. Only subsites that are subdomains of the same parent domain, in conjunction with a wildcard SSL certificate, could be secured. However, I don't know if AOLserver's virtual hosting supports wildcard certificates. I do know that Pound can. If AOLserver doesn't support wildcard certificates with virtual hosting, you could place Pound in front of AOLserver to handle the SSL connections on behalf of AOLserver.

/Bart

Posted by James Thornton on
Ok, so if you must use a proxy, couldn't the proxy also enable you to use SSL with subsites that use separate, disparate domains, such as www.mydomain1.com and www.mydomain2.com (i.e. when a wildcard cert isn't an option)?

For example, would this work...?

1. Pound (or another proxy) handles https handshake for :
  - www.mydomain1.com on external IP 1.2.3.4
  - www.mydomain2.com on external IP 1.2.3.5
2. Internal DNS set up with both domains pointing to same IP:
  - www.mydomain1.com on internal IP 192.168.0.1
  - www.mydomain2.com on internal IP 192.168.0.1
3. AOLserver instance running www.mydomain1.com on 192.168.0.1
4. OpenACS configured to use host-node-map to map:
  - www.mydomain2.com to www.mydomain1.com/mysubsite2/
5. Pound communicates with AOLserver using HTTP, not HTTPS,
  but Pound can tell OpenACS if the external connection is
  secure so OpenACS can enforce the SSL requirement on
  registration/login (probably with a little modification to
  the OpenACS code)

Posted by Bart Teeuwisse on
James,

I deleted my earlier post as I had misread your message.

Yes you can do this with Pound:

1. One Pound instance (p1) handles requests for www.mydomain1.com and another (p2) for www.mydomain2.com. They handle both HTTP and HTTPS connections.

2. Both Pound instances proxy the same internal AOLserver. All external requests are forwarded to AOLserver as HTTP requests. AOLserver uses the header in the request to map the request to the appropriate subsite.

3. Pound adds 'X-SSL-Request: true' to HTTPS requests forwarded to AOLserver. AOLserver uses this information to detect HTTPS connections. I can provide modifications to the request processor to make this transparent to OpenACS.

There is no need to setup an internal DNS.

/Bart
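The decision logic that the proxy design above (James's five steps and Bart's three points) hands to the request processor, written out as an added example. This is not OpenACS, AOLserver or Pound code; it models the decision in Python so it can be run stand-alone. The hosts, proxy networks, host-node-map entries and RestrictToSSL patterns are constructed for the example (the hostnames are the ones used in this thread). It shows the three things such a modification has to get right: believe 'X-SSL-Request: true' only when the TCP peer is the proxy, otherwise anyone who can reach the AOLserver HTTP port directly can forge an "HTTPS" request; apply the subsite's RestrictToSSL globs to the node URL the host-node-map resolves, so 'admin/*' works whether the subsite is reached as /tauntonmgoc/admin/... on the main host or as /admin/... on the mapped host; and redirect to https on the host the client actually used (never an unknown Host header), so a mapped host lands on the Pound instance that holds its own certificate instead of on the main site.

```python
"""Added example (not OpenACS/AOLserver/Pound code): HTTPS detection behind a
TLS-terminating proxy plus RestrictToSSL redirects for host-node-mapped subsites.
All hosts, networks and patterns below are constructed for the example."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

MAIN_HOST = "www.answerplusuk.com"
# host-node-map (constructed): mapped hostname -> node URL of the subsite it stands for
HOST_NODE_MAP = {"www.tauntonmgoc.co.uk": "/tauntonmgoc"}
# RestrictToSSL per subsite node (constructed), patterns relative to the subsite root
RESTRICT_TO_SSL = {"/": ["admin/*", "cgi-bin/*"], "/tauntonmgoc": ["admin/*"]}
# Only these source networks may assert X-SSL-Request (assumed proxy addresses)
TRUSTED_PROXIES = [ip_network("192.168.0.0/24"), ip_network("127.0.0.0/8")]
SSL_HEADER = "x-ssl-request"  # the header Pound is configured to add to HTTPS requests


@dataclass
class Request:
    peer_ip: str                 # TCP peer as seen by AOLserver (the proxy, or a direct client)
    host: str                    # Host header as the client sent it, forwarded by the proxy
    path: str                    # request path, e.g. "/admin/index"
    headers: dict = field(default_factory=dict)
    direct_https: bool = False   # True only when nsopenssl terminated TLS itself
    query: str = ""


def from_trusted_proxy(peer_ip: str) -> bool:
    addr = ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def request_is_https(req: Request) -> bool:
    """HTTPS if nsopenssl handled the connection, or a trusted proxy says so.
    A client that reaches the HTTP port directly with a forged header gets False."""
    if req.direct_https:
        return True
    if not from_trusted_proxy(req.peer_ip):
        return False
    lowered = {k.lower(): v for k, v in req.headers.items()}
    return lowered.get(SSL_HEADER, "").strip().lower() == "true"


def canonical_host(host: str) -> str:
    """Never echo an unknown Host header into a redirect; fall back to the main site."""
    name = host.split(":", 1)[0].lower()
    return name if (name == MAIN_HOST or name in HOST_NODE_MAP) else MAIN_HOST


def node_url(host: str, path: str) -> str:
    """Resolve like the host-node-map: a mapped host's '/' is its subsite root."""
    return HOST_NODE_MAP.get(host, "").rstrip("/") + path


def restricted(node: str) -> bool:
    """Longest matching subsite wins; its RestrictToSSL globs are matched against
    the path relative to that subsite (so 'admin/*' means <subsite>/admin/...)."""
    candidates = [s for s in RESTRICT_TO_SSL
                  if node == s or node.startswith(s.rstrip("/") + "/")]
    subsite = max(candidates, key=len)
    rel = node[len(subsite.rstrip("/")):].lstrip("/")
    return any(fnmatchcase(rel, pat) for pat in RESTRICT_TO_SSL[subsite])


def ssl_redirect(req: Request):
    """Return the https URL a RestrictToSSL filter should redirect to, or None."""
    host = canonical_host(req.host)
    if request_is_https(req) or not restricted(node_url(host, req.path)):
        return None
    return f"https://{host}{req.path}" + (f"?{req.query}" if req.query else "")


if __name__ == "__main__":
    via_proxy = Request("192.168.0.10", "www.tauntonmgoc.co.uk", "/admin/index",
                        {"X-SSL-Request": "true"})
    forged = Request("203.0.113.9", "www.tauntonmgoc.co.uk", "/admin/index",
                     {"X-SSL-Request": "true"})
    print("via proxy :", ssl_redirect(via_proxy))   # None, already HTTPS
    print("forged    :", ssl_redirect(forged))      # redirect to the mapped host's https
```

Two deployment points follow from this: the proxy must overwrite (not merely add) the X-SSL-Request header so a client cannot supply its own, and the AOLserver HTTP port should be reachable only from the proxy addresses, since the trust check here is the only thing standing between a forged header and a "secure" login over plain HTTP.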

Posted by James Thornton on
"I can provide modifications to the request processor to make this transparent to OpenACS."

That would be great. Please let me know when you post the code. Thanks.