Forum OpenACS Q&A: OpenSSL, Host-Node Map and Subsites

I've got a site www.answerplusuk.com working with https thanks to some certificates I bought at www.freessl.com.

Since I configured https on the server, I've been unable to login to the subsites via their custom URLs in the host-node map.

Example, I've got a subsite at http://www.answerplusuk.com/tauntonmgoc, if I enter this URL directly, I'm directed to https://www.answerplusuk.com to login and redirected to http://www.answerplusuk.com/tauntonmgoc once authenticated.

When I enter it's reference from the host node map http://www.tauntonmgoc.co.uk, I'm directed to https://www.answerplusuk.com to login and redirected to http://www.tauntonmgoc.co.uk afterwards but I'm not logged in.

I've tried toggling the kernel parameter  RegisterRestrictToSSLFilters from 0 to 1 with no luck (currently set to 0).

My subsite is set up with RestrictToSSL set to 'admin/*'

Any help would be much appreciated.

Dave

My SSL configuration is as follows:

#---------------------------------------------------------------------
#
# OpenSSL, nsopenssl and aolserver 4
#
#---------------------------------------------------------------------
#
# SSL contexts. Define the ssl contexts for this server.

ns_section "ns/server/${server}/module/nsopenssl/sslcontexts"
ns_param ssl_incoming_requests_context  "SSL context used for regular user access to the website"
ns_param ssl_outgoing_context            "SSL context used for outgoing script socket connections"

ns_section "ns/server/${server}/module/nsopenssl/defaults"
ns_param server              ssl_incoming_requests_context
ns_param client              ssl_outgoing_context

ns_section "ns/server/${server}/module/nsopenssl/sslcontext/ssl_incoming_requests_context"
ns_param Role                  server
ns_param ModuleDir            ${serverroot}/etc/certs
ns_param CertFile              certfile.pem
ns_param KeyFile              keyfile.pem
ns_param Protocols            "SSLv3, TLSv1"
ns_param CipherSuite          "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify            false
ns_param PeerVerifyDepth      3
ns_param Trace                true

# SSL drivers. Each driver defines a port and a named SSL context to associate with it.

ns_section "ns/server/${server}/module/nsopenssl/ssldrivers"
ns_param ssl_incoming_requests_driver "Driver for regular user access to the website"

ns_section "ns/server/${server}/module/nsopenssl/ssldriver/ssl_incoming_requests_driver"
ns_param sslcontext            ssl_incoming_requests_context
ns_param port                  $httpsport
ns_param hostname              $hostname
ns_param address              $address

Did anyone find a solution to the problem? Will it allow you to require and use SSL with mapped hosts if you set up an SSL key for each?

AFAIK, aolserver virtual hosting can't support multiple SSL certificates. There is only one aolserver instance running listening to 1 port. Per definition of the SSL protocol this port can handle only one certificate. At best this is a wildcard certificate which certifies *.domain-name.

You will have to run multiple aolserver instances at different IP addresses and/or different ports in order to use multiple SSL certificates.

/Bart

OpenACS allows you to create subsites under the main site so that you can run multiple sites from the same code and database. For example:

• Main Site: http://www.mainsite.com/
• Subsite: http://www.mainsite.com/my-subsite/

With the OpenACS host-node-map utility, you can map any hostname to the subsite, hiding its relation to the main site. For example:

You could map

• http://www.my-subsite.com/

...to...

• http://www.mainsite.com/my-subsite/

...where www.my-subsite.com and www.mainsite.com point to the same IP.

We are trying to determine the best way to enable SSL on subsites that use mapped hosts since each subsite/host will need its own certificate.

I was hoping nsopenssl 3.x would allow you to set up multiple drivers for an nsd so that you could use a the same IP address and port with a separate sslcontext and hostname. But, when I tested that, it didn't work in that it always used the last driver specified in the AOLserver config file.

Unfortunately, this isn't possible and it has to do with the SSL spec. When a client connects, the first thing that happens is the SSL handshake. Your server doesn't even know what URL, and hence, which subsite the connection is destined for until after the SSL handshake is done.

The only way to do what you want is to add multiple IP addresses to your ethernet card and assign each address to a different subsite. This way you can attach a cert on a subsite basis. nsd listens on a different address for each subsite and so knows which cert to use.

But, since the host-node-map, as I understand it, requires that all hosts point to the same IP, does that mean that SSL cannot be made to work for subsites using the host-node-map functionality?

If all the hosts were in the form of subsite1.mydomain.com and subsite2.mydomain.com, you could use a wildcard SSL cert, but that will not always be the case.

For example, would this work...?

1. Pound (or another proxy) handles https handshake for :
  - www.mydomain1.com on external IP 1.2.3.4
  - www.mydomain2.com on external IP 1.2.3.5
2. Internal DNS set up with both domains pointing to same IP:
  - www.mydomain1.com on internal IP 192.168.0.1
  - www.mydomain2.com on internal IP 192.168.0.1
3. AOLserver instance running www.mydomain1.com on 192.168.0.1
4. OpenACS configured to use host-node-map to map:
  - www.mydomain2.com to www.mydomain1.com/mysubsite2/
5. Pound communicates with AOLsever using HTTP, not HTTPS,
  but Pound can tell OpenACS if the external connection is
  secure so OpenACS can enforce the require SSL on
  registration/log in (probably with a little modification to
  the OpenACS code)

That would be great. Please let me know when you post the code. Thanks.