Chris,
Thanks very much for the summary. It seems to me that the built in virtual hosting whilst convenient in some ways, and efficient in terms of resources is not scalable.
Certainly having multple domains running as children of the same process is not ideal. I run each service as a different user so that if any server is compromised the attacker can only damage one installation. The built in solution undermines this significantly.
Seems to me that, based on your answer, Pound is the solution to my needs - lightweight and functional, so I will work on setting up a test system of that - thank you.
There is one other issue that I thought I would comment on here and that is this issue of reverse proxying https. Now I initially wondered about this when setting up nsvhr, but then after much head scratching realised that it is a bit of a flawed notion. This is because you really only need to reverse proxy the initial contact with a site so that when someone types the domain name into their browser they are patched through to the Aolserver instance that is serving the domain that they requested. Once the connection with that server is established you might serve some public pages through the proxy until someone tries to access a restricted page. This will cause a redirect (if you have login restricted to ssl) to the /register page which will be at the address specified in the kernel parameters as [https://xxx.xxx.xxx.xxx:8443/].
The browser, has already done the domain lookup so still displays [https://www.domain.com:8443/register?return_urletc], but the advantage now is that all the traffic is direct to the domain server on its own port which avoids hammering the proxy by passing all requests through it. The only config change is to open up the firewall to allow direct connections on each of your https ports. This is in practical terms no less secure than having 1 https listener open - 1 open port or 100 open ports makes no difference if they are all attached to instances of the same software (i.e. if there is a security hole in your webserver, one open port is just as insecure as 100 open ports!).
So I hope that this can be done using pound and that the full request header will be logged in each server instance.
Many thanks - I'll post my results.
Regards
Richard
