Forum OpenACS Q&A: Re: how to config for multiple aolserver instances

Posted by Brad Duell on
Actually, the only place that ports need to be set up is in your squid.conf file.  By default (the default squid.conf), the SSL port 443 is considered a safe port, I believe.

This is all under the ACCESS CONTROLS section of squid.conf.

Posted by Bart Teeuwisse on
Brad,

while squid supports SSL, this does NOT mean that squid can REVERSE proxy SSL servers.

See also http://www.squid-cache.org/mail-archive/squid-users/200005/0745.html as well as various threads on openacs.org.

/Bart

Posted by Brad Ford on
Wow, that was over my head... Bart, am I correct in interpreting that thread and the other openacs.org threads to mean that https/ssl is inherently not a possibility with virtual hosting because of the layers between the servers? Any chance you could summarize in layman's terms - would be greatly appreciated.
Posted by Bart Teeuwisse on
Brad,

that is (partially) correct. Yes, you can NOT proxy an SSL server. That is, you can NOT set up the following scenario:

- https://dev.domain.com/ and
- https://xml.domain.com/

both behind a proxy. The proxy can NOT pass the https requests on to the virtual domains.

However, you can set up a proxy server that handles ALL SSL negotiations and passes the https requests on as http requests to the appropriate virtual domain. In other words, when the proxy receives a request for https://dev.domain.com/ it will authenticate the secure request and forward the request to http://dev.domain.com/. The virtual web servers never see a secure connection.

Pound (http://www.apsis.ch/pound/) is a reverse proxy that I know of to support this configuration.

In order to do this, the proxy would require a wildcard certificate for *.domain.com so that it can authenticate requests for both subdomains in the above example.

/Bart
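As an added illustration of the arrangement Bart describes (not Bart's own configuration, and not from the OpenACS project): a Pound listener that terminates TLS with the wildcard certificate and hands each request on as plain HTTP to the backend chosen by the Host header. The PEM path, the backend addresses and ports, and the Pound 2.x directives AddHeader and HeadRequire are assumptions.

```conf
# Pound (2.x syntax) - TLS termination in front of two plain-HTTP virtual hosts.
# Assumed paths and ports; adjust to the real deployment.

ListenHTTPS
    Address 0.0.0.0
    Port    443
    # One PEM file holding the private key and the *.domain.com certificate,
    # so a single listener can answer for both subdomains.
    Cert    "/etc/pound/wildcard.domain.com.pem"
    # Tell the backends the client really spoke https, since they only
    # ever see an http connection from the proxy.
    AddHeader "X-Forwarded-Proto: https"

    # Route by Host header (the pattern is a regex, matched case-insensitively).
    Service
        HeadRequire "Host: dev.domain.com"
        BackEnd
            Address 127.0.0.1
            Port    8001
        End
    End

    Service
        HeadRequire "Host: xml.domain.com"
        BackEnd
            Address 127.0.0.1
            Port    8002
        End
    End
End
```

Because the backends never see a secure connection, anything on them that builds absolute URLs or checks whether a request was secure has to rely on the X-Forwarded-Proto header set by the proxy rather than on the socket, so the backend ports should only accept connections from the proxy host.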