
Forum OpenACS Q&A: Re: how to config for multiple aolserver instances

Posted by Bart Teeuwisse on
Brad,

while squid supports SSL this does NOT mean that squid can REVERSE proxy SSL servers.

See also http://www.squid-cache.org/mail-archive/squid-users/200005/0745.html as well as various threads on openacs.org.

/Bart

Posted by Brad Ford on
Wow, that was over my head... Bart, am I correct in interpreting that thread and the other openacs.org threads to mean that https/ssl is inherently not a possibility with virtual hosting because of the layers between the servers? Any chance you could summarize in layman's terms - would be greatly appreciated.
Posted by Bart Teeuwisse on
Brad,

that is (partially) correct. Yes, you can NOT proxy an SSL server. That is, you can NOT set up the following scenario:

- https://dev.domain.com/ and
- https://xml.domain.com/

both behind a proxy. The proxy can NOT pass the https requests on to the virtual domains.

However, you can set up a proxy server that handles ALL SSL negotiations and passes the https requests on as http requests to the appropriate virtual domain. In other words, when the proxy receives a request for https://dev.domain.com/ it will authenticate the secure request and forward the request to http://dev.domain.com/. The virtual web servers never see a secure connection.

Pound (http://www.apsis.ch/pound/) is a reverse proxy that I know of to support this configuration.

In order to do this, the proxy would require a wildcard certificate for *.domain.com so that it can authenticate requests for both subdomains in the above example.

/Bart
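
The setup described in the last post, sketched as an added example (not code from the thread or from Pound): a check of which hostnames a `*.domain.com` certificate covers, and the plain-http forward the proxy makes after terminating SSL. The backend addresses, the function names and the `X-Forwarded-Proto` header are assumptions made for illustration.

```python
# Added illustration: hostnames follow the thread; backend ports are constructed.

def wildcard_covers(cert_name: str, host: str) -> bool:
    """Return True if cert_name (exact or '*.' wildcard) is valid for host.

    The '*' is honoured only as the entire left-most label and stands for
    exactly one label, so '*.domain.com' covers 'dev.domain.com' but neither
    'domain.com' nor 'a.dev.domain.com'.
    """
    p = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Conservative choice: refuse wildcards directly under a TLD ('*.com').
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


# Hypothetical virtual servers listening on plain http behind the proxy.
BACKENDS = {
    "dev.domain.com": ("127.0.0.1", 8001),
    "xml.domain.com": ("127.0.0.1", 8002),
}


def route(cert_name: str, host_header: str):
    """Decide where a decrypted https request is forwarded.

    Returns (backend_url, headers) or None when the certificate does not
    cover the requested name or no virtual server is configured for it.
    """
    host = host_header.split(":")[0].lower()
    if not wildcard_covers(cert_name, host):
        return None  # the client would see a certificate name mismatch
    backend = BACKENDS.get(host)
    if backend is None:
        return None
    # The backend never sees SSL, so the original scheme is passed in a
    # header (common convention, assumed here) for redirects and cookies.
    headers = {"Host": host, "X-Forwarded-Proto": "https"}
    return "http://%s:%d" % backend, headers


if __name__ == "__main__":
    for name in ("dev.domain.com", "xml.domain.com", "domain.com", "a.dev.domain.com"):
        print(name, wildcard_covers("*.domain.com", name), route("*.domain.com", name))
```

Because the backends receive unencrypted http, they should accept connections only from the proxy.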